22-04-2012, 12:00 AM
modeling and detection of c worm ppt,uml diagrams,each module design
04-07-2012, 03:00 PM
Modeling and Detection of Camouflaging Worm
Modeling and Detection.pdf (Size: 421.73 KB / Downloads: 128)

Abstract

Active worms pose major security threats to the Internet. This is due to the ability of active worms to propagate in an automated fashion as they continuously compromise computers on the Internet. Active worms evolve during their propagation and thus pose great challenges to defend against them. In this paper, we investigate a new class of active worms, referred to as Camouflaging Worm (C-Worm in short). The C-Worm is different from traditional worms because of its ability to intelligently manipulate its scan traffic volume over time. Thereby, the C-Worm camouflages its propagation from existing worm detection systems based on analyzing the propagation traffic generated by worms. We analyze characteristics of the C-Worm and conduct a comprehensive comparison between its traffic and non-worm traffic (background traffic).

INTRODUCTION

An active worm refers to a malicious software program that propagates itself on the Internet to infect other computers. The propagation of the worm is based on exploiting vulnerabilities of computers on the Internet. Many real-world worms have caused notable damage on the Internet. These worms include “Code-Red” worm in 2001 [1], “Slammer” worm in 2003 [2], and “Witty”/“Sasser” worms in 2004 [3]. Many active worms are used to infect a large number of computers and recruit them as bots or zombies, which are networked together to form botnets [4]. These botnets can be used to: (a) launch massive Distributed Denial-of-Service (DDoS) attacks that disrupt the Internet utilities [5], (b) access confidential information that can be misused [6] through large scale traffic sniffing.

BACKGROUND AND RELATED WORK

Active Worms

Active worms are similar to biological viruses in terms of their infectious and self-propagating nature. They identify vulnerable computers, infect them and the worm-infected computers propagate the infection further to other vulnerable computers. In order to understand worm behavior, we first need to model it. With this understanding, effective detection and defense schemes could be developed to mitigate the impact of the worms. For this reason, tremendous research effort has focused on this area [12], [24], [14], [25], [16].

Active worms use various scan mechanisms to propagate themselves efficiently. The basic form of active worms can be categorized as having the Pure Random Scan (PRS) nature. In the PRS form, a worm-infected computer continuously scans a set of random Internet IP addresses to find new vulnerable computers. Other worms propagate themselves more effectively than PRS worms using various methods, e.g., network port scanning, email, file sharing, Peer-to-Peer (P2P) networks, and Instant Messaging (IM) [26], [27]. In addition, worms use different scan strategies during different stages of propagation. In order to increase propagation efficiency, they use a local network or hitlist to infect previously identified vulnerable computers at the initial stage of propagation [12], [28].

Worm Detection

Worm detection has been intensively studied in the past and can be generally classified into two categories: “host-based” detection and “network-based” detection. Host-based detection systems detect worms by monitoring, collecting, and analyzing worm behaviors on end-hosts. Since worms are malicious programs that execute on these computers, analyzing the behavior of worm executables plays an important role in host-based detection systems. Many detection schemes fall under this category [37], [38]. In contrast, network-based detection systems detect worms primarily by monitoring, collecting, and analyzing the scan traffic (messages to identify vulnerable computers) generated by worm attacks. Many detection schemes fall under this category [19], [20], [21], [39], [40]. Ideally, security vulnerabilities must be prevented to begin with, a problem which must be addressed by the programming language community. However, while vulnerabilities exist and pose threats of large-scale damage, it is critical to also focus on network-based detection, as this paper does, to detect widespreading worms.

Effectiveness of the C-Worm

We now demonstrate the effectiveness of the C-Worm in evading worm detection through controlling P(t). Given random selection of $\bar{M}_C$, we generate three C-Worm attacks (viz., C-Worm 1, C-Worm 2 and C-Worm 3) that are characterized by different selections of mean and variance magnitudes for $\bar{M}_C$. In our simulations, we assume that the scan rate of the traditional PRS worm follows a normal distribution Sn = N(40, 40) (note that if the scan rate generated by the above distribution is less than 0, we set the scan rate as 0). We also set the total number of vulnerable computers on the Internet as 360,000, which is the total number of infected computers in the “Code-Red” worm incident [1].

Spectrum-based Detection Scheme

We now present the details of our spectrum-based detection scheme. Similar to other detection schemes [19], [21], we use a “destination count” as the number of the unique destination IP addresses targeted by launched scans during worm propagation. To understand how the destination count data is obtained, we recall that an ITM system collects logs from distributed monitors across the Internet. On a side note, Internet Threat Monitoring (ITM) systems are a widely deployed facility to detect, analyze, and characterize dangerous Internet threats such as worms. In general, an ITM system consists of one centralized data center and a number of monitors distributed across the Internet. Each monitor records traffic that is addressed to a range of IP addresses (which are not commonly used IP addresses, also called the dark IP addresses) and periodically sends the traffic logs to the data center.

FINAL REMARKS

In this paper, we studied a new class of smart-worm called C-Worm, which has the capability to camouflage its propagation and further avoid detection. Our investigation showed that, although the C-Worm successfully camouflages its propagation in the time domain, its camouflaging nature inevitably manifests as a distinct pattern in the frequency domain. Based on observation, we developed a novel spectrum-based detection scheme to detect the C-Worm.
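
Added example, not part of the original post or the paper's code: a sketch of the detection side described above, turning monitor records into a per-window destination count and checking whether the count's power is concentrated in a narrow frequency band. The record layout, the spectral-flatness statistic, the 0.3 threshold and both sample series are assumptions made for illustration; the excerpt does not name the statistic the authors use.

```python
import cmath
import math
import random

def destination_counts(records, window):
    """Unique destination IPs per time window from (timestamp, dst_ip) monitor records."""
    buckets = {}
    for ts, dst in records:
        buckets.setdefault(int(ts // window), set()).add(dst)
    if not buckets:
        return []
    return [len(buckets.get(i, ())) for i in range(min(buckets), max(buckets) + 1)]

def power_spectrum(series):
    """Periodogram of the mean-removed series (DC bin excluded)."""
    n = len(series)
    mean = sum(series) / n
    x = [v - mean for v in series]
    return [abs(sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))) ** 2 / n
            for k in range(1, n // 2 + 1)]

def spectral_flatness(psd, eps=1e-12):
    """Geometric mean over arithmetic mean: near 0 when power sits in a few bins."""
    log_mean = sum(math.log(p + eps) for p in psd) / len(psd)
    return math.exp(log_mean) / (sum(psd) / len(psd) + eps)

def flags_narrowband(series, threshold=0.3):
    """True when the destination-count spectrum is far from flat (assumed threshold)."""
    return spectral_flatness(power_spectrum(series)) < threshold

def constructed_series(n, seed, swing):
    """Constructed sample data: noisy counts around 200, plus an optional slow recurring swing."""
    rng = random.Random(seed)
    return [max(0, round(200 + rng.gauss(0, 20) + swing * math.sin(2 * math.pi * t / 64)))
            for t in range(n)]

BACKGROUND = constructed_series(256, seed=1, swing=0)    # noise-like counts
RECURRING = constructed_series(256, seed=2, swing=120)   # same noise plus a recurring component

if __name__ == "__main__":
    for name, s in (("background", BACKGROUND), ("recurring", RECURRING)):
        print(name, round(spectral_flatness(power_spectrum(s)), 3), flags_narrowband(s))
```

In the time domain both sample series stay in a similar range of counts; the difference shows up only once the spectrum is examined, which is the point the final remarks make.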
16-08-2012, 10:32 AM
to get information about the topic "advantages of modeling and detection of camouflaging worm" full report ppt and related topic refer the link below
https://seminarproject.net/Thread-modeli...g-worm-ppt
https://seminarproject.net/Thread-modeli...8#pid88178
https://seminarproject.net/Thread-modeli...?pid=97440
07-01-2013, 05:21 PM
haiiiii sir i want ppt modeling detection camouflaging worm ppt please send me...
08-01-2013, 01:19 PM
to get information about the topic "modeling and detection of camouflaging worm" full report ppt and related topic refer the link below
https://seminarproject.net/Thread-modeli...g-worm-ppt
https://seminarproject.net/Thread-modeli...ull-report
https://seminarproject.net/Thread-modeli...0#pid97440