worm in at or
TRANSCRIPT
-
7/31/2019 Worm in at Or
1/46
Presented by
-
Active Worms
Malicious software program
Propagates itself on the Internet
Infects other hosts
-
Worms can cause
Massive DDoS attacks disrupting Internet utilities
Access to confidential information
Destruction of data
-
Traditional Worm Behavior
A worm instance identifies & infects a vulnerable host
Newly infected hosts will automatically scan IP addresses to identify other vulnerable hosts
-
Camouflaging Worm Behavior
Also has a self-propagating nature
Smart worm that avoids detection by hibernating
Carefully controls its scan rate
Ultimately infects as many hosts as possible
Causes serious Internet damage
-
Analysis of C-Worm Propagation
The C-Worm needs to adapt to the dynamics of the Internet to manipulate its overall scan traffic volume
This involves a steady increase followed by a decrease in scan traffic volume
The scan traffic volume does not cross thresholds that could reveal its propagation
-
Analysis of C-Worm Propagation
Such changes do not manifest any trends in the time domain
But they demonstrate a distinct pattern in the frequency domain
There is a concentration within a narrow range of frequencies
-
MALWARE
Malicious software
Disrupts normal computing activity
Several types:
Worms
Trojans
Keyloggers
-
Viruses Vs Worms
A virus is a small program that spreads from computer to computer to interfere with operation
Worms are viruses which are able to run & copy themselves on a huge scale with no human assistance
-
How Do Computers Get Infected?
Worms & viruses are nefarious
All that is needed for virus propagation is for someone to click the file & open it
Worms don't even require that much action.
-
Fighting Computer Viruses & Worms
The best defense is an updated computer
Protective measures are also adopted by browsing software
-
Conficker : A new family of worms
Exploits a vulnerability in Microsoft Windows
Also spreads via USB devices
Designed to download other malware variants
-
Conficker : A new family of worms
Allows attackers to execute remote code
Spreads by RPC calls
Vulnerable machines will download a copy of the worm
The worm constantly updates
Changes its IP, making it difficult to get blocked
-
COMPUTER WORMS
Worms cause some harm to the network
Payload : code in the worm designed to do more than spread
-
EXISTING SYSTEM
Assumes that each infected computer scans and propagates at a high speed.
Will not be able to detect smart worms
-
PROPOSED SYSTEM
Based on the global scan traffic monitor
-
MODULES
C-Worm detection module
Malicious worm detection module / anomaly detection
Pure random scan (PRS) module
Worm propagation module
-
SOFTWARE REQUIREMENTS
Hardware Requirements
Processor : Pentium IV 2.6 GHz
RAM : 512 MB DDR RAM
Monitor : 15 color
Hard disk : 20 GB
Floppy Drive : 1.44 MB
CD Drive : LG 52X
Keyboard : Standard 102 keys
Mouse : 3 Button
-
SOFTWARE REQUIREMENTS
Software Requirements
Front End : Java, JFC(Swing)
Tools Used : Eclipse 3.3
Operating Systems : Windows XP/7
-
SOFTWARE REQUIREMENTS
FRONT END : JAVA
Developed by James Gosling at Sun Microsystems, released in 1995
Syntax derived from C & C++
General purpose, concurrent, class-based, object-oriented. Lets developers WORA (write once, run anywhere).
Client-server web application
-
java
Primary Goals
Simple, object-oriented & familiar
Robust & secure
Architecture-neutral & portable
High performance
Interpreted, threaded & dynamic
-
java
Pcap (packet capture)
Application programming interface (API) for capturing network traffic
Windows uses a port of libpcap known as WinPcap
Libpcap/WinPcap support saving captured packets
Jpcap
Java library for capturing & sending network packets
Open source & licensed under the GNU LGPL
-
java
Jnetpcap
True Java wrapper around the native libpcap & WinPcap libraries
Libpcap
Developed by the tcpdump developers
Capture file reading & writing code of tcpdump
WinPcap
Implementation of a lower-level library for the listed OS to communicate
-
Java networking
Provides many built-in networking classes through its .net, .nio & .rmi packages
java.net provides HTTP connections & streams as well as protocol sockets
An Internet address uniquely identifies each computer on the network
Servers share resources
Network sockets are used in the TCP/IP protocol
Internet streams allow access to remote document data
-
BACKGROUND AND RELATED
WORK
Active Worms
Similar to biological viruses in terms of their infectious and self-propagating nature.
Identify vulnerable computers, infect them, and the worm-infected computers propagate the infection.
Use DNS, network topology and routing information
-
Active worms use various scan mechanisms to propagate themselves efficiently, such as
PRS (Pure Random Scan), network port scanning, email, file sharing,
Peer-to-Peer (P2P) networks, and Instant Messaging (IM).
-
Worm Detection
Worm detection can be generally classified into two categories:
1. host-based detection and
2. network-based detection.
C-Worm
The C-Worm camouflages its propagation by controlling scan traffic volume during its propagation.
-
Generic Worm Detection Architecture
Deployment of Monitoring
-
Deployment of Monitoring Components
The detection networks consist of a set of addresses monitored by monitoring components.
The monitoring components can be deployed on virtual machines or on gateways of local networks.
They can also be traffic analyzers beside routers, observing the traffic to a set of addresses.
Worms may not choose to scan the entire IPv4 address space. In addition, different worms might use different target spaces.
-
Detection Of C-Worm
Jpcap : for capturing & sending network packets
Host-based detection / Network-based detection
The C-Worm goes undetected by schemes that try to detect it only in the time domain
Use novel spectrum-based detection
-
Novel Spectrum-Based Detection
Frequency-domain based scheme
Uses the distribution of scan traffic volume in the frequency domain
Power spectrum density (PSD)
Spectrum flatness measure (SFM)
-
Power spectrum density (PSD)
How the power of the time series is distributed in the frequency domain
Spectrum flatness measure (SFM)
Ratio of the geometric mean to the arithmetic mean of the PSD coefficients
-
Detection Decision Rule
The SFM value is used to distinguish the C-Worm from normal non-worm traffic
Compare the SFM with a predefined threshold
If the SFM value is smaller than the threshold, then a C-Worm has occurred
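To make the PSD/SFM decision rule on these slides concrete, here is an added Python example (not the project's Java code): it computes the PSD of a scan-volume time series with a plain DFT, derives the SFM as the ratio of geometric to arithmetic mean of the PSD coefficients, and applies the threshold rule to constructed normal and C-Worm-like traffic samples. The DFT-based PSD, the threshold of 0.3 and the sample data are assumptions for this example.

```python
import cmath
import math
import random


def power_spectrum_density(series):
    """PSD of a scan-volume time series (assumption: |X_k|^2 / N from the DFT).

    The mean is removed so the DC bin does not dominate, and only bins 1..N/2
    are kept because the input is real-valued (the upper half mirrors them).
    """
    n = len(series)
    mean = sum(series) / n
    centered = [x - mean for x in series]
    psd = []
    for k in range(1, n // 2 + 1):
        xk = sum(centered[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
        psd.append(abs(xk) ** 2 / n)
    return psd


def spectral_flatness(psd):
    """SFM = geometric mean / arithmetic mean of the PSD coefficients.

    Close to 1 for a flat (noise-like) spectrum, close to 0 when the power is
    concentrated in a narrow band of frequencies, as the slides describe for the C-Worm.
    """
    eps = 1e-12  # keeps log() finite for bins with zero power
    vals = [p + eps for p in psd]
    geo = math.exp(sum(math.log(v) for v in vals) / len(vals))
    return geo / (sum(vals) / len(vals))


def c_worm_detected(series, threshold=0.3):
    """Decision rule from the slides: an SFM below the threshold flags a C-Worm.
    The threshold value 0.3 is an assumption for this example."""
    return spectral_flatness(power_spectrum_density(series)) < threshold


def sample_series(worm, n=256, seed=7):
    """Constructed scan-volume samples (packets per interval), not real traffic.
    Normal traffic: background around 50 with uniform jitter.
    C-Worm: the same background plus a slow rise-and-fall in scan volume
    (period 32 intervals) whose peak never crosses a fixed volume threshold."""
    rng = random.Random(seed)
    base = [50 + rng.uniform(-5, 5) for _ in range(n)]
    if not worm:
        return base
    return [b + 20 * math.sin(2 * math.pi * t / 32) for t, b in enumerate(base)]
```

The worm-like series has no visible trend in the time domain (its peaks stay well under the background plus 25), yet its power concentrates in a single frequency bin and its SFM falls far below that of the jittery background.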
-
ADVANTAGE
Reduced detection time
Effectively detects the C-Worm
Traditional worms are also detected
-
CONCLUSION
Developed a novel spectrum-based detection scheme
Superior detection performance
Lays the foundation for ongoing studies of smart worms
-
-
SCREENSHOT : Main frame
-
SCREENSHOT : systems scan
-
SCREENSHOT : scan drive
-
SCREENSHOT : scan folder
-
SCREENSHOT : task manager
-
SCREENSHOT : report
-
SCREENSHOT : log file
-
SCREENSHOT : about us
-
THANK YOU.