A Project Review 1

On

MODELING AND DETECTION OF COMOUFLAGING WORM

Abstract

Active worms pose major security threats to the Internet. Active worms continuously compromise computers on the Internet. The C-Worm is different from traditional worms. We analyze characteristics of the C-Worm. We design a novel spectrum-based scheme to detect the C-Worm.

Cont

Power Spectral Density (PSD) distribution and Spectral Flatness Measure (SFM) to distinguish the C-Worm traffic from background traffic.

The generality of our spectrum-based scheme in effectively detecting not only the C-Worm, but traditional worms as well.

Literature Review

Code-Red Worm Slammer Worm Witty Worm

Code Red Worm

From July 12, 2001, the Code-Red I worm began to exploit. The worm generates a random list of IP addresses. The 1st version of the Code-Red worm (Code-Red I v1) which is memory resistant. Began to infect hosts running unpatched versions of Microsofts IIS web server. The 2nd version is Code- Red I v2 uses a random seed in its pseudorandom number generator.

Methodology

Cont

Cont

Cont

Slammer Worm

Slammer (sometimes called Sapphire) was the fastest computer worm in history. The worm infected more than 90 percent of vulnerable hosts within 10 minutes. Slammers most novel feature is its propagation speed. By comparison, Slammer was two orders of magnitude faster than the Code Red worm. The worms spreading strategy uses random scanning. For a random-scanning worm to be effective, it needs a good source of random numbers to select new attack targets.

Cont

Slammer uses a linear congruent, or power residue, pseudo random number generation (PRNG) algorithm. These algorithms take the form: x' = (x a + b) mod m, where x' is the new pseudo random number to be generated, x is the last pseudo random number generated, m represents the range of the result, and a

and b are carefully chosen constants.

Cont

Cont

Cont

Cont

Witty Worm

The worm took advantage of a security flaw in these firewall applications. Network telescope ISS vulnerability Witty worm details Witty worm spread

Cont

Cont

Cont

Introduction to Proposed Project

An active worm refers to a malicious software program that propagates itself on the Internet to infect other computers.

1. Launch massive Distributed Denial-of-Service (DDoS) attacks that disrupt the Internet utilities, 2. Access confidential information that can be misused through large-scale traffic sniffing, key logging, identity theft, etc., 3. Destroy data that has a high monetary value, and

4. Distribute large-scale unsolicited advertisement emails (as spam) or software (as malware).

Cont

Worms that adopt such smart attack strategies could exhibit overall scan traffic patterns different from those of traditional worms. We conduct a systematic study on a new class of such smartworms denoted as Camouflaging Worm (C-Worm in short). The camouflage is achieved by manipulating the scan traffic volume of worm infected computers.

Cont

A novel spectrum-based detection scheme that uses the Power Spectral Density (PSD) distribution of scan traffic volume in the frequency domain and its corresponding Spectral Flatness Measure (SFM) to distinguish the C-Worm traffic from non worm traffic (background traffic).

Cont

Furthermore, we demonstrate the effectiveness of our spectrum-based detection scheme in comparison with existing worm-detection schemes. We define several new metrics. Maximal Infection Ratio (MIR) is the one to quantify the infection damage caused by a worm before being detected. Other metrics include Detection Time (DT) and Detection Rate (DR).

Existing System

Existing detection schemes are based on a tacit assumption that each worm-infected computer keeps scanning the Internet and propagates itself at the highest possible speed. Threshold based detection and trend-based detection have been developed to detect the large scale propagation of worms in the Internet . The scheme adopts the distribution of attack targets as the basic detection data to capture the key feature of worm propagation.

Proposed System

We demonstrate effectiveness of the C-Worm against existing traffic volume-based detection schemes; our detection scheme captures the distinct pattern of the C-Worm in the frequency domain. To identify the C-Worm propagation we use the distribution of Power Spectral Density (PSD) and its corresponding Spectral Flatness Measure (SFM) of the scan traffic.

Software Requirement Specifications

HARDWARE REQUIREMENTS

PROCESSOR Core 2 Duo. RAM MONITOR : HARD DISK : CDDRIVE :

PENTIUM IV 2.6 GHz, Intel

: 512 MB DD RAM 15 COLOR 40 GB LG 52X

SOFTWARE REQUIREMENTS

Front End Back End Operating System IDE

: : : :

JAVA (SWINGS) MS SQL 2000/05 Windows XP/07 Net Beans, Eclipse

References
1.

D. Moore, C. Shannon, and J. Brown, Code-Red: A Case Study on the Spread and Victims of an Internet Worm, Proc. Second Internet Measurement Workshop (IMW), Nov. 2002. D. Moore, V. Paxson, and S. Savage, Inside the Slammer Worm, Proc. IEEE Magazine of Security and Privacy, July 2003. CERT, CERT/CC Advisories, http://www.cert.org/advisories/,2010.

2. 3.

4.

J. Ma, G.M. Voelker, and S. Savage, Self-Stopping Worms, Proc. ACM Workshop Rapid Malcode (WORM), Nov. 2005.