Abstract
Active worms pose major security threats to the Internet, continuously compromising computers connected to it. The C-Worm differs from traditional worms. We analyze the characteristics of the C-Worm and design a novel spectrum-based scheme to detect it.
Cont
We use the Power Spectral Density (PSD) distribution and the Spectral Flatness Measure (SFM) to distinguish C-Worm traffic from background traffic.
We also show the generality of our spectrum-based scheme: it effectively detects not only the C-Worm but traditional worms as well.
Literature Review
On July 12, 2001, the Code-Red I worm began to spread. The worm generates a random list of IP addresses to probe. The first version of the Code-Red worm (Code-Red I v1) is memory resident and began to infect hosts running unpatched versions of Microsoft's IIS web server. The second version, Code-Red I v2, uses a random seed in its pseudorandom number generator.
Methodology
Slammer Worm
Slammer (sometimes called Sapphire) was the fastest computer worm in history. The worm infected more than 90 percent of vulnerable hosts within 10 minutes. Slammer's most novel feature is its propagation speed: it was two orders of magnitude faster than the Code Red worm. The worm's spreading strategy uses random scanning. For a random-scanning worm to be effective, it needs a good source of random numbers to select new attack targets.
Cont
Slammer uses a linear congruent, or power residue, pseudo-random number generation (PRNG) algorithm. These algorithms take the form x' = (x * a + b) mod m, where x' is the new pseudo-random number to be generated, x is the last pseudo-random number generated, m represents the range of the result, and a
Witty Worm
The Witty worm took advantage of a security flaw in ISS firewall applications. Topics covered: network telescope, ISS vulnerability, Witty worm details, Witty worm spread.
1. Launch massive Distributed Denial-of-Service (DDoS) attacks that disrupt Internet utilities,
2. Access confidential information that can be misused, through large-scale traffic sniffing, key logging, identity theft, etc.,
3. Destroy data that has a high monetary value, and
4. Distribute large-scale unsolicited advertisement emails (as spam) or software (as malware).
Cont
Worms that adopt such smart attack strategies could exhibit overall scan traffic patterns different from those of traditional worms. We conduct a systematic study of a new class of such smart worms, denoted Camouflaging Worm (C-Worm for short). The camouflage is achieved by manipulating the scan traffic volume of worm-infected computers.
Cont
We propose a novel spectrum-based detection scheme that uses the Power Spectral Density (PSD) distribution of scan traffic volume in the frequency domain, and its corresponding Spectral Flatness Measure (SFM), to distinguish C-Worm traffic from non-worm traffic (background traffic).
Cont
Furthermore, we demonstrate the effectiveness of our spectrum-based detection scheme in comparison with existing worm-detection schemes. We define several new metrics: Maximal Infection Ratio (MIR) quantifies the infection damage caused by a worm before it is detected, and the other metrics are Detection Time (DT) and Detection Rate (DR).
Existing System
Existing detection schemes rest on a tacit assumption that each worm-infected computer keeps scanning the Internet and propagates itself at the highest possible speed. Threshold-based detection and trend-based detection have been developed to detect the large-scale propagation of worms on the Internet. Another existing scheme adopts the distribution of attack targets as its basic detection data to capture the key feature of worm propagation.
Proposed System
We demonstrate the effectiveness of the C-Worm against existing traffic-volume-based detection schemes; our detection scheme captures the distinct pattern of the C-Worm in the frequency domain. To identify C-Worm propagation we use the distribution of the Power Spectral Density (PSD) and its corresponding Spectral Flatness Measure (SFM) of the scan traffic.
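To make the PSD/SFM idea from the abstract and the proposed system concrete, here is an added Python example that is not from the paper: it computes the PSD of a scan-volume window by direct DFT, derives the SFM as the geometric over the arithmetic mean of that PSD, and applies an assumed cut-off to two constructed windows, one of unstructured background traffic and one whose volume is manipulated periodically the way a camouflaging worm would. The threshold value and the sample windows are assumptions for illustration.

```python
"""Spectrum-based scan-traffic classifier: PSD plus SFM, pure Python."""
import cmath
import math
import random


def psd(series):
    """Power Spectral Density of a scan-volume time series.
    The mean is removed and the DC bin dropped, so the constant traffic
    level does not dominate; returns |X[k]|^2 for k = 1..n/2."""
    n = len(series)
    mean = sum(series) / n
    x = [v - mean for v in series]
    spectrum = []
    for k in range(1, n // 2 + 1):
        coeff = sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
        spectrum.append(abs(coeff) ** 2)
    return spectrum


def sfm(spectrum, eps=1e-9):
    """Spectral Flatness Measure: geometric mean / arithmetic mean of the PSD.
    Noise-like (flat) spectra approach 1; spectra dominated by a few bins
    approach 0. eps guards log(0) on exactly empty bins."""
    geo = math.exp(sum(math.log(p + eps) for p in spectrum) / len(spectrum))
    arith = sum(spectrum) / len(spectrum)
    return geo / arith


SFM_THRESHOLD = 0.3  # assumed cut-off; calibrate on real background traffic


def looks_like_cworm(series):
    """Flag a window whose scan volume has a strongly non-flat spectrum."""
    return sfm(psd(series)) < SFM_THRESHOLD


def constructed_traffic(seed=1, n=512):
    """Constructed sample windows (not real measurements)."""
    rng = random.Random(seed)
    # Background: jittered but unstructured scan counts per interval.
    background = [50 + rng.uniform(-10, 10) for _ in range(n)]
    # C-Worm: infected hosts alternate 4 intervals scanning, 4 idle, so the
    # average volume (50) matches background but the pattern is periodic.
    cworm = [(60 if (t // 4) % 2 == 0 else 40) + rng.uniform(-1, 1)
             for t in range(n)]
    return background, cworm


if __name__ == "__main__":
    bg, cw = constructed_traffic()
    print("background SFM=%.3f  C-Worm SFM=%.3f" % (sfm(psd(bg)), sfm(psd(cw))))
```

Both windows have the same average volume, so a purely volume-based detector sees nothing; the periodic on/off manipulation concentrates spectral power in a few bins and drives the SFM toward zero.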
SOFTWARE REQUIREMENTS