Abstract:-
Active worms pose major security threats to the
Internet. This is due to the ability of active worms to propagate in an automated
fashion as they continuously compromise computers on the Internet. Active worms
evolve during their propagation and thus pose great challenges to defend
against them. In this paper, we investigate a new class of active worms,
referred to as Camouflaging Worm (C-Worm in short). The C-Worm is different
from traditional worms because of its ability to intelligently manipulate its
scan traffic volume over time. Thereby, the C-Worm camouflages its propagation
from existing worm detection systems based on analyzing the propagation traffic
generated by worms. We analyze characteristics of the C-Worm and conduct a
comprehensive comparison between its traffic and non-worm traffic (background
traffic). We observe that these two types of traffic are barely distinguishable
in the time domain. However, their distinction is clear in the frequency
domain, due to the recurring manipulative nature of the C-Worm. Motivated by
our observations, we design a novel spectrum-based
scheme to detect the C-Worm. Our scheme uses the Power Spectral Density
(PSD) distribution of the scan traffic volume and its corresponding Spectral
Flatness Measure (SFM) to distinguish the C-Worm traffic from background
traffic. Using a comprehensive set of detection metrics and real-world traces
as background traffic, we conduct extensive performance evaluations on our proposed
spectrum-based detection scheme. The performance data clearly demonstrates that
our scheme can effectively detect the C-Worm propagation. Furthermore, we show
the generality of our spectrum-based scheme in effectively detecting not only
the C-Worm, but traditional worms as well.
Existing System
Existing worm detection schemes are not able to detect the manipulated scan traffic patterns of such a camouflaging worm, so it is important to understand such smart worms and to develop new countermeasures against them.
Existing detection schemes rest on a tacit assumption that each worm-infected computer keeps scanning the Internet and propagates itself at the highest possible speed. Furthermore, it has been shown that the worm scan traffic volume and the number of worm-infected computers exhibit exponentially increasing patterns. Nevertheless, attackers are crafting attack strategies intended to defeat existing worm detection systems. In particular, 'stealth' is one such strategy: a recently discovered active worm called the "Attack" worm and the "self-stopping" worm circumvent detection by hibernating (i.e., stopping propagation) for a predetermined period. A worm might also use evasive scanning and traffic morphing techniques to hide from detection.
Proposed System
Besides worm detection schemes that rely on a global scan traffic monitor to detect anomalous traffic behavior, there are other worm detection and defense schemes, such as sequential hypothesis testing for detecting worm-infected computers and payload-based worm signature detection. Prior work has presented both theoretical modeling and experimental results on a collaborative worm signature generation system that employs distributed fingerprint filtering and aggregation across multiple edge networks, and a state-space feedback control model that detects and controls the spread of viruses or worms by measuring the velocity of the number of new connections an infected computer makes. Despite these different approaches, we believe that detecting wide-scanning anomalous behavior continues to be a useful weapon against worms, and that in practice a multifaceted defense has advantages.
Modules
1. C-Worm Detection Module
Camouflaging Worm (C-Worm).
The C-Worm has a self-propagating behavior similar to traditional worms, i.e., it intends to rapidly infect as many vulnerable computers as possible. However, the C-Worm differs from traditional worms in that it camouflages any noticeable trend in the number of infected computers over time. The camouflage is achieved by manipulating the scan traffic volume of worm-infected computers. Such manipulation of the scan traffic volume prevents the appearance of any exponentially increasing trend, or even the crossing of thresholds, that existing detection schemes track.
2. Worm Detection Module (Anomaly Detection)
Worms are malicious programs that execute on compromised computers, so analyzing the behavior of worm executables plays an important role in host-based detection systems; many detection schemes fall under this category. In contrast, network-based detection systems detect worms primarily by monitoring, collecting, and analyzing the scan traffic (messages sent to identify vulnerable computers) generated by worm attacks; many detection schemes fall under this category as well. Ideally, security vulnerabilities should be prevented to begin with, a problem that must be addressed by the programming language community. However, while vulnerabilities exist and pose threats of large-scale damage, it is critical to also focus on network-based detection, as this work does, to detect widely spreading worms.
3. Pure Random Scan (PRS) Module
Under pure random scan (PRS), each infected computer chooses its scan targets uniformly at random from the address space. The C-Worm can be extended to defeat other newly developed detection schemes, such as destination-distribution-based detection. Recall that attack-target-distribution-based schemes analyze the distribution of attack targets (the scanned destination IP addresses) as their basic detection data, in order to capture a fundamental feature of worm propagation: infected computers continuously scan different targets.
4. Worm Propagation Module
The worm scan traffic volume in an open-loop control system has a much higher probability of showing an increasing trend as worm propagation progresses: as more and more computers get infected, they in turn take part in scanning other computers. Hence, we consider the C-Worm a worst-case attack scenario, one that uses closed-loop control to regulate the propagation speed based on feedback about the propagation status.
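The two ideas this page leans on, the open-loop versus closed-loop scan volume contrast in this module and the PSD/SFM detector from the abstract, carried through as an added Python example. This is not code from the paper: the toy epidemic model, the address space and vulnerable-host count, the Gaussian background traffic, the control parameters (M_c, the range of P(t), the control interval) and the SFM threshold are all assumed, illustrative values, and the closed-loop worm is assumed to know the current infected count I(t) when it sets each host's rate to M_c*P(t)/I(t). The PSD is estimated with an averaged periodogram (Welch's method, rectangular window) over a direct DFT so the script needs only the standard library.

```python
"""Spectrum-based C-Worm detection on constructed scan-volume traces.

Added example, not code from the paper. Simulates a traditional (open-loop)
worm and a C-Worm-style (closed-loop) worm over a toy address space, adds
constructed background scan traffic, estimates the PSD of the monitored
scan volume and flags traces whose Spectral Flatness Measure is low.
"""
import cmath
import math
import random

# Illustrative parameters (assumed, not from the paper).
ADDR_SPACE = 2 ** 24             # scanned address space
VULNERABLE = 50_000              # vulnerable hosts in that space
STEPS = 1024                     # monitoring intervals per trace
SEGMENT = 64                     # Welch segment length for PSD averaging
BG_MEAN, BG_STD = 5000.0, 400.0  # constructed background scans per interval
SFM_THRESHOLD = 0.6              # assumed threshold; calibrate on real background traces


def background(n, rng):
    """Constructed non-worm scan volume: Gaussian noise around a constant mean."""
    return [max(0.0, rng.gauss(BG_MEAN, BG_STD)) for _ in range(n)]


def simulate_worm(closed_loop, seed, per_host_rate=20.0,
                  target_volume=4000.0, control_interval=16):
    """Return (worm scans per interval, infected hosts per interval).

    Open loop:   every infected host scans at per_host_rate, so the total
                 volume grows with the infected population.
    Closed loop: the population shares a budget M_c * P(t), with P(t) redrawn
                 every control_interval; each host scans M_c*P(t)/I(t), so the
                 total carries no trend but a recurring manipulation.
    """
    rng = random.Random(seed)
    infected = 10.0
    p = 1.0
    volume, infected_trace = [], []
    for t in range(STEPS):
        if closed_loop:
            if t % control_interval == 0:
                p = rng.uniform(0.1, 1.0)    # random control parameter P(t)
            scans = target_volume * p        # == (M_c*P(t)/I(t)) * I(t), I(t) assumed known
        else:
            scans = infected * per_host_rate
        # Toy epidemic step: each scan hits a uniformly random address.
        hit_prob = 1.0 - math.exp(-scans / ADDR_SPACE)
        infected += (VULNERABLE - infected) * hit_prob
        volume.append(scans)
        infected_trace.append(infected)
    return volume, infected_trace


def welch_psd(series, segment=SEGMENT):
    """Averaged periodogram (rectangular window); positive non-DC bins only."""
    nseg = len(series) // segment
    bins = [0.0] * (segment // 2)
    for s in range(nseg):
        seg = series[s * segment:(s + 1) * segment]
        mean = sum(seg) / segment
        x = [v - mean for v in seg]          # drop DC so the traffic level does not dominate
        for k in range(1, segment // 2 + 1):
            acc = sum(x[t] * cmath.exp(-2j * math.pi * k * t / segment)
                      for t in range(segment))
            bins[k - 1] += abs(acc) ** 2 / segment
    return [b / nseg for b in bins]


def spectral_flatness(psd):
    """SFM = geometric mean / arithmetic mean of the PSD (1.0 = flat, noise-like)."""
    pos = [v for v in psd if v > 0.0]
    geo = math.exp(sum(math.log(v) for v in pos) / len(pos))
    return geo / (sum(pos) / len(pos))


def detect(series):
    """Flag a monitored scan-volume trace whose spectrum is far from flat."""
    return spectral_flatness(welch_psd(series)) < SFM_THRESHOLD


def run_scenarios(seed=7):
    """SFM of the monitored volume for background alone and with each worm added."""
    bg = background(STEPS, random.Random(seed))
    trad, _ = simulate_worm(closed_loop=False, seed=seed + 1)
    cworm, _ = simulate_worm(closed_loop=True, seed=seed + 2)
    traces = {
        "background": bg,
        "traditional": [a + b for a, b in zip(bg, trad)],
        "cworm": [a + b for a, b in zip(bg, cworm)],
    }
    return {name: spectral_flatness(welch_psd(t)) for name, t in traces.items()}


if __name__ == "__main__":
    for name, sfm in run_scenarios().items():
        print(f"{name:12s} SFM={sfm:.3f} detected={sfm < SFM_THRESHOLD}")
    vol, inf = simulate_worm(closed_loop=True, seed=9)
    print(f"C-Worm: max volume {max(vol):.0f}, infected {inf[0]:.0f} -> {inf[-1]:.0f}")
```

Running the script shows the closed-loop worm's volume staying below M_c with no upward trend while its infected count keeps growing, which is exactly what a threshold or trend detector misses; the background trace alone gives an SFM close to 1 (white-noise periodogram bins averaged over 16 segments), whereas both worm traces pull the SFM well below the threshold because the recurring manipulation (and, for the traditional worm, the exponential ramp) concentrates power in the low-frequency bins. In practice the threshold would be calibrated against real background traces, as the paper does.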
System Requirements:
Hardware Requirements:
PROCESSOR : Pentium IV 2.6 GHz
RAM : 512 MB DDR RAM
MONITOR : 15" Color
HARD DISK : 20 GB
FLOPPY DRIVE : 1.44 MB
CD DRIVE : LG 52X
KEYBOARD : Standard 102 keys
MOUSE : 3 buttons
Software Requirements:
Front End : Java, JFC (Swing)
Tools Used : Eclipse 3.3
Operating System : Windows XP/7