Prototyping and Detection of Concealing Worm
Abstract
Worms pose major security threats to the Internet because active worms propagate in an automated fashion, continuously compromising computers on the Internet. Active worms evolve during their propagation and are therefore hard to defend against. In this paper, we investigate a new class of active worms, referred to as the Concealing Worm (C-Worm in short). The C-Worm differs from traditional worms in its ability to intelligently manipulate its scan traffic volume over time, thereby concealing its propagation from existing worm detection systems that analyze the propagation traffic generated by worms. We analyze the characteristics of the C-Worm and conduct a comprehensive comparison between its traffic and non-worm traffic (background traffic). We observe that these two types of traffic are barely distinguishable in the time domain, but their distinction is clear in the frequency domain, due to the recurring manipulative nature of the C-Worm. Motivated by these observations, we design a novel spectrum-based scheme to detect the C-Worm. Our scheme uses the Power Spectral Density (PSD) distribution of the scan traffic volume and its corresponding Spectral Flatness Measure (SFM) to distinguish C-Worm traffic from background traffic.
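The following is an added illustration of the PSD/SFM idea the abstract describes; it is not code from the paper or its authors. It computes the PSD of a scan-volume time series with a plain DFT, takes the SFM as the ratio of the geometric to the arithmetic mean of the PSD bins (the standard definition), and applies it to two constructed series: irregular background scan counts, and the same background with a scanner that periodically switches on and off. The traffic samples, the square-wave modulation, the 0.4 decision threshold and the function names are all assumptions made for this example.

```python
import cmath
import math
import random


def power_spectral_density(series):
    """PSD of a scan-volume time series (one value per sampling interval),
    computed with a direct DFT in pure Python so the example needs no numpy.
    The mean is removed first so the DC bin does not swamp the rest, and
    only the positive-frequency bins 1..N/2 are returned."""
    n = len(series)
    mean = sum(series) / n
    x = [v - mean for v in series]
    psd = []
    for k in range(1, n // 2 + 1):
        acc = 0j
        for t, v in enumerate(x):
            acc += v * cmath.exp(-2j * math.pi * k * t / n)
        psd.append(abs(acc) ** 2 / n)
    return psd


def spectral_flatness(psd, eps=1e-12):
    """Spectral Flatness Measure: geometric mean over arithmetic mean of the
    PSD bins. Near 1 for a flat, noise-like spectrum; near 0 when the power
    sits in a few bins, as it does for a periodically modulated scan rate.
    eps keeps the log finite for bins that are exactly zero."""
    vals = [p + eps for p in psd]
    geometric = math.exp(sum(math.log(v) for v in vals) / len(vals))
    arithmetic = sum(vals) / len(vals)
    return geometric / arithmetic


def background_traffic(n, seed=1):
    """Constructed sample: irregular background scan counts per interval
    (Gaussian around 50 with a spread of 10, clipped at zero)."""
    rng = random.Random(seed)
    return [max(0.0, rng.gauss(50.0, 10.0)) for _ in range(n)]


def cworm_like_traffic(n, seed=1, period=32, boost=20.0):
    """Constructed sample: the same background plus a scanner that switches
    on and off every period/2 intervals (the recurring manipulation the
    abstract describes). The boost stays within the range the background
    itself swings over, so single intervals do not stand out; only the
    regularity of the switching does, and only in the frequency domain."""
    base = background_traffic(n, seed)
    return [b + (boost if (t // (period // 2)) % 2 == 0 else 0.0)
            for t, b in enumerate(base)]


def classify(series, threshold=0.4):
    """Flag a series whose SFM falls below the assumed threshold."""
    sfm = spectral_flatness(power_spectral_density(series))
    return "suspect" if sfm < threshold else "background"


if __name__ == "__main__":
    for name, series in (("background", background_traffic(512)),
                         ("c-worm-like", cworm_like_traffic(512))):
        sfm = spectral_flatness(power_spectral_density(series))
        print(f"{name:12s} SFM={sfm:.3f} -> {classify(series)}")
```

With a white-noise-like background the PSD bins are roughly equal and the SFM lands around 0.5 to 0.6; the modulated series concentrates power at the switching frequency and its odd harmonics, pulling the SFM well below that. The threshold, sampling interval and window length would need calibrating against real background traffic before such a check is deployed on a monitor.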
This work is licensed under a Creative Commons Attribution 3.0 License.