C-Worm Traffic Detection using Power Spectral Density and Spectral Flatness Measure

Abstract

As Internet and its technologies are improving with rapid pace, there are security threats growing with same pace. The malicious software such as worm is causing such threats to IT systems linked to information super highway. The worms are capable of replicating themselves and infect systems over network. Their traffic propagation can be detected by employing anti worm or virus software. However, there is a new type of worm that can camouflage itself so as to prevent anti worm software from identifying it. The difference between normal worm's traffic and C-worm's traffic can't be found when time domain is considered. However, in terms of frequency definitely it can be differentiated. Based on this hypothesis, this paper presents novel schemes such as PSD and SFM that are capable of differentiating the traffic of C-worm from background traffic. The empirical results revealed that our schemes are effecting in detecting camouflaging worms effectively besides identifying normal worms. Keywords - Traffic propagation, worm, camouflaging worm, time domain, and frequency domain. I. Introduction Worm is a word with broad meaning. It refers to any program which is malicious in nature. Such program could be a VIRUS, worm etc. They have common features which are also there with biological virus. The common features include that they replicate themselves and also propagate from one machine to another machine. The means of propagation is only through infected storage media and also networks of all kinds including those without wire. Active worms continuously strive to propagate themselves to other systems and make them insecure. This is a problem which has been around ever since the world came across malicious programs for the first time. Some worms include Slammer (2), Sasser (3) and Code-Red (1). Some worms will work together by forming bonnets and cause more damage to IT systems. The attacks made by such worms include DDoS; attack to obtain sensitive information; destroying data (5) and also put forth unwanted materials such as advertisements. Many such worms are commonly known as malware (malicious software). This includes virus as well. The virus could be boot sector virus, file virus, love virus, time bomb virus, Trojan virus and so on. There is enough evidence in the history that some people have made it their business to create malware and also solutions to prevent them. This is major problem in the world of computers. This man made evil will continue posing threats to IT systems and also cause the businesses to loose confidential information and thus loosing confidence and profits in the business (4), (6). Researchers also predicting the possibility of malicious programs such as bonnets to collaborate and cause more security threats to IT world. Such collaborated bonnets is known as super bots (7). As there were reports of worms causing major damage to IT systems, the past few years saw significant research in the area of worms. Worm detection and prevention is an essential task required by all systems involved in IT. Thus the presence of anti-worm software is felt and the same is done through research. The process of identifying the worms by observing their scan traffic much anti-worm software succeed in detecting and also preventing any damage to IT systems. The emergence of Internet and also other networking facilities and communication systems paved way for the increase of threats caused by worms. Studying different kinds of worms and their impact on the IT systems and also prevention techniques are to be given paramount importance. When a worm infects a system, it will propagate its traffic in the system to cause damage to its data. It also strives to propagate the traffic to other systems though infected storage media and networks to other systems in the real world. They keep on identifying IP addresses of systems in the world and infect them though the ways known to them. The common way they follow is generating scan traffic in the time domain and frequency domain. Thus they make all the systems attacked by worms vulnerable to security threats. There is a possibility of loosing companies' sensitive information that leads to collapse of business or losing in revenues in large scale. The patterns of the worms (2), (8), (9) are increasing day by day. The more patterns of worm propagation is known, the more possibility to detect and prevent them. The assumption of all software in the world that is sued to combat worms is that the worms generate scan traffic and try to replicate themselves and infect systems in the same network and remote networks. The patterns are generally having same characteristics so as to enable anti-worm to detect them. However, a new class of worm has come into existence. This new worm is capable of hiding its presence.