MJNS10 First Review1
ABSTRACT
Active worms pose major security threats to the Internet because of their ability to propagate
in an automated fashion as they continuously compromise computers on the Internet. Active worms
evolve during their propagation and thus pose great challenges to defending against them. Here we
investigate a new class of active worms, referred to as the Camouflaging Worm (C-Worm for short).
The C-Worm differs from traditional worms in its ability to intelligently manipulate its scan
traffic volume over time. Thereby, the C-Worm camouflages its propagation from existing worm
detection systems that analyze the propagation traffic generated by worms. We design a novel
spectrum-based scheme to detect the C-Worm. Our scheme uses the Power Spectral Density (PSD)
distribution of the scan traffic volume and its corresponding Spectral Flatness Measure (SFM) to
distinguish the C-Worm traffic from background traffic.
INTRODUCTION:
An active worm is a malicious software program that propagates itself on the Internet to
infect other computers. Worm propagation is based on exploiting vulnerabilities of computers on
the Internet. Many real-world worms have caused notable damage on the Internet, including the
Code-Red worm in 2001, the Slammer worm in 2003, and the Witty/Sasser worms in 2004. Many
active worms are used to infect a large number of computers and recruit them as bots or zombies,
which are networked together to form botnets. These botnets can be used to: (a) launch massive
Distributed Denial-of-Service (DDoS) attacks that disrupt Internet utilities, (b) access
confidential information that can be misused, through large-scale traffic sniffing, key logging,
identity theft, etc., (c) destroy data that has a high monetary value, and (d) distribute
large-scale unsolicited advertisement emails (as spam) or software (as malware). There is evidence
that infected computers are being rented out as botnets, creating an entire black-market industry
for renting, trading, and managing owned computers, which provides economic incentives for
attackers. Researchers also showed
very commonly used by spam senders for sending junk email or to cloak their website's address.
[1]
Spammers are therefore thought to be a source of funding for the creation of such worms,[2][3]
and worm writers have been caught selling lists of IP addresses of infected machines.[4]
Others try to blackmail companies with threatened DoS attacks.[5]
Backdoors can be exploited by other malware, including worms. Examples include Doomjuice,
which spreads better using the backdoor opened by Mydoom, and at least one instance of
malware taking advantage of the rootkit and backdoor installed by the Sony/BMG DRM
software used on millions of music CDs prior to late 2005.
Camouflage:
Camouflage is the means by which an organism or object remains indiscernible from the
surrounding environment through deception. Examples include a tiger's stripes, the battledress
of a modern soldier and a butterfly camouflaging itself as a leaf. The theory of camouflage covers
the various strategies which are used to achieve this effect. Cryptic coloration is the most
common form of camouflage, found to some extent in the majority of species. The simplest way is
for an animal to be of a color similar to its surroundings. Examples include the "earth tones" of
deer, squirrels, or moles (to match trees or dirt), or the combination of blue skin and white
underbelly of sharks via countershading (which makes them difficult to detect from both above and
below). More complex patterns can be seen in animals such as flounder, moths, and frogs, among
many others.
Anomaly Detection:
Anomaly detection, also referred to as outlier detection,[1] refers to detecting patterns in a
given data set that do not conform to an established normal behavior.[2] The patterns thus
detected are called anomalies and often translate to critical and actionable information in
several application domains. Anomalies are also referred to as outliers, surprises, aberrations,
deviations, peculiarities, etc.
Three broad categories of anomaly detection techniques exist. Supervised anomaly detection
techniques learn a classifier using labeled instances belonging to the normal and anomalous
classes, and then assign a normal or anomalous label to a test instance. Semi-supervised anomaly
detection techniques construct a model representing normal behavior from a given normal training
data set, and then test the likelihood that a test instance was generated by the learnt model.
Unsupervised anomaly detection techniques detect anomalies in an unlabeled test data set under
the assumption that the majority of the instances in the data set are normal. Anomaly detection
is applicable in a variety of domains, such as intrusion detection, fraud detection, fault
detection, system health monitoring, event detection in sensor networks, and detecting
ecosystem disturbances. It is often used in preprocessing to remove anomalous data from the
dataset.
EXISTING SYSTEM
The C-Worm is quite different from traditional worms in that it camouflages any
noticeable trends in the number of infected computers over time. The camouflage is achieved by
manipulating the scan traffic volume of worm-infected computers. Such a manipulation of the
scan traffic volume prevents the exhibition of any exponentially increasing trend, or even the
crossing of the thresholds that are tracked by existing detection schemes.
Although C-Worm scan traffic shows no noticeable trends in the time domain, it demonstrates a
distinct pattern in the frequency domain. Specifically, there is an obvious concentration within a
narrow range of frequencies. This concentration within a narrow range of frequencies is
inevitable, since the C-Worm adapts to the dynamics of the Internet in a recurring manner in
order to manipulate and control its overall scan traffic volume.
PROPOSED SYSTEM
We adopt frequency-domain analysis techniques and develop a detection scheme against the
wide-spreading of the C-Worm. Particularly, we develop a novel spectrum-based detection scheme
that uses the Power Spectral Density (PSD) distribution of the scan traffic volume in the
frequency domain and its corresponding Spectral Flatness Measure (SFM) to distinguish the C-Worm
traffic from non-worm traffic (background traffic).
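The following is an added worked example, not code from the original review, showing the detection idea described in the Existing System and Proposed System sections: a scan-volume series that never crosses a time-domain threshold can still be separated from background traffic by its PSD and SFM. The two input series are constructed here (Gaussian noise around a constant mean, with a recurring adjustment added for the camouflaged case); the period of 12 intervals, the SFM threshold of 0.3 and the volume threshold of 200 are assumptions chosen for illustration, not values from the paper.

```python
import math
import random


def periodogram(volumes):
    """One-sided periodogram estimate of the PSD of a scan-volume series.

    The DC bin is dropped after removing the mean, so the steady average
    volume does not dominate. Bin k corresponds to k/N cycles per interval.
    """
    n = len(volumes)
    mean = sum(volumes) / n
    x = [v - mean for v in volumes]
    psd = []
    for k in range(1, n // 2 + 1):
        re = sum(x[t] * math.cos(2 * math.pi * k * t / n) for t in range(n))
        im = sum(x[t] * math.sin(2 * math.pi * k * t / n) for t in range(n))
        psd.append((re * re + im * im) / n)
    return psd


def spectral_flatness(psd):
    """Spectral Flatness Measure: geometric mean / arithmetic mean of the PSD.

    Close to 1.0 for a flat, noise-like spectrum; close to 0 when the power
    concentrates in a narrow range of bins.
    """
    eps = 1e-12  # guard against log(0) on an exactly empty bin
    vals = [p + eps for p in psd]
    geo = math.exp(sum(math.log(v) for v in vals) / len(vals))
    return geo / (sum(vals) / len(vals))


def time_domain_alert(volumes, threshold):
    """Stand-in for a threshold-based scheme: alert if any interval exceeds threshold."""
    return max(volumes) > threshold


def spectrum_alert(volumes, sfm_threshold=0.3):
    """Spectrum-based decision: alert when the SFM falls below sfm_threshold.

    Returns (alert, sfm, dominant_bin) where dominant_bin is the 1-based
    frequency bin k carrying the most power.
    """
    psd = periodogram(volumes)
    sfm = spectral_flatness(psd)
    dominant = max(range(len(psd)), key=lambda i: psd[i]) + 1
    return sfm < sfm_threshold, sfm, dominant


def synthetic_series(kind, n=240, seed=7):
    """Constructed sample input (not measured traffic).

    'background': Gaussian noise around a constant mean volume.
    'camouflaged': the same noise plus a recurring adjustment every 12
    intervals, standing in for volume that is periodically re-tuned.
    """
    rng = random.Random(seed)
    series = []
    for t in range(n):
        v = 100.0 + rng.gauss(0.0, 10.0)
        if kind == "camouflaged":
            v += 30.0 * math.cos(2 * math.pi * t / 12)
        series.append(v)
    return series


if __name__ == "__main__":
    for kind in ("background", "camouflaged"):
        s = synthetic_series(kind)
        alert, sfm, k = spectrum_alert(s)
        print(f"{kind:12s} time-domain alert={time_domain_alert(s, 200)} "
              f"SFM={sfm:.3f} dominant bin={k} spectrum alert={alert}")
```

With N=240 samples a period of 12 intervals lands in bin k=20, so the camouflaged series shows one dominant bin and an SFM near 0.1, while the noise-only series stays well above the threshold; neither series trips the time-domain volume check, which is the point the Existing System section makes.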
ADVANTAGES IN PROPOSED SYSTEM
Our evaluation data clearly demonstrate that our spectrum-based detection scheme achieves
much better detection performance against the C-Worm propagation compared with existing
detection schemes. Our evaluation also shows that our spectrum-based detection scheme is
general enough to be used for effective detection of traditional worms as well.
System Architecture:
[Figure: system architecture diagram. Components shown: Users (User 1 to User 5), Monitors
(Monitor 1 to Monitor 3), Clients (Client 1 to Client 4), a Server and a Data Center, with
traffic logs, IP addresses and messages exchanged between them.]
Modules:
User: Client, Server, Data Center
Monitoring: Client 1 .. Client n, Monitor 1 .. Monitor n
Report Preparation: Client 1 .. Client n, Monitor 1 .. Monitor n, Server
Report Distribution: Server, Monitor 1 .. Monitor n, Client 1 .. Client n
[Figure: module flow. Stages shown: UserLogin, Monitoring, Centralized data center (Monitor,
DataCollection, Detection), User, Distribution.]
Class Diagram:
DataCenter
  attributes: userDetails, monitorDetails, authentication, dataCollection
  operations: getUserDetails(), acceptUsers(), provideAuthentication(), getDataCollection()
WormDetection
  attributes: userIP, monitorIP, findRatio, report
  operations: getUserIP(), getMonitorIP(), getWormRatio(), prepareReport()
User Login
  attributes: userDetails, ipAddress, portNumber
  operations: getUserDetails(), getConnection(), dataTransfer()
ClientMonitor
  attributes: monitorDetails, ipAddress, portNumber, authentication
  operations: getAuthentication(), getMonitorDetails(), forwardToDataCenter()
DataDistribution
  attributes: dataDistribution, ipAddress
  operations: collectIP(), dataDistribution()
Sequence Diagram:
[Figure: sequence diagram. Lifelines: DataCenter, Monitor, LogCollection, LogDistribution.
Messages in order: Login, Monitoring, TrafficLog, DetectWorm, PrepareReport, Distribution.]
Collaboration Diagram:
[Figure: collaboration diagram. Objects: Client, Monitor, DataCenter, LogCollection,
LogDistribution. Numbered messages: 1: Login, 2: Monitoring, 3: TrafficLog, 4: DetectWorm,
5: PrepareReport, 6: Distribution.]
Activity Diagram:
[Figure: activity diagram with swimlanes Client, DataCenter, Monitor and User, running from
Start to End.]
SYSTEM REQUIREMENTS
HARDWARE
PROCESSOR:
RAM: 512 MB DD RAM
MONITOR: 15 COLOR
HARD DISK: 40 GB
CD DRIVE: LG 52X
SOFTWARE
Front End: JAVA (SWINGS)
Back End: MS SQL 2000/05
Operating System: Windows XP/07
IDE:
Conclusion:
In this paper we presented an analytical framework, based on Interactive
Markov Chains, that can be used to study the dynamics of malware propagation on
a network. The exact solution of a stochastic model intended to capture the
probabilistic nature of malware propagation on an arbitrary topology appears to be
a major challenge, because of the high computational complexity necessary to
analyze very large systems. However, one can resort to simple bounds and
approximations in order to obtain a gross-level prediction of the system behavior
that can help to understand important characteristics of malware propagation.
Although we have focused on the modeling aspects of the problem, we believe our
methodology can be usefully applied to evaluate different countermeasures against