International Journal of Engineering
Trends and Technology

Research Article | Open Access

Volume 3 | Issue 3 | Year 2012 | Article Id. IJETT-V3I3P208 | DOI : https://doi.org/10.14445/22315381/IJETT-V3I3P208

Paradigmatic and Exploration of Blind Worm


Yellamandaiah Gogula, E.Jhansi Rani

Citation :

Yellamandaiah Gogula, E.Jhansi Rani, "Paradigmatic and Exploration of Blind Worm," International Journal of Engineering Trends and Technology (IJETT), vol. 3, no. 3, pp. 289-293, 2012. Crossref, https://doi.org/10.14445/22315381/IJETT-V3I3P208

Abstract

Active worms pose major security threats to the Internet because they propagate in an automated fashion, continuously compromising computers on the Internet. Active worms evolve during their propagation and are therefore difficult to defend against. In this paper, we investigate a new class of active worms, referred to as Tarnen Worm (C-Worm in short). The C-Worm differs from traditional worms in its ability to intelligently manipulate its scan traffic volume over time. In this way, the C-Worm camouflages its propagation from existing worm exploration systems that analyze the propagation traffic generated by worms. We analyze the characteristics of the C-Worm and conduct a comprehensive comparison between its traffic and non-worm traffic (background traffic). We observe that these two types of traffic are barely distinguishable in the time domain. However, their distinction is clear in the frequency domain, due to the recurring manipulative nature of the C-Worm. Motivated by these observations, we design a novel spectrum-based scheme to detect the C-Worm. Our scheme uses the Power Spectral Density (PSD) distribution of the scan traffic volume and its corresponding Spectral Flatness Measure (SFM) to distinguish C-Worm traffic from background traffic. Using a comprehensive set of exploration metrics and real-world traces as background traffic, we conduct extensive performance evaluations of our proposed spectrum-based exploration scheme. The performance data clearly demonstrate that our scheme can effectively detect C-Worm propagation. Furthermore, we show the generality of our spectrum-based scheme in effectively detecting not only the C-Worm, but traditional worms as well.

Keywords

Worm, Glitch Exploration.
