A Proposal of Malware Distinction Method Based on Scan Patterns Using Spectrum Analysis
ICONIP '09 Proceedings of the 16th International Conference on Neural Information Processing: Part II
Characterizing and defending against divide-conquer-scanning worms
Computer Networks: The International Journal of Computer and Telecommunications Networking
Active worms pose major security threats to the Internet. In this paper, we investigate a new class of active worms, the Camouflaging Worm (C-Worm for short). The C-Worm has the capability to intelligently manipulate its scan traffic volume over time, thereby camouflaging its propagation from existing worm detection systems. We analyze the characteristics of the C-Worm and conduct a comprehensive comparison between its traffic and non-worm traffic. We observe that these two types of traffic are barely distinguishable in the time domain; in the frequency domain, however, their distinction is clear, due to the recurring manipulative nature of the C-Worm. Motivated by our observations, we design a novel spectrum-based scheme to detect the C-Worm. Our scheme uses the Power Spectral Density (PSD) distribution of the scan traffic volume and its corresponding Spectral Flatness Measure (SFM) to distinguish C-Worm traffic from non-worm traffic. We conduct extensive performance evaluations of our proposed detection scheme against the C-Worm. The performance data clearly demonstrates that our proposed scheme can effectively detect C-Worm propagation.
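The following is an added illustration of the PSD/SFM idea described in the abstract; it is example code written for this page, not the authors' implementation. It assumes a scan-volume time series sampled at fixed intervals, uses a pure-Python radix-2 FFT, and works on two constructed series: a jittery baseline (standing in for non-worm traffic) and the same baseline with a periodic on/off manipulation added (standing in for C-Worm traffic). The SFM threshold of 0.2 is an assumption chosen for this toy data, not a value from the paper.

```python
import cmath
import math

N = 256            # number of samples in each constructed series
BASELINE = 200.0   # constructed mean scan volume per interval
PERIOD = 32        # assumed period of the C-Worm's on/off manipulation
BURST = 40.0       # assumed extra scan volume during the "on" half-period
SFM_THRESHOLD = 0.2  # assumed decision threshold; lower SFM = more peaky spectrum


def lcg_noise(n, seed=12345, amplitude=10.0):
    """Deterministic pseudo-random jitter in [-amplitude, amplitude] (constructed)."""
    state = seed
    out = []
    for _ in range(n):
        state = (1103515245 * state + 12345) % (2 ** 31)
        out.append((state / 2 ** 31 * 2 - 1) * amplitude)
    return out


def fft(x):
    """Radix-2 Cooley-Tukey FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even = fft(x[0::2])
    odd = fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        twiddle = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + twiddle
        out[k + n // 2] = even[k] - twiddle
    return out


def psd(series):
    """One-sided power spectral density of the mean-removed series.

    The DC bin is dropped so that the average volume does not dominate;
    index i of the result corresponds to frequency bin i + 1.
    """
    n = len(series)
    mean = sum(series) / n
    spectrum = fft([v - mean for v in series])
    return [abs(c) ** 2 / n for c in spectrum[1:n // 2]]


def spectral_flatness(power, floor=1e-12):
    """SFM = geometric mean / arithmetic mean of the PSD bins (1.0 = white noise)."""
    clipped = [max(p, floor) for p in power]
    geometric = math.exp(sum(math.log(p) for p in clipped) / len(clipped))
    arithmetic = sum(clipped) / len(clipped)
    return geometric / arithmetic


def dominant_bin(power):
    """Frequency bin (1-based) holding the most power; useful for reporting the period."""
    return max(range(len(power)), key=lambda i: power[i]) + 1


def classify(series, threshold=SFM_THRESHOLD):
    """Flag a series as C-Worm-like when its spectrum is far from flat."""
    return "c-worm-like" if spectral_flatness(psd(series)) < threshold else "non-worm-like"


# Constructed sample traffic: baseline jitter vs. baseline plus periodic bursts.
BACKGROUND = [BASELINE + v for v in lcg_noise(N)]
CWORM = [v + (BURST if (i % PERIOD) < PERIOD // 2 else 0.0)
         for i, v in enumerate(BACKGROUND)]


if __name__ == "__main__":
    for name, series in (("background", BACKGROUND), ("c-worm", CWORM)):
        power = psd(series)
        print(f"{name:10s} SFM={spectral_flatness(power):.3f} "
              f"peak bin={dominant_bin(power)} -> {classify(series)}")
```

The burst series keeps almost the same mean and range as the background, which is why a volume threshold in the time domain would not separate them; the spectrum, by contrast, concentrates the manipulation's energy in bin N/PERIOD and its odd harmonics, driving the SFM down by more than an order of magnitude.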