Prototyping and Detection of Concealing Worm

RaviTeja Gaddam, K. Ruth Mary Poornima

Abstract


Worms pose major security threats to the Internet. This is due to the ability of active worms to propagate in an automated fashion as they continuously compromise computers on the Internet. Active worms evolve during their propagation and thus pose great challenges to defending against them. In this paper, we investigate a new class of active worms, referred to as Concealing Worm (C-Worm in short). The C-Worm is different from traditional worms because of its ability to intelligently manipulate its scan traffic volume over time. Thereby, the C-Worm conceals its propagation from existing worm detection systems based on analyzing the propagation traffic generated by worms. We analyze characteristics of the C-Worm and conduct a comprehensive comparison between its traffic and non-worm traffic (background traffic). We observe that these two types of traffic are barely distinguishable in the time domain. However, their distinction is clear in the frequency domain, due to the recurring manipulative nature of the C-Worm. Motivated by our observations, we design a novel spectrum-based scheme to detect the C-Worm. Our scheme uses the Power Spectral Density (PSD) distribution of the scan traffic volume and its corresponding Spectral Flatness Measure (SFM) to distinguish the C-Worm traffic from background traffic.
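The following Python is an added example, not code from the paper, showing the detection idea the abstract describes: compute the PSD of a per-interval scan-traffic volume series, reduce it to its Spectral Flatness Measure (geometric mean of the PSD divided by its arithmetic mean), and flag series whose spectrum is far from flat. It runs the check on two constructed series, a noise-like background volume and the same background with an on/off scan burst that recurs every 16 intervals. The traffic series, the 16-interval period and the 0.25 SFM cut-off are assumptions chosen for illustration, not values from the paper.

```python
"""Spectrum-based check on scan-traffic volume: PSD plus Spectral Flatness.

Added example (not the paper's code). A flat PSD (SFM near 1) means the
volume series is noise-like; a spiky PSD (SFM near 0) means a recurring
pattern dominates the series.
"""
import cmath
import math
import random


def periodogram(series):
    """One-sided PSD of `series`, DC bin excluded.

    A direct O(N^2) DFT keeps the example dependency-free; use a library
    FFT on real data. The mean is removed first so that the overall
    traffic level does not dominate the spectrum.
    """
    n = len(series)
    mean = sum(series) / n
    x = [v - mean for v in series]
    psd = []
    for k in range(1, n // 2):
        coeff = sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
        psd.append(abs(coeff) ** 2 / n)
    return psd


def spectral_flatness(psd, eps=1e-12):
    """SFM = geometric mean / arithmetic mean of the PSD, a value in [0, 1]."""
    if not psd:
        raise ValueError("empty PSD")
    log_mean = sum(math.log(p + eps) for p in psd) / len(psd)
    arith = sum(psd) / len(psd) + eps
    return math.exp(log_mean) / arith


# Assumed cut-off for the constructed data below; a real deployment would
# calibrate it against the monitor's own background traffic.
SFM_THRESHOLD = 0.25


def classify(series, threshold=SFM_THRESHOLD):
    """Return ('periodic' | 'noise-like', sfm) for a volume series."""
    sfm = spectral_flatness(periodogram(series))
    return ("periodic" if sfm < threshold else "noise-like"), sfm


def background_traffic(n=256, seed=1):
    """Constructed sample: scan count per interval, Gaussian noise around 50."""
    rng = random.Random(seed)
    return [max(0.0, rng.gauss(50.0, 5.0)) for _ in range(n)]


def modulated_traffic(n=256, period=16, burst=30.0, seed=1):
    """Constructed sample: the same background plus an on/off burst of
    `burst` extra scans that recurs every `period` intervals (the recurring
    pattern the frequency-domain check is meant to expose)."""
    base = background_traffic(n, seed)
    return [v + (burst if (t % period) < period // 2 else 0.0)
            for t, v in enumerate(base)]


if __name__ == "__main__":
    for name, s in (("background", background_traffic()),
                    ("modulated", modulated_traffic())):
        label, sfm = classify(s)
        print(f"{name}: SFM={sfm:.3f} -> {label}")
```

In deployment the series would be the per-interval count of scan connections seen at a network telescope or similar monitor. The cut-off has to be calibrated rather than set near 1: even pure white noise yields an SFM of roughly 0.56, because the periodogram's per-bin variance pulls the geometric mean below the arithmetic mean (the expected ratio for exponentially distributed bins is e^-γ, with γ the Euler constant).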


Keywords


Worm, Conceal, Anomaly Detection, worm-infected computers

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 License.