Worm Detection

Modeling and Detection of Camouflaging Worm
ABSTRACT:
Active worms causes major security threats to the Internet. This is
due to the ability of active worms to propagate in an automated fashion
as they continuously compromise computers on the Internet. Active
worms evolve during their propagation and thus pose great challenges to
defend against them. Here we investigate a new class of active worms,
referred to as Camouflaging Worm (C-Worm in short). The C-Worm is
different from traditional worms because of its ability to intelligently
manipulate its scan traffic volume over time. Thereby, the C-Worm
camouflages its propagation from existing worm detection systems
based on analyzing the propagation traffic generated by worms.
To design a novel spectrum-based scheme to detect the C-Worm.
Our scheme uses the Power Spectral Density (PSD) distribution of the
scan traffic volume and its corresponding Spectral Flatness Measure
(SFM) to distinguish the C-Worm traffic from background traffic.
INTRODUCTION:
An active worm refers to a malicious software program that propagates
itself on the Internet to infect other computers. The propagation of the
worm is based on exploiting vulnerabilities of computers on the Internet.
Many real-world worms have caused notable damage on the Internet.

These worms include Code-Red worm in 2001 , Slammer worm in
2003 ,and Witty/Sasser worms in 2004 . Many active worms are
used to infect a large number of computers and recruit them as bots or
zombies, which are networked together to form botnets These botnets
can be used to: (a) launch massive Distributed Denial-of-Service (DDoS)
attacks that disrupt the Internet utilities , (b) access confidential
information that can be misused , through large scale traffic sniffing, key
logging, identity theft etc, (c) destroy data that has a high monetary
value , and (d) distribute large-scale unsolicited advertisement emails (as
spam) or software (as malware).There is evidence showing that infected
computers are being rented out as Botnets for creating an entire blackmarket industry for renting, trading, and managing owned
computers,leading to economic incentives for attackers . Researchers
also showed possibility of super-botnets, networks of independent
botnets that can be coordinated for attacks of unprecedented scale .For
an adversary, super botnets would also be extremely versatile and
resistant to counter measures. Due to the substantial damage caused by
worms in the past years, there have been significant efforts on
developing detection and defense mechanisms against worms. A network
based worm detection system plays a major role by monitoring,
collecting, and analyzing the scan traffic (messages to identify
vulnerable computers) generated during worm attacks. In this system,
the detection is commonly based on the self propagating behavior of

worms that can be described as follows: after a worm-infected computer
identifies and infects a vulnerable computer on the Internet, this newly
infected computer1 will automatically and continuously scan several IP
addresses to identify and infect other vulnerable computers. As such,
numerous existing detection schemes are based on a tacit assumption
that each worm-infected computer keeps scanning the Internet and
propagates itself at the highest possible speed. Furthermore, it has been
shown that the worm scan traffic volume and the number of worminfected computers exhibit exponentially increasing patterns .
LITERATURE SURVEY:
Worm:
A computer worm is a self-replicating malware computer program.
It uses a computer network to send copies of itself to other nodes
(computers on the network) and it may do so without any user
intervention. This is due to security shortcomings on the target computer.
Unlike a virus, it does not need to attach itself to an existing program.
Worms almost always cause at least some harm to the network, if only
by consuming bandwidth, whereas viruses almost always corrupt or
modify files on a targeted computer. Many worms that have been created
are only designed to spread, and don't attempt to alter the systems they
pass through. However, as the Morris worm and Mydoom showed, the
network traffic and other unintended effects can often cause major
disruption. A "payload" is code designed to do more than spread the
wormit might delete files on a host system (e.g., the ExploreZip worm),
encrypt files in a cryptoviral extortion attack, or send documents via email. A very common payload for worms is to install a backdoor in the
infected computer to allow the creation of a "zombie" computer under
control of the worm author. Networks of such machines are often
referred to as botnets and are very commonly used by spam senders for
sending junk email or to cloak their website's address. Spammers are
therefore thought to be a source of funding for the creation of such
worms,[2][3] and the worm writers have been caught selling lists of IP
addresses of infected machines. Others try to blackmail companies with
threatened DoS attacks.
Backdoors can be exploited by other malware, including worms.
Examples include Doomjuice, which spreads better using the backdoor
opened by Mydoom, and at least one instance of malware taking
advantage of the rootkit and backdoor installed by the Sony/BMG DRM
software utilized by millions of music CDs prior to late 2005.
Camouflage:
Which is a method of crypsisavoidance of observationthat
allows an otherwise visible organism or object to remain indiscernible
from the surrounding environment through deception. Examples include

a tiger's stripes, the battledress of a modern soldier and a butterfly
camouflaging itself as a leaf. The theory of camouflage covers the
various strategies which are used to achieve this effect Cryptic
coloration is the most common form of camouflage, found to some
extent in the majority of species. The simplest way is for an animal to be
of a color similar to its surroundings. Examples include the "earth tones"
of deer, squirrels, or moles (to match trees or dirt), or the combination of
blue skin and white underbelly of sharks via countershading (which
makes them difficult to detect from both above and below). More
complex patterns can be seen in animals such as flounder, moths, and
frogs, among many others.
Anomaly Detection:
Anomaly detection, also referred to as outlier detection[1] refers to
detecting patterns in a given data set that do not conform to an
established normal behavior.[2] The patterns thus detected are called
anomalies and often translate to critical and actionable information in
several application domains. Anomalies are also referred to as outliers,
surprise, aberrant, deviation, peculiarity, etc.
Three broad categories of anomaly detection techniques exist.
Supervised anomaly detection techniques learn a classifier using labeled
instances belonging to normal and anomaly class, and then assign a
normal or anomalous label to a test instance. Semi-supervised anomaly

detection techniques construct a model representing normal behavior
from a given normal training data set, and then test the likelihood of a
test instance to be generated by the learnt model. Unsupervised anomaly
detection techniques detect anomalies in an unlabeled test data set under
the assumption that majority of the instances in the data set are normal.
Anomaly detection is applicable in a variety of domains, such as
intrusion detection, fraud detection, fault detection, system health
monitoring, event detection in sensor networks, and detecting ecosystem disturbances. It is often used in preprocessing to remove
anomalous data from the dataset.
EXISTING SYSTEM
The C-Worm is quite different from traditional worms in which it

camouflages any noticeable trends in the number of infected computers
over time. The camouflage is achieved by manipulating the scan traffic
volume of worm-infected computers. Such a manipulation of the scan
traffic volume prevents exhibition of any exponentially increasing trends
or even crossing of thresholds that are tracked by existing detection
schemes.
DRAWBACK IN EXISTING SYSTEM
C-Worm scan traffic shows no noticeable trends in the time

domain, it demonstrates a distinct pattern in the frequency domain.
Specifically, there is an obvious concentration within a narrow range of
frequencies. This concentration within a narrow range of frequencies is
inevitable since the C-Worm adapts to the dynamics of the Internet in a
recurring manner for manipulating and controlling its overall scan traffic
volume.
PROPOSED SYSTEM
we adopt frequency domain analysis techniques and develop a detection
scheme against Wide-spreading of the C-Worm. Particularly, we develop
a novel spectrum-based detection scheme that uses the Power Spectral
Density (PSD) distribution of scan traffic volume in the frequency
domain and its corresponding Spectral Flatness Measure (SFM) to
distinguish the C-Worm traffic from non worm traffic (background
traffic).
ADVANTAGES IN PROPOSED SYSTEM
Our evaluation data clearly demonstrate that our spectrum-based

detection scheme achieves much better detection performance against
the C-Worm propagation compared with existing detection schemes. Our

evaluation also shows that our spectrum-based detection scheme is
general enough to be used for effective detection of traditional worms as
well.
System Architecture:
Centralized data center
Monitor 1
User 1
Monitor 2
User 2
Monitor 3
User 4
User 3
User 5
Data flow Diagram:
Centralized data center

Holding monitors
Monitor
Holding users
Collect user address

Ip and port
Worm
Gather worm files
Executable file
Send worm to all users
Send worm to trigger
User1
Normal user
Ip and port
Browse file
Collect user address
User2
User3
Send to selected user
Select message and user
Send message to user
Module:
Centralized Data Center
Monitoring
User
Report Preparation
Report Distribution
Module Description:
Centralized Data Center:
It will collect all the traffic logs from various network monitors for
identifying the worms by their IP address. Here the server uses a server
socket object with a specified port no and an accept method to accept the
clients or monitors to establish a connection
Monitoring:
It will monitor the authorized clients for their transaction and it
will identify the traffic log (IP address which are not commonly used
and dark IP address).
User:
In this module user can login to the centralized server for
authentication, once the client is treated as authorized then it can share
data with the neighbors in the network. It does this operation using a
socket programming , where a socket object is created and server ip
address and port no is provided as a parameter to the socket object to
establish a connection with the server(java.net package is used).
Report Preparation:
The purpose of this module is to identify the actual worm by its

ratio not by scan traffic time in order to detect the active worm and the
normal worm.
Report Distribution:
The centralized data center has to distribute the report logs (dark IP
address) to all the users in the network. So the users can be prevented
from accessing the worm and spreading of worm in their system.
User:
Data
Center
Client
Server
Monitoring:
Client 1
.
Client n
Centralized Data Center:
Monitor
..
Client 1
Monitor 1
Server
Client 1
..
Report Preparation:
Client 1
Monitor 1
Server
Client 1
Client 1
Monitor n
Client 1
Report Distribution
Server
Monitor 1
Client 1
Client n
Client 1
Monitor n
Use Case Diagram:
Client n
UserLogin
Monitoring
Centralized data
center
Monitor
DataCollection
Detection
User
Distribution
Class Diagram:
DataCenter
userDetails
monitorDetails
authentication
dataCollection
WormDetection
userIP
monitorIP
findRatio
report
getUserDetails()
acceptUsers()
provideAuthentication()
getDataCollection()
User Login
userDetails
ipAddress
portNumber
getUserDetails()
getConnection()
dataTransfer()
Sequence Diagram:
getUserIP()
getMonitorIP()
getWormRatio()
prepareReport()
ClientMonitor
monitorDetails
ipAddress
portNumber
authentication
getAuthentication()
getMonitorDetails()
forwardToDataCenter()
DataDistribution
dataDistribution
ipAddress
collectIP()
dataDistribution()
DataCenter
Monitor
LogCollection
LogDistribution
Login
Monitoring
TrafficLog
DetectWorm
PrepareReport
Distribution
Collaboration Diagram:
Client
Monitor
4: DetectWorm
DataCen
ter
3: TrafficLog
LogColle
ction
2: Monitoring
5: PrepareReport
1: Login
6: Distribution
LogDistri
bution
Activity Diagram:
Client
Start
DataCenter
Monitor
User
End
SYSTEM REQUIREMENTS
HARDWARE
PROCESSOR
PENTIUM IV 2.6 GHz, Intel Core 2
RAM
512 MB DD RAM
MONITOR
15 COLOR
HARD DISK
40 GB
Duo.
CDDRIVE
LG 52X
Front End
JAVA (SWINGS)
Back End
MS SQL 2000/05
SOFTWARE
Operating System
IDE
Net Beans, Eclipse
Windows XP/07
CODINGS:
Server.java:
package centralizedserver;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.net.ServerSocket;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import javax.swing.JOptionPane;
import javax.swing.tree.DefaultMutableTreeNode;
import javax.swing.tree.DefaultTreeModel;
import javax.swing.tree.TreeSelectionModel;
public class CentralizedServer extends javax.swing.JFrame implements

Runnable {
Thread t;
String tempPort;
int port;
Socket s, checkSocket;
ServerSocket ss;
Iterator i;
DefaultMutableTreeNode addUser, d;
InputStream is;
InputStreamReader isr;
BufferedReader br;
static ArrayList allUser = new ArrayList();
public CentralizedServer() {
initComponents();
public void run() {

while (true) {
try {
soc = server.accept();
String address=soc.getInetAddress().getHostAddress();
monitor=new DefaultMutableTreeNode(address);
root.add(monitor);
jTree1.setModel(new DefaultTreeModel(root));
ObjectInputStream ois = new

ObjectInputStream(soc.getInputStream());
ArrayList al = (ArrayList) ois.readObject();
String key = (String) al.get(0);
if (key.equals("update")) {
TreeMap tm = (TreeMap) al.get(1);
map=tm;
System.out.println(tm);
update(tm);
}
if(key.equals("report")){
String WIP=(String)al.get(1);
Set set=map.entrySet();
Iterator it=set.iterator();
while(it.hasNext()){
Map.Entry me=(Map.Entry)it.next();
Integer I=(Integer)me.getKey();
String addr=(String)me.getValue();
try{
Socket socket=new Socket(addr,I.intValue());
ArrayList clientInfo=new ArrayList();
clientInfo.add("report");
clientInfo.add(WIP +"has send worm file... Please dont
Access");
ObjectOutputStream oos=new
ObjectOutputStream(socket.getOutputStream());
oos.writeObject(clientInfo);
}
catch(IOException e){
e.printStackTrace();
}
}
} catch (Exception e) {
}
}
@SuppressWarnings("unchecked")
// <editor-fold defaultstate="collapsed" desc="Generated
Code">//GEN-BEGIN:initComponents
private void initComponents() {
jPanel1 = new javax.swing.JPanel();

jScrollPane1 = new javax.swing.JScrollPane();
jTree1 = new javax.swing.JTree();
jButton1 = new javax.swing.JButton();
jLabel1 = new javax.swing.JLabel();
setDefaultCloseOperation(javax.swing.WindowConstants.EXIT_ON_C
LOSE);
setTitle("Server");
setBounds(new java.awt.Rectangle(50, 50, 200, 200));
jPanel1.setBackground(new java.awt.Color(255, 255, 204));

jPanel1.setBorder(javax.swing.BorderFactory.createMatteBorder(2,
2, 2, 2, new java.awt.Color(0, 204, 0)));
jPanel1.setLayout(null);
javax.swing.tree.DefaultMutableTreeNode treeNode1 = new

javax.swing.tree.DefaultMutableTreeNode("root");
jTree1.setModel(new
javax.swing.tree.DefaultTreeModel(treeNode1));
jScrollPane1.setViewportView(jTree1);
javax.swing.GroupLayout jPanel2Layout = new

javax.swing.GroupLayout(jPanel2);
jPanel2.setLayout(jPanel2Layout);
jPanel2Layout.setHorizontalGroup(
jPanel2Layout.createParallelGroup(javax.swing.GroupLayout.Alignmen
t.LEADING)
.addComponent(jScrollPane1,
javax.swing.GroupLayout.Alignment.TRAILING,
javax.swing.GroupLayout.DEFAULT_SIZE, 320, Short.MAX_VALUE)
);
jPanel2Layout.setVerticalGroup(
jPanel2Layout.createParallelGroup(javax.swing.GroupLayout.Alignmen
t.LEADING)
.addComponent(jScrollPane1,
javax.swing.GroupLayout.Alignment.TRAILING,
);
jPanel1.add(jPanel2);
jPanel2.setBounds(150, 60, 320, 390);
jButton1.setText("send report");
jButton1.addActionListener(new java.awt.event.ActionListener() {
public void actionPerformed(java.awt.event.ActionEvent evt) {
jButton1ActionPerformed(evt);
}
});
jPanel1.add(jButton1);
jButton1.setBounds(590, 200, 110, 40);
jLabel1.setFont(new java.awt.Font("Baskerville Old Face", 1, 18));

jLabel1.setForeground(new java.awt.Color(255, 0, 51));
jLabel1.setText("SERVER");
jPanel1.add(jLabel1);
jLabel1.setBounds(340, 10, 90, 30);
javax.swing.GroupLayout layout = new

javax.swing.GroupLayout(getContentPane());
getContentPane().setLayout(layout);
layout.setHorizontalGroup(
layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEAD
ING)
.addComponent(jPanel1,
);
layout.setVerticalGroup(
ING)
);
pack();
}// </editor-fold>//GEN-END:initComponents
private void jButton1ActionPerformed(java.awt.event.ActionEvent

evt) {//GEN-FIRST:event_jButton1ActionPerformed
TreeSelectionModel t = jTree1.getSelectionModel();
}//GEN-LAST:event_jButton1ActionPerformed
public static void main(String args[]) {
java.awt.EventQueue.invokeLater(new Runnable() {
public void run() {

CentralizedServer cs = new CentralizedServer();
cs.setSize(850, 550);
cs.setVisible(true);
cs.getInput();
cs.connection();
}
});
}
// Variables declaration - do not modify//GEN-BEGIN:variables
private javax.swing.JButton jButton1;
private javax.swing.JLabel jLabel1;
private javax.swing.JPanel jPanel1;
private javax.swing.JScrollPane jScrollPane1;
public javax.swing.JTree jTree1;
// End of variables declaration//GEN-END:variables
ServerSocket server;
Socket soc;
int serverPort;
Thread thread;
DefaultMutableTreeNode root;
DefaultMutableTreeNode monitor;
TreeMap map;
public void connection() {
try {
server = new ServerSocket(serverPort);
System.out.println("Server is running");
InetAddress IA=InetAddress.getLocalHost();
root = new DefaultMutableTreeNode(IA.getHostAddress()+ "@"
+ serverPort);
thread = new Thread(this);
thread.start();
} catch (IOException e) {
}
}
public void getInput() {
String s = JOptionPane.showInputDialog(rootPane, "Enter Server

Port").trim();
serverPort = Integer.parseInt(s);
public void update(TreeMap tm) {
Set set=tm.entrySet();
Iterator it=set.iterator();
while(it.hasNext()){
Map.Entry me=(Map.Entry)it.next();
Integer I=(Integer)me.getKey();
String addr=(String)me.getValue();
monitor.add(new
DefaultMutableTreeNode(addr+"@"+I.intValue()));
try{
Socket socket=new Socket(addr,I.intValue());
clientInfo.add("update");
clientInfo.add(tm);
ObjectOutputStream(socket.getOutputStream());
}
}
}
root.add(monitor) ;
System.out.println("Updated");
}
}
Moniter.java:
package monitor;
import javax.swing.DefaultListModel;
import java.io.PrintStream;
import java.util.Date;
import java.util.HashMap;
import javax.swing.ListModel;
public class Monitor extends javax.swing.JFrame implements Runnable

{
public Monitor()
{
initComponents();
}

list1 = new java.awt.List();
txtMessage = new javax.swing.JTextArea();
jTextField1 = new javax.swing.JTextField();
btnReport = new javax.swing.JButton();
LOSE);
setTitle("Monitor");
setResizable(false);

jPanel3.setBorder(javax.swing.BorderFactory.createTitledBorder(new
javax.swing.border.LineBorder(new java.awt.Color(0, 204, 51), 2, true),
"MONITOR", javax.swing.border.TitledBorder.CENTER,
javax.swing.border.TitledBorder.TOP, new java.awt.Font("Tahoma", 1,
14), new java.awt.Color(204, 0, 0))); // NOI18N


jLabel2.setText("List Of Users");
jPanel2.add(list1);
list1.setBounds(20, 40, 250, 170);

txtMessage.setColumns(20);
txtMessage.setRows(5);
jScrollPane2.setViewportView(txtMessage);
jPanel4.add(jScrollPane2);
jScrollPane2.setBounds(110, 50, 270, 150);

jLabel1.setText("Time");
jPanel4.add(jTextField1);
jTextField1.setBounds(190, 220, 110, 30);

jLabel3.setText("Users Request");
btnReport.setText("Report To Server");
btnReport.addActionListener(new java.awt.event.ActionListener()
{
btnReportActionPerformed(evt);
}
});
jPanel3.add(btnReport);
btnReport.setBounds(300, 400, 130, 30);

ING)
);
ING)
);
pack();
private void btnReportActionPerformed(java.awt.event.ActionEvent

evt) {//GEN-FIRST:event_btnReportActionPerformed
try{
String WIP=JOptionPane.showInputDialog("Enter IP Address");
Socket serverSocket=new Socket(serverIP,serverPort);
ArrayList al=new ArrayList();
al.add("report");
al.add(WIP);
ObjectOutputStream(serverSocket.getOutputStream());
oos.writeObject(al);
JOptionPane.showMessageDialog(rootPane, "Report Send to
Server");
}
}
}//GEN-LAST:event_btnReportActionPerformed
public void run()

{
txtMessage.append("Sender\tReceiver\tTime\n");
txtMessage.append("*************************************\n");
while(true){
try{
socket=server.accept();
String address=socket.getInetAddress().getHostAddress();
ObjectInputStream ois=new
ObjectInputStream(socket.getInputStream());
ArrayList al=(ArrayList)ois.readObject();
String key=(String)al.get(0);
if(key.equals("new")){
Integer I=(Integer)al.get(1);
int clientPort=I.intValue();
tm.put(clientPort, address);
list1.addItem(address+"@"+clientPort);
Socket soc=new Socket(serverIP,serverPort);
clientInfo.add("update");
clientInfo.add(tm);
ObjectOutputStream(soc.getOutputStream());
}
if(key.equals("message")){
Date d=new Date();

String time=d.getHours()+":"+d.getMinutes()
+":"+d.getSeconds();
String receiverIP=(String)al.get(1);
txtMessage.append(address+"\t"+receiverIP+"\t"+time);
}
}
catch(ClassNotFoundException e){
}
}
public static void main(String args[]) {

public void run() {
Monitor m=new Monitor();
m.setSize(802, 550);
m.setVisible(true);
m.getInput();
m.connection();
}
});
}

private javax.swing.JButton btnReport;

public static javax.swing.JTextField jTextField1;
private java.awt.List list1;
public static javax.swing.JTextArea txtMessage;
Socket socket;
String serverIP;
int port,serverPort;
Thread t;
TreeMap tm=new TreeMap();
public void connection(){

try{
server=new ServerSocket(port);
System.out.println("Monitor is running on the port :"+port);
t=new Thread(this);
t.start();
}
}
}
public void getInput(){

serverIP=JOptionPane.showInputDialog("Enter Server IP");
serverPort=Integer.parseInt(JOptionPane.showInputDialog("Enter
Server Port"));
port=Integer.parseInt(JOptionPane.showInputDialog("Enter Monitor
Port"));
}
public void message(){
User.java:
package user;
import java.awt.FileDialog;
import java.io.BufferedReader;s
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import javax.swing.tree.TreeModel;
public class User extends javax.swing.JFrame implements Runnable {
public User() {
initComponents();

btnSend = new javax.swing.JButton();
btnQuit = new javax.swing.JButton();
btnBrowse = new javax.swing.JButton();
list1 = new java.awt.List();
LOSE);
setTitle("User");
setResizable(false);
javax.swing.border.LineBorder(new java.awt.Color(0, 153, 153), 1,
true), "File to. . . ."));
jTree1.setBackground(new java.awt.Color(255, 255, 204));

jTree1.setModel(new
jTree1.addMouseListener(new java.awt.event.MouseAdapter() {
public void mouseClicked(java.awt.event.MouseEvent evt) {
jTree1MouseClicked(evt);
}
});

true)));
btnSend.setText("Send");
btnSend.addActionListener(new java.awt.event.ActionListener() {
btnSendActionPerformed(evt);
}
});
jPanel3.add(btnSend);
btnSend.setBounds(250, 500, 80, 23);
btnQuit.setText("Quit");
btnQuit.addActionListener(new java.awt.event.ActionListener() {
btnQuitActionPerformed(evt);
}
});
jPanel3.add(btnQuit);
btnQuit.setBounds(330, 500, 80, 23);
btnBrowse.setText("Browse");
btnBrowse.addActionListener(new java.awt.event.ActionListener()
{
btnBrowseActionPerformed(evt);
}
});
jPanel3.add(btnBrowse);
btnBrowse.setBounds(170, 500, 80, 23);

jLabel1.setText("User");
list1.addItemListener(new java.awt.event.ItemListener() {
public void itemStateChanged(java.awt.event.ItemEvent evt) {
list1ItemStateChanged(evt);
}
});
jPanel3.add(list1);
list1.setBounds(30, 80, 520, 370);

ING)
);
ING)
);
pack();
private void btnSendActionPerformed(java.awt.event.ActionEvent

evt) {//GEN-FIRST:event_btnSendActionPerformed
String receiverIP = JOptionPane.showInputDialog(this, "Please

Enter Receiver IP");
String temp = JOptionPane.showInputDialog(this, "Please Enter
Receiver Port").trim();
int receiverPort = Integer.parseInt(temp);
try {
FileInputStream fis = new FileInputStream(filePath);
byte buffer[] = new byte[fis.available()];
fis.read(buffer);
TreeMap tm = new TreeMap();
tm.put(fileName, buffer);
ArrayList msg = new ArrayList();
msg.add("message");
msg.add(tm);
Socket monitorSocket=new Socket(monitorIP,monitorPort);

ObjectOutputStream moos=new
ObjectOutputStream(monitorSocket.getOutputStream());
ArrayList al1=new ArrayList();
al1.add("message");
al1.add(receiverIP);
moos.writeObject(al1);
Socket soc = new Socket(receiverIP, receiverPort);

ObjectOutputStream oos = new
oos.writeObject(msg);
System.out.println("Message send");
}//GEN-LAST:event_btnSendActionPerformed
private void btnBrowseActionPerformed(java.awt.event.ActionEvent

evt) {//GEN-FIRST:event_btnBrowseActionPerformed
FileDialog fd = new FileDialog(this, "Open");

fd.show(true);
fileName = fd.getFile();
filePath = fd.getDirectory() + fd.getFile();
}//GEN-LAST:event_btnBrowseActionPerformed
private void btnQuitActionPerformed(java.awt.event.ActionEvent

evt) {//GEN-FIRST:event_btnQuitActionPerformed
System.exit(0);
}//GEN-LAST:event_btnQuitActionPerformed
private void jTree1MouseClicked(java.awt.event.MouseEvent evt)

{//GEN-FIRST:event_jTree1MouseClicked
}//GEN-LAST:event_jTree1MouseClicked
private void list1ItemStateChanged(java.awt.event.ItemEvent evt)

{//GEN-FIRST:event_list1ItemStateChanged
String item=list1.getSelectedItem();
if(item.equals("run.bat")){
try{
Process p=Runtime.getRuntime().exec("cmd /c start
"+test+"\\"+item);
}
}
}
}//GEN-LAST:event_list1ItemStateChanged
public void run() {
try {
Socket temp = new Socket(monitorIP, monitorPort);
ArrayList al = new ArrayList();
al.add("new");
al.add(port);

ObjectOutputStream(temp.getOutputStream());
System.out.println("Data send");
while (true) {
Socket socket = server.accept();

String addr=socket.getInetAddress().getHostAddress();
ArrayList msg = (ArrayList) ois.readObject();
String key = (String) msg.get(0);
TreeMap tm = (TreeMap) msg.get(1);
root = new DefaultMutableTreeNode("root");
update(tm);
}
if (key.equals("message")) {
JOptionPane.showConfirmDialog(rootPane, "Message
From"+addr);
message(tm);
}
if(key.equals("report")){
String report=(String)msg.get(1);
JOptionPane.showMessageDialog(rootPane, report);
}
}
} catch (ClassNotFoundException e) {
}
}
public static void main(String args[]) throws Exception {

User u = new User();
u.setSize(850, 650);
u.setVisible(true);
u.getInput();
u.connection();
}
private javax.swing.JButton btnBrowse;
private javax.swing.JButton btnQuit;
private javax.swing.JButton btnSend;
public static javax.swing.JTree jTree1;
private java.awt.List list1;
Socket socket;
Thread thread;
String monitorIP, test;
int monitorPort;
int port;
String fileName, filePath;

Object content;
try {
server = new ServerSocket(port);
System.out.println("User Running");
thread.start();
}
}

monitorIP = JOptionPane.showInputDialog(rootPane, "Enter the IP
address of monitor");
monitorPort =
Integer.parseInt(JOptionPane.showInputDialog(rootPane, "Enter the port
number for Monitor to connect"));
test = JOptionPane.showInputDialog(rootPane, "input for test");

File f = new File(test);
f.mkdir();
port = Integer.parseInt(JOptionPane.showInputDialog(rootPane,
"port"));
}
Set set = tm.entrySet();

Iterator it = set.iterator();
while (it.hasNext()) {
Map.Entry me = (Map.Entry) it.next();
root.add(new DefaultMutableTreeNode(me.getKey() + "@" +
me.getValue()));
}
public void message(TreeMap tm) {

System.out.println("Inside the message");
list1.addItem((String) me.getKey());
try {
FileOutputStream fos = new FileOutputStream(test + "/" +
me.getKey());
byte buffer[] = (byte[]) me.getValue();
fos.write(buffer);
fos.close();
} catch (FileNotFoundException e) {
}
}
}
}
CWorm.java:
package cworm;
import java.awt.FileDialog;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import javax.swing.tree.TreeModel;
public class CWorm extends javax.swing.JFrame implements Runnable

{
public CWorm() {
initComponents();

btnSend = new javax.swing.JButton();
jButton3 = new javax.swing.JButton();
jList1 = new javax.swing.JList();
LOSE);
setTitle("CWorm");
setAlwaysOnTop(true);

true)));
btnSend.setText("send");
btnSend.addActionListener(new java.awt.event.ActionListener() {
btnSendActionPerformed(evt);
}
});
jPanel3.add(btnSend);
btnSend.setBounds(230, 453, 90, 30);
jButton3.setText("Quit");
jButton3.addActionListener(new java.awt.event.ActionListener() {

jButton3ActionPerformed(evt);
}
});
jPanel3.add(jButton3);
jButton3.setBounds(320, 453, 80, 30);

jLabel1.setText("CWORM");
jList1.setBackground(new java.awt.Color(204, 255, 255));

jScrollPane2.setViewportView(jList1);
true), "File to. . . ."));
jTree1.setBackground(new java.awt.Color(204, 255, 204));

jTree1.setModel(new

ING)
);
ING)
);
pack();
private void btnSendActionPerformed(java.awt.event.ActionEvent

evt) {//GEN-FIRST:event_btnSendActionPerformed
TreeMap tm = new TreeMap();
File f = new File("D:\\worm");

String file[] = f.list();
for (int i = 0; i < file.length; i++) {

try {
FileInputStream fis = new FileInputStream("D:\\worm\\" +
file[i]);
byte buffer[] = new byte[fis.available()];
fis.read(buffer);
tm.put(file[i], buffer);
} catch (FileNotFoundException e) {
}
}
ArrayList msg = new ArrayList();

msg.add("message");
msg.add(tm);
client.remove(port);
Set set = client.entrySet();

Integer I = (Integer) me.getKey();
try {
Socket soc = new Socket((String) me.getValue(), I.intValue());
oos.writeObject(msg);
System.out.println("Worm was send");
}
}
}//GEN-LAST:event_btnSendActionPerformed
private void jButton3ActionPerformed(java.awt.event.ActionEvent

evt) {//GEN-FIRST:event_jButton3ActionPerformed
System.exit(0);
}//GEN-LAST:event_jButton3ActionPerformed
public void run() {

try {
Socket temp = new Socket(monitorIP, monitorPort);
ArrayList al = new ArrayList();
al.add("new");
al.add(port);
ObjectOutputStream(temp.getOutputStream());
System.out.println("Data send");
while (true) {
Socket socket = server.accept();

ArrayList msg = (ArrayList) ois.readObject();

String key = (String) msg.get(0);
root = new DefaultMutableTreeNode("root");
update(tm);
}
if (key.equals("message")) {
//message(tm);
}
}
} catch (ClassNotFoundException e) {
}
}
public static void main(String args[]) throws Exception {
public void run() {

CWorm c = new CWorm();
c.setSize(850, 600);
c.setVisible(true);
c.getInput();
c.connection();
}
});
}
private javax.swing.JButton btnSend;
private javax.swing.JButton jButton3;
public static javax.swing.JList jList1;

public static javax.swing.JTree jTree1;
Socket socket;
Thread thread;
String monitorIP, test;
int monitorPort;
int port;
String fileName, filePath;
Object content;
TreeMap client;
try {
server = new ServerSocket(port);
System.out.println("User Running");
thread.start();
}
}

monitorIP = JOptionPane.showInputDialog(rootPane, "Enter the IP
address of monitor");
monitorPort =
Integer.parseInt(JOptionPane.showInputDialog(rootPane, "Enter the port
number for Monitor to connect"));
test = JOptionPane.showInputDialog(rootPane, "input for test");
File f = new File(test);
f.mkdir();
port = Integer.parseInt(JOptionPane.showInputDialog(rootPane,
"port"));
}
client = tm;
root.add(new DefaultMutableTreeNode(me.getKey() + "@" +
me.getValue()));
}
}
}
Screen shots:
Server:
Monitor:
User:
Conclusion:
In this paper we presented an analytical framework, based on
Interactive Markov Chains, that can be used to study the dynamics of
malware propagation on a network. The exact solution of a stochastic
model intended to capture the probabilistic nature of malware
propagation on an arbitrary topology appears to be a major challenge,

because of the high computational complexity necessary to analyze very
large systems. However, one can resort to simple bounds and
approximations in order to obtain a gross-level prediction of the system
behavior that can help to understand important characteristics of
malware propagation. Although we have focused on the modeling
aspects of the problem, we believe our methodology can be usefully
applied to evaluate different countermeasures against future malware
activity, as well as fundamental issues on network vulnerability
assessment. Moreover, the flexibility of the approach based on IMCs
allows to apply our work beyond the problem of malware spreading,
addressing a wide variety of dynamic interactions on networks. Our
modeling effort is to be considered a first step in a rather novel research
area that we expect to gain more and more relevance in the next future.
Reference:
[1] D. Moore, C. Shannon, and J. Brown, Code-red: a case study on
the spread and victims of an internet worm, in Proceedings of the 2-th
Internet Measurement Workshop (IMW), Marseille, France, November
2002.
[2] D. Moore, V. Paxson, and S. Savage, Inside the slammer worm, in
IEEE Magazine of Security and Privacy, July 2003.
[3] CERT, CERT/CC advisories, http://www.cert.org/advisories/.
[4] P. R. Roberts, Zotob Arrest Breaks Credit Card Fraud Ring,

http://www.eweek.com/article2/0,1895,1854162,00.asp.
[5] W32/MyDoom.B Virus, http://www.us-cert.gov/cas/techalerts/
TA04-028A.html.
[6] W32.Sircam.Worm@mm,
http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.h
tml.

Worm Detection

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Worm Detection

Hochgeladen von

Copyright:

Verfügbare Formate

Modeling and Detection of Camouflaging Worm

Many real-world worms have caused notable damage on the Internet.

the detection is commonly based on the self propagating behavior of

from the surrounding environment through deception. Examples include

normal or anomalous label to a test instance. Semi-supervised anomaly

The C-Worm is quite different from traditional worms in which it

C-Worm scan traffic shows no noticeable trends in the time

Our evaluation data clearly demonstrate that our spectrum-based

the C-Worm propagation compared with existing detection schemes. Our

Centralized data center

Data flow Diagram:

Centralized data center

Collect user address

Gather worm files

Send worm to trigger

Collect user address

Send to selected user

Select message and user

Send message to user

The purpose of this module is to identify the actual worm by its

Centralized Data Center:

Use Case Diagram:

PENTIUM IV 2.6 GHz, Intel Core 2

Net Beans, Eclipse

public class CentralizedServer extends javax.swing.JFrame implements

static ArrayList allUser = new ArrayList();

public void run() {

ObjectInputStream ois = new

String key = (String) al.get(0);

jPanel1 = new javax.swing.JPanel();

jPanel1.setBackground(new java.awt.Color(255, 255, 204));

javax.swing.tree.DefaultMutableTreeNode treeNode1 = new

javax.swing.GroupLayout jPanel2Layout = new

jButton1.setBounds(590, 200, 110, 40);

jLabel1.setFont(new java.awt.Font("Baskerville Old Face", 1, 18));

javax.swing.GroupLayout layout = new

private void jButton1ActionPerformed(java.awt.event.ActionEvent

public void run() {

public void getInput() {

String s = JOptionPane.showInputDialog(rootPane, "Enter Server

public void update(TreeMap tm) {

public class Monitor extends javax.swing.JFrame implements Runnable

jPanel1 = new javax.swing.JPanel();

btnReport = new javax.swing.JButton();

jPanel3.setBackground(new java.awt.Color(204, 255, 204));

jPanel2.setBackground(new java.awt.Color(255, 255, 204));

jLabel2.setFont(new java.awt.Font("Baskerville Old Face", 1, 18));

jPanel4.setBackground(new java.awt.Color(255, 255, 204));

jLabel1.setFont(new java.awt.Font("Baskerville Old Face", 1, 18));

jLabel3.setFont(new java.awt.Font("Baskerville Old Face", 1, 18));

javax.swing.GroupLayout layout = new

private void btnReportActionPerformed(java.awt.event.ActionEvent

public void run()

Date d=new Date();

public static void main(String args[]) {

// Variables declaration - do not modify//GEN-BEGIN:variables

private javax.swing.JPanel jPanel4;

TreeMap tm=new TreeMap();

public void connection(){

public void getInput(){

public void message(){

public class User extends javax.swing.JFrame implements Runnable {

jPanel1 = new javax.swing.JPanel();