11-07-2012, 10:18 AM
On Detecting Camouflaging Worm
Abstract
Active worms pose major security threats to the Internet. In this paper, we investigate a new class of active worms, i.e., the Camouflaging Worm (C-Worm in short). The C-Worm has the capability to intelligently manipulate its scan traffic volume over time, thereby camouflaging its propagation from existing worm detection systems. We analyze characteristics of the C-Worm and conduct a comprehensive comparison between its traffic and non-worm traffic. We observe that these two types of traffic are barely distinguishable in the time domain; however, their distinction is clear in the frequency domain, due to the recurring manipulative nature of the C-Worm. Motivated by our observations, we design a novel spectrum-based scheme to detect the C-Worm. Our scheme uses the Power Spectral Density (PSD) distribution of the scan traffic volume and its corresponding Spectral Flatness Measure (SFM) to distinguish the C-Worm traffic from non-worm traffic. We conduct extensive performance evaluations of our proposed detection scheme against the C-Worm. The performance data clearly demonstrate that our proposed scheme can effectively detect the C-Worm propagation.
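As an added example (not code from the paper), the frequency-domain distinction described in the abstract worked through in plain Python: a constructed scan-volume series whose rate is throttled up and down on a recurring schedule (C-Worm-like) and a constructed series of unstructured background traffic with the same mean are compared by the Spectral Flatness Measure of their PSD. The SFM definition used here (geometric mean over arithmetic mean of the PSD bins), the 0.3 decision threshold and both sample series are assumptions of this example, not values taken from the paper.

```python
import cmath
import math
import random

def power_spectral_density(samples):
    """Single-sided PSD of a real series via a plain O(n^2) DFT (no numpy needed).
    The mean is removed first so the DC term does not swamp the other bins;
    bins 1..n/2 are returned."""
    n = len(samples)
    mean = sum(samples) / n
    x = [s - mean for s in samples]
    psd = []
    for k in range(1, n // 2 + 1):
        coeff = sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
        psd.append(abs(coeff) ** 2 / n)
    return psd

def spectral_flatness(psd):
    """SFM = geometric mean / arithmetic mean of the PSD, in [0, 1].
    Near 1: energy spread evenly across bins (noise-like). Near 0: energy
    concentrated in a few bins, i.e. a recurring pattern in the time series."""
    eps = 1e-12  # guards log(0) on an all-zero bin
    log_mean = sum(math.log(p + eps) for p in psd) / len(psd)
    return math.exp(log_mean) / (sum(psd) / len(psd) + eps)

def c_worm_scan_volume(n=128, period=16, base=50.0, swing=40.0, seed=7):
    """Constructed C-Worm-like scan volume (assumed shape, not the paper's model):
    the scan rate is throttled on a recurring schedule of `period` sampling
    intervals so each interval's volume stays under a volume-threshold alarm."""
    rng = random.Random(seed)
    return [base + swing * math.sin(2 * math.pi * t / period) + rng.uniform(-5, 5)
            for t in range(n)]

def non_worm_scan_volume(n=128, base=50.0, jitter=40.0, seed=1):
    """Constructed background traffic with the same mean and a similar range,
    but no recurring structure."""
    rng = random.Random(seed)
    return [base + rng.uniform(-jitter, jitter) for _ in range(n)]

def classify(samples, threshold=0.3):
    """Flag a scan-volume series as C-Worm-like when its SFM is below threshold.
    The threshold is an assumed value for this example, not one from the paper."""
    sfm = spectral_flatness(power_spectral_density(samples))
    return ("c-worm-like" if sfm < threshold else "non-worm", sfm)

if __name__ == "__main__":
    for name, s in (("c-worm", c_worm_scan_volume()), ("non-worm", non_worm_scan_volume())):
        print(name, classify(s))
```

Both series look alike on a volume-over-time plot (same mean, similar swing), which is exactly the time-domain ambiguity the abstract describes; the throttled series concentrates its energy in one PSD bin and so gets a very low SFM, while the background series spreads it across bins.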
1 Introduction
An active worm refers to a malicious software program that propagates itself on the Internet to infect other hosts. The propagation of the worm is based on exploiting vulnerabilities of hosts on the Internet. Many real worms have caused much damage on the Internet. These worms include the “Code-Red” worm in