On Detecting Camouflaging Worm

Wei Yu
Computer Science Dept., Texas A&M University, Texas

Xun Wang
Ohio State University

Prasad Calyam
Ohio State University

Dong Xuan
Ohio State University

Wei Zhao
Computer Science Dept., Texas A&M Univ.

Active worms pose major security threats to the Internet. With the
recent increase in new forms of active worms, much work has been
devoted towards modeling, detecting and defending against active
worms. In this paper, we address issues related to a new class of
active worm, viz., the Camouflaging Worm (C-Worm). The C-Worm has
the ability to camouflage its propagation by intelligently
manipulating its scanning traffic volume over time so that its
propagation may not be detected by the existing worm detection
schemes. We analyze the characteristics of the C-Worm and compare
its traffic with normal non-worm scanning traffic. We
observe that the two are relatively indistinguishable in the time
domain. However, in the frequency domain, the distinction is clear
due to the manipulative nature of the C-Worm. Motivated by our
observations, we design a novel spectrum-based scheme to detect the
C-Worm. Our scheme uses the Power Spectral Density (PSD)
distribution of the scanning traffic volume and its corresponding
Spectral Flatness Measure (SFM). Via extensive simulations
that use real traces as background scanning traffic, we demonstrate
that our spectrum-based scheme can more rapidly and accurately
detect C-Worms in comparison to some of the popular worm detection
schemes. Furthermore, we show the generality of our spectrum-based
scheme, as it not only detects the C-Worms, but can also effectively
identify the traditional worms.

Keywords: Worm Attacks, Camouflaging, Spectrum-based Detection
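
The PSD/SFM idea described in the abstract, as an added example that is not code from the paper: it estimates the PSD of a scan-count series with a periodogram and computes spectral flatness as the geometric mean of the PSD over its arithmetic mean. The two traces, the sinusoidal model of manipulated scan volume, and the 0.3 threshold are assumptions constructed for this illustration.

```python
import cmath
import math
import random

def psd(series):
    """Periodogram PSD estimate: |DFT|^2 / n at frequency bins k = 1 .. n/2 - 1."""
    n = len(series)
    mean = sum(series) / n
    x = [v - mean for v in series]  # drop DC so the average scan rate does not dominate
    return [abs(sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))) ** 2 / n
            for k in range(1, n // 2)]

def sfm(spectrum, eps=1e-12):
    """Spectral Flatness Measure: geometric mean / arithmetic mean of the PSD, in (0, 1]."""
    log_gm = sum(math.log(p + eps) for p in spectrum) / len(spectrum)
    return math.exp(log_gm) / (sum(spectrum) / len(spectrum))

def make_traces(n=256, seed=7, period=32, amplitude=25.0):
    """Constructed scans-per-window series; not real trace data."""
    rng = random.Random(seed)
    background = [100.0 + rng.gauss(0, 10) for _ in range(n)]
    # Assumed model of manipulated scanning: a slow periodic rise and fall in volume.
    camouflaged = [b + amplitude * math.sin(2 * math.pi * t / period)
                   for t, b in enumerate(background)]
    return background, camouflaged

def is_suspicious(series, threshold=0.3):
    """Flag a series whose spectral power is concentrated in few bins (low flatness)."""
    return sfm(psd(series)) < threshold

if __name__ == "__main__":
    bg, cw = make_traces()
    for name, s in (("background", bg), ("camouflaged", cw)):
        print(f"{name:12s} mean={sum(s)/len(s):7.2f} SFM={sfm(psd(s)):.3f} "
              f"flagged={is_suspicious(s)}")
```

Both constructed series have the same mean scan volume, so a threshold on average volume sees no difference between them; only the flatness of the spectrum separates them.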
