Active worms pose major security threats to the Internet. An active worm is a malicious program that self-propagates across a network and infects hosts without user involvement. In 2001, the "Code-Red" worm infected more than 350,000 Microsoft IIS servers in less than 14 hours and caused an estimated 1.2 billion dollars of damage. Among the many forms of active worms, we studied a particular worm called the Camouflaging Worm (C-Worm). The C-Worm camouflages its propagation by deliberately manipulating its scanning traffic volume over time, so that its spread goes undetected by existing worm detection schemes, which look for an abnormal volume or growth of scanning traffic.

In collaboration with the Networking Research Lab at The Ohio State University, we analyzed the characteristics of the C-Worm and compared its scanning traffic with normal, non-worm scanning traffic. We observed that the two are hard to distinguish in the time domain. In the frequency domain, however, there is a clear distinction, because the worm's manipulation of its scan rate introduces structure that normal scanning traffic lacks.

Motivated by these observations, we designed a Digital Signal Processing (DSP) scheme to detect the C-Worm. Our scheme computes the Power Spectral Density (PSD) distribution of the scanning traffic volume and its corresponding Spectral Flatness Measure (SFM), the ratio of the geometric mean to the arithmetic mean of the PSD: a noise-like spectrum yields an SFM close to 1, while a spectrum whose power is concentrated in a few frequencies, as the C-Worm's is, yields an SFM close to 0. Our studies demonstrated that this spectrum-based scheme rapidly and accurately detects C-Worm propagation that would otherwise go undetected by existing worm detection schemes.
Figure: Power Spectral Density Function of C-Worm Scanning Traffic
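The following is an added illustration of the PSD/SFM idea described above; it is not code from the paper or the project. It constructs two synthetic scans-per-minute traces, one noise-like "normal" trace and one "C-Worm-like" trace in which the worm is assumed, purely for illustration, to switch its scan rate on and off on a fixed schedule on top of jittered background traffic. Both traces have a similar mean and standard deviation in the time domain, but the periodogram of the worm trace concentrates power in the bins of the switching frequency and its harmonics, so its SFM is far lower. The pure-Python DFT, the trace parameters and the 0.3 decision threshold are all assumptions of this example, not values from the paper.

```python
# Added example (not from the paper): spectral-flatness check on scan-volume traces.
import cmath
import math
import random


def periodogram(samples):
    """PSD estimate: |DFT(x - mean)|^2 / N for bins 0..N/2.
    Direct O(N^2) DFT in pure Python; adequate for a few hundred samples."""
    n = len(samples)
    mean = sum(samples) / n
    centred = [x - mean for x in samples]  # drop the DC term so it cannot dominate the PSD
    psd = []
    for k in range(n // 2 + 1):
        acc = 0j
        for t, x in enumerate(centred):
            acc += x * cmath.exp(-2j * math.pi * k * t / n)
        psd.append(abs(acc) ** 2 / n)
    return psd


def spectral_flatness(psd, eps=1e-12):
    """SFM = geometric mean / arithmetic mean over the non-DC bins.
    Close to 1.0 for a flat (noise-like) spectrum, close to 0 when power sits in a few bins."""
    bins = [p + eps for p in psd[1:]]
    geo = math.exp(sum(math.log(p) for p in bins) / len(bins))
    arith = sum(bins) / len(bins)
    return geo / arith


def normal_scan_trace(n=256, mean=200.0, sd=60.0, seed=1):
    """Constructed background scanning: scans per minute as Gaussian jitter around a mean."""
    rng = random.Random(seed)
    return [max(0.0, rng.gauss(mean, sd)) for _ in range(n)]


def cworm_scan_trace(n=256, background=140.0, burst=120.0, period=16, sd=20.0, seed=2):
    """Constructed C-Worm-like trace. Assumption for illustration: the worm alternates its
    scan rate on a fixed schedule (a square wave of the given period, half on / half off),
    added to jittered background scanning. Overall mean and spread match the normal trace."""
    rng = random.Random(seed)
    trace = []
    for t in range(n):
        worm = burst if (t // (period // 2)) % 2 == 0 else 0.0
        trace.append(max(0.0, background + worm + rng.gauss(0.0, sd)))
    return trace


def time_domain_summary(samples):
    """Mean and standard deviation of a trace, i.e. what a volume-based detector sees."""
    n = len(samples)
    mean = sum(samples) / n
    var = sum((x - mean) ** 2 for x in samples) / n
    return mean, math.sqrt(var)


def classify(samples, threshold=0.3):
    """Flag a trace as C-Worm-like when its spectrum is far from flat.
    The threshold is an assumed cut-off for this example, not a value from the paper."""
    return "cworm" if spectral_flatness(periodogram(samples)) < threshold else "normal"


if __name__ == "__main__":
    for name, trace in (("normal", normal_scan_trace()), ("cworm", cworm_scan_trace())):
        m, s = time_domain_summary(trace)
        sfm = spectral_flatness(periodogram(trace))
        print(f"{name:6s} mean={m:6.1f} sd={s:5.1f}  SFM={sfm:.3f} -> {classify(trace)}")
```

Running the script prints both traces with a mean near 200 scans per minute and a standard deviation near 60, so neither mean nor variance separates them; the SFM of the worm trace, however, lands well below 0.1 while the noise-like trace stays above 0.4. A real deployment would slide this computation over a window of recent scan counts rather than a single fixed trace, and would pick the threshold from the observed SFM distribution of benign traffic.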
Wei Yu, Xun Wang, Prasad Calyam, Dong Xuan, Wei Zhao, "On Detecting Camouflaging Worms", Annual Computer Security Applications Conference (ACSAC), 2006. [pdf]