
Modeling and Detection of Camouflaging Worm

ABSTRACT

Active worms cause major security threats to the Internet. This is due to the ability of active worms to propagate in an automated fashion as they continuously compromise computers on the Internet. Active worms evolve during their propagation and thus pose great challenges to defending against them. Here we investigate a new class of active worms, referred to as the Camouflaging Worm (C-Worm in short). The C-Worm is different from traditional worms because of its ability to intelligently manipulate its scan traffic volume over time. Thereby, the C-Worm camouflages its propagation from existing worm detection systems that are based on analyzing the propagation traffic generated by worms. We design a novel spectrum-based scheme to detect the C-Worm. Our scheme uses the Power Spectral Density (PSD) distribution of the scan traffic volume and its corresponding Spectral Flatness Measure (SFM) to distinguish the C-Worm traffic from background traffic.

INTRODUCTION:

An active worm refers to a malicious software program that propagates itself on the Internet to infect other computers. The propagation of the worm is based on exploiting vulnerabilities of computers on the Internet. Many real-world worms have caused notable damage on the Internet. These worms include the Code-Red worm in 2001, the Slammer worm in 2003, and the Witty/Sasser worms in 2004. Many active worms are used to infect a large number of computers and recruit them as bots or zombies, which are networked together to form botnets. These botnets can be used to: (a) launch massive Distributed Denial-of-Service (DDoS) attacks that disrupt Internet utilities; (b) access confidential information that can be misused, through large-scale traffic sniffing, key logging, identity theft, etc.; (c) destroy data that has a high monetary value; and (d) distribute large-scale unsolicited advertisement emails (spam) or software (malware). There is evidence showing that infected computers are being rented out as botnets, creating an entire black-market industry for renting, trading, and managing owned computers, which leads to economic incentives for attackers. Researchers have also shown the possibility of super-botnets, networks of independent botnets that can be coordinated for attacks of unprecedented scale. For an adversary, super-botnets would also be extremely versatile and resistant to countermeasures.

Due to the substantial damage caused by worms in past years, there have been significant efforts on developing detection and defense mechanisms against worms. A network-based worm detection system plays a major role by monitoring, collecting, and analyzing the scan traffic (messages sent to identify vulnerable computers) generated during worm attacks. In this system, the detection is commonly based on the self-propagating behavior of worms, which can be described as follows: after a worm-infected computer identifies and infects a vulnerable computer on the Internet, this newly infected computer will automatically and continuously scan several IP addresses to identify and infect other vulnerable computers. As such, numerous existing detection schemes are based on a tacit assumption that each worm-infected computer keeps scanning the Internet and propagates itself at the highest possible speed. Furthermore, it has been shown that the worm scan traffic volume and the number of worm-infected computers exhibit exponentially increasing patterns.

LITERATURE SURVEY:

Worm:

A computer worm is a self-replicating malware computer program. It uses a computer network to send copies of itself to other nodes (computers on the network), and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer. Many worms that have been created are only designed to spread, and don't attempt to alter the systems they pass through. However, as the Morris worm and Mydoom showed, the network traffic and other unintended effects can often cause major disruption. A "payload" is code designed to do more than spread the worm; it might delete files on a host system (e.g., the ExploreZip worm), encrypt files in a cryptoviral extortion attack, or send documents via e-mail. A very common payload for worms is to install a backdoor in the infected computer to allow the creation of a "zombie" computer under the control of the worm author. Networks of such machines are often referred to as botnets and are very commonly used by spam senders for sending junk email or to cloak their website's address.[1] Spammers are therefore thought to be a source of funding for the creation of such worms,[2][3] and worm writers have been caught selling lists of IP addresses of infected machines.[4] Others try to blackmail companies with threatened DoS attacks.[5]

Backdoors can be exploited by other malware, including worms. Examples include Doomjuice, which spreads better using the backdoor opened by Mydoom, and at least one instance of malware taking advantage of the rootkit and backdoor installed by the Sony/BMG DRM software used on millions of music CDs prior to late 2005.

Camouflage:

Camouflage is a method of crypsis (avoidance of observation) that allows an otherwise visible organism or object to remain indiscernible from the surrounding environment through deception. Examples include a tiger's stripes, the battledress of a modern soldier, and a butterfly camouflaging itself as a leaf. The theory of camouflage covers the various strategies which are used to achieve this effect. Cryptic coloration is the most common form of camouflage, found to some extent in the majority of species. The simplest way is for an animal to be of a color similar to its surroundings. Examples include the "earth tones" of deer, squirrels, or moles (to match trees or dirt), or the combination of blue skin and white underbelly of sharks via countershading (which makes them difficult to detect from both above and below). More complex patterns can be seen in animals such as flounder, moths, and frogs, among many others.

Anomaly Detection:

Anomaly detection, also referred to as outlier detection[1] refers to detecting patterns in a given data set that do not conform to an established normal behavior.[2] The patterns thus detected are called anomalies and often translate to critical and actionable information in several application domains. Anomalies are also referred to as outliers, surprise, aberrant, deviation, peculiarity, etc.

Three broad categories of anomaly detection techniques exist. Supervised anomaly detection techniques learn a classifier using labeled instances belonging to the normal and anomaly classes, and then assign a normal or anomalous label to a test instance. Semi-supervised anomaly detection techniques construct a model representing normal behavior from a given normal training data set, and then test the likelihood that a test instance was generated by the learnt model. Unsupervised anomaly detection techniques detect anomalies in an unlabeled test data set under the assumption that the majority of the instances in the data set are normal. Anomaly detection is applicable in a variety of domains, such as intrusion detection, fraud detection, fault detection, system health monitoring, event detection in sensor networks, and detecting eco-system disturbances. It is often used in preprocessing to remove anomalous data from the dataset.

EXISTING SYSTEM

The C-Worm is quite different from traditional worms in that it camouflages any noticeable trends in the number of infected computers over time. The camouflage is achieved by manipulating the scan traffic volume of worm-infected computers. Such a manipulation of the scan traffic volume prevents the exhibition of any exponentially increasing trends, or even the crossing of thresholds, that are tracked by existing detection schemes.

DRAWBACK IN EXISTING SYSTEM

Although C-Worm scan traffic shows no noticeable trends in the time domain, it demonstrates a distinct pattern in the frequency domain. Specifically, there is an obvious concentration within a narrow range of frequencies. This concentration within a narrow range of frequencies is inevitable, since the C-Worm adapts to the dynamics of the Internet in a recurring manner in order to manipulate and control its overall scan traffic volume.

PROPOSED SYSTEM

We adopt frequency-domain analysis techniques and develop a detection scheme against wide spreading of the C-Worm. In particular, we develop a novel spectrum-based detection scheme that uses the Power Spectral Density (PSD) distribution of scan traffic volume in the frequency domain and its corresponding Spectral Flatness Measure (SFM) to distinguish the C-Worm traffic from non-worm traffic (background traffic).
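As an added illustration (not the project's own code), the PSD/SFM test sketched above is run in pure Python over two constructed scan-volume traces: one with random jitter only (background) and one whose volume is throttled up and down on a fixed period, standing in for the C-Worm's recurring scan-rate manipulation. The traces, the period of 16 intervals and the SFM threshold of 0.2 are assumptions for the demonstration.

```python
import math
import random

def power_spectral_density(x):
    """One-sided periodogram of a real series via a direct DFT (pure Python).
    The DC bin is dropped: the detector keys on fluctuations, not the mean level."""
    n = len(x)
    mean = sum(x) / n
    xc = [v - mean for v in x]
    psd = []
    for k in range(1, n // 2 + 1):
        re = sum(xc[t] * math.cos(2 * math.pi * k * t / n) for t in range(n))
        im = sum(xc[t] * math.sin(2 * math.pi * k * t / n) for t in range(n))
        psd.append((re * re + im * im) / n)
    return psd

def spectral_flatness(psd):
    """SFM = geometric mean / arithmetic mean of the PSD.  A flat, noise-like
    spectrum gives a value near 1; power concentrated in a few bins gives near 0."""
    eps = 1e-12
    n = len(psd)
    geo = math.exp(sum(math.log(p + eps) for p in psd) / n)
    return geo / (sum(psd) / n + eps)

def classify(trace, threshold=0.2):
    """Return (label, sfm, dominant_bin).  The threshold is an assumed tuning value."""
    psd = power_spectral_density(trace)
    sfm = spectral_flatness(psd)
    dominant = max(range(len(psd)), key=psd.__getitem__) + 1   # bins are numbered from 1
    return ("C-Worm" if sfm < threshold else "background", sfm, dominant)

# Constructed sample traces: scan-packet counts per monitoring interval, N = 256.
rng = random.Random(7)
N, PERIOD = 256, 16
# Background: roughly constant volume with random jitter and no structure.
BACKGROUND = [100 + rng.uniform(-20, 20) for _ in range(N)]
# C-Worm: same average volume, but throttled up and down every PERIOD intervals
# (a stand-in for the worm's recurring scan-rate manipulation) plus small jitter.
CWORM = [100 + 60 * math.sin(2 * math.pi * t / PERIOD) + rng.uniform(-5, 5)
         for t in range(N)]

if __name__ == "__main__":
    for name, trace in (("background", BACKGROUND), ("c-worm", CWORM)):
        label, sfm, k = classify(trace)
        print(f"{name}: SFM={sfm:.4f} dominant bin={k} -> {label}")
```

Both traces have the same mean volume, so a time-domain threshold on scan rate cannot separate them; the SFM does, and the dominant bin (N/PERIOD = 16) exposes the worm's control period.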

ADVANTAGES IN PROPOSED SYSTEM

Our evaluation data clearly demonstrate that our spectrum-based detection scheme achieves much better detection performance against the C-Worm propagation compared with existing detection schemes. Our evaluation also shows that our spectrum-based detection scheme is general enough to be used for effective detection of traditional worms as well.

System Architecture: (diagram; recovered labels: Centralized data center; Monitor 1, Monitor 2, Monitor 3; User 1 to User 5)

Data flow Diagram:

(diagram; recovered labels: Centralized data center; Monitor 1, Monitor 2; Client 1 to Client 4; IP address; Traffic logs; Message)

Module:

User

Monitoring

Centralized Data Center

Report Preparation

Report Distribution

Module Description:

User:

In this module, the user logs in to the centralized server for authentication. Once the client is treated as authorized, it can share data with its neighbors in the network.

Monitoring:

It monitors the transactions of the authorized clients and identifies the traffic log (IP addresses that are not commonly used, and dark IP addresses).

Centralized Data Center:

It will collect all the traffic logs from various network monitors for identifying the worms by their IP address.

Report Preparation:

The purpose of this module is to identify the actual worm by its ratio rather than by scan traffic time, in order to detect the active worm and the normal worm.

Report Distribution:

The centralized data center has to distribute the report logs (dark IP addresses) to all the users in the network.

User: (diagram; recovered labels: Data Center/Server, Client)

Monitoring: (diagram; recovered labels: Client 1 to Client n, Monitor)

Centralized Data Center: (diagram; recovered labels: Client 1, Monitor 1, Server)

Report Preparation: (diagram; recovered labels: Client 1, Monitor 1 to Monitor n, Server)

Report Distribution: (diagram; recovered labels: Client 1 to Client n, Monitor 1 to Monitor n, Server)

Use Case Diagram:

Class Diagram:

Sequence Diagram:

Collaboration Diagram:

Activity Diagram:

SYSTEM REQUIREMENTS

HARDWARE

PROCESSOR: Pentium IV 2.6 GHz / Intel Core 2 Duo

RAM: 512 MB DDR RAM

MONITOR: 15" color

HARD DISK: 40 GB

CD DRIVE: LG 52X

SOFTWARE

Front End: Java (Swing)

Back End: MS SQL 2000/05

Operating System: Windows XP/7

IDE: NetBeans, Eclipse

Conclusion:

In this paper we presented an analytical framework, based on Interactive Markov Chains, that can be used to study the dynamics of malware propagation on a network. The exact solution of a stochastic model intended to capture the probabilistic nature of malware propagation on an arbitrary topology appears to be a major challenge, because of the high computational complexity needed to analyze very large systems. However, one can resort to simple bounds and approximations in order to obtain a gross-level prediction of the system behavior that can help to understand important characteristics of malware propagation. Although we have focused on the modeling aspects of the problem, we believe our methodology can be usefully applied to evaluate different countermeasures against future malware activity, as well as fundamental issues in network vulnerability assessment. Moreover, the flexibility of the approach based on IMCs allows us to apply our work beyond the problem of malware spreading, addressing a wide variety of dynamic interactions on networks. Our modeling effort is to be considered a first step in a rather novel research area that we expect to gain more and more relevance in the near future.

Reference:

[1] D. Moore, C. Shannon, and J. Brown, "Code-Red: a case study on the spread and victims of an Internet worm," in Proceedings of the 2nd Internet Measurement Workshop (IMW), Marseille, France, November 2002.

[2] D. Moore, V. Paxson, and S. Savage, "Inside the Slammer worm," IEEE Security and Privacy magazine, July 2003.

[3] CERT, "CERT/CC advisories," http://www.cert.org/advisories/.

[4] P. R. Roberts, "Zotob Arrest Breaks Credit Card Fraud Ring," http://www.eweek.com/article2/0,1895,1854162,00.asp.

[5] "W32/MyDoom.B Virus," http://www.us-cert.gov/cas/techalerts/TA04-028A.html.

[6] "W32.Sircam.Worm@mm," http://www.symantec.com/avcenter/venc/data/[email protected].

Use Case Diagram (recovered labels): actors Centralized data center, User, Monitor; use cases UserLogin, Monitoring, DataCollection, Detection, Distribution.

Class Diagram (recovered labels):

DataCenter: userDetails, monitorDetails, authentication, dataCollection; getUserDetails(), acceptUsers(), provideAuthentication(), getDataCollection()

ClientMonitor: monitorDetails, ipAddress, portNumber, authentication; getAuthentication(), getMonitorDetails(), forwardToDataCenter()

User Login: userDetails, ipAddress, portNumber; getUserDetails(), getConnection(), dataTransfer()

DataDistribution: dataDistribution, ipAddress; collectIP(), dataDistribution()

WormDetection: userIP, monitorIP, findRatio, report; getUserIP(), getMonitorIP(), getWormRatio(), prepareReport()

Sequence and Collaboration Diagrams (recovered labels): participants Client, Monitor, DataCenter, LogCollection, LogDistribution; messages 1: Login, 2: Monitoring, 3: TrafficLog, 4: DetectWorm, 5: PrepareReport, 6: Distribution.

Activity Diagram (recovered labels): Start, DataCenter, Monitor, User, End.