A Project Review 1 On MODELING AND DETECTION OF CAMOUFLAGING WORM
Page 1: PPT for Project Review 1

A Project Review 1

On

MODELING AND DETECTION OF CAMOUFLAGING WORM

Page 2: PPT for Project Review 1

Abstract

Active worms pose major security threats to the Internet.

Active worms continuously compromise computers on the Internet.

The C-Worm is different from traditional worms.

We analyze characteristics of the C-Worm.

We design a novel spectrum-based scheme to detect the C-Worm.

Page 3: PPT for Project Review 1

Cont…

We use the Power Spectral Density (PSD) distribution and the Spectral Flatness Measure (SFM) to distinguish C-Worm traffic from background traffic.

We show the generality of our spectrum-based scheme, which effectively detects not only the C-Worm but traditional worms as well.

Page 4: PPT for Project Review 1

Literature Review

Code-Red Worm

Slammer Worm

Witty Worm

Page 5: PPT for Project Review 1

Code-Red Worm

From July 12, 2001, the Code-Red I worm began to exploit hosts running unpatched versions of Microsoft’s IIS web server.

The worm generates a random list of IP addresses.

The first version of the Code-Red worm (Code-Red I v1) is memory resident.

The second version, Code-Red I v2, uses a random seed in its pseudo-random number generator.

Page 6: PPT for Project Review 1

Methodology

Page 7: PPT for Project Review 1

Cont…

Page 8: PPT for Project Review 1

Cont…

Page 9: PPT for Project Review 1

Cont…

Page 10: PPT for Project Review 1

Slammer Worm

Slammer (sometimes called Sapphire) was the fastest computer worm in history. The worm infected more than 90 percent of vulnerable hosts within 10 minutes. Slammer’s most novel feature is its propagation speed: by comparison, Slammer was two orders of magnitude faster than the Code Red worm. The worm’s spreading strategy uses random scanning. For a random-scanning worm to be effective, it needs a good source of random numbers to select new attack targets.

Page 11: PPT for Project Review 1

Cont…

Slammer uses a linear congruential, or power residue, pseudo-random number generation (PRNG) algorithm. These algorithms take the form x' = (x × a + b) mod m, where x' is the new pseudo-random number to be generated, x is the last pseudo-random number generated, m represents the range of the result, and a and b are carefully chosen constants.
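The recurrence on this slide, implemented as an added example (not code from the presentation or from the worms it discusses). The constants a = 5, b = 3, m = 256 are constructed so the whole cycle is small enough to inspect; they are not Slammer's, which the slide does not give. The example shows two things a defender cares about: why the slide says a and b must be "carefully chosen" (a poor choice collapses the cycle far below m), and why the earlier slide singles out Code-Red I v2 for seeding its PRNG randomly (without a per-host seed, every instance walks the same sequence).

```python
# Constructed LCG constants for illustration only (NOT Slammer's); the
# modulus is kept tiny so the full cycle can be inspected by hand.
A, B, M = 5, 3, 256

def lcg(seed, a=A, b=B, m=M):
    """Generator for the recurrence on the slide: x' = (x * a + b) mod m."""
    x = seed % m
    while True:
        x = (x * a + b) % m
        yield x

def first_n(seed, n, a=A, b=B, m=M):
    """The first n outputs for a given seed, i.e. the order in which a
    random-scanning worm seeded this way would select its targets."""
    gen = lcg(seed, a, b, m)
    return [next(gen) for _ in range(n)]

def cycle_length(seed, a=A, b=B, m=M):
    """Length of the cycle the recurrence settles into from `seed`.
    It can never exceed m (the 'range of the result'); badly chosen
    a and b make it far shorter, so a scanner repeats itself quickly."""
    seen = {}
    x = seed % m
    step = 0
    while x not in seen:
        seen[x] = step
        x = (x * a + b) % m
        step += 1
    return step - seen[x]

def same_target_order(seed_1, seed_2, n=16, a=A, b=B, m=M):
    """True when two instances scan in exactly the same order.
    Two hosts sharing a static seed always do; a random seed per host
    (the Code-Red I v2 change noted on the earlier slide) breaks that."""
    return first_n(seed_1, n, a, b, m) == first_n(seed_2, n, a, b, m)

if __name__ == "__main__":
    print("first outputs from seed 0:", first_n(0, 8))
    print("cycle length, a=5 b=3 m=256:", cycle_length(0))        # full period 256
    print("cycle length, a=4 b=3 m=256:", cycle_length(0, a=4))   # collapses to 1
    print("static seed, two hosts identical:", same_target_order(42, 42))
    print("different seeds, two hosts identical:", same_target_order(42, 43))
```

With a = 5 the parameters satisfy the usual full-period conditions (b coprime to m, a − 1 divisible by every prime factor of m and by 4), so the cycle covers all 256 values; with a = 4 the term a − 1 is odd, and every seed falls into the fixed point 255 within a few steps.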

Page 12: PPT for Project Review 1

Cont…

Page 13: PPT for Project Review 1

Cont…

Page 14: PPT for Project Review 1

Cont…

Page 15: PPT for Project Review 1

Cont…

Page 16: PPT for Project Review 1

Witty Worm

The worm took advantage of a security flaw in ISS firewall applications.

Network telescope

ISS vulnerability

Witty worm details

Witty worm spread

Page 17: PPT for Project Review 1

Cont…

Page 18: PPT for Project Review 1

Cont…

Page 19: PPT for Project Review 1

Cont…

Page 20: PPT for Project Review 1

Introduction to Proposed Project

An active worm refers to a malicious software program that propagates itself on the Internet to infect other computers.

Compromised computers can then be used to:

1. Launch massive Distributed Denial-of-Service (DDoS) attacks that disrupt the Internet utilities,

2. Access confidential information that can be misused through large-scale traffic sniffing, key logging, identity theft, etc.,

3. Destroy data that has a high monetary value, and

4. Distribute large-scale unsolicited advertisement emails (as spam) or software (as malware).

Page 21: PPT for Project Review 1

Cont…

Worms that adopt such smart attack strategies could exhibit overall scan traffic patterns different from those of traditional worms.

We conduct a systematic study on a new class of such smart worms, denoted Camouflaging Worm (C-Worm in short).

The camouflage is achieved by manipulating the scan traffic volume of worm-infected computers.

Page 22: PPT for Project Review 1

Cont…

We propose a novel spectrum-based detection scheme that uses the Power Spectral Density (PSD) distribution of scan traffic volume in the frequency domain and its corresponding Spectral Flatness Measure (SFM) to distinguish C-Worm traffic from non-worm traffic (background traffic).

Page 23: PPT for Project Review 1

Cont…

Furthermore, we demonstrate the effectiveness of our spectrum-based detection scheme in comparison with existing worm-detection schemes. We define several new metrics: Maximal Infection Ratio (MIR) quantifies the infection damage caused by a worm before it is detected; the other metrics are Detection Time (DT) and Detection Rate (DR).

Page 24: PPT for Project Review 1

Existing System

Existing detection schemes are based on a tacit assumption that each worm-infected computer keeps scanning the Internet and propagates itself at the highest possible speed.

Threshold-based detection and trend-based detection have been developed to detect the large-scale propagation of worms in the Internet.

The scheme adopts the distribution of attack targets as the basic detection data to capture the key feature of worm propagation.

Page 25: PPT for Project Review 1

Proposed System

We demonstrate the effectiveness of the C-Worm against existing traffic volume-based detection schemes; our detection scheme instead captures the distinct pattern of the C-Worm in the frequency domain.

To identify C-Worm propagation we use the distribution of the Power Spectral Density (PSD) and its corresponding Spectral Flatness Measure (SFM) of the scan traffic.
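The PSD/SFM detector described on this slide and on slide 22, beside the volume-threshold check from the Existing System slide, as an added example; it is not the project's code and uses no real traffic. Everything in it is constructed: the scan-volume series (a steady background level with Gaussian jitter versus a C-Worm-like series whose rate rises and falls on a regular cycle while keeping the same average), the SFM alarm threshold of 0.25, and the sinusoidal modulation, which is a simplification of the volume manipulation the slides describe. The PSD is computed with a direct DFT so the example runs on the standard library alone.

```python
import cmath
import math
import random

def power_spectral_density(samples):
    """One-sided PSD of a real series: |X_k|^2 / N for k = 1 .. N/2.
    A direct O(N^2) DFT keeps the example dependency-free. The DC bin
    (k = 0) is left out: it only carries the average scan level, not the
    shape of the variation, which is what the C-Worm manipulates."""
    n = len(samples)
    psd = []
    for k in range(1, n // 2 + 1):
        acc = 0j
        for t, x in enumerate(samples):
            acc += x * cmath.exp(-2j * math.pi * k * t / n)
        psd.append(abs(acc) ** 2 / n)
    return psd

def spectral_flatness(psd, eps=1e-12):
    """SFM = geometric mean / arithmetic mean of the PSD bins, in (0, 1].
    Near 1 when power is spread evenly over frequencies (noise-like
    background); near 0 when it concentrates in a few bins (a regular
    pattern in the scan volume)."""
    vals = [p + eps for p in psd]
    geo = math.exp(sum(math.log(v) for v in vals) / len(vals))
    arith = sum(vals) / len(vals)
    return geo / arith

# --- constructed scan-volume series (scans per interval); not real data ---
def background_scan_volume(n=256, level=50.0, noise_sd=5.0, seed=1):
    """Background traffic: a steady level with Gaussian jitter."""
    rng = random.Random(seed)
    return [max(0.0, level + rng.gauss(0, noise_sd)) for _ in range(n)]

def camouflaged_scan_volume(n=256, level=50.0, swing=20.0, period=16,
                            noise_sd=5.0, seed=1):
    """C-Worm-like traffic: infected hosts raise and lower their scan rate
    on a regular cycle so that the *average* volume matches the background.
    The sinusoid is a constructed stand-in for the manipulation described."""
    rng = random.Random(seed)
    return [max(0.0, level + swing * math.sin(2 * math.pi * t / period)
                + rng.gauss(0, noise_sd)) for t in range(n)]

def volume_threshold_alarm(samples, limit):
    """The existing volume-based approach: alarm only when the mean scan
    volume exceeds a fixed limit. Both constructed series stay under it."""
    return sum(samples) / len(samples) > limit

def spectrum_alarm(samples, sfm_threshold=0.25):
    """The spectrum-based approach: alarm when the SFM of the scan-volume
    series drops below the (constructed) threshold. Returns (alarm, sfm)."""
    sfm = spectral_flatness(power_spectral_density(samples))
    return sfm < sfm_threshold, sfm

if __name__ == "__main__":
    for name, series in (("background", background_scan_volume()),
                         ("camouflaged", camouflaged_scan_volume())):
        alarm, sfm = spectrum_alarm(series)
        print(f"{name:12s} mean={sum(series) / len(series):6.1f} "
              f"volume_alarm={volume_threshold_alarm(series, 100)} "
              f"SFM={sfm:.3f} spectrum_alarm={alarm}")
```

The two series have the same mean, so a volume threshold treats them alike; in the frequency domain the camouflaged series concentrates its power in the bin matching its modulation period, pulling the SFM close to zero, while the jittery background spreads power across all bins and keeps the SFM high. In practice the SFM threshold is tuned against measured background traffic rather than fixed at 0.25.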

Page 26: PPT for Project Review 1

Software Requirement Specifications

HARDWARE REQUIREMENTS

PROCESSOR : PENTIUM IV 2.6 GHz, Intel Core 2 Duo

RAM : 512 MB DDR RAM

MONITOR : 15” COLOR

HARD DISK : 40 GB

CD DRIVE : LG 52X

SOFTWARE REQUIREMENTS

Front End : JAVA (Swing)

Back End : MS SQL 2000/05

Operating System : Windows XP/07

IDE : NetBeans, Eclipse

Page 27: PPT for Project Review 1

References

1. D. Moore, C. Shannon, and J. Brown, “Code-Red: A Case Study on the Spread and Victims of an Internet Worm,” Proc. Second Internet Measurement Workshop (IMW), Nov. 2002.

2. D. Moore, V. Paxson, and S. Savage, “Inside the Slammer Worm,” IEEE Security and Privacy Magazine, July 2003.

3. CERT, CERT/CC Advisories, http://www.cert.org/advisories/, 2010.

4. J. Ma, G.M. Voelker, and S. Savage, “Self-Stopping Worms,” Proc. ACM Workshop on Rapid Malcode (WORM), Nov. 2005.

Page 28: PPT for Project Review 1
Page 29: PPT for Project Review 1

Presented by M. Nagaraju

M.Tech (CSE), 2nd Year