
An Approach towards Modeling and Detection of Camouflaging Worm using PSD Technique

H. Rajeshwari, Basavaraj G. Kudamble

Abstract


Large-scale worm outbreaks are considered a major security threat to today's Internet. Internet worms can be classified according to the technique by which they discover new targets to infect. In this paper we introduce the basic principles behind the modeling and detection of a polymorphic worm, referred to as the Camouflaging Worm (C-Worm). The C-Worm's most novel feature is that it hides and controls its propagation and its speed from the worm defense system. Because it is self-propagating, the C-Worm uses more complex mechanisms to manipulate the scan traffic volume over time in order to avoid detection. To defend against the C-Worm, an effective way is to analyze the scan traffic volume in the frequency domain. Our proposed method uses the Power Spectral Density (PSD) distribution of the scan traffic volume and its corresponding Spectral Flatness Measure (SFM) to distinguish C-Worm traffic from non-worm traffic. Promising results have been produced with a simulated C-Worm, demonstrating that all other traditional worms can be detected by our spectrum-based scheme.
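The PSD and SFM computation named in the abstract, as an added example that is not code from the paper: it takes a periodogram of per-interval scan counts and computes the SFM as the ratio of the geometric mean to the arithmetic mean of the PSD bins. The traffic series, the slow cyclic component standing in for manipulated scan volume, and the 0.2 threshold are all assumptions constructed for illustration.

```python
import cmath
import math
import random

def psd(series):
    """One-sided periodogram of the mean-removed series (DC bin dropped)."""
    n = len(series)
    mean = sum(series) / n
    x = [v - mean for v in series]
    power = []
    for k in range(1, n // 2 + 1):
        s = sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
        power.append(abs(s) ** 2 / n)
    return power

def sfm(power, eps=1e-12):
    """Spectral flatness: geometric mean / arithmetic mean of the PSD bins."""
    log_gm = sum(math.log(p + eps) for p in power) / len(power)
    am = sum(power) / len(power)
    return math.exp(log_gm) / (am + eps)

def constructed_traffic(n=256, seed=7):
    """Constructed scan counts per interval; not data from the paper."""
    rng = random.Random(seed)
    background = [1000 + rng.gauss(0, 50) for _ in range(n)]
    # Assumption: manipulated scan volume rises and falls on a slow cycle.
    cyclic = [b + 300 * math.sin(2 * math.pi * 4 * t / n)
              for t, b in enumerate(background)]
    return background, cyclic

def is_narrow_band(series, threshold=0.2):
    """Flag a window whose spectrum is concentrated in few bins.
    The threshold is an assumed value; calibrate it on local baseline traffic."""
    return sfm(psd(series)) < threshold

if __name__ == "__main__":
    background, cyclic = constructed_traffic()
    for name, s in (("background", background), ("cyclic", cyclic)):
        print(f"{name}: SFM={sfm(psd(s)):.3f} narrow_band={is_narrow_band(s)}")
```

Both constructed series have nearly the same mean volume, so the separation comes from the shape of the spectrum rather than from a volume threshold.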

Keywords


Anomaly Detection, Camouflaging, Worm.






Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 License.