Ayako Akiyama Hasegawa, Takuya Watanabe, Eitaro Shioji, Mitsuaki Akiyama, Tatsuya Mori
Information Processing Society of Japan
Journal of Information Processing (ISSN:18826652)
vol.28, pp.1030-1046, 2020 (Released:2020-12-15)

Online service providers exert tremendous effort to protect users' accounts against sensitive data breaches. Although threats from complete outsiders, such as account hijacking for monetization, still occur, recent studies have shed light on threats to privacy from insiders. In this study, we focus on these latter threats. Specifically, we present the first comprehensive study of an attack from insiders that identifies the existence of a target's account by using the target's email address and the insecure login-related messages that are displayed. Such a threat may violate intimates' or acquaintances' privacy because the kinds of service accounts a user has imply his/her personal preferences or situation. We conducted surveys regarding user expectations and behaviors on online services and an extensive measurement study of login-related messages on online services that are considered sensitive. We found that over 80% of participants answered that they have sensitive services and that almost all services were vulnerable to our attack. Moreover, about half the participants who have sensitive services were insecurely registered on them, and thus could be potential victims. Finally, we recommend ways for online service providers to improve login-related messages and for users to take appropriate defensive actions. We also report our responsible disclosure process.
Kazuki Nomoto, Takuya Watanabe, Eitaro Shioji, Mitsuaki Akiyama, Tatsuya Mori
Information Processing Society of Japan
Journal of Information Processing (ISSN:18826652)
vol.31, pp.620-642, 2023 (Released:2023-09-15)

Modern Web services provide advanced features by utilizing hardware resources on the user's device. Web browsers implement a user consent-based permission model to protect user privacy. In this study, we developed PERMIUM, a web browser analysis framework that automatically analyzes the behavior of permission mechanisms implemented by various browsers. We systematically studied the behavior of permission mechanisms for 22 major browser implementations running on five different operating systems. We found fragmented implementations. Implementations between browsers running on different operating systems are not always identical. We determined that implementation inconsistencies could lead to privacy risks. We identified gaps between browser permission implementations and user perceptions from the user study corresponding to the analyses using PERMIUM. Based on the implementation inconsistencies, we developed two proof-of-concept attacks and evaluated their feasibility. The first attack uses permission information to secretly track the user. The second attack aims to create a situation in which the user cannot correctly determine the origin of the permission request and the user mistakenly grants permission. Finally, we clarify the technical issues that must be standardized in privacy mechanisms and provide recommendations to OS/browser vendors to mitigate the threats identified in this study.
The Institute of Electronics, Information and Communication Engineers
IEICE Transactions on Information and Systems (ISSN:09168532)
vol.E103.D, no.7, pp.1541-1555, 2020-07-01 (Released:2020-07-01)

This work aims to determine the propensity of password creation through the lens of language spheres. To this end, we consider four different countries, each with a different culture/language: China/Chinese, United Kingdom (UK) and India/English, and Japan/Japanese. We first employ a user study to verify whether language and culture are reflected in password creation. We found that users in India, Japan, and the UK prefer to create their passwords from base words, and the kinds of words they incorporate into passwords vary between countries. We then test whether the findings obtained through the user study are reflected in a corpus of leaked passwords. We found that users in China and Japan prefer dates, while users in India, Japan, and the UK prefer names. We also found that cultural words (e.g., “sakura” in Japan and “football” in the UK) are frequently used to create passwords. Finally, we demonstrate that knowledge of the linguistic background of targeted users can be exploited to increase the speed of the password guessing process.
Tatsuya MORI, Tetsuya TAKINE, Jianping PAN, Ryoichi KAWAHARA, Masato UCHIDA, Shigeki GOTO
The Institute of Electronics, Information and Communication Engineers
IEICE TRANSACTIONS on Communications (ISSN:09168516)
vol.E90-B, no.11, pp.3061-3072, 2007-11-01

With the rapid increase of link speed in recent years, packet sampling has become a very attractive and scalable means of collecting flow statistics; however, it also makes inferring original flow characteristics much more difficult. In this paper, we develop techniques and schemes to identify flows with a very large number of packets (also known as heavy-hitter flows) from sampled flow statistics. Our approach follows a two-stage strategy: We first parametrically estimate the original flow length distribution from sampled flows. We then identify heavy-hitter flows with Bayes' theorem, where the flow length distribution estimated at the first stage is used as an a priori distribution. Our approach is validated and evaluated with publicly available packet traces. We show that our approach provides a very flexible framework in striking an appropriate balance between false positives and false negatives when sampling frequency is given.
Mitsuhiro HATADA, Tatsuya MORI
The Institute of Electronics, Information and Communication Engineers
IEICE Transactions on Information and Systems (ISSN:09168532)
vol.E103.D, no.2, pp.265-275, 2020-02-01 (Released:2020-02-01)

This work develops a system called CLAP that detects and classifies “potentially unwanted applications” (PUAs) such as adware or remote monitoring tools. Our approach leverages DNS queries made by apps. Using a large sample of Android apps from third-party marketplaces, we first reveal that DNS queries can provide useful information for detection and classification of PUAs. We then show that existing DNS blacklists are limited when performing these tasks. Finally, we demonstrate that the CLAP system performs with high accuracy.
Bo Sun, Xiapu Luo, Mitsuaki Akiyama, Takuya Watanabe, Tatsuya Mori
Information Processing Society of Japan
Journal of Information Processing (ISSN:18826652)
vol.26, pp.212-223, 2018 (Released:2018-02-15)

Mobile app stores, such as Google Play, play a vital role in the ecosystem of mobile device software distribution platforms. When users find an app of interest, they can acquire useful data from the app store to inform their decision regarding whether to install the app. This data includes ratings, reviews, number of installs, and the category of the app. The ratings and reviews are the user-generated content (UGC) that affect the reputation of an app. Therefore, miscreants can leverage such channels to conduct promotional attacks; for example, a miscreant may promote a malicious app by endowing it with a good reputation via fake ratings and reviews to encourage would-be victims to install the app. In this study, we have developed a system called PADetective that detects miscreants who are likely to be conducting promotional attacks. Using a 1723-entry labeled dataset, we demonstrate that the true positive rate of the detection model is 90%, with a false positive rate of 5.8%. We then applied our system to an unlabeled dataset of 57M reviews written by 20M users for 1M apps to characterize the prevalence of threats in the wild. The PADetective system detected 289K reviewers as potential PA attackers. The detected potential PA attackers posted reviews to 136K apps, which included 21K malicious apps. We also report that our system can be used to identify potentially malicious apps that have not been detected by anti-virus checkers.