Authors
Xuping Huang Shunsuke Mochizuki Akira Fujita Katsunari Yoshioka
Publisher
Information Processing Society of Japan
Journal
IPSJ Journal (ISSN:18827764)
Volume/issue/pages, publication date
vol.64, no.3, 2023-03-15

In recent years, malware-infected devices, such as Mirai, have been used to conduct impactful attacks like massive DDoS attacks. Internet Service Providers (ISPs) respond by sending security notifications to infected users, instructing them to remove the malware; however, there are no approaches to quantify or simulate the performance and effectiveness of the notification activities. In this paper, we propose a model of security notification by ISPs. In the proposed model, we simulate the security notification with composite parameters, indicating the nature of malware attacks such as persistence of malware, user response ratio, and notification efforts by ISPs, and then discuss their effectiveness. Moreover, we conduct a simulation based on the actual attack.
------------------------------
This is a preprint of an article intended for publication in Journal of Information Processing (JIP). This preprint should not be cited. This article should be cited as: Journal of Information Processing Vol.31 (2023) (online) DOI http://dx.doi.org/10.2197/ipsjjip.31.165
------------------------------
Authors
Yin Minn Pa Pa Shogo Suzuki Katsunari Yoshioka Tsutomu Matsumoto Takahiro Kasama Christian Rossow
Publisher
Information Processing Society of Japan
Journal
Journal of Information Processing (ISSN:18826652)
Volume/issue/pages, publication date
vol.24, no.3, pp.522-533, 2016 (Released:2016-05-15)
Number of references
32
Number of citations
1 123

We analyze the increasing threats against IoT devices. We show that Telnet-based attacks that target IoT devices have rocketed since 2014. Based on this observation, we propose an IoT honeypot and sandbox, which attracts and analyzes Telnet-based attacks against various IoT devices running on different CPU architectures such as ARM, MIPS, and PPC. By analyzing the observation results of our honeypot and captured malware samples, we show that there are currently at least 5 distinct DDoS malware families targeting Telnet-enabled IoT devices and one of the families has quickly evolved to target more devices with as many as 9 different CPU architectures.
Authors
Koji NAKAO Katsunari YOSHIOKA Takayuki SASAKI Rui TANABE Xuping HUANG Takeshi TAKAHASHI Akira FUJITA Jun'ichi TAKEUCHI Noboru MURATA Junji SHIKATA Kazuki IWAMOTO Kazuki TAKADA Yuki ISHIDA Masaru TAKEUCHI Naoto YANAI
Publisher
The Institute of Electronics, Information and Communication Engineers
Journal
IEICE Transactions on Information and Systems (ISSN:09168532)
Volume/issue/pages, publication date
vol.E106.D, no.9, pp.1302-1315, 2023-09-01 (Released:2023-09-01)
Number of references
40

In this paper, we developed the latest IoT honeypots to capture IoT malware currently on the loose, analyzed IoT malware with new features such as persistent infection, and developed malware removal methods to be provided to IoT device users. Furthermore, as attack behaviors using IoT devices become more diverse and sophisticated every year, we conducted research related to various factors involved in understanding the overall picture of attack behaviors from the perspective of incident responders. As the final stage of countermeasures, we also conducted research and development of IoT malware disabling technology to stop only IoT malware activities in IoT devices and IoT system disabling technology to remotely control (including stopping) IoT devices themselves.
Authors
Xuping Huang Shunsuke Mochizuki Akira Fujita Katsunari Yoshioka
Publisher
Information Processing Society of Japan
Journal
Journal of Information Processing (ISSN:18826652)
Volume/issue/pages, publication date
vol.31, pp.165-173, 2023 (Released:2023-03-15)
Number of references
25
Number of citations
1

In recent years, malware-infected devices, such as Mirai, have been used to conduct impactful attacks like massive DDoS attacks. Internet Service Providers (ISPs) respond by sending security notifications to infected users, instructing them to remove the malware; however, there are no approaches to quantify or simulate the performance and effectiveness of the notification activities. In this paper, we propose a model of security notification by ISPs. In the proposed model, we simulate the security notification with composite parameters, indicating the nature of malware attacks such as persistence of malware, user response ratio, and notification efforts by ISPs, and then discuss their effectiveness. Moreover, we conduct a simulation based on the actual attack.
Authors
Xuping Huang Shunsuke Mochizuki Katsunari Yoshioka
Publisher
Information Processing Society of Japan
Journal
IPSJ Journal (ISSN:18827764)
Volume/issue/pages, publication date
vol.63, no.12, 2022-12-15

IoT malware Mirai and its variants continue to evolve and their activities consume network resources, particularly radio resources. This paper proposes a method to identify connection types and estimate the wireless uplink speed of malware-infected hosts observed by an IoT honeypot by using the Connection Type Database of Maxmind's GeoIP2, a well-known industrial resource for IP address related information, and the Network Diagnosis Tool (NDT) database, a measurement data set of the uplink speed of various networks. The proposed Mobile Network Identification method divides IP addresses into IP ranges assigned to each Autonomous System (AS), and then employs the NDT database based on the IP ranges. We analyzed the infected hosts observed by the IoT honeypot to assess and validate the precision of the proposed technique. Our method estimates the maximum average uplink speed of the infected cellular host to be 40.6Mbps, which is between two reference measurement results of cellular networks, indicating the adequacy of the proposed method.
------------------------------
This is a preprint of an article intended for publication in Journal of Information Processing (JIP). This preprint should not be cited. This article should be cited as: Journal of Information Processing Vol.30 (2022) (online) DOI http://dx.doi.org/10.2197/ipsjjip.30.859
------------------------------
Authors
Takahiro KASAMA Katsunari YOSHIOKA Daisuke INOUE Tsutomu MATSUMOTO
Publisher
The Institute of Electronics, Information and Communication Engineers
Journal
IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences (ISSN:09168508)
Volume/issue/pages, publication date
vol.E96-A, no.1, pp.225-232, 2013-01-01

As the number of new malware has increased explosively, traditional malware detection approaches based on pattern matching have become less effective. Therefore, it is important to develop a detection method which relies not on signatures but on characteristic behaviors of malware. Recently, malware authors have been embedding functions for countermeasures against malware analyses and detections into malware. Accordingly, modern malware often changes its runtime behaviors in each execution to withstand malware analyses and detections. For example, when malware copies itself on a file system, it can randomly determine its file name to avoid detection. Another example is that when malware tries to connect to its command and control server, it randomly chooses a domain name from a hard-coded domain name list to avoid being blocked by a static blacklist of malicious domain names. We assume that such evasive behaviors are unnecessary for benign software. Therefore, the behaviors can be clues to distinguish malware from benign software. In this paper, we propose a novel behavior-based malware detection method which focuses attention on such characteristics. Our proposed method conducts dynamic analysis on an executable file multiple times in the same sandbox environment so as to obtain plural lists of API call sequences and plural traffic logs, and then compares the lists and the logs to find the differences between the multiple executions. In the experiments with 5,697 malware samples and 819 benign software samples, we can detect about 70% of malware samples and the false positive rate is about 1%. In addition, we can detect about 50% of malware samples which were not detected by each Anti-Virus Software engine. Therefore, we confirm the possibility that the proposed method may be able to improve the accuracy of malware detection when used in combination with other existing methods.