Issue No.03 - May/June (2011 vol.8)
pp: 377-390
Wei Yu , Towson University, Towson, MD
Xun Wang , Cisco Systems, Inc, San Jose, CA
Prasad Calyam , The Ohio State University, Columbus, OH
Dong Xuan , The Ohio State University, Columbus, OH
Wei Zhao , University of Macau, Macau, China
ABSTRACT
Active worms pose major security threats to the Internet because they propagate automatically, continuously compromising computers as they spread. Active worms also evolve during their propagation, which makes defending against them a great challenge. In this paper, we investigate a new class of active worms, referred to as the Camouflaging Worm (C-Worm in short). The C-Worm differs from traditional worms in its ability to intelligently manipulate its scan traffic volume over time; in this way the C-Worm camouflages its propagation from existing worm detection systems that analyze the propagation traffic worms generate. We analyze the characteristics of the C-Worm and conduct a comprehensive comparison between its traffic and nonworm (background) traffic. We observe that the two types of traffic are barely distinguishable in the time domain, but that their distinction is clear in the frequency domain, because of the recurring manipulative nature of the C-Worm. Motivated by these observations, we design a novel spectrum-based scheme to detect the C-Worm. Our scheme uses the Power Spectral Density (PSD) distribution of the scan traffic volume and its corresponding Spectral Flatness Measure (SFM) to distinguish C-Worm traffic from background traffic. Using a comprehensive set of detection metrics and real-world traces as background traffic, we conduct extensive performance evaluations of the proposed spectrum-based detection scheme. The performance data clearly demonstrate that our scheme can effectively detect C-Worm propagation. Furthermore, we show the generality of our spectrum-based scheme by demonstrating that it effectively detects not only the C-Worm but traditional worms as well.
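As an added illustration of the PSD/SFM idea described in the abstract (this is example code, not code from the paper), the following Python takes one window of per-interval scan counts, computes its periodogram with the DC bin removed, derives the spectral flatness measure SFM = geometric mean / arithmetic mean of the PSD, and flags the window when the SFM falls below a threshold. Everything about the traffic is constructed: the background is Gaussian noise with no periodicity, the C-Worm sweeps its scan volume sinusoidally on a fixed period, and the series are built so that both have a mean near 100 and a standard deviation near 23, so that per-interval volume statistics alone do not separate them. The window length of 512 intervals, the 0.3 threshold and the worm-to-background power ratio are assumptions chosen for the example, not values from the paper.

```python
"""Spectral-flatness detector for a C-Worm-style periodic scan manipulation.

Added illustration: the PSD and SFM features follow the abstract above;
the traffic model, window length and threshold are assumptions chosen for
the example, not values from the paper.
"""
import cmath
import math
import random
from typing import List, Sequence

WINDOW = 512          # assumed: per-interval scan counts in one detection window
SFM_THRESHOLD = 0.3   # assumed: flag a window whose SFM falls below this


def power_spectral_density(series: Sequence[float]) -> List[float]:
    """Periodogram of the mean-removed series, bins k = 1 .. N/2 (DC excluded).

    A plain O(N^2) DFT keeps the example dependency-free; use numpy.fft
    for production-size windows.
    """
    n = len(series)
    mu = sum(series) / n
    x = [v - mu for v in series]
    psd = []
    for k in range(1, n // 2 + 1):
        acc = 0j
        for t, v in enumerate(x):
            acc += v * cmath.exp(-2j * math.pi * k * t / n)
        psd.append(abs(acc) ** 2)
    return psd


def spectral_flatness(psd: Sequence[float]) -> float:
    """SFM = geometric mean / arithmetic mean of the PSD, clamped to (0, 1].

    Near 1 for a noise-like (flat) spectrum; approaches 0 when a few bins
    carry most of the power, as they do for a recurring manipulation.
    """
    eps = 1e-12  # guards log(0) on an exactly-empty bin
    gm = math.exp(sum(math.log(p + eps) for p in psd) / len(psd))
    am = sum(psd) / len(psd)
    return min(1.0, gm / am) if am > 0 else 1.0


def flag_window(series: Sequence[float], threshold: float = SFM_THRESHOLD) -> bool:
    """True when the window's scan-volume spectrum is too peaked to be background."""
    return spectral_flatness(power_spectral_density(series)) < threshold


# --- constructed sample traffic (not real traces) --------------------------

def constructed_background(n: int = WINDOW, seed: int = 1) -> List[int]:
    """Background scan counts: i.i.d. noise around 100 with sd 23, no periodicity."""
    rng = random.Random(seed)
    return [max(0, round(rng.gauss(100, 23))) for _ in range(n)]


def constructed_cworm(n: int = WINDOW, period: int = 16, seed: int = 2) -> List[int]:
    """Background (mean 70, sd 10) plus a C-Worm that sweeps its scan volume
    between 0 and 60 on a fixed period.  Mean (~100) and sd (~23) match the
    background series, so per-interval volume alone does not separate them.
    The period divides the window, so the sweep lands in a single PSD bin."""
    rng = random.Random(seed)
    out = []
    for t in range(n):
        bg = rng.gauss(70, 10)
        worm = 30 * (1 + math.sin(2 * math.pi * t / period))
        out.append(max(0, round(bg + worm)))
    return out


def summarize(series: Sequence[float]) -> dict:
    """Time-domain statistics next to the spectral verdict for one window."""
    n = len(series)
    mu = sum(series) / n
    sd = math.sqrt(sum((v - mu) ** 2 for v in series) / n)
    sfm = spectral_flatness(power_spectral_density(series))
    return {"mean": mu, "sd": sd, "sfm": sfm, "flagged": sfm < SFM_THRESHOLD}


if __name__ == "__main__":
    for name, s in (("background", constructed_background()),
                    ("c-worm", constructed_cworm())):
        r = summarize(s)
        print(f"{name:10s} mean={r['mean']:6.1f} sd={r['sd']:5.1f} "
              f"SFM={r['sfm']:.3f} flagged={r['flagged']}")
```

Two points a practitioner should keep in mind when reading the output. First, for pure noise the single-window periodogram bins are roughly exponentially distributed, so the background SFM settles near 0.56 rather than at 1.0; the threshold has to be calibrated against real background windows, and averaging several periodograms (Welch-style) tightens the estimate. Second, the SFM only drops when the worm's recurring component carries power comparable to the background's within the window, and the window must span several manipulation periods; the example sets the worm amplitude high enough to make the effect unmistakable.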
INDEX TERMS
Worm, camouflage, anomaly detection.
CITATION
Wei Yu, Xun Wang, Prasad Calyam, Dong Xuan, Wei Zhao, "Modeling and Detection of Camouflaging Worm", IEEE Transactions on Dependable and Secure Computing, vol.8, no. 3, pp. 377-390, May/June 2011, doi:10.1109/TDSC.2010.13