Transcript

A Project Review

On

MODELING AND DETECTION OF CAMOUFLAGING WORM

Abstract

Active worms pose major security threats to the Internet.

Active worms continuously compromise computers on the Internet.

The C-Worm is different from traditional worms.

We analyze characteristics of the C-Worm.

We design a novel spectrum-based scheme to detect the C-Worm.

Cont…

The scheme uses the Power Spectral Density (PSD) distribution of scan traffic and its Spectral Flatness Measure (SFM) to distinguish the C-Worm traffic from background traffic.

Our spectrum-based scheme is general enough to effectively detect not only the C-Worm but traditional worms as well.

Literature Review

Code-Red Worm

Slammer Worm

Witty Worm

Code-Red Worm

From July 12, 2001, the Code-Red I worm began to exploit unpatched IIS web servers.

The worm generates a random list of IP addresses.

The 1st version of the Code-Red worm (Code-Red I v1), which is memory resident, began to infect hosts running unpatched versions of Microsoft’s IIS web server.

The 2nd version, Code-Red I v2, uses a random seed in its pseudo-random number generator.

Methodology


Slammer Worm

Slammer (sometimes called Sapphire) was the fastest computer worm in history. The worm infected more than 90 percent of vulnerable hosts within 10 minutes. Slammer’s most novel feature is its propagation speed. By comparison, Slammer was two orders of magnitude faster than the Code Red worm. The worm’s spreading strategy uses random scanning. For a random-scanning worm to be effective, it needs a good source of random numbers to select new attack targets.

Cont…

Slammer uses a linear congruential, or power residue, pseudo-random number generation (PRNG) algorithm. These algorithms take the form x' = (x × a + b) mod m, where x' is the new pseudo-random number to be generated, x is the last pseudo-random number generated, m represents the range of the result, and a and b are carefully chosen constants.
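To make the generator in the formula above concrete, here is a small Python example added for this review; it is not code from the slides or from the Slammer analysis they summarize. It implements x' = (x × a + b) mod m, counts how many distinct values a given choice of (a, b, m) visits from a seed before it repeats one, and checks the Hull-Dobell conditions under which a linear congruential generator cycles through every value of its range. The constants used below are constructed toy values chosen to illustrate the two cases, not any worm's parameters.

```python
import math


def lcg_next(x, a, b, m):
    """One step of the generator in the slide: x' = (x * a + b) mod m."""
    return (x * a + b) % m


def distinct_outputs(a, b, m, seed):
    """Count the distinct values the generator visits starting from `seed`
    before it repeats one, i.e. how much of the range 0..m-1 it covers."""
    seen = set()
    x = seed
    while x not in seen:
        seen.add(x)
        x = lcg_next(x, a, b, m)
    return len(seen)


def prime_factors(m):
    """Distinct prime factors of m by trial division (m is small here)."""
    factors = set()
    d = 2
    while d * d <= m:
        while m % d == 0:
            factors.add(d)
            m //= d
        d += 1
    if m > 1:
        factors.add(m)
    return factors


def has_full_period(a, b, m):
    """Hull-Dobell theorem: the generator visits all m values from every seed
    iff b is coprime to m, a-1 is divisible by every prime factor of m, and
    a-1 is divisible by 4 whenever m is."""
    if math.gcd(b, m) != 1:
        return False
    if any((a - 1) % p != 0 for p in prime_factors(m)):
        return False
    if m % 4 == 0 and (a - 1) % 4 != 0:
        return False
    return True


if __name__ == "__main__":
    # Constructed toy parameters: m = 16 stands in for the address range.
    for a, b, m in ((5, 3, 16), (4, 3, 16)):
        print(f"a={a} b={b} m={m}: full period={has_full_period(a, b, m)}, "
              f"values covered from seed 0={distinct_outputs(a, b, m, 0)}")
```

A generator that does not have full period revisits some values and never reaches others, which is the sense in which the slide says a random-scanning worm needs a good source of random numbers; the same period check is useful when auditing any code that relies on an LCG for sampling or coverage.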


Witty Worm

The worm took advantage of a security flaw in ISS firewall applications.

Network telescope

ISS vulnerability

Witty worm details

Witty worm spread


Introduction to Proposed Project

An active worm refers to a malicious software program that propagates itself on the Internet to infect other computers.

1. Launch massive Distributed Denial-of-Service (DDoS) attacks that disrupt the Internet utilities,

2. Access confidential information that can be misused through large-scale traffic sniffing, key logging, identity theft, etc.,

3. Destroy data that has a high monetary value, and

4. Distribute large-scale unsolicited advertisement emails (as spam) or software (as malware).

Cont…

Worms that adopt such smart attack strategies could exhibit overall scan traffic patterns different from those of traditional worms.

We conduct a systematic study on a new class of such smart worms, denoted as Camouflaging Worm (C-Worm for short).

The camouflage is achieved by manipulating the scan traffic volume of worm infected computers.

Cont…

We propose a novel spectrum-based detection scheme that uses the Power Spectral Density (PSD) distribution of scan traffic volume in the frequency domain and its corresponding Spectral Flatness Measure (SFM) to distinguish the C-Worm traffic from non-worm traffic (background traffic).

Cont…

Furthermore, we demonstrate the effectiveness of our spectrum-based detection scheme in comparison with existing worm-detection schemes. We define several new metrics. Maximal Infection Ratio (MIR) quantifies the infection damage caused by a worm before it is detected. Other metrics include Detection Time (DT) and Detection Rate (DR).

Existing System

Existing detection schemes are based on a tacit assumption that each worm-infected computer keeps scanning the Internet and propagates itself at the highest possible speed.

Threshold-based detection and trend-based detection have been developed to detect the large-scale propagation of worms on the Internet.

The scheme adopts the distribution of attack targets as the basic detection data to capture the key feature of worm propagation.

Proposed System

We demonstrate the effectiveness of the C-Worm against existing traffic-volume-based detection schemes, and show that our detection scheme captures the distinct pattern of the C-Worm in the frequency domain.

To identify the C-Worm propagation we use the distribution of Power Spectral Density (PSD) and its corresponding Spectral Flatness Measure (SFM) of the scan traffic.
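The PSD/SFM scheme summarized here and in the abstract can be exercised with a short Python example, added for this review; it is not the authors' implementation. It computes the PSD of a scan-volume time series with a direct DFT, derives the SFM as the ratio of the geometric mean to the arithmetic mean of the PSD bins, and compares two constructed series: noise-like background traffic, and traffic in which infected hosts switch their scanning on and off together. The synthetic series, the window length of 256 samples and the decision threshold of 0.25 are assumptions made for the demonstration, not values from the project.

```python
import cmath
import math
import random


def power_spectral_density(series):
    """One-sided PSD of a real-valued scan-volume series, by direct DFT.

    The DC bin (the mean traffic level) is removed so that the flatness
    measure reflects the shape of the spectrum, not the amount of traffic.
    """
    n = len(series)
    mean = sum(series) / n
    centered = [x - mean for x in series]
    psd = []
    for k in range(1, n // 2 + 1):
        coeff = sum(x * cmath.exp(-2j * math.pi * k * t / n)
                    for t, x in enumerate(centered))
        psd.append(abs(coeff) ** 2 / n)
    return psd


def spectral_flatness(psd):
    """SFM = geometric mean / arithmetic mean of the PSD bins.

    A flat, noise-like spectrum gives a value near 1; a spectrum whose
    power sits in a few peaks gives a value near 0.
    """
    eps = 1e-12  # keeps log() defined when a bin is exactly zero
    arithmetic = sum(psd) / len(psd)
    if arithmetic <= 0.0:
        return 1.0  # no power at all: treat as flat
    geometric = math.exp(sum(math.log(p + eps) for p in psd) / len(psd))
    return geometric / arithmetic


def synthetic_background(n, rng, mean=100.0, noise=10.0):
    """Constructed sample: background scan volume as noise around a mean."""
    return [max(0.0, rng.gauss(mean, noise)) for _ in range(n)]


def synthetic_cworm(n, rng, period=16, duty=0.5, burst=300.0,
                    mean=100.0, noise=10.0):
    """Constructed sample: the same background plus infected hosts that
    switch scanning on and off together, so the aggregate volume oscillates."""
    series = []
    for t in range(n):
        volume = rng.gauss(mean, noise)
        if (t % period) < period * duty:
            volume += burst
        series.append(max(0.0, volume))
    return series


def looks_like_cworm(series, threshold=0.25):
    """Flag a window whose SFM falls below the threshold (assumed value; a
    deployment would calibrate it on traffic known to be clean)."""
    return spectral_flatness(power_spectral_density(series)) < threshold


def demo_scores(seed=1, n=256):
    """Return (background SFM, C-Worm-like SFM) for one constructed run."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    background = synthetic_background(n, rng)
    cworm = synthetic_cworm(n, rng)
    return (spectral_flatness(power_spectral_density(background)),
            spectral_flatness(power_spectral_density(cworm)))


if __name__ == "__main__":
    sfm_background, sfm_cworm = demo_scores()
    print(f"background  SFM={sfm_background:.3f}")
    print(f"C-Worm-like SFM={sfm_cworm:.3f}")
```

The on/off manipulation concentrates the scan volume's power in a few frequency bins, which drives the SFM toward 0, while background traffic whose variation is noise-like keeps a comparatively high SFM. A real monitor would evaluate this over sliding windows of the traffic volume and pick the threshold from the SFM distribution of known-clean windows rather than from a fixed constant.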

Software Requirement Specifications

HARDWARE REQUIREMENTS

PROCESSOR : PENTIUM IV 2.6 GHz, Intel Core 2 Duo
RAM : 512 MB DDR RAM
MONITOR : 15” COLOR
HARD DISK : 40 GB
CD DRIVE : LG 52X

SOFTWARE REQUIREMENTS

Front End : JAVA (Swing)
Back End : MS SQL 2000/05
Operating System : Windows XP/7
IDE : NetBeans, Eclipse

References

1. D. Moore, C. Shannon, and J. Brown, “Code-Red: A Case Study on the Spread and Victims of an Internet Worm,” Proc. Second Internet Measurement Workshop (IMW), Nov. 2002.

2. D. Moore, V. Paxson, and S. Savage, “Inside the Slammer Worm,” IEEE Security and Privacy Magazine, July 2003.

3. CERT, CERT/CC Advisories, http://www.cert.org/advisories/, 2010.

4. J. Ma, G.M. Voelker, and S. Savage, “Self-Stopping Worms,” Proc. ACM Workshop Rapid Malcode (WORM), Nov. 2005.

Presented by

M. Nagaraju

M.Tech (CSE) 2nd Year
