
Paradigmatic and Exploration of Blind Worm


Abstract

Active worms pose major security threats to the Internet. This is due to the ability of active worms to propagate in an automated fashion as they continuously compromise computers on the Internet. Active worms evolve during their propagation and thus pose great challenges to defend against them. In this paper, we investigate a new class of active worms, referred to as Tarnen Worm (C Worm in short). The C Worm is different from traditional worms because of its ability to intelligently manipulate its scan traffic volume over time. Thereby, the C Worm camouflages its propagation from existing worm exploration systems based on analyzing the propagation traffic generated by worms. We analyze characteristics of the C Worm and conduct a comprehensive comparison between its traffic and non-worm traffic (background traffic). We observe that these two types of traffic are barely distinguishable in the time domain. However, their distinction is clear in the frequency domain, due to the recurring manipulative nature of the C Worm. Motivated by our observations, we design a novel spectrum-based scheme to detect the C Worm. Our scheme uses the Power Spectral Density (PSD) distribution of the scan traffic volume and its corresponding Spectral Flatness Measure (SFM) to distinguish the C Worm traffic from background traffic. Using a comprehensive set of exploration metrics and real-world traces as background traffic, we conduct extensive performance evaluations on our proposed spectrum-based exploration scheme. The performance data clearly demonstrates that our scheme can effectively detect the C Worm propagation. Furthermore, we show the generality of our spectrum-based scheme in effectively detecting not only the C Worm, but traditional worms as well.
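The two quantities the abstract names, PSD and SFM, computed over a scan-volume time series, as an added example that is not code from the paper. The two sample series, the sinusoidal recurring component, the `looks_periodic` helper and its 0.3 threshold are constructed assumptions for illustration; SFM is computed with its standard definition (geometric mean of the PSD divided by its arithmetic mean).

```python
import cmath
import math
import random


def psd(series):
    """Periodogram of the mean-removed series (naive DFT, positive bins only)."""
    n = len(series)
    mean = sum(series) / n
    x = [v - mean for v in series]
    bins = []
    for k in range(1, n // 2):
        acc = sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
        bins.append(abs(acc) ** 2 / n)
    return bins


def sfm(series):
    """Spectral Flatness Measure: geometric mean of the PSD over its arithmetic mean."""
    p = [v + 1e-12 for v in psd(series)]  # epsilon avoids log(0)
    geometric = math.exp(sum(math.log(v) for v in p) / len(p))
    return geometric / (sum(p) / len(p))


def looks_periodic(series, threshold=0.3):
    """Flag a series whose spectral power is concentrated (threshold is assumed)."""
    return sfm(series) < threshold


# Constructed sample data: scans per interval seen by a monitor, 256 intervals.
rng = random.Random(1)
N = 256
background = [100 + rng.gauss(0, 10) for _ in range(N)]
# Same noise level plus a recurring component with a 32-interval period.
recurring = [100 + rng.gauss(0, 10) + 30 * math.sin(2 * math.pi * t / 32)
             for t in range(N)]

if __name__ == "__main__":
    for name, s in (("background", background), ("recurring", recurring)):
        print(f"{name}: SFM={sfm(s):.3f} flagged={looks_periodic(s)}")
```

On this constructed data the recurring component concentrates power in one frequency bin, so its flatness is much lower than that of the noise-like series; real traces need a threshold calibrated against measured background traffic.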
