Modeling and Detection of Camouflaging Worm

ABSTRACT
Active worms causes major security threats to the Internet. This is due to the ability of
active worms to propagate in an automated fashion as they continuously compromise computers
on the Internet. Active worms evolve during their propagation and thus pose great challenges to
defend against them. Here we investigate a new class of active worms, referred to as
Camouflaging Worm (C-Worm in short). The C-Worm is different from traditional worms
because of its ability to intelligently manipulate its scan traffic volume over time. Thereby, the CWorm camouflages its propagation from existing worm detection systems based on analyzing
the propagation traffic generated by worms. we design a novel spectrum-based scheme to detect
the C-Worm. Our scheme uses the Power Spectral Density (PSD) distribution of the scan traffic
volume and its corresponding Spectral Flatness Measure (SFM) to distinguish the C-Worm
traffic from background traffic.
INTRODUCTION:
An active worm refers to a malicious software program that propagates itself on the Internet to
infect other computers. The propagation of the worm is based on exploiting vulnerabilities of
computers on the Internet. Many real-world worms have caused notable damage on the Internet.
These worms include Code-Red worm in 2001 , Slammer worm in 2003 ,and
Witty/Sasser worms in 2004 . Many active worms are used to infect a large number of
computers and recruit them as bots or zombies, which are networked together to form botnets
These botnets can be used to: (a) launch massive Distributed Denial-of-Service (DDoS) attacks
that disrupt the Internet utilities , (b) access confidential information that can be misused ,
through large scale traffic sniffing, key logging, identity theft etc, (c) destroy data that has a high
monetary value , and (d) distribute large-scale unsolicited advertisement emails (as spam) or
software (as malware).There is evidence showing that infected computers are being rented out as
Botnets for creating an entire black-market industry for renting, trading, and managing
owned computers,leading to economic incentives for attackers . Researchers also showed

possibility of super-botnets, networks of independent botnets that can be coordinated for

attacks of unprecedented scale .For an adversary, super botnets would also be extremely versatile
and resistant to counter measures. Due to the substantial damage caused by worms in the past
years, there have been significant efforts on developing detection and defense mechanisms
against worms. A network based worm detection system plays a major role by monitoring,
collecting, and analyzing the scan traffic (messages to identify vulnerable computers) generated
during worm attacks. In this system, the detection is commonly based on the self propagating
behavior of worms that can be described as follows: after a worm-infected computer identifies
and infects a vulnerable computer on the Internet, this newly infected computer1 will
automatically and continuously scan several IP addresses to identify and infect other vulnerable
computers. As such, numerous existing detection schemes are based on a tacit assumption that
each worm-infected computer keeps scanning the Internet and propagates itself at the highest
possible speed. Furthermore, it has been shown that the worm scan traffic volume and the
number of worm-infected computers exhibit exponentially increasing patterns .
LITERATURE SURVEY:
Worm:

A computer worm is a self-replicating malware computer program. It uses a computer

network to send copies of itself to other nodes (computers on the network) and it may do so
without any user intervention. This is due to security shortcomings on the target computer.
Unlike a virus, it does not need to attach itself to an existing program. Worms almost always
cause at least some harm to the network, if only by consuming bandwidth, whereas viruses
almost always corrupt or modify files on a targeted computer. Many worms that have been
created are only designed to spread, and don't attempt to alter the systems they pass through.
However, as the Morris worm and Mydoom showed, the network traffic and other unintended
effects can often cause major disruption. A "payload" is code designed to do more than spread
the wormit might delete files on a host system (e.g., the ExploreZip worm), encrypt files in a
cryptoviral extortion attack, or send documents via e-mail. A very common payload for worms is
to install a backdoor in the infected computer to allow the creation of a "zombie" computer under
control of the worm author. Networks of such machines are often referred to as botnets and are

very commonly used by spam senders for sending junk email or to cloak their website's address.
[1]

Spammers are therefore thought to be a source of funding for the creation of such worms,[2][3]

and the worm writers have been caught selling lists of IP addresses of infected machines.[4]
Others try to blackmail companies with threatened DoS attacks.[5]
Backdoors can be exploited by other malware, including worms. Examples include Doomjuice,
which spreads better using the backdoor opened by Mydoom, and at least one instance of
malware taking advantage of the rootkit and backdoor installed by the Sony/BMG DRM
software utilized by millions of music CDs prior to late 2005.[dubious discuss]
Camouflage:
Which is

a method of crypsisavoidance of observationthat allows an otherwise visible

organism or object to remain indiscernible from the surrounding environment through deception.
Examples include a tiger's stripes, the battledress of a modern soldier and a butterfly
camouflaging itself as a leaf. The theory of camouflage covers the various strategies which are
used to achieve this effect Cryptic coloration is the most common form of camouflage, found to
some extent in the majority of species. The simplest way is for an animal to be of a color similar
to its surroundings. Examples include the "earth tones" of deer, squirrels, or moles (to match
trees or dirt), or the combination of blue skin and white underbelly of sharks via countershading
(which makes them difficult to detect from both above and below). More complex patterns can
be seen in animals such as flounder, moths, and frogs, among many others.
Anomaly Detection:

Anomaly detection, also referred to as outlier detection[1] refers to detecting patterns in a given
data set that do not conform to an established normal behavior.[2] The patterns thus detected are
called anomalies and often translate to critical and actionable information in several application
domains. Anomalies are also referred to as outliers, surprise, aberrant, deviation, peculiarity, etc.
Three broad categories of anomaly detection techniques exist. Supervised anomaly detection
techniques learn a classifier using labeled instances belonging to normal and anomaly class, and
then assign a normal or anomalous label to a test instance. Semi-supervised anomaly detection

techniques construct a model representing normal behavior from a given normal training data set,
and then test the likelihood of a test instance to be generated by the learnt model. Unsupervised
anomaly detection techniques detect anomalies in an unlabeled test data set under the assumption
that majority of the instances in the data set are normal. Anomaly detection is applicable in a
variety of domains, such as intrusion detection, fraud detection, fault detection, system health
monitoring, event detection in sensor networks, and detecting eco-system disturbances. It is often
used in preprocessing to remove anomalous data from the dataset.

EXISTING SYSTEM

The C-Worm is quite different from traditional worms in which it camouflages any
noticeable trends in the number of infected computers over time. The camouflage is achieved by
manipulating the scan traffic volume of worm-infected computers. Such a manipulation of the
scan traffic volume prevents exhibition of any exponentially increasing trends or even crossing
of thresholds that are tracked by existing detection schemes.

DRAWBACK IN EXISTING SYSTEM

C-Worm scan traffic shows no noticeable trends in the time domain, it demonstrates a
distinct pattern in the frequency domain. Specifically, there is an obvious concentration within a
narrow range of frequencies. This concentration within a narrow range of frequencies is
inevitable since the C-Worm adapts to the dynamics of the Internet in a recurring manner for
manipulating and controlling its overall scan traffic volume.
PROPOSED SYSTEM
we adopt frequency domain analysis techniques and develop a detection scheme against Widespreading of the C-Worm. Particularly, we develop a novel spectrum-based detection scheme that
uses the Power Spectral Density (PSD) distribution of scan traffic volume in the frequency
domain and its corresponding Spectral Flatness Measure (SFM) to distinguish the C-Worm
traffic from non worm traffic (background traffic).
ADVANTAGES IN PROPOSED SYSTEM

Our evaluation data clearly demonstrate that our spectrum-based detection scheme achieves
much better detection performance against the C-Worm propagation compared with existing
detection schemes. Our evaluation also shows that our spectrum-based detection scheme is
general enough to be used for effective detection of traditional worms as well.

Centralized data center

System Architecture:
Monitor 1

User 1

Monitor 2

User 2

Monitor 3

User 4

User 3

User 5

Data flow Diagram:

Centralized data center

Traffic logs

Traffic logs

Monitor 1

Monitor 2

IP address

IP address
Message

Client 1

Module:
User
Monitoring

Client 2

Client 3

Client 4

Centralized Data Center

Report Preparation
Report Distribution
Module Description:
User:
In this module user can login to the centralized server for
authentication, once the client is treated as authorized then it can share data
with the neighbors in the network.
Monitoring:
It will monitor the authorized clients for their transaction and it will
identify the traffic log (IP address which are not commonly used and dark IP
address).
Centralized Data Center:
It will collect all the traffic logs from various network monitors for
identifying the worms by their IP address.
Report Preparation:
The purpose of this module is to identify the actual worm by its ratio
not by scan traffic time in order to detect the active worm and the normal
worm.
Report Distribution:
The centralized data center has to distribute the report logs (dark IP
address) to all the users in the network.

User:

Data
Center

Client

Server

Monitoring:
Client 1

Monitor

..

Client n

Centralized Data Center:

Client 1
Monitor 1
Client 1

Client 1
Monitor 1

..

Client 1

Report Preparation:

Client 1

Client 1

Server

Monitor n

Server
.

Report Distribution

Server

Monitor 1

Client 1

Client n
Client 1

Monitor n

.
Client n

Use Case Diagram:

UserLogin

Monitoring

Centralized data
center

Monitor

DataCollection

Detection
User

Distribution

Class Diagram:

DataCenter
userDetails
monitorDetails
authentication
dataCollection

WormDetection
userIP
monitorIP
findRatio
report

getUserDetails()
acceptUsers()
provideAuthentication()
getDataCollection()

User Login
userDetails
ipAddress
portNumber
getUserDetails()
getConnection()
dataTransfer()

getUserIP()
getMonitorIP()
getWormRatio()
prepareReport()

ClientMonitor
monitorDetails
ipAddress
portNumber
authentication
getAuthentication()
getMonitorDetails()
forwardToDataCenter()

DataDistribution
dataDistribution
ipAddress
collectIP()
dataDistribution()

Sequence Diagram:

DataCenter

Monitor

LogCollection

LogDistribution

Login

Monitoring

TrafficLog

DetectWorm

PrepareReport

Distribution

Collaboration Diagram:

Client

Monitor

4: DetectWorm
DataCen
ter

3: TrafficLog

LogColle
ction
2: Monitoring

5: PrepareReport
1: Login
6: Distribution
LogDistri
bution

Activity Diagram:

Client

Start

DataCenter

Monitor

User

End

SYSTEM REQUIREMENTS
HARDWARE

PROCESSOR

PENTIUM IV 2.6 GHz, Intel Core 2 Duo.

RAM

512 MB DD RAM

MONITOR

15 COLOR

HARD DISK

40 GB

CDDRIVE

LG 52X

Front End

JAVA (SWINGS)

Back End

MS SQL 2000/05

Operating System

Windows XP/07

IDE

Net Beans, Eclipse

SOFTWARE

Conclusion:
In this paper we presented an analytical framework, based on Interactive
Markov Chains, that can be used to study the dynamics of malware propagation on
a network. The exact solution of a stochastic model intended to capture the
probabilistic nature of malware propagation on an arbitrary topology appears to be
a major challenge, because of the high computational complexity necessary to
analyze very large systems. However, one can resort to simple bounds and
approximations in order to obtain a gross-level prediction of the system behavior
that can help to understand important characteristics of malware propagation.
Although we have focused on the modeling aspects of the problem, we believe our
methodology can be usefully applied to evaluate different countermeasures against

future malware activity, as well as fundamental issues on network vulnerability

assessment. Moreover, the flexibility of the approach based on IMCs allows to
apply our work beyond the problem of malware spreading, addressing a wide
variety of dynamic interactions on networks. Our modeling effort is to be
considered a first step in a rather novel research area that we expect to gain more
and more relevance in the next future.
Reference:
[1] D. Moore, C. Shannon, and J. Brown, Code-red: a case study on the spread and victims of
an internet worm, in Proceedings of the 2-th Internet Measurement Workshop (IMW),
Marseille, France, November 2002.
[2] D. Moore, V. Paxson, and S. Savage, Inside the slammer worm, in IEEE Magazine of
Security and Privacy, July 2003.
[3] CERT, CERT/CC advisories, http://www.cert.org/advisories/.
[4] P. R. Roberts, Zotob Arrest Breaks Credit Card Fraud Ring,
http://www.eweek.com/article2/0,1895,1854162,00.asp.
[5] W32/MyDoom.B Virus, http://www.us-cert.gov/cas/techalerts/ TA04-028A.html.
[6] W32.Sircam.Worm@mm,
http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html.