A worm is a malicious self-replicating programs, it is designed to spread via computer networks. Computer worms are one form of malware along with viruses and Trojans. Active worms pose major security threats to the Internet. This is the ability of active worms to continuously propagate in the computers on the Internet as an automated fashion. Active worms evolve during their propagation, and thus, pose great challenges to defend against them. In this paper, we investigate a new class of active worms, referred to as Camouflaging Worm (C-Worm in short). The C-Worm is different from traditional worms because of its ability to intelligently manipulate its scan traffic volume over time. Thereby, the C-Worm camouflages its propagation from existing worm detection systems based on analyzing the propagation traffic generated by worms. We analyze characteristics of the C-Worm and conduct a comprehensive comparison between its traffic and non-worm traffic (background traffic). We observe that these two types of traffic are barely distinguishable in the time domain. However, their distinction is clear in the frequency domain, due to the recurring manipulative nature of the C-Worm. Motivated by our observations, we design a novel spectrum-based scheme to detect the C-Worm. Our scheme uses the Power Spectral Density (PSD) distribution of the scan traffic volume and its corresponding Spectral Flatness Measure (SFM) to distinguish the C-Worm traffic from background traffic. Using a comprehensive set of detection metrics and real-world traces as background traffic, we conduct extensive performance evaluations on our proposed spectrum-based detection scheme. The performance data clearly demonstrates that our scheme can effectively detect the C-Worm propagation. Furthermore, we show the generality of our spectrum-based scheme in effectively detecting not only the C-Worm, but traditional worms as well.

D. Moore, C. Shannon, and J. Brown, ―Code-Red: A Case Study on the Spread and Victims of an Internet Worm,‖ Proc. Second Internet Measurement Workshop (IMW), Nov. 2002.

D. Moore, V. Paxson, and S. Savage, ―Inside the Slammer Worm,‖ Proc. IEEE Magazine of Security and Privacy, July 2003.

CERT, CERT/CC Advisories, http://www.cert.org/advisories/, 2010. 388 IEEE TRANSACTIONS on dependable and secure computing, vol. 8, no. 3, may/june 2011.

P.R. Roberts, Zotob Arrest Breaks Credit Card FraudRing,http://www.eweek.com/article2/0,1895,1854 162, 00.asp, 2010.

W32/MyDoom.B Virus, http://www.us cert.gov/cas/techalerts/TA04-028A.html, 2010.

W32.Sircam.Worm@mm,http://www.symantec.com/avcenter/venc/data/w32.sircam. worm@mm.html,2010.

R. Naraine, Botnet Hunters Search for Command and ControlServers,http://www.eweek.com/article2/0,1759,1829347,00.asp.

T. Sanders, Botnet operation controlled 1.5m PCs Largest zombie army ever created, http://www.vnunet.com/vnunet/news/2144375/ botnet-operation-ruled-million, 2005.

R. Vogt, J. Aycock, and M. Jacobson, ―Quorum sensing and selfstopping worms,‖ in Proceedings of 5th ACM Workshop

on Recurring Malcode (WORM), Alexandria VA, October 2007.

S. Staniford, V. Paxson, and N.Weaver, ―How to own the internet in your spare time,‖ in Proceedings of the 11-th USENIX Security Symposium (SECURITY), San Francisco, CA, August 2002.

Z. S. Chen, L.X. Gao, and K. Kwiat, ―Modelling the spread of active worms,‖ in Proceedings of the IEEE Conference on Computer Communications (INFOCOM), San Francisco, CA, March 2003.

Z. S. Chen, L.X. Gao, and K. Kwiat, ―Modelling the spread of active worms,‖ in Proceedings of the IEEE Conference on Computer Communications (INFOCOM), San Francisco, CA, March 2003.

M. Garetto, W. B. Gong, and D. Towsley, ―Modeling malware spreading dynamics,‖ in Proceedings of the IEEE Conference on Computer Communications (INFOCOM), San Francisco, CA, March 2003.

C. C. Zou, W. Gong, and D. Towsley, ―Code-red worm propagation modeling and analysis,‖ in Proceedings of the 9-th ACM Conference on Computer and Communication Security (CCS), Washington DC, November 2002.

Zdnet, Smart worm lies low to evade detection, http://news.zdnet.co.uk/ internet/security/0,39020375,39160285,00.htm.

J. Ma, G. M. Voelker, and S. Savage, ―Self-stopping worms,‖ in Proceedings of the ACM Workshop on Rapid Malcode (WORM), Washington D.C, November 2005.

Min Gyyng Kang, Juan Caballero, and Dawn Song, ―Distributed evasive scan techniques and countermeasuress,‖ in Proceedings of International Conference on Detection of Intrusions & Malware, and Vulnerability Assessment (DIMVA), Lucerne, Switzerland, July 2007.

Charles Wright, Scott Coull, and Fabian Monrose, ―Traffic morphing: An efficient defense against statistical traffic analysis,‖ in Proceedings of the 15th IEEE Network and Distributed System Security Symposium (NDSS), San Diego, CA, Febrary 2008.

C. Zou, W. B. Gong, D. Towsley, and L. X. Gao, ―Monitoring and early detection for internet worms,‖ in Proceedings of the 10- th ACM Conference on Computer and Communication Security (CCS), Washington DC, October 2003.

S. Venkataraman, D. Song, P. Gibbons, and A. Blum, ―New streaming algorithms for superspreader detection,‖ in Proceedings of the 12-th IEEE Network and Distributed Systems Security Symposium (NDSS), San Diego, CA, Febrary 2005.