This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication.
IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 8, NO. 3, MAY-JUNE 2011




Modeling and Detection of Camouflaging Worm
Wei Yu, Xun Wang, Prasad Calyam, Dong Xuan, and Wei Zhao

Abstract—Active worms pose major security threats to the Internet, owing to their ability to propagate in an automated fashion as they continuously compromise computers on the Internet. Active worms evolve during their propagation and thus pose great challenges to defending against them. In this paper, we investigate a new class of active worms, referred to as the Camouflaging Worm (C-Worm in short). The C-Worm differs from traditional worms in its ability to intelligently manipulate its scan traffic volume over time, thereby camouflaging its propagation from existing worm detection systems that analyze the propagation traffic generated by worms. We analyze the characteristics of the C-Worm and conduct a comprehensive comparison between its traffic and non-worm traffic (background traffic). We observe that these two types of traffic are barely distinguishable in the time domain. However, their distinction is clear in the frequency domain, due to the recurring manipulative nature of the C-Worm. Motivated by these observations, we design a novel spectrum-based scheme to detect the C-Worm. Our scheme uses the Power Spectral Density (PSD) distribution of the scan traffic volume and its corresponding Spectral Flatness Measure (SFM) to distinguish the C-Worm traffic from background traffic. Using a comprehensive set of detection metrics and real-world traces as background traffic, we conduct extensive performance evaluations of our proposed spectrum-based detection scheme. The performance data clearly demonstrate that our scheme can effectively detect the C-Worm propagation. Furthermore, we show the generality of our spectrum-based scheme in effectively detecting not only the C-Worm but traditional worms as well.

Index Terms—Worm, Camouflage, Anomaly Detection.


1 INTRODUCTION

An active worm is a malicious software program that propagates itself over the Internet to infect other computers. It propagates by exploiting vulnerabilities of computers on the Internet. Many real-world worms have caused notable damage on the Internet, including the "Code-Red" worm in 2001 [1], the "Slammer" worm in 2003 [2], and the "Witty"/"Sasser" worms in 2004 [3]. Many active worms are used to infect a large number of computers and recruit them as bots or zombies, which are networked together to form botnets [4]. These botnets can be used to: (a) launch massive Distributed Denial-of-Service (DDoS) attacks that disrupt Internet utilities [5], (b) access confidential information that can be misused [6] through large-scale traffic sniffing, keylogging, identity theft, etc., (c) destroy data that has a high monetary value [7], and (d) distribute large-scale unsolicited advertisement emails (as spam) or software (as malware). There is evidence that infected computers are being rented out as "botnets", creating an entire black-market industry for renting, trading, and managing "owned" computers, which provides economic incentives for attackers [4], [8], [9]. Researchers have also shown the possibility of "super-botnets", networks of independent botnets that can be coordinated for attacks of unprecedented scale [10]. For an adversary, super-botnets would also be extremely versatile and resistant to countermeasures.

Due to the substantial damage caused by worms in past years, there have been significant efforts to develop detection and defense mechanisms against worms. A network-based worm detection system plays a major role by monitoring, collecting, and analyzing the scan traffic (messages sent to identify vulnerable computers) generated during worm attacks. In such a system, detection is commonly based on the self-propagating behavior of worms, which can be described as follows: after a worm-infected computer identifies and infects a vulnerable computer on the Internet, this newly infected computer¹ will automatically and continuously scan several IP addresses to identify and infect other vulnerable computers. As such, numerous existing detection schemes rest on the tacit assumption that each worm-infected computer keeps scanning the Internet and propagates itself at the highest possible speed. Furthermore, it has been shown that the worm scan traffic volume and the number of worm-infected computers exhibit exponentially increasing patterns [2], [11], [12], [13], [14].

Nevertheless, attackers are crafting attack strategies intended to defeat existing worm detection systems. In particular, "stealth" is the strategy used by the recently discovered "Atak" worm [15], which attempts to remain hidden by sleeping (suspending its scans) when it suspects it is under detection, and by the "self-stopping" worm [16], which circumvents detection by hibernating (i.e., ceasing to propagate) for a pre-determined period. A worm might also use evasive scanning [17] or traffic morphing [18] to hide from detection. Worms that

• Wei Yu is with the Department of Computer and Information Sciences, Towson University, Towson, MD 21252. E-mail: wyu@towson.edu.
• Xun Wang is with Cisco Systems Inc, San Jose, CA 95134. E-mail: xunwang.osu@gmail.com.
• Prasad Calyam is with OARnet, The Ohio State University, Columbus, OH 43210. E-mail: pcalyam@oar.net.
• Dong Xuan is with the Dept. of Computer Science and Engineering, The Ohio State University, Columbus, OH 43210. E-mail: xuan@cse.ohio-state.edu.
• Wei Zhao is with the Department of Computer and Information Science, University of Macau, Macau, China. E-mail: weizhao@umac.mo.

1. In this paper, we use the terms worm-infected computer and worm instance interchangeably.



Digital Object Identifier 10.1109/TDSC.2010.13    1545-5971/10/$26.00 © 2010 IEEE



adopt such smart attack strategies could exhibit overall scan traffic patterns different from those of traditional worms. Since existing worm detection schemes will not be able to detect such scan traffic patterns, it is very important to understand such smart worms and to develop new countermeasures against them.

In this paper, we conduct a systematic study of a new class of such smart worms, denoted the Camouflaging Worm (C-Worm in short). The C-Worm has a self-propagating behavior similar to traditional worms, i.e., it intends to rapidly infect as many vulnerable computers as possible. However, the C-Worm is quite different from traditional worms in that it camouflages any noticeable trend in the number of infected computers over time. The camouflage is achieved by manipulating the scan traffic volume of worm-infected computers. Such manipulation prevents the scan traffic from exhibiting any exponentially increasing trend, or even from crossing the thresholds, tracked by existing detection schemes [19], [20], [21]. We note that the propagation-controlling nature of the C-Worm (and of similar smart worms, such as "Atak") slows down the propagation. However, by carefully controlling its scan rate, the C-Worm can: (a) still achieve its ultimate goal of infecting as many computers as possible before being detected, and (b) position itself to launch subsequent attacks [4], [5], [6], [7].

We comprehensively analyze the propagation model of the C-Worm and the corresponding scan traffic in both the time and frequency domains. We observe that although the C-Worm scan traffic shows no noticeable trend in the time domain, it exhibits a distinct pattern in the frequency domain. Specifically, there is an obvious concentration of power within a narrow range of frequencies. This concentration is inevitable, since the C-Worm adapts to the dynamics of the Internet in a recurring manner in order to manipulate and control its overall scan traffic volume. These recurring manipulations consist of a steady increase followed by a decrease in the scan traffic volume, such that the changes do not manifest as any trend in the time domain and the scan traffic volume does not cross thresholds that could reveal the C-Worm propagation.

Based on the above observation, we adopt frequency-domain analysis techniques and develop a detection scheme against wide spreading of the C-Worm. In particular, we develop a novel spectrum-based detection scheme that uses the Power Spectral Density (PSD) distribution of the scan traffic volume in the frequency domain and its corresponding Spectral Flatness Measure (SFM) to distinguish the C-Worm traffic from non-worm traffic (background traffic). Our frequency-domain analysis uses real-world Internet traffic traces (the Shield logs dataset) provided by the SANS Internet Storm Center (ISC) [22], [23]². Our results reveal that non-worm traffic (e.g., port-scan traffic for ports 80, 135 and 8080) has relatively larger SFM values for its PSD distribution, whereas the C-Worm traffic shows a comparatively smaller SFM value for its PSD distribution.

Furthermore, we demonstrate the effectiveness of our spectrum-based detection scheme in comparison with existing worm detection schemes. We define several new metrics. The Maximal Infection Ratio (MIR) quantifies the infection damage caused by a worm before it is detected. Other metrics include Detection Time (DT) and Detection Rate (DR). Our evaluation data clearly demonstrate that our spectrum-based detection scheme achieves much better detection performance against the C-Worm propagation than existing detection schemes. Our evaluation also shows that our spectrum-based detection scheme is general enough to be used for effective detection of traditional worms as well.

The remainder of the paper is organized as follows. In Section 2, we introduce the background and review the related work. In Section 3, we introduce the propagation model of the C-Worm. We present our spectrum-based detection scheme against the C-Worm in Section 4. The performance evaluation results of our spectrum-based detection scheme are provided in Section 5. We conclude the paper in Section 6.

2 BACKGROUND AND RELATED WORK

2.1 Active Worms

Active worms are similar to biological viruses in their infectious and self-propagating nature. They identify vulnerable computers and infect them, and the worm-infected computers propagate the infection further to other vulnerable computers. In order to understand worm behavior, we first need to model it. With this understanding, effective detection and defense schemes can be developed to mitigate the impact of worms. For this reason, tremendous research effort has focused on this area [12], [24], [14], [25], [16].

Active worms use various scan mechanisms to propagate themselves efficiently. The basic form of active worm can be categorized as having a Pure Random Scan (PRS) nature. In the PRS form, a worm-infected computer continuously scans a set of random Internet IP addresses to find new vulnerable computers. Other worms propagate themselves more effectively than PRS worms using various methods, e.g., network port scanning, email, file sharing, Peer-to-Peer (P2P) networks, and Instant Messaging (IM) [26], [27]. In addition, worms use different scan strategies during different stages of propagation. In order to increase propagation efficiency, they use a local network or a hitlist to infect previously identified vulnerable computers in the initial stage of propagation [12], [28]. They may also use DNS, network topology and routing information to identify active computers instead of randomly scanning IP addresses [11], [21], [27], [29]. They split the target IP address space during propagation in order to avoid duplicate scans [21]. Li et al. [30] studied a divide-and-conquer scanning technique that could potentially spread faster and more stealthily than a traditional random-scanning worm. Ha et al. [31] formulated the problem of finding a fast and resilient propagation topology and propagation schedule for Flash worms. Yang et al. [32] studied worm propagation over sensor networks.

Different from the above worms, which attempt to accelerate the propagation with new scan schemes, the Camouflaging

2. ISC monitors and collects port-scan traffic data from around 1 million IP addresses spanning several thousand organizations in different geographical regions.





Worm (C-Worm) studied in this paper aims to elude detection by the worm defense system during its propagation. Closely related, but orthogonal to our work, are the evolved active worms that are polymorphic [33], [34] in nature. Polymorphic worms are able to change their binary representation or signature as part of their propagation process. This can be achieved with self-encryption mechanisms or semantics-preserving code manipulation techniques. The C-Worm also shares some similarity with stealthy port-scan attacks. Such attacks try to find out the available services in a target system while avoiding detection [35], [36]. This is accomplished by decreasing the port-scan rate, hiding the origin of the attackers, etc. Due to its self-propagating nature, the C-Worm must use more complex mechanisms to manipulate the scan traffic volume over time in order to avoid detection.

2.2 Worm Detection

Worm detection has been intensively studied in the past and can be generally classified into two categories: "host-based" detection and "network-based" detection. Host-based detection systems detect worms by monitoring, collecting, and analyzing worm behaviors on end-hosts. Since worms are malicious programs that execute on these computers, analyzing the behavior of worm executables plays an important role in host-based detection systems. Many detection schemes fall under this category [37], [38]. In contrast, network-based detection systems detect worms primarily by monitoring, collecting, and analyzing the scan traffic (messages sent to identify vulnerable computers) generated by worm attacks. Many detection schemes fall under this category [19], [20], [21], [39], [40]. Ideally, security vulnerabilities should be prevented to begin with, a problem which must be addressed by the programming language community. However, while vulnerabilities exist and pose threats of large-scale damage, it is critical to also focus on network-based detection, as this paper does, to detect wide-spreading worms.

In order to rapidly and accurately detect Internet-wide large-scale propagation of active worms, it is imperative to monitor and analyze the traffic at multiple locations over the Internet to detect suspicious traffic generated by worms. The widely adopted worm detection framework consists of multiple distributed monitors and a worm detection center that controls them [23], [41]. This framework is well adopted and similar to other existing worm detection systems, such as the Cyber Center for Disease Control [11], the Internet Motion Sensor [42], the SANS ISC (Internet Storm Center) [23], the Internet Sink [41], and the network telescope [43]. The monitors are distributed across the Internet and can be deployed at end-hosts, routers, firewalls, etc. Each monitor passively records irregular port-scan traffic, such as connection attempts to a range of void IP addresses (IP addresses not being used) and to restricted service ports. Periodically, the monitors send traffic logs to the detection center. The detection center analyzes the traffic logs and determines whether or not there are suspicious scans to restricted ports or to invalid IP addresses.

Network-based detection schemes commonly analyze the collected scanning traffic data by applying certain decision rules for detecting the worm propagation. For example, Venkataraman et al. and Wu et al. in [20], [21] proposed schemes that examine statistics of the scan traffic volume; Zou et al. presented a trend-based detection scheme that examines the exponentially increasing pattern of scan traffic [19]; and Lakhina et al. in [40] proposed schemes that examine other features of scan traffic, such as the distribution of destination addresses. Other works study worms that attempt to take on new patterns to avoid detection [39].

Besides the above detection schemes, which are based on monitoring global scan traffic and detecting anomalous traffic behavior, there are other worm detection and defense schemes, such as sequential hypothesis testing for detecting worm-infected computers [44] and payload-based worm signature detection [34], [45]. In addition, Cai et al. in [46] presented both theoretical modeling and experimental results on a collaborative worm signature generation system that employs distributed fingerprint filtering and aggregation across multiple edge networks. Dantu et al. in [47] presented a state-space feedback control model that detects and controls the spread of viruses or worms by measuring the velocity of the number of new connections an infected computer makes. Despite the different approaches described above, we believe that detecting wide-scanning anomalous behavior continues to be a useful weapon against worms, and that in practice a multi-faceted defense has advantages.

3 MODELING OF THE C-WORM

3.1 C-Worm

The C-Worm camouflages its propagation by controlling its scan traffic volume during propagation. The simplest way to manipulate the scan traffic volume is to randomly change the number of worm instances conducting port-scans.

As an alternative, a worm attacker may use an open-loop (non-feedback) control mechanism, choosing a randomized and time-related pattern for scanning and infection in order to avoid being detected. Nevertheless, the open-loop control approach raises some issues regarding the invisibility of the attack. First, worm propagation over the Internet can be considered a dynamic system. When an attacker launches worm propagation, it is very challenging for the attacker to know the accurate parameters of the worm propagation dynamics over the Internet. Given this inaccurate knowledge, an open-loop control system will not be able to stabilize the scan traffic; this is a known result from control system theory [48]. Consequently, the overall worm scan traffic volume under open-loop control is much more likely to show an increasing trend as the worm propagation progresses: as more and more computers get infected, they in turn take part in scanning other computers. Hence, we consider the C-Worm as a worst-case attack scenario that uses closed-loop control to regulate the propagation speed based on feedback about the propagation status.

In order to effectively evade detection, the overall scan traffic of the C-Worm should be comparatively slow and variable enough not to show any notable increasing trend over





time. On the other hand, a very slow propagation of the C-Worm is also not desirable, since it delays the infection damage to the Internet. Hence, the C-Worm needs to adjust its propagation so that it is neither so fast that it is easily detected, nor so slow that its damage to the Internet is delayed.

To regulate the C-Worm scan traffic volume, we introduce a control parameter called the attack probability P(t) for each worm-infected computer. P(t) is the probability that a C-Worm instance participates in the worm propagation (i.e., scans and infects other computers) at time t. Our C-Worm model with the control parameter P(t) is generic. P(t) = 1 represents the case of traditional worms, where all worm instances actively participate in the propagation. For the C-Worm, P(t) need not be a constant value and can be set as a time-varying function.

In order to achieve its camouflaging behavior, the C-Worm needs to obtain an appropriate P(t) to manipulate its scan traffic. Specifically, the C-Worm will regulate its overall scan traffic volume such that: (a) it is similar to non-worm scan traffic in terms of the scan traffic volume over time, (b) it does not exhibit any notable trend, such as an exponentially increasing or any monotonically increasing pattern, even when the number of infected hosts increases (exponentially) over time, and (c) the average value of the overall scan traffic volume is sufficient to make the C-Worm propagate fast enough to cause rapid damage on the Internet³.

We assume that a worm attacker intends to manipulate the scan traffic volume so that the number of worm instances participating in the worm propagation follows a random distribution with mean $\bar{M}_C$. This $\bar{M}_C$ can be regulated in a random fashion during worm propagation in order to camouflage the propagation of the C-Worm. Correspondingly, the worm instances need to adjust their attack probability P(t) in order to ensure that the total number of worm instances launching scans is approximately $\bar{M}_C$.

To regulate $\bar{M}_C$, it is obvious that P(t) must decrease over time, since M(t) keeps increasing during the worm propagation. We can express P(t) using a simple function as follows:

$$P(t) = \min\left(\frac{\bar{M}_C}{\bar{M}(t)},\ 1\right),$$

where $\bar{M}(t)$ represents the estimate of M(t) at time t. From the above expression, we know that the C-Worm needs to obtain the value of $\bar{M}(t)$ (as close to M(t) as possible) in order to generate an effective P(t). Here, we discuss one approach for the C-Worm to estimate M(t). The basic idea is as follows: a C-Worm instance could estimate the percentage of computers that have already been infected over the total number of IP addresses, as well as M(t), by checking whether a scan attempt is a new hit (i.e., hitting

B has been infected. Through validating such marks during the propagation, a C-Worm-infected computer can estimate M(t). Appendix A discusses one alternative by which the C-Worm could estimate M(t) to obtain $\bar{M}(t)$ as the propagation proceeds. There are other approaches to achieve this goal, such as incorporating Peer-to-Peer techniques to disseminate information through secured IRC channels [49], [50].

3.2 Propagation Model of the C-Worm

To analyze the C-Worm, we adopt the epidemic dynamic model for disease propagation, which has been extensively used for worm propagation modeling [2], [12]. Based on existing results [2], [12], this model matches the dynamics of real worm propagation over the Internet quite well. For this reason, similar to other publications, we adopt this model in our paper as well. Since our investigated C-Worm is a novel attack, we modified the original epidemic dynamic formula to model the propagation of the C-Worm by introducing P(t), the attack probability that a worm-infected computer participates in worm propagation at time t. We note that there is wide scope to notably improve our modified model in the future to reflect several characteristics that are relevant in real-world practice.

In particular, the epidemic dynamic model assumes that any given computer is in one of the following states: immune, vulnerable, or infected. An immune computer is one that cannot be infected by a worm; a vulnerable computer is one that has the potential of being infected by a worm; an infected computer is one that has been infected by a worm. The simple epidemic model for a finite population of traditional PRS worms can be expressed as⁴

$$\frac{dM(t)}{dt} = \beta \cdot M(t) \cdot [N - M(t)], \qquad (1)$$

where M(t) is the number of infected computers at time t; $N = T \cdot P_1 \cdot P_2$ is the number of vulnerable computers on the Internet; T is the total number of IP addresses on the Internet; $P_1$ is the ratio of the total number of computers on the Internet to T; $P_2$ is the ratio of the total number of vulnerable computers on the Internet to the total number of computers on the Internet; $\beta = S/V$ is called the pairwise infection rate [51]; and S is the scan rate, defined as the number of scans that an infected computer can launch in a given time interval. We assume that at t = 0 there are M(0) initially infected computers and N − M(0) computers susceptible to further worm infection.

The C-Worm has a different propagation model compared
       an uninfected vulnerable computer) or a duplicate hit (i.e.,                       to traditional PRS worms because of its P (t) parameter.
       hitting an already infected vulnerable computer). This method                      Consequently, Formula (1) needs to be rewritten as,
       requires each worm instance (i.e., infected computer) to be
                                                                                                   dM (t)
       marked indicating that this computer has been infected. Thus,                                       = β · M (t) · P (t) · [N − M (t)].         (2)
       when a worm instance (for example, computer A) scans one                                      dt
                                                                                                                ¯     ¯
       infected computer (for example, computer B), then computer A                       Recall that P (t) = M (t) , M (t) is the estimation of M (t) at
                                                                                                               MC
                                                                                                               ¯
       will detect such a mark, thereby becoming aware that computer                                                  ¯
                                                                                          time t, and assuming that M (t) = (1 + ) · M (t), where is

         3. Note that if chooses P (t) below a certain (very low) level, other              4. We would like to remark that we use the PRS worms to compare C-
       human-scale countermeasures (e.g., signature-based virus detection, machine        Worm performance, but our work can be easily extended to compare with
       quarantine) may become effective to disrupt the propagation.                       other worm scan techniques, such as hitlist.





the estimation error, Formula (2) can be rewritten as

    \frac{dM(t)}{dt} = \frac{\beta \cdot \bar{M}_C}{1 + \epsilon(t)} \cdot [N - M(t)].    (3)

With Formula (3), we can derive the propagation model for the C-Worm as $M(t) = N - e^{-\frac{\beta \cdot \bar{M}_C}{1 + \epsilon(t)} \cdot t} \, (N - M(0))$, where $M(0)$ is the number of infected computers at time 0. Assume that the worm detection system can monitor a fraction $P_m$ ($P_m \in [0, 1]$) of the whole Internet IP address space. Without loss of generality, the probability that at least one scan from a worm-infected computer (which generates $S$ scans per unit time on average) will be observed by the detection system is $1 - (1 - P_m)^{P(t) \cdot S}$. We define $M_A(t)$ as the number of worm instances that have been observed by the worm detection system at time $t$; then there are $M(t) - M_A(t)$ unobserved infected instances at time $t$. At the early stage of worm propagation, $M(t) - M_A(t) \approx M(t)$. The expected number of newly observed infected instances at $t + \delta$ (where $\delta$ is the monitoring interval) is $(M(t) - M_A(t)) \cdot [1 - (1 - P_m)^{P(t) \cdot S}] \approx M(t) \, [1 - (1 - P_m)^{P(t) \cdot S}]$. Thus, we have $M_A(t + \delta) = M_A(t) + M(t) \, [1 - (1 - P_m)^{P(t) \cdot S}]$. Using simple mathematical manipulations, the number of worm instances observed by the worm detection system at time $t$ is

    M_A(t) = P(t) \cdot M(t) \cdot P_m = \frac{P_m \cdot \bar{M}_C}{1 + \epsilon(t)}.    (4)

3.3 Effectiveness of the C-Worm

We now demonstrate the effectiveness of the C-Worm in evading worm detection through controlling $P(t)$. Given a random selection of $\bar{M}_C$, we generate three C-Worm attacks (viz., C-Worm 1, C-Worm 2 and C-Worm 3) that are characterized by different selections of the mean and variance magnitudes for $\bar{M}_C$. In our simulations, we assume that the scan rate of the traditional PRS worm follows a normal distribution $S_n = N(40, 40)$ (note that if the scan rate generated by the above distribution is less than 0, we set the scan rate to 0). We also set the total number of vulnerable computers on the Internet to 360,000, which is the total number of infected computers in the "Code-Red" worm incident [1].

Fig. 1 shows the observed number of worm-infected computers over time for the PRS worm and the above three C-Worm attacks. Fig. 2 shows the infection ratio for the PRS worm and the above three C-Worm attacks. These simulations are for a worm detection system, discussed in Section 2.2, that covers a $2^{20}$ IPv4 address space on the Internet. The reason for choosing $2^{20}$ IP addresses as the coverage space of the worm detection system is that the SANS Internet Storm Center (ISC), a representative ITM system, has a similar coverage space [23]. In ITM systems, a large number of monitors are commonly deployed all over the Internet, and each monitor collects the traffic directed to a small set of IP address spaces which are not commonly used (also called dark IP addresses). Therefore, the address space of an ITM system is not a narrow address range, but rather a large number of small chunks of addresses randomly spread across the global IP address space.

[Fig. 1 omitted: "Number of Detected Scanning Hosts on Camouflaging Worm"; y-axis # of Detected Scanning Hosts (0 to 100), x-axis Time (min) (200 to 14000); series PRS, C-Worm 1, C-Worm 2, C-Worm 3.]
Fig. 1. Observed infected instance number for the C-Worm and PRS worm

[Fig. 2 omitted: "Infection Ratio on Camouflaging Worms"; y-axis IR (0 to 1), x-axis Time (min) (200 to 14000); series PRS, C-Worm 1, C-Worm 2, C-Worm 3.]
Fig. 2. Infected ratio for the C-Worm and PRS-Worm

For the C-Worm, the trend of the observed number of worm instances over time ($M_A(t)$, defined in Formula (4)) is much different from that of the traditional PRS worm, as shown in Fig. 2. This clearly demonstrates how the C-Worm successfully camouflages its increase in the number of worm instances ($M_A(t)$) and avoids detection by worm detection systems that expect exponential increases in worm instance numbers during large-scale worm propagation. Fig. 3 shows the number of scanning computers from normal non-worm port-scanning traffic (background traffic) for several well-known ports (i.e., 25, 53, 135, and 8080) obtained over several months by the ISC. Comparing Fig. 3 with Fig. 1, we can observe that it is hard to distinguish the C-Worm port traffic from background port-scanning traffic in the time domain.

From Figs. 1 and 2 above, we also observe that the C-Worm is still able to maintain a certain magnitude of scan traffic so as to cause significant infection on the Internet. As a note regarding the speed of C-Worm propagation, we can observe from Fig. 1 that the C-Worm takes approximately 10 days to infect 75% of the total vulnerable hosts, in comparison with the 3.3 days taken by a PRS worm^5. Hence, the C-Worm could potentially adjust its propagation speed such that it is still effective in causing wide-spreading propagation, while avoiding being detected by the worm detection schemes.

We discussed the "Atak" worm in Section I and mentioned that it is similar to the C-Worm since it tries to avoid being detected when it suspects that it is being detected by anti-worm software. However, it differs from the C-Worm in its behavior. The "Atak" worm attempts to hide only during times it suspects its propagation will be detected by anti-worm

5. Our simulated PRS worm has a lower scan rate (mean value of 40) than "Code-Red" (mean value of 358).
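As an added example (not the authors' simulator), the following Python script steps Formulas (1) to (3) forward one minute at a time for a PRS worm and a C-Worm and computes, per monitoring interval, the expected number of infected hosts seen by a monitor covering $P_m$ of the address space (the early-stage expression $M(t)[1 - (1 - P_m)^{P(t) \cdot S}]$ behind Formula (4) and Fig. 1). It takes $N = 360{,}000$, $S = 40$ scans/min and a $2^{20}$-address monitor from the text; $\bar{M}_C = 10{,}000$ with spread 2,000, $\epsilon = 0.05$, $M(0) = 10$ and the one-minute interval are constructed assumptions. It shows why a detector that waits for the observed host count to grow exponentially never triggers on the C-Worm, even though the C-Worm still infects 75% of the vulnerable population.

```python
"""Epidemic-model simulation of a PRS worm vs. a C-Worm (added example).

Values from the text: N = 360,000 vulnerable hosts, mean scan rate S = 40
scans per minute, monitor coverage of 2^20 IPv4 addresses.  Constructed
assumptions: M_C = 10,000 with spread 2,000, estimation error eps = 0.05,
M(0) = 10, one-minute monitoring interval.
"""
import random

V = 2 ** 32              # scanned address space (IPv4), the V in beta = S/V
N = 360_000              # vulnerable hosts (Code-Red figure from the text)
S = 40.0                 # scans per infected host per minute (text: mean 40)
BETA = S / V             # pairwise infection rate beta = S/V
P_M = 2 ** 20 / V        # fraction of the space the monitor covers (2^20 addresses)
DELTA = 1                # monitoring interval, minutes (constructed)


def observed_per_interval(m, p):
    """Expected number of infected hosts the monitor sees in one interval.

    Each of the M(t) infected hosts sends P(t)*S scans per interval and is
    seen with probability 1 - (1 - P_m)^(P(t)*S), the page's expression for
    newly observed instances in the early stage (M - M_A ~ M).
    """
    return m * (1.0 - (1.0 - P_M) ** (p * S))


def simulate(minutes, mc_mean=None, mc_sigma=0.0, eps=0.0, m0=10, seed=7):
    """Euler-step the epidemic model; returns (M(t), P(t), observed(t)) per minute.

    mc_mean is None -> traditional PRS worm: every instance scans, P(t) = 1
                       (Formula (1)).
    mc_mean given   -> C-Worm: about M_C instances scan at any time, so
                       P(t) = min(M_C / M_bar(t), 1) (Formula (2)), with the
                       target M_C re-drawn from N(mc_mean, mc_sigma) each
                       interval to camouflage the volume (constructed choice).
    eps             -> estimation error: M_bar(t) = (1 + eps) * M(t).
    """
    rng = random.Random(seed)
    m = float(m0)
    hist_m, hist_p, hist_obs = [], [], []
    for _ in range(0, minutes, DELTA):
        if mc_mean is None:
            p = 1.0
        else:
            mc = max(rng.gauss(mc_mean, mc_sigma), 1.0)
            p = min(mc / ((1.0 + eps) * m), 1.0)
        hist_m.append(m)
        hist_p.append(p)
        hist_obs.append(observed_per_interval(m, p))
        # dM/dt = beta * M(t) * P(t) * [N - M(t)]  (Formula (2); (1) when p == 1)
        m = min(m + DELTA * BETA * m * p * (N - m), float(N))
    return hist_m, hist_p, hist_obs


def minutes_to_fraction(hist_m, frac):
    """First minute at which M(t) >= frac * N, or None if never reached."""
    for t, m in enumerate(hist_m):
        if m >= frac * N:
            return t
    return None


def window_mean(series, start, end):
    """Mean of a series over [start, end); smooths the C-Worm's random M_C."""
    chunk = series[start:end]
    return sum(chunk) / len(chunk)


def growth_ratio(hist_obs, t0, t1, width=500):
    """Growth of the observed count between two windows of `width` minutes.

    A time-domain detector looks for this ratio to blow up.  It is large for
    the PRS worm and stays near 1 for the C-Worm even as M(t) keeps rising.
    """
    return window_mean(hist_obs, t1, t1 + width) / window_mean(hist_obs, t0, t0 + width)


if __name__ == "__main__":
    horizon = 25_000  # minutes, a little over 17 days
    runs = {
        "PRS": simulate(horizon),
        "C-Worm": simulate(horizon, mc_mean=10_000, mc_sigma=2_000, eps=0.05),
    }
    for name, (m, p, obs) in runs.items():
        t75 = minutes_to_fraction(m, 0.75)
        days = t75 / 1440 if t75 is not None else float("nan")
        print(f"{name:7s} 75% of N infected after {days:5.1f} days; "
              f"observed hosts/interval around t=2000: {window_mean(obs, 2000, 2500):7.1f}, "
              f"around t=4000: {window_mean(obs, 4000, 4500):7.1f}, "
              f"growth x{growth_ratio(obs, 2000, 4000):.1f}")
```

With these parameters the PRS worm's observed count rises from tens to thousands of hosts per interval between minute 2000 and minute 4000, while the C-Worm's stays flat at roughly $\bar{M}_C \cdot S \cdot P_m / (1 + \epsilon)$ hosts per interval throughout.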





[Fig. 3 omitted: four panels titled "Scanning Traffic Volume: port 25", "port 53", "port 135" and "port 8080"; y-axis Number of Scans, x-axis Time (unit − 20 min) from 0 to 2500.]
Fig. 3. Observed infected instance number for background scanning reported by ISC

software. The C-Worm, in contrast, proactively camouflages itself at all times. In addition, the "Self-stopping" worm attempts to hide by coordinating with its members to halt propagation activity only after the vulnerable population is subverted [16]. This behavior leaves enough evidence for worm detection systems to recognize its propagation. The C-Worm, on the other hand, hides itself even during its propagation and thus keeps the worm detection schemes completely unaware of its propagation. The C-Worm also has some similarity in spirit with polymorphic worms, which manipulate the byte stream of the worm payload in order to avoid detection by signature (payload)-based detection schemes [33], [34]. The manipulation of the worm payload can be achieved by various mechanisms: (a) interleaving meaningful instructions with NOP (no operation) instructions, (b) using different instructions to achieve the same results, (c) shuffling the register set in each copy of the worm propagation program code, and (d) using cryptographic mechanisms to change the worm payload signature with every infection attempt [33], [34]. In contrast, the C-Worm manipulates the scan traffic pattern to avoid detection.

3.4 Discussion

In this paper, we focus on a new class of worms, referred to as the camouflaging worm (C-Worm). The C-Worm adapts its propagation traffic pattern in order to reduce the probability of detection and eventually infect more computers. The C-Worm is different from polymorphic worms, which deliberately change their payload signatures during propagation [34], [52]. For example, the MetaPHOR [53] and Zmist [54] worms intensively metamorphose their payload signatures to hide themselves from detection schemes that rely on expensive packet payload analysis. Bethencourt et al. [55] studied a worm that employs private information retrieval techniques to find and retrieve specific pieces of sensitive information from compromised computers while hiding its search criteria. Sharif et al. [56] presented an obfuscation-based technique that automatically conceals specific condition-dependent malicious behavior from virus detectors that have no prior knowledge of program inputs. Popov et al. [57] investigated a technique that allows worm programs to be obfuscated by changing many control transfers into signals (traps) and inserting dummy control transfers and "junk" instructions after the signals. The resulting code can significantly reduce the chance of being detected. Recent studies also showed that existing commercial anti-worm detection systems fail to detect brand new worms and can also be easily circumvented by worms that use simple mutation techniques to manipulate their payload [58].

Although in this paper we only demonstrate the effectiveness of the C-Worm against existing traffic-volume-based detection schemes, the design principle of the C-Worm can be extended to defeat other newly developed detection schemes, such as destination-distribution-based detection [39], [40]. In the following, we discuss this preliminary concept. Recall that the attack-target-distribution-based schemes analyze the distribution of attack targets (the scanned destination IP addresses) as the basic detection data to capture a fundamental feature of worm propagation, i.e., that worms continuously scan different targets, which is not the expected behavior of non-worm scan traffic. However, our initial investigation shows that the worm attacker is still able to defeat such a countermeasure by manipulating the attack target distribution. For example, the attacker may launch a portion of the scan traffic bound for some IP addresses monitored by the ITM system. Recall that those dedicated IP addresses monitored by the ITM system can be obtained via probing attacks or other means [59], [60], [61].

Using port 135 as reported by the SANS ISC as an example, we analyze the traces and obtain the traffic target distribution in a window lasting 10 minutes. Following existing work [39], [40], we use entropy as the metric to measure the attack target distribution. Fig. 4 shows the Probability Density Function (PDF) of the background traffic's entropy values. We also simulate the worm propagation traffic, which allocates a portion of the scan traffic to IP addresses monitored by the ITM system. Following this, we obtain the PDF of the entropy value for the combined traffic including both worm propagation and background traffic. From Fig. 4, we know that when the attacker uses a portion of the attack traffic to manipulate the target distribution, the entropy-based detection scheme can degrade significantly. For example, when the attacker uses 10% of the traffic to manipulate the traffic's entropy value, the false positive rate of the entropy-based detection scheme is 14%. When the attacker uses 30% of the traffic to manipulate the traffic's entropy value, the false positive rate becomes 40%. Hence, in order to preserve its performance, the entropy-based detection scheme needs to evolve correspondingly and integrate with other detection schemes. We will perform a more detailed study of this aspect in our future work.

4 DETECTING THE C-WORM

4.1 Design Rationale

In this section, we develop a novel spectrum-based detection scheme. Recall that the C-Worm goes undetected by detection schemes that try to determine the worm propagation only in the time domain. Our detection scheme captures the distinct pattern of the C-Worm in the frequency domain, and thereby has the potential of effectively detecting the C-Worm propagation.




                                                                                                                                                             PDF of C-Worm SFM
                                                                                                                          100
                                                                                                                           90
                                                                                                                           80




                                                                                                    Probability Density
                                                                                                                           70
                                                                                                                           60
                                                                                                                           50
                                                                                                                           40
                                                                                                                           30
                                                                                                                           20
                                                                                                                           10
                                                                                                                               0
                                                                                                                                   0    0.04 0.08 0.11 0.15 0.19 0.23 0.27 0.3 0.34 0.38 0.42 0.48 0.72 0.96

                                                                                                                                                                    SFM Value

                                                                                          Fig. 5. PDF of SFM on C-Worm traffic
       Fig. 4. Manipulation of attack target distribution entropy
                                                                                                                                                  PDF of Norm al Non-worm Scanning Traffic
                                                                                                                          70

          In order to identify the C-Worm propagation in the fre-                                                         60

       quency domain, we use the distribution of Power Spectral Den-                                                      50




                                                                                                   Probability Density
       sity (PSD) and its corresponding Spectral Flatness Measure                                                         40

       (SFM) of the scan traffic. Particularly, PSD describes how the                                                      30


       power of a time series is distributed in the frequency domain.                                                     20

                                                                                                                          10
       Mathematically, it is defined as the Fourier transform of the
                                                                                                                           0
       auto-correlation of a time series. In our case, the time series                                                         0       0.15 0.3   0.4 0.43 0.47 0.5 0.54 0.57 0.61 0.64 0.68 0.71 0.75 0.8 0.96
       corresponds to the changes in the number of worm instances                                                                                                    SFM Value

       that actively conduct scans over time. The SFM of PSD is                           Fig. 6. PDF of SFM on normal non-worm traffic
       defined as the ratio of geometric mean to arithmetic mean of
       the coefficients of PSD. The range of SFM values is [0, 1]
       and a larger SFM value implies flatter PSD distribution and                         followed by a decrease in the scan traffic volume.
       vice versa.                                                                           Notice that the frequency domain analysis will require
          To illustrate SFM values of both the C-Worm and normal                          more samples in comparison with the time domain analysis,
       non-worm scan traffic, we plot the Probability Density Func-                        since the frequency domain analysis technique such as the
       tion (PDF) of SFM for both C-Worm and normal non-worm                              Fourier transform, needs to derive power spectrum amplitude
       scan traffic as shown in Fig. 5 and Fig. 6, respectively. The                       for different frequencies. In order to generate the accurate
       normal non-worm scan traffic data shown in Fig. 6 is based                          spectrum amplitude for relatively high frequencies, a high
       on real-world traces collected by the ISC 6 . Note that we                         granularity of data sampling will be required. In our case, we
       only show the data for port 8080 as an example, and other                          rely on Internet threat monitoring (ITM) systems to collect
       ports show similar observations. From this figure, we know                          traffic traces from monitors (motion sensors) in a timely
       that the SFM value for normal non-worm traffic is very small                        manner. As a matter of fact, other existing detection schemes
       (e.g., SFM ∈ (0.02, 0.04) has much higher density compared                         based on the scan traffic rate [20], variance [21] or trend [19]
       with other magnitudes). The C-Worm data shown in Fig. 5 is                         will also demand a high sampling frequency for ITM systems
       based on 800 C-Worms attacks generated by varying attack                           in order to accurately detect worm attacks. Enabling the ITM
       parameters defined in Section 3 such as P (t) and Mc (t).                           system with timely data collection will benefit worm detection
       From this figure, we know that the SFM value of the C-Worm                          in real-time.
       attacks is high (e.g., SFM ∈ 0.5, 0.6 has high density). From                      4.2 Spectrum-based Detection Scheme
       the above two figures, we can observe that there is a clear
       demarcation range of SFM ∈ (0.3, 0.38) between the C-Worm                          We now present the details of our spectrum-based detection
       and normal non-worm scan traffic. As such, the SFM can be                           scheme. Similar to other detection schemes [19], [21], we use
       used to sensitively detect the C-Worm scan traffic.                                 a “destination count” as the number of the unique destination
                                                                                          IP addresses targeted by launched scans during worm propaga-
          The large SFM values of normal non-worm scan traffic
                                                                                          tion. To understand how the destination count data is obtained,
       can be explained as follows. The normal non-worm scan
                                                                                          we recall that an ITM system collects logs from distributed
       traffic does not tend to concentrate at any particular frequency
                                                                                          monitors across the Internet. On a side note, Internet Threat
       since its random dynamics is not caused by any recurring
                                                                                          Monitoring (ITM) systems are a widely deployed facility to
       phenomenon. The small value of SFM can be reasoned by
                                                                                          detect, analyze, and characterize dangerous Internet threats
       the fact that the power of C-Worm scan traffic is within a
                                                                                          such as worms. In general, an ITM system consists of one
       narrow-band frequency range. Such concentration within a
                                                                                          centralized data center and a number of monitors distributed
       narrow range of frequencies is unavoidable since the C-Worm
                                                                                          across the Internet. Each monitor records traffic that addressed
       adapts to the dynamics of the Internet in a recurring manner
                                                                                          to a range of IP addresses (which are not commonly used IP
       for manipulating the overall scan traffic volume. In reality,
                                                                                          address also called the dark IP addresses) and periodically
       the above recurring manipulations involve steady increase
                                                                                          sends the traffic logs to the data center. The data center then
         6. The traces used in this paper contain log files which have over 100            analyzes the collected traffic LOGS and publishes reports (e.g.,
       million records and the total size exceeds 40 GB.                                  statistics of monitored traffic) to ITM system users. Therefore


the baseline traffic in our study is scan traffic. With reports in a sampling window Ws, the source count X(t) is obtained by counting the unique source IP addresses in received logs.

To conduct spectrum analysis, we consider a detection sliding window Wd in the worm detection system. Wd consists of q (> 1) continuous detection sampling windows and each sampling window lasts Ws. The detection sampling window is the unit time interval to sample the detection data (e.g., the destination count). Hence, at time i, within a sliding window Wd, there are q samples denoted by (X(i − q − 1), X(i − q − 2), . . . , X(i)), where X(i − j − 1) (j ∈ (1, q)) is the j-th destination count from time i − j − 1 to i − j.

In our spectrum-based detection scheme, the distribution of PSD and its corresponding SFM are used to distinguish the C-Worm scan traffic from the non-worm scan traffic. Recall that the definition of PSD distribution and its corresponding SFM are introduced in Section 4.1. In our worm detection scheme, the detection data (e.g., the destination count) is further processed in order to obtain its PSD and SFM. In the following, we detail how the PSD and SFM are determined during the processing of the detection data.

4.2.1 Power Spectral Density (PSD)

To obtain the PSD distribution for worm detection data, we need to transform data from the time domain into the frequency domain. To do so, we use a random process X(t), t ∈ [0, n], to model the worm detection data. Assuming X(t) is the source count in time period [t − 1, t] (t ∈ [1, n]), we define the auto-correlation of X(t) by

$$R_X(L) = E[X(t)X(t + L)]. \qquad (5)$$

In Formula (5), R_X(L) is the correlation of worm detection data in an interval L. If a recurring behavior exists, a Fourier transform of the auto-correlation function R_X(L) can reveal such behavior. Thus, the PSD function (also represented by S_X(f), where f refers to frequency) of the scan traffic data is determined using the Discrete Fourier Transform (DFT) of its auto-correlation function as follows,

$$\psi(R_X[L], K) = \sum_{n=0}^{N-1} R_X[L] \cdot e^{-j 2\pi K n / N}, \qquad (6)$$

where K = 0, 1, . . . , N − 1.

As the PSD inherently captures any recurring pattern in the frequency domain, the PSD function shows a comparatively even distribution across a wide spectrum range for the normal non-worm scan traffic. The PSD of C-Worm scan traffic shows spikes or noticeably higher concentrations at a certain range of the spectrum.

4.2.2 Spectral Flatness Measure (SFM)

We measure the flatness of PSD to distinguish the scan traffic of the C-Worm from the normal non-worm scan traffic. For this, we introduce the Spectral Flatness Measure (SFM), which can capture anomalous behavior in a certain range of frequencies. The SFM is defined as the ratio of the geometric mean to the arithmetic mean of the PSD coefficients [62], [63]. It can be expressed as

$$SFM = \frac{\left[\prod_{k=1}^{n} S(f_k)\right]^{1/n}}{\frac{1}{n}\sum_{k=1}^{n} S(f_k)}, \qquad (7)$$

where S(f_k) is a PSD coefficient for the PSD obtained from the results in Formula (6). SFM is a widely used measure for discriminating frequencies in various applications such as voiced frame detection in speech recognition [63], [64]. In general, small values of SFM imply the concentration of data at narrow frequency spectrum ranges. Note that the C-Worm has unpreventable recurring behavior in its scan traffic; consequently its SFM values are comparatively smaller than the SFM values of normal non-worm scan traffic. To be useful in detecting C-Worms, we introduce a sliding window to capture noticeably higher concentrations at a small range of the spectrum. When such a noticeable concentration is recognized, we derive the SFM within a wider frequency range. From Fig. 5, we can observe that the SFM value for the C-Worm is very small (e.g., with a mean value of approximately 0.075). A formal analysis of SFM for the C-Worm is presented in Appendix B.

4.2.3 Detection Decision Rule

We now describe the method of applying an appropriate detection rule to detect C-Worm propagation. As the SFM value can be used to sensitively distinguish the C-Worm and normal non-worm scan traffic, the worm detection is performed by comparing the SFM with a predefined threshold Tr. If the SFM value is smaller than the predefined threshold Tr, then a C-Worm propagation alert is generated. The value of the threshold Tr used by the C-Worm detection can be fittingly set based on the knowledge of the statistical distribution (e.g., PDF) of SFM values that correspond to the non-worm scan traffic. Notice that the Tr value for the non-worm traffic can be derived by analyzing the historical data provided by the SANS Internet Storm Center (ISC). In the worm detection systems, monitors collect port-scan traffic to a certain area of dark IP addresses and periodically report scan traffic logs to the data center. Then the data center aggregates the data from different monitors on the same port and publishes the data. Based on the historical data for different ports, we can build the statistical profiles of port-scan traffic on different ports and then derive the Tr value for the non-worm traffic. Based on the continuously reported data, the value of Tr will be tuned and adaptively used to carry out worm detection.

If we can obtain the PDF of SFM values for the C-Worm through comprehensive simulations and even real-world profiled data in the future, the optimal threshold can be obtained by applying the Bayes classification [65]. If the PDF of SFM values for the C-Worm is not available, based on the PDF of SFM values of the normal non-worm scan traffic, we can set an appropriate Tr value. For example, the Tr value can be determined by the Chebyshev inequality [65] in order to obtain a reasonable false positive rate for worm detection. Hence in Section 5, we evaluate our spectrum-based detection scheme against the C-Worm in two cases: (a) the PDF of SFM values is known for both the normal non-worm scan traffic

and the C-Worm scan traffic, (b) the PDF of SFM values is only known for the normal non-worm scan traffic.

In addition, our spectrum-based scheme is also generic for detecting the PRS worms. This is due to the fact that the propagation traffic of PRS worms has an exponentially increasing pattern. Thus, in the propagation traffic of PRS worms, the PSD values in the low frequency range are much higher compared with other frequency ranges. A formal analysis of SFM for the PRS worm is presented in Appendix C.

Notice that even if the C-Worm monitors the port-scan traffic report, it will be hard for the C-Worm to make the SFM similar to the background traffic. This can be reasoned by two factors. First, the low value of SFM is mainly caused by the closed-loop control nature of the C-Worm. The concentration within a narrow range of frequencies is unavoidable since the C-Worm adapts to the dynamics of the Internet in a recurring manner for manipulating the overall scan traffic volume. Based on our analysis, the non-worm traffic on a port is rather random and its SFM has a flat pattern. That means that the non-worm traffic on the port distributes similar power across different frequencies. Second, as we indicated in other responses, without introducing the closed-loop control, it will be difficult for the attacker to hide the irregularity of worm propagation traffic in the time domain. When the worm attacks incorporate the closed-loop control mechanism to camouflage their traffic, it will expose a relatively small value of SFM. Hence, integrating our spectrum-based detection with existing traffic rate-based anomaly detection in the time domain, we can force the worm attacker into a dilemma: if the worm attacker does not use the closed-loop control, the existing traffic rate-based detection scheme will be able to detect the worm; if the worm attacker adopts the closed-loop control, it will cause the relatively small SFM due to the process of closed-loop control. This allows the worm attack to be detected by our spectrum-based scheme along with other existing traffic-rate based detection schemes.

5 PERFORMANCE EVALUATION

In this section, we report our evaluation results that illustrate the effectiveness of our spectrum-based detection scheme against both the C-Worm and the PRS worm in comparison with existing representative detection schemes for detecting wide-spreading worms. In addition, we also take into consideration destination distribution based detection schemes and evaluate their performance against the C-Worm.

5.1 Evaluation Methodology

5.1.1 Evaluation Metrics

In order to evaluate the performance of any given detection scheme against the C-Worm, we use the following three metrics listed in Table II. The first metric is the worm Infection Ratio (IR), which is defined as the ratio of the number of infected computers to the total number of vulnerable computers, assuming there is no worm detection/defense system in place. The other two metrics are the Detection Time (DT) and the Maximal Infection Ratio (MIR). DT is defined as the time taken to successfully detect a wide-spreading worm from the moment the worm propagation starts. It quantifies the detection speed of a detection scheme. MIR defines the ratio of the number of infected computers over the total number of vulnerable computers up to the moment when the worm spreading is detected. It quantifies the damage caused by a worm before being detected. The objective of any detection scheme is to minimize the damage caused by a rapid worm propagation. Hence, MIR and DT can be used to quantify the effectiveness of any worm detection scheme. The higher the values, the more effective the worm attack and the less effective the detection. In addition, we use two more metrics: Detection Rate (PD) and False Positive Rate (PF). PD is defined as the probability that a detection scheme can correctly identify a worm attack. PF is defined as the probability that a detection scheme mistakenly identifies a non-existent worm attack.

5.1.2 Simulation Setup

In our evaluation we considered both experiments with real-world "non-worm" traffic and simulated C-Worm traffic. To make our experiments reflect real-world practice, some key parameters that we used to generate C-Worm traffic in our simulation were based on previous results from a real worm incident, the "Code-Red" worm in 2001 [1]. Specifically, we set the total number of vulnerable computers on the Internet as 360,000, which is the maximum number of computers which could be infected by the "Code-Red" worm. Additionally, we set the scan rate S (number of scans per minute) to be variable within a range; this allows us to emulate the infected computers in different network environments. In our evaluation, the scan rates are predetermined and follow a Gaussian distribution S = N(S_m, S_σ^2), where S_m and S_σ^2 are in (20, 70], similar to those used in [19]. In our evaluation, we merged the simulated C-Worm attack traffic into replayed "non-worm" traffic traces and carried out the evaluation study.

We simulate the C-Worm attacks by varying the attack parameters, such as the attack probability (P(t)) and the number of worm instances participating in the scan ($\bar{M}_C$) defined in Section 3. $\bar{M}_C$ follows the Gaussian distribution N(m, σ) and is changed dynamically by the C-Worm during its propagation. Particularly, for N(m, σ), m is randomly selected in (12000, 75000) and σ is randomly selected in (0.2, 100). We simulate different C-Worm attacks by varying the values of m and σ. The detection sampling window Ws is set to 5 minutes and the detection sliding window Wd is set to be incremental from 80 min to 800 min. The incremental selection of Ws from a comparatively small window to a large window can adaptively reflect the worm scan traffic dynamics caused by the C-Worm propagation at various speeds. We choose the setting of the detection sampling window to be short enough in order to provide enough sampling accuracy as prescribed by Nyquist's sampling theory. Also, we choose the detection sliding window to be long enough to capture adequate information for spectrum-based analysis [63].

In practice, since detection systems analyze port scan traffic blended with the non-worm scan traffic, we replay the real-world traces as non-worm scan traffic (background noise to attack traffic) in our simulations. In particular, we used the ISC real-world trace (Shield logs dataset) from 01/01/2005

                 Authorized licensed use limited to: Universidade de Macau. Downloaded on July 16,2010 at 02:00:53 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication.
IEEE TRANSACTIONS ON DEPEDABLE AND SECURE COMPUTING
        IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING ,VOL. 8, NO. 3, MAY-JUNE 2011
                                                                                                                                                                       10


                                                                               TABLE 1
                                                                           Evaluation Metrics

                         Notation                               Definition
                         Infection Ratio (IR)                   Ratio of worm-infection over time without the presence of detection/defense system
                         Maximal Infection Ratio (M IR)         Ratio of worm infection at the moment that worm is being detected
                         Detection time (DT )                   Time taken to successfully detect a wide-spreading worm from its birth




to 01/15/2005. Note that SANS ISC, maintained by the SANS Institute, has gained popularity in the Internet security community in recent years. ISC collects firewall and intrusion detection system logs, which indicate port-scan trends from approximately 2000 organizations that monitor up to 1 million IP addresses. We choose the scan traffic logs for port 8080 as an example for profiling the non-worm scan traffic.

In order to establish the credibility of such data, we made the following effort before using the data in our experiments. First, we obtained the 15-day traces from 01/01/2005 to 01/15/2005 from SANS ISC. We checked with the SANS website and found that there were no worm attack incidents within those 15 days. Second, we obtained the statistical profile of the traffic traces, including the mean value and standard deviation of the traffic rates. Based on this profile, we set a threshold equal to the mean value plus four times the standard deviation, and filtered out the data points with unusually large values above it. Third, we conducted our evaluation 15 times on data randomly combined from different dates. The results shown in the paper are the mean values of the experimental results from these rounds.

5.2 Performance of Detection Schemes

We evaluate our proposed spectrum-based detection scheme by comparing its performance with three existing representative traffic volume-based detection schemes. The first is the volume mean-based (MEAN) detection scheme, which uses the mean of the scan traffic to detect worm propagation [20]; the second is the trend-based (TREND) detection scheme, which uses the increasing trend of the scan traffic to detect worm propagation [19]; and the third is the victim-number-variance-based (VAR) detection scheme, which uses the variance of the scan traffic to detect worm propagation [21].

We denote our spectrum-based detection scheme as SPEC. We evaluate two variants of SPEC: one has no knowledge of any C-Worm attacks or C-Worm scan traffic (denoted by SPEC(W)), and the other has knowledge of C-Worm attacks through an off-line training process (denoted by SPEC). For the off-line training, we use 1000 worm attacks that include both C-Worm attacks (800) and PRS worm attacks (200). For fairness, we set the detection parameters of our SPEC scheme and of the other three detection schemes so that all schemes achieve a similar false positive rate (PF) below 1%.

In the following subsections, we first evaluate the performance of our spectrum-based detection scheme in the context of detecting C-Worm attacks. We then evaluate its performance in the context of detecting traditional PRS worms, followed by a performance comparison between traffic volume-based detection and traffic distribution-based detection.

5.2.1 Detection Performance for C-Worm Attacks

Table 2 shows the detection results of the different detection schemes against the C-Worm. The results have been averaged over 500 C-Worm attacks. From this table, we can observe that the existing detection schemes are not able to effectively detect the C-Worm: their detection rate (PD) values are significantly lower than those of our spectrum-based detection schemes (SPEC and SPEC(W)). For example, SPEC achieves a detection rate of 99%, which is at least 3-4 times higher than that of detection schemes such as VAR and MEAN, which achieve detection rates of only 48% and 14%, respectively.

Our SPEC and SPEC(W) detection schemes also achieve good detection time (DT) performance in addition to the high detection rate values noted above. In contrast, the detection times of the existing detection schemes are considerably larger. As a consequence of the shorter detection times, the C-Worm propagation is effectively contained by SPEC and SPEC(W), as demonstrated by their lower values of maximal infection ratio (MIR). Since the detection rate values of the existing detection schemes are relatively small, the low MIR values obtained for those schemes are not as significant as those for SPEC and SPEC(W). Furthermore, we can notice that the detection performance of SPEC(W) is worse than that of SPEC. This is because SPEC(W) lacks off-line training knowledge of the C-Worm scan traffic. Nonetheless, SPEC(W) still performs much better than the existing detection schemes.

5.2.2 Detection Performance for Traditional PRS Worms

We evaluate the detection performance of the different detection schemes against traditional PRS worm attacks. The detection performance results have been averaged over 500 PRS worm attacks. We observe that both our SPEC and SPEC(W) schemes achieve a 100% detection rate (PD) when detecting traditional PRS worms, in comparison with the existing worm detection schemes that have been specifically designed for detecting traditional PRS worms.

To emphasize the relative performance of our SPEC and SPEC(W) schemes against the existing worm detection schemes, we plot the MIR and DT results in Figs. 7 and 8 for different scan rates S. We can observe from these figures that the MIR and DT results of our spectrum-based scheme (shown only for SPEC(W)) are comparable to or better than those of the existing worm detection schemes. For a mean scan rate of 70/min, our SPEC(W) scheme achieves




TABLE 2
Detection results for the C-Worm

Schemes                           VAR      TREND    MEAN     SPEC(W)   SPEC
Detection Rate (DR)               48%      0%       14%      96.4%     99.3%
Maximal Infection Ratio (MIR)     14.4%    100%     7.5%     4.4%      2.8%
Detection Time (DT) in minutes    2367     ∞        1838     1707      1460
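The two procedures described in Section 5, the mean-plus-four-standard-deviations filter applied to the background traces in Section 5.1 and the SPEC decision of Section 5.2 (PSD of the scan-traffic volume, its Spectral Flatness Measure, and detection parameters tuned so that every scheme meets the same false-positive budget), as one added Python example. This is not the authors' code and reproduces none of the numbers in Table 2: the window length of 256 samples, the background model (white Gaussian noise around a constructed mean of 100 with standard deviation 10, the approximation the paper itself adopts for background traffic), the PRS-worm growth factor of 1.03, the C-Worm modulation period of 64 and amplitude of 20, the use of the population standard deviation in the filter, and every function name are assumptions made here. Only the standard library is used; the FFT is a plain radix-2 implementation.

```python
"""SPEC-style spectrum detector on constructed scan-volume traces (added example)."""
import cmath
import math
import random
import statistics

WINDOW = 256      # samples (e.g. per-minute scan counts) per detection window
TARGET_PF = 0.01  # false-positive rate the SFM threshold is calibrated for


def clean(counts, k=4.0):
    """Section 5.1 preprocessing: drop samples above mean + k * std so a few
    spikes in the background trace do not distort its statistical profile.
    Population std is an assumption; the paper does not name the estimator."""
    limit = statistics.mean(counts) + k * statistics.pstdev(counts)
    return [c for c in counts if c <= limit]


def fft(x):
    """Radix-2 Cooley-Tukey FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + t, even[k] - t
    return out


def psd(series):
    """One-sided power spectral density without the DC bin: DC carries only
    the mean volume, which would otherwise swamp the flatness measure."""
    return [abs(c) ** 2 for c in fft(series)[1:len(series) // 2]]


def sfm(series):
    """Spectral Flatness Measure = geometric mean / arithmetic mean of the PSD:
    1.0 for a flat (white-noise-like) spectrum, near 0 when the power sits in
    a few bins (a worm's growth trend or its recurring manipulation)."""
    p = psd(series)
    arith = sum(p) / len(p)
    if arith == 0.0:  # constant series: nothing fluctuates, treat as flat
        return 1.0
    eps = 1e-12       # guard against log(0) on an empty bin
    geo = math.exp(sum(math.log(v + eps) for v in p) / len(p))
    return geo / arith


def background(rng, n, mean=100.0, std=10.0):
    """Constructed non-worm scan volume: white Gaussian noise around a mean
    level (the approximation the paper uses for background), clipped at 0."""
    return [max(0.0, rng.gauss(mean, std)) for _ in range(n)]


def prs_worm(rng, n=WINDOW, rate=1.03, start=0.5):
    """Constructed PRS-worm window: exponential growth on top of background;
    the steady increase piles the PSD into the lowest frequency bins."""
    return [b + start * rate ** k for k, b in enumerate(background(rng, n))]


def c_worm(rng, n=WINDOW, period=64, amplitude=20.0):
    """Constructed C-Worm window: a recurring manipulation of the worm's scan
    volume, modest next to the background level but concentrated at the single
    frequency 1/period, which is what the SFM reacts to."""
    mod = [amplitude * (1 + math.cos(2 * math.pi * k / period)) for k in range(n)]
    return [b + m for b, m in zip(background(rng, n), mod)]


def calibrate_threshold(background_sfms, target_pf=TARGET_PF):
    """SFM threshold that only a target_pf fraction of background-only training
    windows fall below (the paper tunes every scheme to a PF below 1%)."""
    ordered = sorted(background_sfms)
    return ordered[int(target_pf * len(ordered))]


def is_worm(series, threshold):
    """SPEC decision for one window: alarm when the spectrum is too peaky."""
    return sfm(series) < threshold


def run_demo(seed=1, train_windows=200, test_windows=100):
    """Calibrate on cleaned background windows, then score fresh background,
    PRS-worm and C-Worm windows; returns the threshold and the three rates."""
    rng = random.Random(seed)
    stream = clean(background(rng, (train_windows + test_windows + 1) * WINDOW))
    windows = [stream[i:i + WINDOW] for i in range(0, len(stream) - WINDOW + 1, WINDOW)]
    threshold = calibrate_threshold([sfm(w) for w in windows[:train_windows]])

    def alarm_rate(ws):
        return sum(is_worm(w, threshold) for w in ws) / len(ws)

    return {
        "threshold": threshold,
        "false_positive_rate": alarm_rate(windows[train_windows:train_windows + test_windows]),
        "prs_detection_rate": alarm_rate([prs_worm(rng) for _ in range(test_windows)]),
        "cworm_detection_rate": alarm_rate([c_worm(rng) for _ in range(test_windows)]),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running the file prints the calibrated threshold and the alarm rates for fresh background, PRS-worm and C-Worm windows. The calibration mirrors the paper's fairness rule: the threshold is the SFM below which only about 1% of background-only windows fall, and worm windows are then scored against it. Whether a C-Worm window crosses it depends on how much energy its recurring manipulation puts into a few bins relative to the background noise in a window of that length; a weaker modulation or a shorter window moves its SFM back toward the background distribution. The MEAN, TREND and VAR baselines are not reimplemented here.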



[Figure: Maximal Infection Ratio of PRS Worm; y-axis MIR (0 to 0.1), x-axis Scan Rate (20 to 70); series VAR, TREND, MEAN, SPEC(W).]
Fig. 7. Maximal Infection Ratio of detection schemes against PRS worm

[Figure: Detection Time of PRS Worm; y-axis DT (900 to 2900), x-axis Scan Rate (20 to 70); series VAR, TREND, MEAN, SPEC(W).]
Fig. 8. Detection Time of detection schemes against PRS worm

a detection time of 1024 mins, which is faster than that of the VAR and MEAN schemes, whose values are 1239 min and 1161 min, respectively. For the same mean scan rate of 70/min, SPEC(W) achieves a maximal infection ratio of 0.03, which is comparable to TREND's MIR value and is less than 50% of the MIR value of the VAR and MEAN detection schemes. The effectiveness of our spectrum-based scheme rests on the fact that traditional PRS worm scanning traffic shows a constant, rapid increase. Thus, the SFM values are relatively small, because the PSD is concentrated in the low-frequency bands in the case of traditional PRS worm scanning.

6 FINAL REMARKS

In this paper, we studied a new class of smart worm called the C-Worm, which has the capability to camouflage its propagation and thereby avoid detection. Our investigation showed that, although the C-Worm successfully camouflages its propagation in the time domain, its camouflaging nature inevitably manifests as a distinct pattern in the frequency domain. Based on this observation, we developed a novel spectrum-based detection scheme to detect the C-Worm. Our evaluation data showed that our scheme achieved superior detection performance against the C-Worm in comparison with existing representative detection schemes. This paper lays the foundation for ongoing studies of “smart” worms that intelligently adapt their propagation patterns to reduce the effectiveness of countermeasures.

ACKNOWLEDGMENTS

We thank the anonymous reviewers for their invaluable feedback. This work was supported in part by the US National Science Foundation (NSF) under grants No. CNS-0916584, CAREER Award CCF-0546668, and the Army Research Office (ARO) under grant No. AMSRD-ACC-R 50521-CI; by the National Science Foundation (NSF) under grants No. 0963973 and No. 0963979; and by the University of Macau and the Macao Science and Technology Development Foundation. Any opinions, findings, conclusions, and recommendations in this paper are those of the authors and do not necessarily reflect the views of the funding agencies. The authors would like to acknowledge Ms. Larisa Archer for her dedicated help to improve the paper.

REFERENCES

[1] D. Moore, C. Shannon, and J. Brown, “Code-red: a case study on the spread and victims of an internet worm,” in Proceedings of the 2nd Internet Measurement Workshop (IMW), Marseille, France, November 2002.
[2] D. Moore, V. Paxson, and S. Savage, “Inside the slammer worm,” in IEEE Magazine of Security and Privacy, July 2003.
[3] CERT, CERT/CC advisories, http://www.cert.org/advisories/.
[4] P. R. Roberts, Zotob Arrest Breaks Credit Card Fraud Ring, http://www.eweek.com/article2/0,1895,1854162,00.asp.
[5] W32/MyDoom.B Virus, http://www.us-cert.gov/cas/techalerts/TA04-028A.html.
[6] W32.Sircam.Worm@mm, http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html.
[7] Worm.ExploreZip, http://www.symantec.com/avcenter/venc/data/worm.explore.zip.html.
[8] R. Naraine, Botnet Hunters Search for Command and Control Servers, http://www.eweek.com/article2/0,1759,1829347,00.asp.
[9] T. Sanders, Botnet operation controlled 1.5m PCs: Largest zombie army ever created, http://www.vnunet.com/vnunet/news/2144375/botnet-operation-ruled-million, 2005.
[10] R. Vogt, J. Aycock, and M. Jacobson, “Quorum sensing and self-stopping worms,” in Proceedings of the 5th ACM Workshop on Recurring Malcode (WORM), Alexandria, VA, October 2007.
[11] S. Staniford, V. Paxson, and N. Weaver, “How to own the internet in your spare time,” in Proceedings of the 11th USENIX Security Symposium (SECURITY), San Francisco, CA, August 2002.
[12] Z. S. Chen, L. X. Gao, and K. Kwiat, “Modeling the spread of active worms,” in Proceedings of the IEEE Conference on Computer Communications (INFOCOM), San Francisco, CA, March 2003.
[13] M. Garetto, W. B. Gong, and D. Towsley, “Modeling malware spreading dynamics,” in Proceedings of the IEEE Conference on Computer Communications (INFOCOM), San Francisco, CA, March 2003.
[14] C. C. Zou, W. Gong, and D. Towsley, “Code-red worm propagation modeling and analysis,” in Proceedings of the 9th ACM Conference on Computer and Communication Security (CCS), Washington, DC, November 2002.






[15] ZDNet, Smart worm lies low to evade detection, http://news.zdnet.co.uk/internet/security/0,39020375,39160285,00.htm.
[16] J. Ma, G. M. Voelker, and S. Savage, “Self-stopping worms,” in Proceedings of the ACM Workshop on Rapid Malcode (WORM), Washington, DC, November 2005.
[17] Min Gyung Kang, Juan Caballero, and Dawn Song, “Distributed evasive scan techniques and countermeasures,” in Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA), Lucerne, Switzerland, July 2007.
[18] Charles Wright, Scott Coull, and Fabian Monrose, “Traffic morphing: An efficient defense against statistical traffic analysis,” in Proceedings of the 15th IEEE Network and Distributed System Security Symposium (NDSS), San Diego, CA, February 2008.
[19] C. Zou, W. B. Gong, D. Towsley, and L. X. Gao, “Monitoring and early detection for internet worms,” in Proceedings of the 10th ACM Conference on Computer and Communication Security (CCS), Washington, DC, October 2003.
[20] S. Venkataraman, D. Song, P. Gibbons, and A. Blum, “New streaming algorithms for superspreader detection,” in Proceedings of the 12th IEEE Network and Distributed Systems Security Symposium (NDSS), San Diego, CA, February 2005.
[21] J. Wu, S. Vangala, and L. X. Gao, “An effective architecture and algorithm for detecting worms with various scan techniques,” in Proceedings of the 11th IEEE Network and Distributed System Security Symposium (NDSS), San Diego, CA, February 2004.
[22] Dshield.org, Distributed Intrusion Detection System, http://www.dshield.org/, 2005.
[23] SANS, Internet Storm Center, http://isc.sans.org/.
[24] C. C. Zou, W. Gong, and D. Towsley, “Worm propagation modeling and analysis under dynamic quarantine defense,” in Proceedings of the 1st ACM CCS Workshop on Rapid Malcode (WORM), Washington, DC, October 2003.
[25] C. C. Zou, D. Towsley, and W. Gong, “Modeling and simulation study of the propagation and defense of internet e-mail worm,” IEEE Transactions on Dependable and Secure Computing, vol. 4, no. 2, pp. 105–118, 2007.
[26] C. Zou, Don Towsley, and Weibo Gong, “Email worm modeling and defense,” in Proceedings of the 13th International Conference on Computer Communications and Networks (ICCCN), Chicago, IL, October 2004.
[27] W. Yu, S. Chellappan, C. Boyer, and D. Xuan, “Peer-to-peer system-based active worm attacks: Modeling and analysis,” in Proceedings of the IEEE International Conference on Communication (ICC), Seoul, Korea, May 2005.
[28] Dynamic Graphs of the Nimda Worm, http://www.caida.org/dynamic/analysis/security/nimda.
[29] S. Staniford, D. Moore, V. Paxson, and N. Weaver, “The top speed of flash worms,” in Proceedings of the 2nd ACM CCS Workshop on Rapid Malcode (WORM), Fairfax, VA, October 2004.
[30] Yubin Li, Zesheng Chen, and Chao Chen, “Understanding divide-conquer-scanning worms,” in Proceedings of the International Performance Computing and Communications Conference (IPCCC), Austin, TX, December 2008.
[31] D. Ha and H. Ngo, “On the trade-off between speed and resiliency of flash worms and similar malcodes,” in Proceedings of the 5th ACM Workshop on Recurring Malcode (WORM), Alexandria, VA, October 2007.
[32] Y. Yang, S. Zhu, and G. Cao, “Improving sensor network immunity under worm attacks: A software diversity approach,” in Proceedings of the ACM International Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc), Hong Kong, May 2008.
[33] D. Bruschi, L. Martignoni, and M. Monga, “Detecting self-mutating malware using control flow graph matching,” in Proceedings of the Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), Berlin, Germany, July 2006.
[34] R. Perdisci, O. Kolesnikov, P. Fogla, M. Sharif, and W. Lee, “Polymorphic blending attacks,” in Proceedings of the 15th USENIX Security Symposium (SECURITY), Vancouver, B.C., August 2006.
[35] Linux.com, Understanding Stealth Scans: Forewarned is Forearmed, http://security.itworld.com/4363/LWD010321vcontrol3/page1.html.
[36] Solar Designer, Designing and Attacking Port Scan Detection Tools, http://www.phrack.org/phrack/53/P53-13.
[37] J. Z. Kolter and M. A. Maloof, “Learning to detect malicious executables in the wild,” in Proceedings of the 10th ACM International Conference on Knowledge Discovery and Data Mining (SIGKDD), Seattle, WA, August 2004.
[38] X. Wang, W. Yu, A. Champion, X. Fu, and D. Xuan, “Detecting worms via mining dynamic program execution,” in Proceedings of the IEEE International Conference on Security and Privacy in Communication Networks (SECURECOMM), Nice, France, September 2007.
[39] W. Yu, X. Wang, D. Xuan, and D. Lee, “Effective detection of active worms with varying scan rate,” in Proceedings of the IEEE International Conference on Security and Privacy in Communication Networks (SECURECOMM), Baltimore, MD, August 2006.
[40] A. Lakhina, M. Crovella, and C. Diot, “Mining anomalies using traffic feature distribution,” in Proceedings of ACM SIGCOMM, Philadelphia, PA, August 2005.
[41] V. Yegneswaran, P. Barford, and D. Plonka, “On the design and utility of internet sinks for network abuse monitoring,” in Proceedings of the Symposium on Recent Advances in Intrusion Detection (RAID), Pittsburgh, PA, September 2003.
[42] M. Bailey, E. Cooke, F. Jahanian, J. Nazario, and D. Watson, “The internet motion sensor: A distributed blackhole monitoring system,” in Proceedings of the 12th IEEE Network and Distributed Systems Security Symposium (NDSS), San Diego, CA, February 2005.
[43] D. Moore, “Network telescopes: Observing small or distant security events,” in Invited Presentation at the 11th USENIX Security Symposium (SECURITY), San Francisco, CA, August 2002.
[44] J. Jung, V. Paxson, A. W. Berger, and H. Balakrishnan, “Fast portscan detection using sequential hypothesis testing,” in Proceedings of the 25th IEEE Symposium on Security and Privacy (S&P), Oakland, CA, May 2004.
[45] H. Kim and B. Karp, “Autograph: Toward automated, distributed worm signature detection,” in Proceedings of the 13th USENIX Security Symposium (SECURITY), San Diego, CA, August 2004.
[46] M. Cai, K. Hwang, J. Pan, and C. Papadopoulos, “Wormshield: Fast worm signature generation with distributed fingerprint aggregation,” IEEE Transactions on Dependable and Secure Computing, vol. 4, no. 2, pp. 88–104, 2007.
[47] R. Dantu, J. W. Cangussu, and S. Patwardhan, “Fast worm containment using feedback control,” IEEE Transactions on Dependable and Secure Computing, vol. 4, no. 2, pp. 119–136, 2007.
[48] K. Ogata, Modern Control Engineering, Pearson Prentice Hall, 2002.
[49] J. B. Grizzard, V. Sharma, C. Nunnery, B. B. Kang, and D. Dagon, “Peer-to-peer botnets: Overview and case study,” in Proceedings of the USENIX Workshop on Hot Topics in Understanding Botnets (HotBots), Cambridge, MA, April 2007.
[50] P. Wang, S. Sparks, and C. Zou, “An advanced hybrid peer-to-peer botnet,” in Proceedings of the USENIX Workshop on Hot Topics in Understanding Botnets (HotBots), Cambridge, MA, April 2007.
[51] D. J. Daley and J. Gani, Epidemic Modeling: An Introduction, Cambridge University Press, 1999.
[52] D. Bruschi, L. Martignoni, and M. Monga, “Detecting self-mutating malware using control flow graph matching,” in Proceedings of the Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), Berlin, Germany, July 2006.
[53] MetaPHOR, http://securityresponse.symantec.com/avcenter/venc/data/w32.simile.html.
[54] P. Ferrie and P. Ször, “Zmist opportunities,” Virus Bulletin, http://www.virusbtn.com.
[55] John Bethencourt, Dawn Song, and Brent Waters, “Analysis-resistant malware,” in Proceedings of the 15th IEEE Network and Distributed System Security Symposium (NDSS), San Diego, CA, February 2008.
[56] Monirul Sharif, Jonathon Giffin, Wenke Lee, and Andrea Lanzi, “Impeding malware analysis using conditional code obfuscation,” in Proceedings of the 15th IEEE Network and Distributed System Security Symposium (NDSS), San Diego, CA, February 2008.
[57] Igor V. Popov, Saumya K. Debray, and Gregory R. Andrews, “Binary obfuscation using signals,” in Proceedings of the 17th USENIX Security Symposium (SECURITY), San Jose, CA, July 2008.
[58] M. Christodorescu and S. Jha, “Testing malware detectors,” in Proceedings of the 2004 ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA), Boston, MA, July 2004.
[59] X. Wang, W. Yu, X. Fu, D. Xuan, and W. Zhao, “iLOC: An invisible localization attack to internet threat monitoring systems,” in Proceedings of the 27th IEEE International Conference on Computer Communications (INFOCOM) Mini-conference, Phoenix, AZ, April 2008.
[60] J. Bethencourt, J. Franklin, and M. Vernon, “Mapping internet sensors with probe response attacks,” in Proceedings of the 14th USENIX Security Symposium, Baltimore, MD, July-August 2005.
[61] Y. Shinoda, K. Ikai, and M. Itoh, “Vulnerabilities of passive internet threat monitors,” in Proceedings of the 14th USENIX Security Symposium, Baltimore, MD, July-August 2005.






[62] S. Soundararajan and D. L. Wang, "A schema-based model for phonemic restoration," Tech. Report OSU-CISRC-1/04-TR03, Department of Computer Science and Engineering, The Ohio State University, January 2004.
[63] N. S. Jayant and P. Noll, Digital Coding of Waveforms, Prentice-Hall, 1984.
[64] R. E. Yantorno, K. R. Krishnamachari, J. M. Lovekin, D. S. Benincasa, and S. J. Wenndt, "The spectral autocorrelation peak valley ratio (SAPVR) - a usable speech measure employed as a co-channel detection system," in Proceedings of the IEEE International Workshop on Intelligent Signal Processing (WISP), Budapest, Hungary, May 2001.
[65] S. Theodoridis and K. Koutroumbas, Pattern Recognition, Second Edition, Elsevier Science, 2003.

APPENDIX

Appendix A: Estimation of M(t)

We now discuss how the C-Worm can estimate $M(t)$ (the number of worm instances or infected computers) at run-time, i.e., during C-Worm propagation. While there are many possible ways to estimate $M(t)$, we only discuss one approach the C-Worm could use given the limited network and computing resources available during its propagation. There are other approaches, such as incorporating Peer-to-Peer techniques to disseminate information through secured IRC channels [49], [50]. In fact, a worm can take advantage of knowing whether an infection attempt was a new hit (reaching a previously uninfected vulnerable computer) or a duplicate hit (reaching a previously infected vulnerable computer).

To estimate $M(t)$, we use an approach similar in nature to that of the "self-stopping" worms, which do not require a global overlay control network [16] to realize their behavior in practice. We call our approach to estimating $M(t)$ the Distributed Co-ordination method. In this method there is no centralized co-ordination between C-Worm instances to obtain feedback about the value of $M(t)$. Instead, distributed co-ordination requires each C-Worm-infected computer to be marked with a watermark indicating that the C-Worm infection code has already been installed on the scanned host, as with the "Code-Red" worms. Thus, when an already infected computer (say host A) scans another infected computer (say host B), host A detects the watermark and learns that host B has already been infected. By scanning vulnerable computers and collecting watermark information during scanning, a C-Worm instance can estimate $M(t)$ at run-time as follows.

Let $T$, the whole Internet IP address space, be the C-Worm scanning target space. Within this target space, assume that $H(t)$ scans up to time $t$ resulted in $K(t)$ computers being identified as already infected by the presence of watermarks (i.e., duplicate hits). We model the number of infected computers indicated by watermarks during scanning as a binomial process: there are $H(t)$ scanning tries and each try has success probability $\bar{M}(t)/T$ of hitting a watermarked host, where $\bar{M}(t)$ is the estimate of $M(t)$ at time $t$. Thus
$$K(t) = H(t) \cdot \frac{\bar{M}(t)}{T},$$
and from this equation we obtain
$$\bar{M}(t) = \frac{T \cdot K(t)}{H(t)}.$$
Note that the above watermarking-based method may lack the accuracy needed for the worm propagator to track the exact status of worm propagation. Nevertheless, it provides a rough estimate of the propagation status and can be integrated with other strategies to improve the accuracy of tracking worm propagation status.

Appendix B: SFM of the C-Worm

We present a formal analysis of the SFM for the C-Worm as follows. Let the observation $Z_1$ be given by $Z_1 = X_1 + Y_1$, where $X_1$ is the random variable representing the C-Worm scanning traffic (e.g., volume, destination counter) in one sampling window and $Y_1$ is the random variable representing the background scanning traffic (e.g., volume, source counter) in one sampling window. We define $X = X_1 - E[X_1]$, where $E[X_1]$ is the mean value of $X_1$, and $Y = Y_1 - E[Y_1]$. Thus we have $Z = X + Y$, where $X$ and $Y$ are independent zero-mean random variables. We assume that the total frequency range is $-W \le f \le W$.

Based on the observations in Section 4.1, we approximately represent $Y_1(t)$ by white Gaussian noise, which is widely used to model wide-band noise in communication systems. Thus $Y$ can be approximated by Gaussian white noise with zero mean and variance $\sigma$. In the frequency band $[-W, W]$ the PSD of $Y$ is therefore $S_Y(f) = \sigma$, i.e., $Y$ has a constant power spectrum in which each frequency carries the average power $\sigma$.

Because all C-Worm instances adopt a similar control strategy to manipulate the overall scanning traffic volume, we have explained how a distinct trend can be noticed in the frequency domain, namely a concentration of the C-Worm scanning traffic within a narrow range of frequencies. Assume that the C-Worm scanning traffic occupies $m$ frequencies, denoted $f_k$ with $k = 1, \ldots, m$ and $m < W$, within the total frequency range (a narrow band). Without loss of generality, $X(t)$ is approximately represented by
$$X(t) = \sum_{k=1}^{m} a_k \cos(2\pi f_k t + \theta),$$
where $\theta$ is uniformly distributed in $[0, 2\pi]$ and $a_k$ is uniformly distributed in $[-l, l]$. From the relationship among autocorrelation, mean and autocovariance we have $R_X(\tau) = C_X(t_1, t_2) + E[X(t_1)]\,E[X(t_2)]$, where $\tau = t_2 - t_1$, $E[X(t_1)] = E[X(t_2)] = 0$, and $C_X(t_1, t_2) = E[(X(t_1) - E[X(t_1)])(X(t_2) - E[X(t_2)])]$ is the autocovariance of the random process $X(t)$. It is then easy to verify that
$$R_X(\tau) = \sum_{k=1}^{m} \frac{a_k^2}{2} \cos(2\pi f_k \tau).$$
Thus the PSD of $X(t)$ is
$$S_X(f) = \sum_{k=1}^{m} \left[ \frac{a_k^2}{4}\,\delta(f - f_k) + \frac{a_k^2}{4}\,\delta(f + f_k) \right].$$
As $X(t)$ and $Y(t)$ are independent random processes (with $S_Y(f) = \sigma$), we have
$$S_Z(f) = \sum_{k=1}^{m} \left[ \frac{a_k^2}{4}\,\delta(f - f_k) + \frac{a_k^2}{4}\,\delta(f + f_k) \right] + \sigma.$$

Define $R = \dfrac{a_k^2\,\delta(f - f_k)}{4\sigma}$ $(\gg 1)$; then $S_Z(f)$ can be rewritten as
$$S_Z(f) = \sigma \left\{ \sum_{k=1}^{m} \left[ R\,\delta(f - f_k) + R\,\delta(f + f_k) \right] + 1 \right\}.$$
Over the $2W$ frequencies in $[-W, W]$, $S_Z(f)$ takes the value $R\sigma$ at the $2m$ frequencies $\pm f_k$ and $\sigma$ elsewhere, so the SFM of $Z(t)$ (the ratio of the geometric mean to the arithmetic mean of $S_Z(f)$) is
$$\mathrm{SFM}_Z = \frac{\left[\sigma^{2W-2m}\,(R\sigma)^{2m}\right]^{\frac{1}{2W}}}{\frac{1}{2W}\left[2m\sigma R + \sigma(2W - 2m)\right]} = \frac{R^{\frac{m}{W}}}{\frac{m}{W}(R-1)+1}.$$
We can rewrite $\mathrm{SFM}_Z$ as a function of $R$: $F(x) = \dfrac{x^t}{t(x-1)+1}$, where $x = R$ and $t = \dfrac{m}{W} < 1$. As
$$F'(x) = \frac{t\,x^{t-1}(x-1)(t-1)}{[t(x-1)+1]^2} < 0 \quad \text{for } x > 1,$$
$\mathrm{SFM}_Z$ is a decreasing function of $x$ $(= R)$; and since $R = \dfrac{a_k^2\,\delta(f - f_k)}{4\sigma} \gg 1$ (by the property of the Dirac $\delta$ function), $\mathrm{SFM}_Z \to 0$. Thus the SFM of the C-Worm is close to 0. (The impulses are an idealization: over a finite sampling window each tone spreads into a frequency bin whose width is inversely proportional to the window length, so in practice $R$ is large but finite and the measured SFM is small rather than exactly zero.)


Appendix C: SFM of PRS Worm

In the following, we analyze the spectrum-based detection scheme when used to detect PRS worms. Let the detection input $Z_1$ in one sample window be given by $Z_1 = X_1 + Y_1$, where $X_1$ is the random variable representing the attack traffic (e.g., scan volume) of PRS worms and $Y_1$ is the random variable representing the background traffic (e.g., scan volume). We define $X = X_1 - E[X_1]$, where $E[X_1]$ is the mean value of $X_1$. We also define $Y = Y_1 - E[Y_1]$, where $E[Y_1]$ is the mean value of $Y_1$. Thus we have $Z = X + Y$, where $X$ and $Y$ are independent zero-mean random variables. We assume the overall frequency range is $-W \le F \le W$. As in Appendix B, we approximately represent $Y_1(t)$ by white Gaussian noise, so $Y$ can be approximated by white noise with zero mean and variance $\sigma$. In the frequency band $[-W, W]$ the PSD of $Y$ is therefore $S_Y(F) = \sigma$, which shows that $Y$ has a constant power spectrum over $F \in [-W, W]$. From the SFM definition it is easy to see that the SFM of $Y$ is close to 1.

According to the PRS worm propagation dynamics in Formula (1), $M(t) \approx e^{\beta N t}$ at the early stage of worm propagation. As $\beta N t \ll 1$ at the early stage, $M(t) \approx 1 + \beta N t$. Following the same procedure, the PSD of $X = f(t) - E[f(t)]$ can be represented by $S_X(F) = \beta N \cdot \dfrac{1}{F^2}$, where $F \in [-W, W]$. Thus the PSD of $Z$ is $\beta N \cdot \dfrac{1}{F^2} + \sigma$. According to Formula (7), the value of the SFM for PRS worms is close to 0. This indicates that the spectrum-based scheme can detect PRS worm propagation at the early stage as well.

Wei Yu. Dr. Wei Yu is an assistant professor in the Department of Computer and Information Sciences, Towson University, Towson, MD 21252. Before that, he worked for Cisco Systems Inc. for almost nine years. He received the BS degree in Electrical Engineering from Nanjing University of Technology in 1992, the MS degree in Electrical Engineering from Tongji University in 1995, and the PhD degree in computer engineering from Texas A&M University in 2008. His research interests include cyber space security, computer networks, and distributed systems.

Xun Wang. Dr. Xun Wang received the BS and MS degrees in computer engineering from The East China Normal University, Shanghai, China, in 1999 and 2002, and the PhD degree in Computer Science and Engineering from The Ohio State University in 2007. He has been working for Cisco Systems, Inc. since 2007. His research interests include network security, overlay networks, and wireless sensor networks.

Prasad Calyam. Dr. Prasad Calyam received the BS degree in Electrical and Electronics Engineering from Bangalore University, India, and the MS and Ph.D. degrees in Electrical and Computer Engineering from The Ohio State University, in 1999, 2002, and 2007 respectively. He is currently a Senior Systems Developer/Engineer at the Ohio Supercomputer Center, The Ohio State University. His current research interests include multimedia networking, cyber security, cyber infrastructure systems, and network management.

Dong Xuan. Dr. Dong Xuan received the BS and MS degrees in electronic engineering from Shanghai Jiao Tong University (SJTU), China, in 1990 and 1993, and the PhD degree in computer engineering from Texas A&M University in 2001. Currently, he is an associate professor in the Department of Computer Science and Engineering, The Ohio State University. He was on the faculty of Electronic Engineering at SJTU from 1993 to 1997. In 1997, he worked as a visiting research scholar in the Department of Computer Science, City University of Hong Kong. From 1998 to 2001, he was a research assistant/associate in the Real-Time Systems Group of the Department of Computer Science, Texas A&M University. He is a recipient of the US National Science Foundation (NSF) CAREER award. His research interests include distributed computing, computer networks and cyber space security.

Wei Zhao. Dr. Wei Zhao is currently the Rector of the University of Macau. Before joining the University of Macau, he served as the Dean of the School of Science at Rensselaer Polytechnic Institute. Between 2005 and 2006, he served as the director for the Division of Computer and Network Systems in the US National Science Foundation when he was on leave from Texas A&M University, where he served as Senior Associate Vice President for Research and Professor of Computer Science. He was the founding director of the Texas A&M Center for Information Security and Assurance, which has been recognized as a Center of Academic Excellence in Information Assurance Education by the National Security Agency. Dr. Zhao completed his undergraduate program in physics at Shaanxi Normal University, Xian, China, in 1977. He received the MS and PhD degrees in Computer and Information Sciences at the University of Massachusetts at Amherst in 1983 and 1986, respectively. Since then, he has served as a faculty member at Amherst College, the University of Adelaide, and Texas A&M University. As an elected IEEE fellow, Wei Zhao has made significant contributions in distributed computing, real-time systems, computer networks, and cyber space security.




                 Authorized licensed use limited to: Universidade de Macau. Downloaded on July 16,2010 at 02:00:53 UTC from IEEE Xplore. Restrictions apply.

More Related Content

PDF
H0434651
PDF
Modeling and Containment of Uniform Scanning Worms
PDF
Bu24478485
PDF
Virus detection based on virus throttle technology
DOC
Modeling and automated containment of worms (synopsis)
PDF
@@@Rf8 polymorphic worm detection using structural infor (control flow gra...
DOC
Modeling & automated containment of worms(synopsis)
PDF
Enhancing Intrusion Detection System with Proximity Information
H0434651
Modeling and Containment of Uniform Scanning Worms
Bu24478485
Virus detection based on virus throttle technology
Modeling and automated containment of worms (synopsis)
@@@Rf8 polymorphic worm detection using structural infor (control flow gra...
Modeling & automated containment of worms(synopsis)
Enhancing Intrusion Detection System with Proximity Information

What's hot (18)

PDF
2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...
PDF
An effective architecture and algorithm for detecting worms with various scan...
PDF
Penn State Researchers Code Targets Stealthy Computer Worms
PDF
A framework for modelling trojans and computer virus infection
PDF
Automated Sample Processing
PDF
A framework to detect novel computer viruses via system calls
PDF
Malwise-Malware Classification and Variant Extraction
PDF
On-Analyzing-a-Layered-Defense-System
PPTX
Detection of Self-Disciplinary Worms
PDF
Analysis of security threats in wireless sensor network
PDF
A taxonomy of computer worms
PPTX
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
PPTX
仮想ウイルスの感染率が不均衡な多次元超立方体ネットワーク内での接触検出の有効性
PDF
NETWORK INTRUSION DATASETS USED IN NETWORK SECURITY EDUCATION
PDF
A theoretical superworm
PDF
VIRTUAL MACHINES DETECTION METHODS USING IP TIMESTAMPS PATTERN CHARACTERISTIC
DOC
Intruder adaptability
2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...
An effective architecture and algorithm for detecting worms with various scan...
Penn State Researchers Code Targets Stealthy Computer Worms
A framework for modelling trojans and computer virus infection
Automated Sample Processing
A framework to detect novel computer viruses via system calls
Malwise-Malware Classification and Variant Extraction
On-Analyzing-a-Layered-Defense-System
Detection of Self-Disciplinary Worms
Analysis of security threats in wireless sensor network
A taxonomy of computer worms
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
仮想ウイルスの感染率が不均衡な多次元超立方体ネットワーク内での接触検出の有効性
NETWORK INTRUSION DATASETS USED IN NETWORK SECURITY EDUCATION
A theoretical superworm
VIRTUAL MACHINES DETECTION METHODS USING IP TIMESTAMPS PATTERN CHARACTERISTIC
Intruder adaptability
Ad

Similar to 2011 modeling and detection of camouflaging worm (20)

PDF
C-Worm Traffic Detection using Power Spectral Density and Spectral Flatness ...
PDF
X-ware: a proof of concept malware utilizing artificial intelligence
PDF
Eh34803812
PDF
Automated worm fingerprinting
DOC
Computer worm
DOC
Computer worm
PDF
Malware propagation in large scale networks
PDF
Malware Propagation in Large-Scale Networks
PDF
PDF
Secure and Reliable Data Transmission in Generalized E-Mail
PDF
Broadband network virus detection system based on bypass monitor
PDF
Application of hardware accelerated extensible network nodes for internet wor...
PDF
A cooperative immunization system for an untrusting internet
PDF
A generic virus detection agent on the internet
PPTX
Computer Vandalism
PDF
Paper-ComputerWormClassification.pdf
PDF
Biologically inspired defenses against computer viruses
PPSX
Ids 006 computer worms
PDF
Limiting self propagating malware based
PDF
A network worm vaccine architecture
C-Worm Traffic Detection using Power Spectral Density and Spectral Flatness ...
X-ware: a proof of concept malware utilizing artificial intelligence
Eh34803812
Automated worm fingerprinting
Computer worm
Computer worm
Malware propagation in large scale networks
Malware Propagation in Large-Scale Networks
Secure and Reliable Data Transmission in Generalized E-Mail
Broadband network virus detection system based on bypass monitor
Application of hardware accelerated extensible network nodes for internet wor...
A cooperative immunization system for an untrusting internet
A generic virus detection agent on the internet
Computer Vandalism
Paper-ComputerWormClassification.pdf
Biologically inspired defenses against computer viruses
Ids 006 computer worms
Limiting self propagating malware based
A network worm vaccine architecture
Ad

Recently uploaded (20)

PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
PDF
Spectral efficient network and resource selection model in 5G networks
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
PPTX
Big Data Technologies - Introduction.pptx
PDF
cuic standard and advanced reporting.pdf
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
PPT
Teaching material agriculture food technology
PPTX
Spectroscopy.pptx food analysis technology
PDF
Chapter 3 Spatial Domain Image Processing.pdf
DOCX
The AUB Centre for AI in Media Proposal.docx
PDF
Review of recent advances in non-invasive hemoglobin estimation
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
PDF
Machine learning based COVID-19 study performance prediction
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
PPTX
Programs and apps: productivity, graphics, security and other tools
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
Dropbox Q2 2025 Financial Results & Investor Presentation
Spectral efficient network and resource selection model in 5G networks
20250228 LYD VKU AI Blended-Learning.pptx
Big Data Technologies - Introduction.pptx
cuic standard and advanced reporting.pdf
Digital-Transformation-Roadmap-for-Companies.pptx
Advanced methodologies resolving dimensionality complications for autism neur...
Teaching material agriculture food technology
Spectroscopy.pptx food analysis technology
Chapter 3 Spatial Domain Image Processing.pdf
The AUB Centre for AI in Media Proposal.docx
Review of recent advances in non-invasive hemoglobin estimation
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Machine learning based COVID-19 study performance prediction
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Diabetes mellitus diagnosis method based random forest with bat algorithm
The Rise and Fall of 3GPP – Time for a Sabbatical?
Programs and apps: productivity, graphics, security and other tools

2011 modeling and detection of camouflaging worm

  • 1. This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. IEEE TRANSACTIONS ON DEPEDABLE AND SECURE COMPUTING IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING ,VOL. 8, NO. 3, MAY-JUNE 2011 1 Modeling and Detection of Camouflaging Worm Wei Yu, Xun Wang, Prasad Calyam, Dong Xuan, and Wei Zhao Abstract—Active worms pose major security threats to the Internet. This is due to the ability of active worms to propagate in an automated fashion as they continuously compromise computers on the Internet. Active worms evolve during their propagation and thus pose great challenges to defend against them. In this paper, we investigate a new class of active worms, referred to as Camouflaging Worm (C-Worm in short). The C-Worm is different from traditional worms because of its ability to intelligently manipulate its scan traffic volume over time. Thereby, the C-Worm camouflages its propagation from existing worm detection systems based on analyzing the propagation traffic generated by worms. We analyze characteristics of the C-Worm and conduct a comprehensive comparison between its traffic and non-worm traffic (background traffic). We observe that these two types of traffic are barely distinguishable in the time domain. However, their distinction is clear in the frequency domain, due to the recurring manipulative nature of the C-Worm. Motivated by our observations, we design a novel spectrum-based scheme to detect the C-Worm. Our scheme uses the Power Spectral Density (PSD) distribution of the scan traffic volume and its corresponding Spectral Flatness Measure (SFM) to distinguish the C-Worm traffic from background traffic. Using a comprehensive set of detection metrics and real-world traces as background traffic, we conduct extensive performance evaluations on our proposed spectrum-based detection scheme. 
The performance data clearly demonstrates that our scheme can effectively detect the C-Worm propagation. Furthermore, we show the generality of our spectrum-based scheme in effectively detecting not only the C-Worm, but traditional worms as well.

Index Terms—Worm, Camouflage, Anomaly Detection.

• Wei Yu is with the Department of Computer and Information Sciences, Towson University, Towson, MD 21252. E-mail: wyu@towson.edu.
• Xun Wang is with Cisco Systems Inc, San Jose, CA 95134. E-mail: xunwang.osu@gmail.com.
• Prasad Calyam is with OARnet, The Ohio State University, Columbus, OH 43210. E-mail: pcalyam@oar.net.
• Dong Xuan is with the Dept. of Computer Science and Engineering, The Ohio State University, Columbus, OH 43210. E-mail: xuan@cse.ohio-state.edu.
• Wei Zhao is with the Department of Computer and Information Science, University of Macau, Macau, China. E-mail: weizhao@umac.mo.

1 INTRODUCTION

An active worm refers to a malicious software program that propagates itself on the Internet to infect other computers. The propagation of the worm is based on exploiting vulnerabilities of computers on the Internet. Many real-world worms have caused notable damage on the Internet. These worms include the "Code-Red" worm in 2001 [1], the "Slammer" worm in 2003 [2], and the "Witty"/"Sasser" worms in 2004 [3]. Many active worms are used to infect a large number of computers and recruit them as bots or zombies, which are networked together to form botnets [4]. These botnets can be used to: (a) launch massive Distributed Denial-of-Service (DDoS) attacks that disrupt Internet utilities [5], (b) access confidential information that can be misused [6] through large-scale traffic sniffing, key logging, identity theft, etc., (c) destroy data that has a high monetary value [7], and (d) distribute large-scale unsolicited advertisement emails (as spam) or software (as malware). There is evidence showing that infected computers are being rented out as "botnets", creating an entire black-market industry for renting, trading, and managing "owned" computers, leading to economic incentives for attackers [4], [8], [9]. Researchers also showed the possibility of "super-botnets," networks of independent botnets that can be coordinated for attacks of unprecedented scale [10]. For an adversary, super-botnets would also be extremely versatile and resistant to countermeasures.

Due to the substantial damage caused by worms in past years, there have been significant efforts on developing detection and defense mechanisms against worms. A network-based worm detection system plays a major role by monitoring, collecting, and analyzing the scan traffic (messages to identify vulnerable computers) generated during worm attacks. In this system, the detection is commonly based on the self-propagating behavior of worms, which can be described as follows: after a worm-infected computer identifies and infects a vulnerable computer on the Internet, this newly infected computer¹ will automatically and continuously scan several IP addresses to identify and infect other vulnerable computers. As such, numerous existing detection schemes are based on a tacit assumption that each worm-infected computer keeps scanning the Internet and propagates itself at the highest possible speed. Furthermore, it has been shown that the worm scan traffic volume and the number of worm-infected computers exhibit exponentially increasing patterns [2], [11], [12], [13], [14]. Nevertheless, attackers are crafting attack strategies that intend to defeat existing worm detection systems. In particular, 'stealth' is one attack strategy used by a recently discovered active worm called the "Atak" worm [15], and the "self-stopping" worm [16] circumvents detection by hibernating (i.e., stopping propagation) for a pre-determined period. Worms might also use evasive scan [17] and traffic morphing techniques to evade detection [18]. The "Atak" worm attempts to remain hidden by sleeping (suspending scans) when it suspects it is under detection. Worms that

¹ In this paper, we interchangeably use the terms worm-infected computer and worm instance.

Authorized licensed use limited to: Universidade de Macau. Downloaded on July 16, 2010 at 02:00:53 UTC from IEEE Xplore. Restrictions apply. Digital Object Identifier 10.1109/TDSC.2010.13. 1545-5971/10/$26.00 © 2010 IEEE.
adopt such smart attack strategies could exhibit overall scan traffic patterns different from those of traditional worms. Since the existing worm detection schemes will not be able to detect such scan traffic patterns, it is very important to understand such smart worms and develop new countermeasures to defend against them.

In this paper, we conduct a systematic study on a new class of such smart worms, denoted as Camouflaging Worm (C-Worm in short). The C-Worm has a self-propagating behavior similar to traditional worms, i.e., it intends to rapidly infect as many vulnerable computers as possible. However, the C-Worm is quite different from traditional worms in that it camouflages any noticeable trends in the number of infected computers over time. The camouflage is achieved by manipulating the scan traffic volume of worm-infected computers. Such a manipulation of the scan traffic volume prevents the exhibition of any exponentially increasing trends, or even the crossing of thresholds that are tracked by existing detection schemes [19], [20], [21]. We note that the propagation-controlling nature of the C-Worm (and similar smart worms, such as "Atak") causes a slow-down in the propagation speed. However, by carefully controlling its scan rate, the C-Worm can: (a) still achieve its ultimate goal of infecting as many computers as possible before being detected, and (b) position itself to launch subsequent attacks [4], [5], [6], [7].

We comprehensively analyze the propagation model of the C-Worm and the corresponding scan traffic in both time and frequency domains. We observe that although the C-Worm scan traffic shows no noticeable trends in the time domain, it demonstrates a distinct pattern in the frequency domain. Specifically, there is an obvious concentration within a narrow range of frequencies. This concentration within a narrow range of frequencies is inevitable, since the C-Worm adapts to the dynamics of the Internet in a recurring manner for manipulating and controlling its overall scan traffic volume. The above recurring manipulations involve a steady increase, followed by a decrease, in the scan traffic volume, such that the changes do not manifest as any trends in the time domain, or such that the scan traffic volume does not cross thresholds that could reveal the C-Worm propagation.

Based on the above observation, we adopt frequency-domain analysis techniques and develop a detection scheme against wide spreading of the C-Worm. Particularly, we develop a novel spectrum-based detection scheme that uses the Power Spectral Density (PSD) distribution of scan traffic volume in the frequency domain and its corresponding Spectral Flatness Measure (SFM) to distinguish the C-Worm traffic from non-worm traffic (background traffic). Our frequency-domain analysis studies use the real-world Internet traffic traces (Shield logs dataset) provided by the SANS Internet Storm Center (ISC) [22], [23]². Our results reveal that non-worm traffic (e.g., port-scan traffic for ports 80, 135 and 8080) has relatively larger SFM values for its PSD distributions, whereas the C-Worm traffic shows a comparatively smaller SFM value for its respective PSD distribution.

² ISC monitors and collects port-scan traffic data from around 1 million IP addresses spanning several thousands of organizations in different geographical regions.

Furthermore, we demonstrate the effectiveness of our spectrum-based detection scheme in comparison with existing worm detection schemes. We define several new metrics. Maximal Infection Ratio (MIR) is the one to quantify the infection damage caused by a worm before being detected. Other metrics include Detection Time (DT) and Detection Rate (DR). Our evaluation data clearly demonstrate that our spectrum-based detection scheme achieves much better detection performance against the C-Worm propagation compared with existing detection schemes. Our evaluation also shows that our spectrum-based detection scheme is general enough to be used for effective detection of traditional worms as well.

The remainder of the paper is organized as follows. In Section 2, we introduce the background and review the related work. In Section 3, we introduce the propagation model of the C-Worm. We present our spectrum-based detection scheme against the C-Worm in Section 4. The performance evaluation results of our spectrum-based detection scheme are provided in Section 5. We conclude this paper in Section 6.

2 BACKGROUND AND RELATED WORK

2.1 Active Worms

Active worms are similar to biological viruses in terms of their infectious and self-propagating nature. They identify vulnerable computers, infect them, and the worm-infected computers propagate the infection further to other vulnerable computers. In order to understand worm behavior, we first need to model it. With this understanding, effective detection and defense schemes could be developed to mitigate the impact of the worms. For this reason, tremendous research effort has focused on this area [12], [24], [14], [25], [16].

Active worms use various scan mechanisms to propagate themselves efficiently. The basic form of active worms can be categorized as having the Pure Random Scan (PRS) nature. In the PRS form, a worm-infected computer continuously scans a set of random Internet IP addresses to find new vulnerable computers. Other worms propagate themselves more effectively than PRS worms using various methods, e.g., network port scanning, email, file sharing, Peer-to-Peer (P2P) networks, and Instant Messaging (IM) [26], [27]. In addition, worms use different scan strategies during different stages of propagation. In order to increase propagation efficiency, they use a local network or hitlist to infect previously identified vulnerable computers at the initial stage of propagation [12], [28]. They may also use DNS, network topology and routing information to identify active computers instead of randomly scanning IP addresses [11], [21], [27], [29]. They split the target IP address space during propagation in order to avoid duplicate scans [21]. Li et al. [30] studied a divide-and-conquer scanning technique that could potentially spread faster and stealthier than a traditional random-scanning worm. Ha et al. [31] formulated the problem of finding a fast and resilient propagation topology and propagation schedule for flash worms. Yang et al. [32] studied worm propagation over sensor networks.

Different from the above worms, which attempt to accelerate the propagation with new scan schemes, the Camouflaging
Worm (C-Worm) studied in this paper aims to elude detection by the worm defense system during worm propagation. Closely related, but orthogonal to our work, are the evolved active worms that are polymorphic [33], [34] in nature. Polymorphic worms are able to change their binary representation or signature as part of their propagation process. This can be achieved with self-encryption mechanisms or semantics-preserving code manipulation techniques. The C-Worm also shares some similarity with stealthy port-scan attacks. Such attacks try to find out available services in a target system, while avoiding detection [35], [36]. This is accomplished by decreasing the port scan rate, hiding the origin of attackers, etc. Due to the nature of self-propagation, the C-Worm must use more complex mechanisms to manipulate the scan traffic volume over time in order to avoid detection.

2.2 Worm Detection

Worm detection has been intensively studied in the past and can be generally classified into two categories: "host-based" detection and "network-based" detection. Host-based detection systems detect worms by monitoring, collecting, and analyzing worm behaviors on end-hosts. Since worms are malicious programs that execute on these computers, analyzing the behavior of worm executables plays an important role in host-based detection systems. Many detection schemes fall under this category [37], [38]. In contrast, network-based detection systems detect worms primarily by monitoring, collecting, and analyzing the scan traffic (messages to identify vulnerable computers) generated by worm attacks. Many detection schemes fall under this category [19], [20], [21], [39], [40]. Ideally, security vulnerabilities must be prevented to begin with, a problem which must be addressed by the programming language community. However, while vulnerabilities exist and pose threats of large-scale damage, it is critical to also focus on network-based detection, as this paper does, to detect wide-spreading worms.

In order to rapidly and accurately detect Internet-wide large-scale propagation of active worms, it is imperative to monitor and analyze the traffic in multiple locations over the Internet to detect suspicious traffic generated by worms. The widely adopted worm detection framework consists of multiple distributed monitors and a worm detection center that controls the former [23], [41]. This framework is well adopted and similar to other existing worm detection systems, such as the Cyber Center for Disease Control [11], Internet Motion Sensor [42], SANS ISC (Internet Storm Center) [23], Internet Sink [41], and network telescope [43]. The monitors are distributed across the Internet and can be deployed at end-hosts, routers, or firewalls, etc. Each monitor passively records irregular port-scan traffic, such as connection attempts to a range of void IP addresses (IP addresses not being used) and restricted service ports. Periodically, the monitors send traffic logs to the detection center. The detection center analyzes the traffic logs and determines whether or not there are suspicious scans to restricted ports or to invalid IP addresses.

Network-based detection schemes commonly analyze the collected scanning traffic data by applying certain decision rules for detecting the worm propagation. For example, Venkataraman et al. and Wu et al. in [20], [21] proposed schemes to examine statistics of scan traffic volume, Zou et al. presented a trend-based detection scheme to examine the exponential increase pattern of scan traffic [19], and Lakhina et al. in [40] proposed schemes to examine other features of scan traffic, such as the distribution of destination addresses. Other works study worms that attempt to take on new patterns to avoid detection [39].

Besides the above detection schemes, which are based on the global scan traffic monitor detecting anomalous traffic behavior, there are other worm detection and defense schemes, such as sequential hypothesis testing for detecting worm-infected computers [44] and payload-based worm signature detection [34], [45]. In addition, Cai et al. in [46] presented both theoretical modeling and experimental results on a collaborative worm signature generation system that employs distributed fingerprint filtering and aggregation and multiple edge networks. Dantu et al. in [47] presented a state-space feedback control model that detects and controls the spread of these viruses or worms by measuring the velocity of the number of new connections an infected computer makes. Despite the different approaches described above, we believe that detecting widely scanning anomaly behavior continues to be a useful weapon against worms, and that in practice multi-faceted defence has advantages.

3 MODELING OF THE C-WORM

3.1 C-Worm

The C-Worm camouflages its propagation by controlling scan traffic volume during its propagation. The simplest way to manipulate scan traffic volume is to randomly change the number of worm instances conducting port-scans. As other alternatives, a worm attacker may use an open-loop control (non-feedback) mechanism by choosing a randomized and time-related pattern for the scanning and infection in order to avoid being detected. Nevertheless, the open-loop control approach raises some issues for the invisibility of the attack. First, as we know, worm propagation over the Internet can be considered a dynamic system. When an attacker launches worm propagation, it is very challenging for the attacker to know the accurate parameters for worm propagation dynamics over the Internet. Given the inaccurate knowledge of worm propagation over the Internet, the open-loop control system will not be able to stabilize the scan traffic. This is a known result from control system theory [48]. Consequently, the overall worm scan traffic volume in the open-loop control system will have a much higher probability of showing an increasing trend with the progress of worm propagation. As more and more computers get infected, they, in turn, take part in scanning other computers. Hence, we consider the C-Worm as a worst-case attacking scenario that uses a closed-loop control for regulating the propagation speed based on the feedback propagation status.

In order to effectively evade detection, the overall scan traffic for the C-Worm should be comparatively slow and variant enough to not show any notable increasing trends over
time. On the other hand, a very slow propagation of the C-Worm is also not desirable, since it delays rapid infection damage to the Internet. Hence, the C-Worm needs to adjust its propagation so that it is neither too fast, to be easily detected, nor too slow, to delay rapid damage on the Internet.

To regulate the C-Worm scan traffic volume, we introduce a control parameter called attack probability P(t) for each worm-infected computer. P(t) is the probability that a C-Worm instance participates in the worm propagation (i.e., scans and infects other computers) at time t. Our C-Worm model with the control parameter P(t) is generic. P(t) = 1 represents the case of traditional worms, where all worm instances actively participate in the propagation. For the C-Worm, P(t) need not be a constant value and can be set as a time-varying function.

In order to achieve its camouflaging behavior, the C-Worm needs to obtain an appropriate P(t) to manipulate its scan traffic. Specifically, the C-Worm will regulate its overall scan traffic volume such that: (a) it is similar to non-worm scan traffic in terms of the scan traffic volume over time, (b) it does not exhibit any notable trends, such as an exponentially increasing pattern or any monotonically increasing pattern, even when the number of infected hosts increases (exponentially) over time, and (c) the average value of the overall scan traffic volume is sufficient to make the C-Worm propagate fast enough to cause rapid damage on the Internet³.

³ Note that if the C-Worm chooses P(t) below a certain (very low) level, other human-scale countermeasures (e.g., signature-based virus detection, machine quarantine) may become effective in disrupting the propagation.

We assume that a worm attacker intends to manipulate the scan traffic volume so that the number of worm instances participating in the worm propagation follows a random distribution with mean $\bar{M}_C$. This $\bar{M}_C$ can be regulated in a random fashion during worm propagation in order to camouflage the propagation of the C-Worm. Correspondingly, the worm instances need to adjust their attack probability P(t) in order to ensure that the total number of worm instances launching the scans is approximately $\bar{M}_C$.

To regulate $\bar{M}_C$, it is obvious that P(t) must be decreased over time, since M(t) keeps increasing during the worm propagation. We can express P(t) using a simple function as follows: $P(t) = \min\left(\frac{\bar{M}_C}{\bar{M}(t)}, 1\right)$, where $\bar{M}(t)$ represents the estimation of M(t) at time t. From the above expression, we know that the C-Worm needs to obtain the value of $\bar{M}(t)$ (as close to M(t) as possible) in order to generate an effective P(t). Here, we discuss one approach for the C-Worm to estimate M(t). The basic idea is as follows: a C-Worm could estimate the percentage of computers that have already been infected over the total number of IP addresses, as well as M(t), by checking whether a scan attempt is a new hit (i.e., hitting an uninfected vulnerable computer) or a duplicate hit (i.e., hitting an already infected vulnerable computer). This method requires each worm instance (i.e., infected computer) to be marked, indicating that this computer has been infected. Thus, when a worm instance (for example, computer A) scans one infected computer (for example, computer B), computer A will detect such a mark, thereby becoming aware that computer B has been infected. Through validating such marks during the propagation, a C-Worm-infected computer can estimate M(t). Appendix A discusses one alternative of how the C-Worm could estimate M(t) to obtain $\bar{M}(t)$ as the propagation proceeds. There are other approaches to achieve this goal, such as incorporating Peer-to-Peer techniques to disseminate information through secured IRC channels [49], [50].

3.2 Propagation Model of the C-Worm

To analyze the C-Worm, we adopt the epidemic dynamic model for disease propagation, which has been extensively used for worm propagation modeling [2], [12]. Based on existing results [2], [12], this model matches the dynamics of real worm propagation over the Internet quite well. For this reason, similar to other publications, we adopt this model in our paper as well. Since our investigated C-Worm is a novel attack, we modified the original epidemic dynamic formula to model the propagation of the C-Worm by introducing P(t), the attack probability that a worm-infected computer participates in worm propagation at time t. We note that there is a wide scope to notably improve our modified model in the future to reflect several characteristics that are relevant in real-world practice.

Particularly, the epidemic dynamic model assumes that any given computer is in one of the following states: immune, vulnerable, or infected. An immune computer is one that cannot be infected by a worm; a vulnerable computer is one that has the potential of being infected by a worm; an infected computer is one that has been infected by a worm. The simple epidemic model for a finite population of traditional PRS worms can be expressed as⁴

$$\frac{dM(t)}{dt} = \beta \cdot M(t) \cdot [N - M(t)], \qquad (1)$$

where M(t) is the number of infected computers at time t; N (= $T \cdot P_1 \cdot P_2$) is the number of vulnerable computers on the Internet; T is the total number of IP addresses on the Internet; $P_1$ is the ratio of the total number of computers on the Internet over T; $P_2$ is the ratio of the total number of vulnerable computers on the Internet over the total number of computers on the Internet; $\beta = S/V$ is called the pairwise infection rate [51]; S is the scan rate, defined as the number of scans that an infected computer can launch in a given time interval. We assume that at t = 0, there are M(0) computers initially infected and N − M(0) computers susceptible to further worm infection.

⁴ We would like to remark that we use the PRS worms to compare C-Worm performance, but our work can be easily extended to compare with other worm scan techniques, such as hitlist.

The C-Worm has a different propagation model compared to traditional PRS worms because of its P(t) parameter. Consequently, Formula (1) needs to be rewritten as

$$\frac{dM(t)}{dt} = \beta \cdot M(t) \cdot P(t) \cdot [N - M(t)]. \qquad (2)$$

Recall that $P(t) = \frac{\bar{M}_C}{\bar{M}(t)}$, $\bar{M}(t)$ is the estimation of M(t) at time t, and assuming that $\bar{M}(t) = (1 + \epsilon) \cdot M(t)$, where $\epsilon$ is
the estimation error, Formula (2) can be rewritten as

$$\frac{dM(t)}{dt} = \frac{\beta \cdot \bar{M}_C}{1 + \epsilon(t)} \cdot [N - M(t)]. \qquad (3)$$

With Formula (3), we can derive the propagation model for the C-Worm as $M(t) = N - e^{-\frac{\beta \cdot \bar{M}_C}{1 + \epsilon(t)} \cdot t}\,(N - M(0))$, where M(0) is the number of infected computers at time 0. Assume that the worm detection system can monitor a fraction $P_m$ ($P_m \in [0, 1]$) of the whole Internet IP address space. Without loss of generality, the probability that at least one scan from a worm-infected computer (which generates S scans in unit time on average) will be observed by the detection system is $1 - (1 - P_m)^{P(t) \cdot S}$. We define $M_A(t)$ as the number of worm instances that have been observed by the worm detection system at time t; then there are $M(t) - M_A(t)$ unobserved infected instances at time t. At the early stage of worm propagation, $M(t) - M_A(t) \approx M(t)$. The expected number of newly observed infected instances at $t + \delta$ (where $\delta$ is the monitoring interval) is $(M(t) - M_A(t)) \cdot [1 - (1 - P_m)^{P(t) \cdot S}] \approx M(t)[1 - (1 - P_m)^{P(t) \cdot S}]$. Thus, we have $M_A(t + \delta) = M_A(t) + M(t)[1 - (1 - P_m)^{P(t) \cdot S}]$. Using simple mathematical manipulations, the number of worm instances observed by the worm detection system at time t is

$$M_A(t) = P(t) \cdot M(t) \cdot P_m = \frac{P_m \cdot \bar{M}_C}{1 + \epsilon(t)}. \qquad (4)$$

[Fig. 1 (plot): Number of Detected Scanning Hosts on Camouflaging Worm; y-axis: # of Detected Scanning Hosts, 0 to 100; x-axis: Time (min), 200 to 14000; series: PRS, C-Worm 1, C-Worm 2, C-Worm 3]
Fig. 1. Observed infected instance number for the C-Worm and PRS worm

[Fig. 2 (plot): Infection Ratio on Camouflaging Worms; y-axis: IR, 0 to 1; x-axis: Time (min), 200 to 14000; series: PRS, C-Worm 1, C-Worm 2, C-Worm 3]
Fig. 2. Infection ratio for the C-Worm and PRS worm

3.3 Effectiveness of the C-Worm

We now demonstrate the effectiveness of the C-Worm in evading worm detection through controlling P(t). Given random selection of $\bar{M}_C$, we generate three C-Worm attacks (viz., C-Worm 1, C-Worm 2 and C-Worm 3) that are characterized by different selections of mean and variance magnitudes for $\bar{M}_C$. In our simulations, we assume that the scan rate of the traditional PRS worm follows a normal distribution $S_n = \mathcal{N}(40, 40)$ (note that if the scan rate generated by the above distribution is less than 0, we set the scan rate to 0). We also set the total number of vulnerable computers on the Internet to 360,000, which is the total number of infected computers in the "Code-Red" worm incident [1].

Fig. 1 shows the observed number of worm-infected computers over time for the PRS worm and the above three C-Worm attacks. Fig. 2 shows the infection ratio for the PRS worm and the above three C-Worm attacks. These simulations are for a worm detection system, as discussed in Section 2.2, that covers a $2^{20}$ IPv4 address space on the Internet. The reason for choosing $2^{20}$ IP addresses as the coverage space of the worm detection system is the fact that the SANS Internet Storm Center (ISC), a representative ITM system, has a similar coverage space [23]. In ITM systems, a large number of monitors are commonly deployed all over the Internet, and each monitor collects the traffic directed to a small set of IP address spaces which are not commonly used (also called dark IP addresses). Therefore, the address space of an ITM system is not a narrow-range address space, but rather a large number of small chunks of addresses randomly spread across the global IP address space.

For the C-Worm, the trend of the observed number of worm instances over time ($M_A(t)$, defined in Formula (4)) is much different from that of the traditional PRS worm, as shown in Fig. 2. This clearly demonstrates how the C-Worm successfully camouflages its increase in the number of worm instances ($M_A(t)$) and avoids detection by worm detection systems that expect exponential increases in worm instance numbers during large-scale worm propagation. Fig. 3 shows the number of scanning computers from normal non-worm port-scanning traffic (background traffic) for several well-known ports (i.e., 25, 53, 135, and 8080) obtained over several months by the ISC. Comparing Fig. 3 with Fig. 1, we can observe that it is hard to distinguish the C-Worm port traffic from background port-scanning traffic in the time domain.

From Figs. 1 and 2 above, we also observe that the C-Worm is still able to maintain a certain magnitude of scan traffic so as to cause significant infection on the Internet. As a note regarding the speed of C-Worm propagation, we can observe from Fig. 1 that the C-Worm takes approximately 10 days to infect 75% of the total vulnerable hosts, in comparison with the 3.3 days taken by a PRS worm⁵. Hence, the C-Worm could potentially adjust its propagation speed such that it is still effective in causing wide-spreading propagation, while avoiding being detected by the worm detection schemes.

⁵ Our simulated PRS worm has a lower scan rate (mean value of 40) than "Code-Red" (mean value of 358).

We discussed the "Atak" worm in Section 1 and mentioned that it is similar to the C-Worm since it tries to avoid being detected when it suspects that it is being detected by anti-worm software. However, it differs from the C-Worm in its behavior. The "Atak" worm attempts to hide only during times it suspects its propagation will be detected by anti-worm
Fig. 3. Observed infected instance number for background scanning reported by ISC. (Figure: four panels, "Scanning Traffic Volume" for ports 25, 53, 135 and 8080; y-axis "Number of Scans", x-axis "Time (unit: 20 min)".)

software. Whereas the C-Worm proactively camouflages itself at all times. In addition, the "self-stopping" worm attempts to hide by coordinating with its members to halt propagation activity only after the vulnerable population is subverted [16]. This behavior leaves enough evidence for worm detection systems to recognize its propagation. The C-Worm, on the other hand, hides itself even during its propagation and thus keeps the worm detection schemes completely unaware of its propagation. The C-Worm also has some similarity in spirit with polymorphic worms, which manipulate the byte stream of the worm payload in order to evade signature (payload)-based detection schemes [33], [34]. The manipulation of the worm payload can be achieved by various mechanisms: (a) interleaving meaningful instructions with NOP (no operation) instructions, (b) using different instructions to achieve the same results, (c) shuffling the register set in each copy of the worm propagation program, and (d) using cryptographic mechanisms to change the worm payload signature with every infection attempt [33], [34]. In contrast, the C-Worm manipulates the scan traffic pattern to avoid detection.

3.4 Discussion

In this paper, we focus on a new class of worms, referred to as the camouflaging worm (C-Worm). The C-Worm adapts its propagation traffic pattern in order to reduce the probability of detection and, eventually, to infect more computers. The C-Worm is different from polymorphic worms, which deliberately change their payload signatures during propagation [34], [52]. For example, the MetaPHOR [53] and Zmist [54] worms intensively metamorphose their payload signature to hide themselves from detection schemes that rely on expensive packet payload analysis. Bethencourt et al. [55] studied a worm which employs private information retrieval techniques to find and retrieve specific pieces of sensitive information from compromised computers while hiding its search criteria. Sharif et al. [56] presented an obfuscation-based technique that automatically conceals specific condition-dependent malicious behavior from virus detectors that have no prior knowledge of program inputs. Popov et al. [57] investigated a technique that allows worm programs to be obfuscated by changing many control transfers into signals (traps) and inserting dummy control transfers and "junk" instructions after the signals. The resulting code can significantly reduce the chance of being detected. Recent studies also showed that existing commercial anti-worm detection systems fail to detect brand new worms and can also be easily circumvented by worms that use simple mutation techniques to manipulate their payload [58].

Although in this paper we only demonstrate the effectiveness of the C-Worm against existing traffic volume-based detection schemes, the design principle of the C-Worm can be extended to defeat other newly developed detection schemes, such as destination distribution-based detection [39], [40]. In the following, we discuss this preliminary concept. Recall that attack target distribution-based schemes analyze the distribution of attack targets (the scanned destination IP addresses) as their basic detection data, to capture a fundamental feature of worm propagation: worms continuously scan different targets, which is not the expected behavior of non-worm scan traffic. However, our initial investigation shows that the worm attacker is still able to defeat such a countermeasure by manipulating the attack target distribution. For example, the attacker may direct a portion of the scan traffic to IP addresses monitored by the ITM system. Recall that the dedicated IP addresses monitored by an ITM system can be obtained via probing attacks or other means [59], [60], [61].

Using port 135 as reported by SANS ISC as an example, we analyze the traces and obtain the traffic target distribution in a window lasting 10 min. Following existing work [39], [40], we use entropy as the metric to measure the attack target distribution. Fig. 4 shows the Probability Density Function (PDF) of the background traffic's entropy values. We also simulate the worm propagation traffic, which allocates a portion of the scan traffic to IP addresses monitored by the ITM system. Following this, we obtain the PDF of the entropy value of the combined traffic, including both worm propagation and background traffic. From Fig. 4, we know that when the attacker uses a portion of the attack traffic to manipulate the target distribution, the entropy-based detection scheme degrades significantly. For example, when the attacker uses 10% of the traffic to manipulate the traffic's entropy value, the false positive rate of the entropy-based detection scheme is 14%; when the attacker uses 30% of the traffic, the false positive rate becomes 40%. Hence, in order to preserve its performance, the entropy-based detection scheme needs to evolve correspondingly and integrate with other detection schemes. We will perform a more detailed study of this aspect in our future work.

4 DETECTING THE C-WORM

4.1 Design Rationale

In this section, we develop a novel spectrum-based detection scheme. Recall that the C-Worm goes undetected by detection schemes that try to determine the worm propagation only in the time domain. Our detection scheme captures the distinct pattern of the C-Worm in the frequency domain, and thereby has the potential of effectively detecting the C-Worm propagation.

Authorized licensed use limited to: Universidade de Macau. Downloaded on July 16,2010 at 02:00:53 UTC from IEEE Xplore. Restrictions apply.
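The target-distribution manipulation discussed in Section 3.4 above can be reproduced on constructed data with the following Python code. It is an added example, not the paper's code and not computed from the ISC port-135 traces: one 10-minute background window is built as 1000 benign scans spread evenly over 200 monitored addresses (documentation range 192.0.2.0/24), the worm adds 400 scans per window, and the detector of [39], [40] is modelled as an alert whenever the window's Shannon entropy leaves a band of 0.5 bits around the background entropy. The attacker is assumed, as in [59]-[61], to know the monitored addresses, and to send a tunable share of the worm's scans to them round robin while the remainder hits distinct other dark addresses once each; the `dark-N` labels, the 0.5-bit band and all counts are assumptions of the example.

```python
"""Entropy-based attack-target detection (Section 3.4) and how redirecting part
of the worm's scans to ITM-monitored addresses defeats it. Added example with
constructed windows, not the paper's code or the ISC port-135 traces."""
import math
from collections import Counter

# Constructed 10-minute background window: 1000 benign scans spread evenly over
# 200 monitored (dark) addresses; 192.0.2.0/24 is documentation address space.
MONITORED = [f"192.0.2.{i}" for i in range(200)]
BACKGROUND = Counter({addr: 5 for addr in MONITORED})
BASELINE_BITS = math.log2(200)  # entropy of the background window alone


def entropy_bits(counts):
    """Shannon entropy (bits) of one window's destination distribution [39], [40]."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c)


def worm_scans(total, fraction_to_monitored, monitored=MONITORED, space=1000):
    """One window of worm scans. A `fraction_to_monitored` share is aimed, round
    robin, at addresses the attacker knows to be monitored [59]-[61]; the rest
    hits `space` other dark addresses once each (random-scanning behaviour).
    The 'dark-N' labels are constructed stand-ins for those other addresses."""
    to_monitored = int(total * fraction_to_monitored)
    counts = Counter()
    for i in range(to_monitored):
        counts[monitored[i % len(monitored)]] += 1
    for i in range(total - to_monitored):
        counts[f"dark-{i % space}"] += 1
    return counts


def entropy_alert(window_counts, baseline=BASELINE_BITS, band=0.5):
    """Detector: alert when the window's entropy leaves the baseline band."""
    return abs(entropy_bits(window_counts) - baseline) > band


def mixed_window(worm_total, fraction_to_monitored):
    """Background plus worm traffic, as the ITM data center would see it."""
    return BACKGROUND + worm_scans(worm_total, fraction_to_monitored)


def minimal_evasion_fraction(worm_total, band=0.5, step=0.05):
    """Smallest share of worm scans that must be redirected before the mixed
    window no longer triggers the entropy detector (None if no share works)."""
    for i in range(int(round(1 / step)) + 1):
        fraction = i * step
        if not entropy_alert(mixed_window(worm_total, fraction), band=band):
            return round(fraction, 2)
    return None


if __name__ == "__main__":
    print(f"baseline entropy {BASELINE_BITS:.3f} bits")
    for fraction in (0.0, 0.3, 0.6, 1.0):
        window = mixed_window(400, fraction)
        print(f"redirect {fraction:.0%}: entropy {entropy_bits(window):.3f} bits,"
              f" alert={entropy_alert(window)}")
    print("minimal evasion share:", minimal_evasion_fraction(400))
```

Unmanipulated worm traffic raises the window entropy by more than a bit and is flagged; as the redirected share grows the entropy slides back toward the baseline, and at 100% redirection the mixed window has exactly the background's shape. The share needed to evade depends entirely on how much worm traffic is blended into how much background and on how wide the detector's band is, which is why the paper's 10% and 30% figures for the real port-135 traces and this constructed window's answer differ; the point that survives is that a worm which knows the monitored addresses can buy its way under an entropy detector with a fixed fraction of its scans.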
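The frequency-domain separation motivated above can be exercised end to end with the following Python code, an added example that is neither part of the paper nor the authors' implementation. It carries out the steps that Section 4.2 defines: the auto-correlation of Formula (5), its DFT (Formula (6)) as the PSD, the SFM of Formula (7), a threshold $T_r$ derived from a non-worm SFM profile with the Chebyshev inequality, and the decision rule "alert when SFM < $T_r$". Assumptions not taken from the paper: the window mean is removed and lags wrap around before the DFT (so the PSD is real and non-negative and the DC bin drops out), the two input series are constructed (a jittered constant level for non-worm traffic, a recurring ramp-up and ramp-down for the C-Worm) rather than ISC traces, and the window size q = 160 mirrors $W_d$ = 800 min with $W_s$ = 5 min from Section 5.1.2.

```python
"""Spectrum-based C-Worm detection: destination counts -> R_X -> PSD -> SFM -> T_r.
Added example; the constructed series below stand in for ITM destination counts."""
import cmath
import math
import random
import statistics

Q = 160  # samples per sliding window: W_d = 800 min / W_s = 5 min (Section 5.1.2)


def circular_autocorrelation(x):
    """Estimate Formula (5), R_X[L] = E[X(t) X(t+L)], over one window.
    Implementation choices (not prescribed by the paper): the window mean is
    removed first and lags wrap around, so the DFT of R_X is real and
    non-negative (Wiener-Khinchin) and the DC bin carries no power."""
    n = len(x)
    mean = sum(x) / n
    c = [v - mean for v in x]
    return [sum(c[t] * c[(t + lag) % n] for t in range(n)) / n
            for lag in range(n)]


def power_spectral_density(r):
    """Formula (6): S_X(K) = sum_L R_X[L] exp(-j 2 pi K L / N), K = 0..N-1.
    Only K = 1..N//2 are returned: K = 0 is zero after mean removal, and the
    upper half of the spectrum mirrors the lower half for real-valued data."""
    n = len(r)
    coeffs = []
    for k in range(1, n // 2 + 1):
        s = sum(r[lag] * cmath.exp(-2j * math.pi * k * lag / n) for lag in range(n))
        coeffs.append(max(s.real, 0.0))  # negative residue is rounding noise
    return coeffs


def spectral_flatness(psd):
    """Formula (7): geometric mean / arithmetic mean of the PSD coefficients.
    1.0 is a perfectly flat spectrum; a single dominant bin drives it toward 0."""
    if not psd or min(psd) <= 0.0:
        return 0.0
    geometric = math.exp(sum(math.log(s) for s in psd) / len(psd))
    return geometric / (sum(psd) / len(psd))


def window_sfm(samples):
    """SFM of one detection sliding window of destination counts."""
    return spectral_flatness(power_spectral_density(circular_autocorrelation(samples)))


def chebyshev_threshold(non_worm_sfms, max_false_positive):
    """T_r when only the non-worm SFM profile is known (case (b), Section 4.2.3).
    Chebyshev: P(|SFM - mu| >= k sigma) <= 1/k^2, so k = 1/sqrt(max_false_positive)
    and T_r = mu - k sigma bounds the false positive rate by the target."""
    mu = statistics.fmean(non_worm_sfms)
    sigma = statistics.pstdev(non_worm_sfms)
    return max(0.0, mu - sigma / math.sqrt(max_false_positive))


def classify_window(samples, t_r):
    """Decision rule of Section 4.2.3: alert when the window's SFM is below T_r."""
    sfm = window_sfm(samples)
    return sfm, sfm < t_r


def detect(series, q, t_r):
    """Slide W_d (q samples) over the series; return the sample index at which
    the first alert fires, or None if the series is never flagged."""
    for end in range(q, len(series) + 1):
        if classify_window(series[end - q:end], t_r)[1]:
            return end
    return None


# Constructed input (not ISC traces): destination counts per sampling window W_s.
def background_series(n, seed):
    """Non-worm scan traffic: counts jitter around a level with no recurring pattern."""
    rng = random.Random(seed)
    return [rng.randint(400, 600) for _ in range(n)]


def cworm_series(n, seed, period=40):
    """C-Worm scan traffic: a steady ramp-up then ramp-down of scanning instances
    repeated every `period` samples (the recurring manipulation of Section 4.1)."""
    rng = random.Random(seed)
    half = period // 2
    out = []
    for t in range(n):
        phase = t % period
        ramp = phase / half if phase <= half else (period - phase) / half
        out.append(int(1000 + 2000 * ramp) + rng.randint(-100, 100))
    return out


if __name__ == "__main__":
    profile = [window_sfm(background_series(Q, seed)) for seed in range(20)]
    t_r = chebyshev_threshold(profile, max_false_positive=0.1)
    print(f"non-worm SFM mean {statistics.fmean(profile):.3f}, T_r = {t_r:.3f}")
    for name, series in (("background", background_series(Q, 99)),
                         ("C-Worm", cworm_series(Q, 99))):
        sfm, alert = classify_window(series, t_r)
        print(f"{name:10s} SFM = {sfm:.4f} alert = {alert}")
    print("first alert at sample", detect(cworm_series(200, 5), Q, t_r))
```

For a window of independent jitter the one-sided periodogram bins are approximately exponentially distributed, so the SFM of the background window lands near $e^{-\gamma} \approx 0.56$ ($\gamma$ the Euler-Mascheroni constant), inside the range Fig. 6 attributes to non-worm traffic, while the ramp series concentrates almost all of its power in one bin and its harmonics and yields an SFM well below 0.1, on the C-Worm side of the (0.3, 0.38) demarcation. Two practical caveats: the Chebyshev bound is loose, so the two-sided form used here needs k = 10 for a 1% target and $T_r$ can clamp to zero until the non-worm profile is tight or the target rate is relaxed; and real background traffic carries slow diurnal variation that lowers its flatness, so the profile must be built from the same port and the same window length that the detector will run on.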
Fig. 4. Manipulation of attack target distribution entropy. (Figure; see Section 3.4.)

Fig. 5. PDF of SFM on C-Worm traffic. (Figure: y-axis "Probability Density" 0 to 100; x-axis "SFM Value" with ticks 0, 0.04, 0.08, 0.11, 0.15, 0.19, 0.23, 0.27, 0.3, 0.34, 0.38, 0.42, 0.48, 0.72, 0.96.)

Fig. 6. PDF of SFM on normal non-worm scanning traffic. (Figure: y-axis "Probability Density" 0 to 70; x-axis "SFM Value" with ticks 0, 0.15, 0.3, 0.4, 0.43, 0.47, 0.5, 0.54, 0.57, 0.61, 0.64, 0.68, 0.71, 0.75, 0.8, 0.96.)

In order to identify the C-Worm propagation in the frequency domain, we use the distribution of the Power Spectral Density (PSD) and its corresponding Spectral Flatness Measure (SFM) of the scan traffic. In particular, the PSD describes how the power of a time series is distributed in the frequency domain. Mathematically, it is defined as the Fourier transform of the auto-correlation of the time series. In our case, the time series corresponds to the changes in the number of worm instances that actively conduct scans over time. The SFM of a PSD is defined as the ratio of the geometric mean to the arithmetic mean of the PSD coefficients. The range of SFM values is [0, 1]; a larger SFM value implies a flatter PSD distribution, and vice versa.

To illustrate the SFM values of both the C-Worm and normal non-worm scan traffic, we plot the Probability Density Function (PDF) of the SFM for C-Worm and for normal non-worm scan traffic in Fig. 5 and Fig. 6, respectively. The normal non-worm scan traffic data shown in Fig. 6 is based on real-world traces collected by the ISC^6. Note that we only show the data for port 8080 as an example; other ports show similar observations. The C-Worm data shown in Fig. 5 is based on 800 C-Worm attacks generated by varying the attack parameters defined in Section 3, such as $P(t)$ and $M_c(t)$. From these figures, we know that the SFM value of the C-Worm attacks is small (e.g., SFM $\in$ (0.02, 0.04) has much higher density than other magnitudes), whereas the SFM value of normal non-worm traffic is large (e.g., SFM $\in$ (0.5, 0.6) has high density). This is consistent with the mean C-Worm SFM of approximately 0.075 reported in Section 4.2.2 and with the decision rule of Section 4.2.3, which raises an alert when the SFM falls below a threshold. From the two figures, we observe a clear demarcation range of SFM $\in$ (0.3, 0.38) between the C-Worm and normal non-worm scan traffic. As such, the SFM can be used to sensitively detect C-Worm scan traffic.

The large SFM values of normal non-worm scan traffic can be explained as follows. Normal non-worm scan traffic does not tend to concentrate at any particular frequency, since its random dynamics are not caused by any recurring phenomenon. The small SFM values of the C-Worm can be explained by the fact that the power of the C-Worm scan traffic lies within a narrow frequency band. Such concentration within a narrow range of frequencies is unavoidable, since the C-Worm adapts to the dynamics of the Internet in a recurring manner in order to manipulate the overall scan traffic volume. In reality, the above recurring manipulations involve a steady increase followed by a decrease in the scan traffic volume.

Notice that frequency domain analysis requires more samples than time domain analysis, since a frequency domain technique such as the Fourier transform needs to derive the power spectrum amplitude at different frequencies. In order to generate accurate spectrum amplitudes for relatively high frequencies, a high granularity of data sampling is required. In our case, we rely on Internet threat monitoring (ITM) systems to collect traffic traces from monitors (motion sensors) in a timely manner. As a matter of fact, other existing detection schemes based on the scan traffic rate [20], variance [21] or trend [19] also demand a high sampling frequency from ITM systems in order to accurately detect worm attacks. Enabling the ITM system with timely data collection will benefit worm detection in real time.

4.2 Spectrum-based Detection Scheme

We now present the details of our spectrum-based detection scheme. Similar to other detection schemes [19], [21], we use the "destination count", the number of unique destination IP addresses targeted by launched scans during worm propagation. To understand how the destination count data is obtained, recall that an ITM system collects logs from distributed monitors across the Internet. On a side note, Internet Threat Monitoring (ITM) systems are a widely deployed facility to detect, analyze, and characterize dangerous Internet threats such as worms. In general, an ITM system consists of one centralized data center and a number of monitors distributed across the Internet. Each monitor records the traffic addressed to a range of IP addresses (addresses that are not commonly used, also called dark IP addresses) and periodically sends the traffic logs to the data center. The data center then analyzes the collected traffic logs and publishes reports (e.g., statistics of the monitored traffic) to ITM system users. Therefore

6. The traces used in this paper contain log files which have over 100 million records and whose total size exceeds 40 GB.
the baseline traffic in our study is scan traffic. With the reports received in a sampling window $W_s$, the count $X(t)$ is obtained by counting the unique IP addresses in the received logs (the destination count; the source count, the number of unique scanning sources, is obtained in the same way).

To conduct spectrum analysis, we consider a detection sliding window $W_d$ in the worm detection system. $W_d$ consists of $q$ (> 1) consecutive detection sampling windows, each lasting $W_s$. The detection sampling window is the unit time interval over which the detection data (e.g., the destination count) is sampled. Hence, at time $i$, within a sliding window $W_d$ there are $q$ samples, denoted by $(X(i-q+1), X(i-q+2), \ldots, X(i))$, where $X(i-j)$ ($j = 0, 1, \ldots, q-1$) is the destination count collected in the interval from time $i-j-1$ to $i-j$.

In our spectrum-based detection scheme, the PSD distribution and its corresponding SFM, both introduced in Section 4.1, are used to distinguish C-Worm scan traffic from non-worm scan traffic. In our worm detection scheme, the detection data (e.g., the destination count) is further processed in order to obtain its PSD and SFM. In the following, we detail how the PSD and SFM are determined during the processing of the detection data.

4.2.1 Power Spectral Density (PSD)

To obtain the PSD distribution of the worm detection data, we need to transform the data from the time domain into the frequency domain. To do so, we use a random process $X(t)$, $t \in [0, n]$, to model the worm detection data. Taking $X(t)$ as the count in the time period $[t-1, t]$ ($t \in [1, n]$), we define the auto-correlation of $X(t)$ by

$$R_X(L) = E[X(t)\,X(t+L)]. \quad (5)$$

In Formula (5), $R_X(L)$ is the correlation of the worm detection data at lag $L$. If a recurring behavior exists, a Fourier transform of the auto-correlation function $R_X(L)$ can reveal it. Thus, the PSD function (also written $S_X(f)$, where $f$ refers to frequency) of the scan traffic data is determined by the Discrete Fourier Transform (DFT) of its auto-correlation function over the lags $L = 0, 1, \ldots, N-1$:

$$S_X(K) = \psi(R_X[L], K) = \sum_{L=0}^{N-1} R_X[L]\, e^{-j 2\pi K L / N}, \quad (6)$$

where $K = 0, 1, \ldots, N-1$.

Since the PSD inherently captures any recurring pattern in the frequency domain, the PSD function shows a comparatively even distribution across a wide spectrum range for normal non-worm scan traffic, whereas the PSD of C-Worm scan traffic shows spikes, or noticeably higher concentrations, in a certain range of the spectrum.

4.2.2 Spectral Flatness Measure (SFM)

We measure the flatness of the PSD to distinguish the scan traffic of the C-Worm from normal non-worm scan traffic. For this, we introduce the Spectral Flatness Measure (SFM), which can capture anomalous behavior in a certain range of frequencies. The SFM is defined as the ratio of the geometric mean to the arithmetic mean of the PSD coefficients [62], [63]. It can be expressed as

$$\mathrm{SFM} = \frac{\left[\prod_{k=1}^{n} S(f_k)\right]^{1/n}}{\frac{1}{n}\sum_{k=1}^{n} S(f_k)}, \quad (7)$$

where $S(f_k)$ is a coefficient of the PSD obtained from Formula (6). The SFM is a widely used measure for discriminating frequency content in various applications, such as voiced frame detection in speech recognition [63], [64]. In general, small values of the SFM imply a concentration of the power in narrow frequency ranges. Note that the C-Worm has unavoidable recurring behavior in its scan traffic; consequently its SFM values are comparatively smaller than the SFM values of normal non-worm scan traffic. To be useful for detecting C-Worms, we introduce a sliding window to capture a noticeably higher concentration in a small range of the spectrum. When such a concentration is recognized, we derive the SFM over a wider frequency range. From Fig. 5, we observe that the SFM value of the C-Worm is very small (e.g., with a mean value of approximately 0.075). A formal analysis of the SFM for the C-Worm is presented in Appendix B.

4.2.3 Detection Decision Rule

We now describe the method of applying an appropriate detection rule to detect C-Worm propagation. As the SFM value can be used to sensitively distinguish the C-Worm from normal non-worm scan traffic, worm detection is performed by comparing the SFM with a predefined threshold $T_r$: if the SFM value is smaller than $T_r$, a C-Worm propagation alert is generated. The value of the threshold $T_r$ used for C-Worm detection can be set based on knowledge of the statistical distribution (e.g., the PDF) of the SFM values that correspond to non-worm scan traffic. Notice that the $T_r$ value for non-worm traffic can be derived by analyzing the historical data provided by the SANS Internet Storm Center (ISC). In worm detection systems, monitors collect port-scan traffic to a certain range of dark IP addresses and periodically report the scan traffic logs to the data center. The data center then aggregates the data from different monitors on the same port and publishes the data. Based on the historical data for different ports, we can build statistical profiles of the port-scan traffic on each port and then derive the $T_r$ value for non-worm traffic. Based on the continuously reported data, the value of $T_r$ is tuned and adaptively used to carry out worm detection.

If we can obtain the PDF of the SFM values of the C-Worm, through comprehensive simulations or real-world profiled data in the future, the optimal threshold can be obtained by applying Bayes classification [65]. If the PDF of the SFM values of the C-Worm is not available, we can set an appropriate $T_r$ value based on the PDF of the SFM values of normal non-worm scan traffic alone. For example, $T_r$ can be determined by the Chebyshev inequality [65] in order to obtain a reasonable false positive rate for worm detection. Hence, in Section 5 we evaluate our spectrum-based detection scheme against the C-Worm in two cases: (a) the PDF of the SFM values is known for both the normal non-worm scan traffic
and the C-Worm scan traffic; (b) the PDF of the SFM values is known only for the normal non-worm scan traffic.

In addition, our spectrum-based scheme is generic enough to detect PRS worms as well. This is due to the fact that the propagation traffic of PRS worms has an exponentially increasing pattern. Thus, in the propagation traffic of PRS worms, the PSD values in the low frequency range are much higher than those in other frequency ranges. A formal analysis of the SFM for the PRS worm is presented in Appendix C.

Notice that even if the C-Worm monitors the port-scan traffic reports, it will be hard for the C-Worm to make its SFM similar to that of the background traffic. This can be reasoned by two factors. First, the low value of the SFM is mainly caused by the closed-loop control nature of the C-Worm. The concentration within a narrow range of frequencies is unavoidable, since the C-Worm adapts to the dynamics of the Internet in a recurring manner in order to manipulate the overall scan traffic volume. Based on our analysis, the non-worm traffic on a port is rather random and its spectrum has a flat pattern; that is, the non-worm traffic on the port distributes similar power across different frequencies. Second, without introducing closed-loop control, it will be difficult for the attacker to hide the irregularity of the worm propagation traffic in the time domain. When a worm attack incorporates a closed-loop control mechanism to camouflage its traffic, it will expose a relatively small value of the SFM. Hence, by integrating our spectrum-based detection with existing traffic rate-based anomaly detection in the time domain, we can force the worm attacker into a dilemma: if the worm attacker does not use closed-loop control, the existing traffic rate-based detection schemes will be able to detect the worm; if the worm attacker adopts closed-loop control, the control process itself causes a relatively small SFM, and the worm attack is detected by our spectrum-based scheme alongside the existing traffic rate-based detection schemes.

5 PERFORMANCE EVALUATION

In this section, we report the evaluation results that illustrate the effectiveness of our spectrum-based detection scheme against both the C-Worm and the PRS worm, in comparison with existing representative detection schemes for detecting wide-spreading worms. In addition, we also take into consideration destination distribution-based detection schemes and evaluate their performance against the C-Worm.

5.1 Evaluation Methodology

5.1.1 Evaluation Metrics

In order to evaluate the performance of any given detection scheme against the C-Worm, we use the three metrics listed in Table 1. The first metric is the worm Infection Ratio (IR), defined as the ratio of the number of infected computers to the total number of vulnerable computers, assuming there is no worm detection/defense system in place. The other two metrics are the Detection Time (DT) and the Maximal Infection Ratio (MIR). DT is defined as the time taken to successfully detect a wide-spreading worm from the moment the worm propagation starts; it quantifies the detection speed of a detection scheme. MIR is defined as the ratio of the number of infected computers to the total number of vulnerable computers at the moment when the worm spreading is detected; it quantifies the damage caused by a worm before it is detected. The objective of any detection scheme is to minimize the damage caused by a rapid worm propagation. Hence, MIR and DT can be used to quantify the effectiveness of any worm detection scheme: the higher their values, the more effective the worm attack and the less effective the detection. In addition, we use two more metrics, the Detection Rate ($P_D$) and the False Positive Rate ($P_F$). $P_D$ is defined as the probability that a detection scheme correctly identifies a worm attack. $P_F$ is defined as the probability that a detection scheme mistakenly identifies a non-existent worm attack.

5.1.2 Simulation Setup

In our evaluation we considered experiments with both real-world "non-worm" traffic and simulated C-Worm traffic. To make our experiments reflect real-world practice, some key parameters that we used to generate C-Worm traffic in our simulation were based on previous results from a real worm incident, the "Code-Red" worm of 2001 [1]. Specifically, we set the total number of vulnerable computers on the Internet to 360,000, which is the maximum number of computers that could be infected by the "Code-Red" worm. Additionally, we set the scan rate $S$ (number of scans per minute) to be variable within a range; this allows us to emulate infected computers in different network environments. In our evaluation, the scan rates are predetermined and follow a Gaussian distribution $S = N(S_m, S_\sigma^2)$, where $S_m$ and $S_\sigma^2$ lie in [20, 70], similar to those used in [19]. In our evaluation, we merged the simulated C-Worm attack traffic into replayed "non-worm" traffic traces and carried out the evaluation study.

We simulate the C-Worm attacks by varying the attack parameters, such as the attack probability ($P(t)$) and the number of worm instances participating in the scan ($\bar{M}_C$) defined in Section 3. $\bar{M}_C$ follows the Gaussian distribution $N(m, \sigma)$ and is changed dynamically by the C-Worm during its propagation. In particular, for $N(m, \sigma)$, $m$ is randomly selected in (12000, 75000) and $\sigma$ is randomly selected in (0.2, 100). We simulate different C-Worm attacks by varying the values of $m$ and $\sigma$. The detection sampling window $W_s$ is set to 5 minutes and the detection sliding window $W_d$ is increased incrementally from 80 min to 800 min. The incremental selection of $W_d$, from a comparatively small window to a large window, adaptively reflects the worm scan traffic dynamics caused by C-Worm propagation at various speeds. We choose the detection sampling window to be short enough to provide enough sampling accuracy, as prescribed by Nyquist's sampling theorem. Also, we choose the detection sliding window to be long enough to capture adequate information for spectrum-based analysis [63].

In practice, since detection systems analyze port scan traffic blended with non-worm scan traffic, we replay the real-world traces as non-worm scan traffic (background noise to the attack traffic) in our simulations. In particular, we used the ISC real-world trace (Shield logs dataset) from 01/01/2005
TABLE 1
Evaluation Metrics

Notation                         Definition
Infection Ratio (IR)             Ratio of worm infection over time without the presence of a detection/defense system
Maximal Infection Ratio (MIR)    Ratio of worm infection at the moment that the worm is detected
Detection Time (DT)              Time taken to successfully detect a wide-spreading worm from its birth

to 01/15/2005. Note that SANS ISC, maintained by the SANS Institute, has gained popularity among the Internet security community in recent years. ISC collects firewall and intrusion detection system logs, which indicate port-scan trends, from approximately 2000 organizations that monitor up to 1 million IP addresses. We choose the scan traffic logs for port 8080 as an example for profiling the non-worm scan traffic.

In order to establish the credibility of such data, we made the following efforts before using the data in our experiments. First, we obtained the 15 days of traces from 01/01/2005 to 01/15/2005 provided by SANS ISC. We checked with the SANS website and found that there were no worm attack incidents within those 15 days. Second, we obtained the statistical profile of the traffic traces, including the mean value and standard deviation of the traffic rates. Based on the statistical profile, we set a threshold equal to the mean value plus four times the standard deviation, and filtered out data that had unusually large values. Third, we conducted our evaluation 15 times based on data randomly combined from different dates. The results shown in the paper are the mean values of the experimental results from the different rounds.

5.2 Performance of Detection Schemes

We evaluate our proposed spectrum-based detection scheme by comparing its performance with three existing representative traffic volume-based detection schemes. The first scheme is the volume mean-based (MEAN) detection scheme, which uses the mean of the scan traffic to detect worm propagation [20]; the second scheme is the trend-based (TREND) detection scheme, which uses the increasing trend of the scan traffic to detect worm propagation [19]; and the third scheme is the victim number variance-based (VAR) detection scheme, which uses the variance of the scan traffic to detect worm propagation [21].

We denote our spectrum-based detection scheme as SPEC. We evaluate two variants of SPEC: one has no knowledge of any C-Worm attacks or C-Worm scan traffic (denoted by SPEC(W)), and the other has knowledge of C-Worm attacks through an off-line training process (denoted by SPEC). For the off-line training, we use 1000 worm attacks that include both C-Worm attacks (800) and PRS worm attacks (200). For fairness, we set the detection parameters of our SPEC scheme and of the other three detection schemes so that all detection schemes achieve a similar false positive rate ($P_F$) below 1%.

In the following subsections, we first evaluate the performance of our spectrum-based detection scheme in the context of detecting C-Worm attacks. We then evaluate its performance in the context of detecting traditional PRS worms, followed by a performance comparison between traffic volume-based detection and traffic distribution-based detection.

5.2.1 Detection Performance for C-Worm Attacks

Table 2 shows the detection results of the different detection schemes against the C-Worm. The results have been averaged over 500 C-Worm attacks. From this table, we observe that the existing detection schemes are not able to effectively detect the C-Worm, and their detection rate ($P_D$) values are significantly lower than those of our spectrum-based detection schemes (SPEC and SPEC(W)). For example, SPEC achieves a detection rate of 99%, roughly twice the detection rate of VAR (48%) and seven times that of MEAN (14%).

Our SPEC and SPEC(W) detection schemes also achieve good detection time (DT) performance in addition to the high detection rates indicated above. In contrast, the detection times of the existing detection schemes are relatively large. As a consequence of the detection time values, we can see that C-Worm propagation is effectively contained by SPEC and SPEC(W), as demonstrated by their lower maximal infection ratio (MIR). Since the detection rates of the existing detection schemes are relatively small, the low MIR values obtained for those schemes are not as significant as those for SPEC and SPEC(W). Furthermore, we notice that the detection performance of SPEC(W) is worse than that of SPEC. This is because SPEC(W) lacks off-line training knowledge of C-Worm scan traffic. Nonetheless, SPEC(W) still performs much better than the existing detection schemes.

5.2.2 Detection Performance for Traditional PRS Worms

We evaluate the detection performance of the different detection schemes for traditional PRS worm attacks. The detection performance results have been averaged over 500 PRS worm attacks. We observe that both our SPEC and SPEC(W) schemes achieve a 100% detection rate ($P_D$) when detecting traditional PRS worms, even in comparison with the existing worm detection schemes that were specifically designed for detecting traditional PRS worms.

To emphasize the relative performance of our SPEC and SPEC(W) schemes against the existing worm detection schemes, we plot the MIR and DT results in Figs. 7 and 8 for different scan rates $S$. We observe from these figures that the MIR and DT results of our spectrum-based scheme (shown only for SPEC(W)) are comparable to or better than those of the existing worm detection schemes. For a mean scan rate of 70/min, our SPEC(W) scheme achieves
TABLE 2
Detection results for the C-Worm

Scheme                            VAR     TREND   MEAN    SPEC(W)   SPEC
Detection Rate ($P_D$)            48%     0%      14%     96.4%     99.3%
Maximal Infection Ratio (MIR)     14.4%   100%    7.5%    4.4%      2.8%
Detection Time (DT) in minutes    2367    ∞       1838    1707      1460

Fig. 7. Maximal Infection Ratio of detection schemes against PRS worm. (Figure: MIR from 0 to 0.1 versus scan rate from 20 to 70 for VAR, TREND, MEAN and SPEC(W).)

Fig. 8. Detection Time of detection schemes against PRS worm. (Figure: DT from 900 to 2900 min versus scan rate from 20 to 70 for VAR, TREND, MEAN and SPEC(W).)

a detection time of 1024 min, which is faster than the VAR and MEAN schemes, whose values are 1239 min and 1161 min, respectively. For the same mean scan rate of 70/min, SPEC(W) achieves a maximal infection ratio of 0.03, which is comparable to TREND's MIR value and is less than 50% of the MIR value of the VAR and MEAN detection schemes. The effectiveness of our spectrum-based scheme rests on the fact that traditional PRS worm scanning traffic shows a constant rapid increase. Thus, the SFM values are relatively small due to the PSD concentration in the low frequency bands in the case of traditional PRS worm scanning.

6 FINAL REMARKS

In this paper, we studied a new class of smart worm called the C-Worm, which has the capability to camouflage its propagation and thereby avoid detection. Our investigation showed that, although the C-Worm successfully camouflages its propagation in the time domain, its camouflaging nature inevitably manifests as a distinct pattern in the frequency domain. Based on this observation, we developed a novel spectrum-based detection scheme to detect the C-Worm. Our evaluation data showed that our scheme achieved superior detection performance against the C-Worm in comparison with existing representative detection schemes. This paper lays the foundation for ongoing studies of "smart" worms that intelligently adapt their propagation patterns to reduce the effectiveness of countermeasures.

ACKNOWLEDGMENTS

We thank the anonymous reviewers for their invaluable feedback. This work was supported in part by the US National Science Foundation (NSF) under grants No. CNS-0916584 and CAREER Award CCF-0546668, and by the Army Research Office (ARO) under grant No. AMSRD-ACC-R 50521-CI; by the National Science Foundation (NSF) under grants No. 0963973 and No. 0963979; and by the University of Macau and the Macao Science and Technology Development Foundation. Any opinions, findings, conclusions, and recommendations in this paper are those of the authors and do not necessarily reflect the views of the funding agencies. The authors would like to acknowledge Ms. Larisa Archer for her dedicated help in improving the paper.

REFERENCES

[1] D. Moore, C. Shannon, and J. Brown, "Code-Red: a case study on the spread and victims of an Internet worm," in Proceedings of the 2nd Internet Measurement Workshop (IMW), Marseille, France, November 2002.
[2] D. Moore, V. Paxson, and S. Savage, "Inside the Slammer worm," IEEE Magazine of Security and Privacy, July 2003.
[3] CERT, CERT/CC advisories, http://www.cert.org/advisories/.
[4] P. R. Roberts, Zotob Arrest Breaks Credit Card Fraud Ring, http://www.eweek.com/article2/0,1895,1854162,00.asp.
[5] W32/MyDoom.B Virus, http://www.us-cert.gov/cas/techalerts/TA04-028A.html.
[6] W32.Sircam.Worm@mm, http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html.
[7] Worm.ExploreZip, http://www.symantec.com/avcenter/venc/data/worm.explore.zip.html.
[8] R. Naraine, Botnet Hunters Search for Command and Control Servers, http://www.eweek.com/article2/0,1759,1829347,00.asp.
[9] T. Sanders, Botnet operation controlled 1.5m PCs: Largest zombie army ever created, http://www.vnunet.com/vnunet/news/2144375/botnet-operation-ruled-million, 2005.
[10] R. Vogt, J. Aycock, and M. Jacobson, "Quorum sensing and self-stopping worms," in Proceedings of the 5th ACM Workshop on Recurring Malcode (WORM), Alexandria, VA, October 2007.
[11] S. Staniford, V. Paxson, and N. Weaver, "How to own the Internet in your spare time," in Proceedings of the 11th USENIX Security Symposium (SECURITY), San Francisco, CA, August 2002.
[12] Z. S. Chen, L. X. Gao, and K. Kwiat, "Modeling the spread of active worms," in Proceedings of the IEEE Conference on Computer Communications (INFOCOM), San Francisco, CA, March 2003.
[13] M. Garetto, W. B. Gong, and D. Towsley, "Modeling malware spreading dynamics," in Proceedings of the IEEE Conference on Computer Communications (INFOCOM), San Francisco, CA, March 2003.
[14] C. C. Zou, W. Gong, and D. Towsley, "Code-Red worm propagation modeling and analysis," in Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS), Washington, DC, November 2002.
[15] ZDNet, Smart worm lies low to evade detection, http://news.zdnet.co.uk/internet/security/0,39020375,39160285,00.htm.
[16] J. Ma, G. M. Voelker, and S. Savage, “Self-stopping worms,” in Proceedings of the ACM Workshop on Rapid Malcode (WORM), Washington, DC, November 2005.
[17] Min Gyung Kang, Juan Caballero, and Dawn Song, “Distributed evasive scan techniques and countermeasures,” in Proceedings of the International Conference on Detection of Intrusions & Malware, and Vulnerability Assessment (DIMVA), Lucerne, Switzerland, July 2007.
[18] Charles Wright, Scott Coull, and Fabian Monrose, “Traffic morphing: An efficient defense against statistical traffic analysis,” in Proceedings of the 15th IEEE Network and Distributed System Security Symposium (NDSS), San Diego, CA, February 2008.
[19] C. Zou, W. B. Gong, D. Towsley, and L. X. Gao, “Monitoring and early detection for internet worms,” in Proceedings of the 10th ACM Conference on Computer and Communication Security (CCS), Washington, DC, October 2003.
[20] S. Venkataraman, D. Song, P. Gibbons, and A. Blum, “New streaming algorithms for superspreader detection,” in Proceedings of the 12th IEEE Network and Distributed Systems Security Symposium (NDSS), San Diego, CA, February 2005.
[21] J. Wu, S. Vangala, and L. X. Gao, “An effective architecture and algorithm for detecting worms with various scan techniques,” in Proceedings of the 11th IEEE Network and Distributed System Security Symposium (NDSS), San Diego, CA, February 2004.
[22] Dshield.org, Distributed Intrusion Detection System, http://www.dshield.org/, 2005.
[23] SANS, Internet Storm Center, http://isc.sans.org/.
[24] C. C. Zou, W. Gong, and D. Towsley, “Worm propagation modeling and analysis under dynamic quarantine defense,” in Proceedings of the 1st ACM CCS Workshop on Rapid Malcode (WORM), Washington, DC, October 2003.
[25] C. C. Zou, D. Towsley, and W. Gong, “Modeling and simulation study of the propagation and defense of internet e-mail worm,” IEEE Transactions on Dependable and Secure Computing, vol. 4, no. 2, pp. 105–118, 2007.
[26] C. Zou, Don Towsley, and Weibo Gong, “Email worm modeling and defense,” in Proceedings of the 13th International Conference on Computer Communications and Networks (ICCCN), Chicago, IL, October 2004.
[27] W. Yu, S. Chellappan, C. Boyer, and D. Xuan, “Peer-to-peer system-based active worm attacks: Modeling and analysis,” in Proceedings of the IEEE International Conference on Communication (ICC), Seoul, Korea, May 2005.
[28] Dynamic Graphs of the Nimda Worm, http://www.caida.org/dynamic/analysis/security/nimda.
[29] S. Staniford, D. Moore, V. Paxson, and N. Weaver, “The top speed of flash worms,” in Proceedings of the 2nd ACM CCS Workshop on Rapid Malcode (WORM), Fairfax, VA, October 2004.
[30] Yubin Li, Zesheng Chen, and Chao Chen, “Understanding divide-conquer-scanning worms,” in Proceedings of the International Performance Computing and Communications Conference (IPCCC), Austin, TX, December 2008.
[31] D. Ha and H. Ngo, “On the trade-off between speed and resiliency of flash worms and similar malcodes,” in Proceedings of the 5th ACM Workshop on Recurring Malcode (WORM), Alexandria, VA, October 2007.
[32] Y. Yang, S. Zhu, and G. Cao, “Improving sensor network immunity under worm attacks: A software diversity approach,” in Proceedings of the ACM International Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc), Hong Kong, May 2008.
[33] L. Martignoni, D. Bruschi, and M. Monga, “Detecting self-mutating malware using control flow graph matching,” in Proceedings of the Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), Berlin, Germany, July 2006.
[34] R. Perdisci, O. Kolesnikov, P. Fogla, M. Sharif, and W. Lee, “Polymorphic blending attacks,” in Proceedings of the 15th USENIX Security Symposium (SECURITY), Vancouver, B.C., August 2006.
[35] Linux.com, Understanding Stealth Scans: Forewarned is Forearmed, http://security.itworld.com/4363/LWD010321vcontrol3/page1.html.
[36] Solar Designer, Designing and Attacking Port Scan Detection Tools, http://www.phrack.org/phrack/53/P53-13.
[37] J. Z. Kolter and M. A. Maloof, “Learning to detect malicious executables in the wild,” in Proceedings of the 10th ACM International Conference on Knowledge Discovery and Data Mining (SIGKDD), Seattle, WA, August 2004.
[38] X. Wang, W. Yu, A. Champion, X. Fu, and D. Xuan, “Detecting worms via mining dynamic program execution,” in Proceedings of the IEEE International Conference on Security and Privacy in Communication Networks (SECURECOMM), Nice, France, September 2007.
[39] W. Yu, X. Wang, D. Xuan, and D. Lee, “Effective detection of active worms with varying scan rate,” in Proceedings of the IEEE International Conference on Security and Privacy in Communication Networks (SECURECOMM), Baltimore, MD, August 2006.
[40] A. Lakhina, M. Crovella, and C. Diot, “Mining anomalies using traffic feature distribution,” in Proceedings of ACM SIGCOMM, Philadelphia, PA, August 2005.
[41] V. Yegneswaran, P. Barford, and D. Plonka, “On the design and utility of internet sinks for network abuse monitoring,” in Proceedings of the Symposium on Recent Advances in Intrusion Detection (RAID), Pittsburgh, PA, September 2003.
[42] M. Bailey, E. Cooke, F. Jahanian, J. Nazario, and D. Watson, “The internet motion sensor: A distributed blackhole monitoring system,” in Proceedings of the 12th IEEE Network and Distributed Systems Security Symposium (NDSS), San Diego, CA, February 2005.
[43] D. Moore, “Network telescopes: Observing small or distant security events,” invited presentation at the 11th USENIX Security Symposium (SECURITY), San Francisco, CA, August 2002.
[44] J. Jung, V. Paxson, A. W. Berger, and H. Balakrishnan, “Fast portscan detection using sequential hypothesis testing,” in Proceedings of the 25th IEEE Symposium on Security and Privacy (S&P), Oakland, CA, May 2004.
[45] H. Kim and B. Karp, “Autograph: Toward automated, distributed worm signature detection,” in Proceedings of the 13th USENIX Security Symposium (SECURITY), San Diego, CA, August 2004.
[46] M. Cai, K. Hwang, J. Pan, and C. Papadopoulos, “WormShield: Fast worm signature generation with distributed fingerprint aggregation,” IEEE Transactions on Dependable and Secure Computing, vol. 4, no. 2, pp. 88–104, 2007.
[47] R. Dantu, J. W. Cangussu, and S. Patwardhan, “Fast worm containment using feedback control,” IEEE Transactions on Dependable and Secure Computing, vol. 4, no. 2, pp. 119–136, 2007.
[48] K. Ogata, Modern Control Engineering, Pearson Prentice Hall, 2002.
[49] J. B. Grizzard, V. Sharma, C. Nunnery, B. B. Kang, and D. Dagon, “Peer-to-peer botnets: Overview and case study,” in Proceedings of the USENIX Workshop on Hot Topics in Understanding Botnets (HotBots), Cambridge, MA, April 2007.
[50] P. Wang, S. Sparks, and C. Zou, “An advanced hybrid peer-to-peer botnet,” in Proceedings of the USENIX Workshop on Hot Topics in Understanding Botnets (HotBots), Cambridge, MA, April 2007.
[51] D. J. Daley and J. Gani, Epidemic Modeling: An Introduction, Cambridge University Press, 1999.
[52] D. Bruschi, L. Martignoni, and M. Monga, “Detecting self-mutating malware using control flow graph matching,” in Proceedings of the Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), Berlin, Germany, July 2006.
[53] MetaPHOR, http://securityresponse.symantec.com/avcenter/venc/data/w32.simile.html.
[54] P. Ferrie and P. Ször, Zmist, Zmist opportunities, Virus Bulletin, http://www.virusbtn.com.
[55] John Bethencourt, Dawn Song, and Brent Waters, “Analysis-resistant malware,” in Proceedings of the 15th IEEE Network and Distributed System Security Symposium (NDSS), San Diego, CA, February 2008.
[56] Monirul Sharif, Jonathon Giffin, Wenke Lee, and Andrea Lanzi, “Impeding malware analysis using conditional code obfuscation,” in Proceedings of the 15th IEEE Network and Distributed System Security Symposium (NDSS), San Diego, CA, February 2008.
[57] Igor V. Popov, Saumya K. Debray, and Gregory R. Andrews, “Binary obfuscation using signals,” in Proceedings of the 17th USENIX Security Symposium (SECURITY), San Jose, CA, July 2008.
[58] M. Christodorescu and S. Jha, “Testing malware detectors,” in Proceedings of the 2004 ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA), Boston, MA, July 2004.
[59] X. Wang, W. Yu, X. Fu, D. Xuan, and W. Zhao, “iLOC: An invisible localization attack to internet threat monitoring systems,” in Proceedings of the 27th IEEE International Conference on Computer Communications (INFOCOM) Mini-conference, Phoenix, AZ, April 2008.
[60] J. Bethencourt, J. Franklin, and M. Vernon, “Mapping internet sensors with probe response attacks,” in Proceedings of the 14th USENIX Security Symposium, Baltimore, MD, July-August 2005.
[61] Y. Shinoda, K. Ikai, and M. Itoh, “Vulnerabilities of passive internet threat monitors,” in Proceedings of the 14th USENIX Security Symposium, Baltimore, MD, July-August 2005.
[62] S. Soundararajan and D. L. Wang, “A schema-based model for phonemic restoration,” Tech. Report OSU-CISRC-1/04-TR03, Department of Computer Science and Engineering, The Ohio State University, January 2004.
[63] N. S. Jayant and P. Noll, Digital Coding of Waveforms, Prentice-Hall, 1984.
[64] R. E. Yantorno, K. R. Krishnamachari, J. M. Lovekin, D. S. Benincasa, and S. J. Wenndt, “The spectral autocorrelation peak valley ratio (SAPVR) - a usable speech measure employed as a co-channel detection system,” in Proceedings of the IEEE International Workshop on Intelligent Signal Processing (WISP), Budapest, Hungary, May 2001.
[65] S. Theodoridis and K. Koutroumbas, Pattern Recognition, Second Edition, Elsevier Science, 2003.

APPENDIX

Appendix A: Estimation of $M(t)$

We now discuss how the C-Worm can estimate $M(t)$ (the number of worm instances or infected computers) at run-time (i.e., during C-Worm propagation). While there are many possible ways to estimate $M(t)$, we only discuss one approach the C-Worm could use, based on the limited network and computing resources available during its propagation. There are other approaches, such as incorporating peer-to-peer techniques to disseminate information through secured IRC channels [49], [50]. Actually, a worm could take advantage of the knowledge that an infection attempt was a new hit (reaching a previously uninfected vulnerable computer) or a duplicate hit (reaching a previously infected vulnerable computer).

To estimate $M(t)$, we use an approach that is similar in nature to the approach used by the “self-stopping” worms that do not require a global overlay control network [16] for realizing their behavior in practice. We call our approach to estimating $M(t)$ the Distributed Co-ordination method. In this method, there is no centralized co-ordination between the C-Worm instances to obtain feedback information about the value of $M(t)$. The distributed co-ordination requires each C-Worm infected computer to be marked with a watermark indicating that the C-Worm infection code has already been installed on the scanned host, as with the “Code-Red” worms. Thus, when an already infected computer (say, host A) scans another infected computer (say, computer B), computer A will detect the watermark and know that computer B has already been infected. By scanning vulnerable computers and collecting the watermark information during the scanning, a C-Worm instance can estimate $M(t)$ at run-time as follows. Let us assume that $T$, which refers to the whole Internet IP address space, is the C-Worm scanning target space. In this scanning target space, assume we have the case where $H(t)$ scans in time $t$ resulted in $K(t)$ infected computers indicated by the presence of watermarks (identified by duplicate hits). We model the number of infected computers indicated by watermarks during the scanning process as a binomial process. Then there are $H(t)$ scanning tries, and each scanning try has success probability $\bar{M}(t)/T$ of being indicated by a watermark, where $\bar{M}(t)$ is the estimate of $M(t)$ at time $t$. Thus $K(t) = H(t) \cdot \bar{M}(t)/T$. With the above equation, we have
$$\bar{M}(t) = \frac{T \cdot K(t)}{H(t)}.$$
Note that the above watermarking-based method might lack the accuracy for the worm propagator to track the accurate status of worm propagation. Nevertheless, this approach can provide a rough estimation of the worm propagation status and can be integrated with other strategies to improve the accuracy of tracking the worm propagation status.

Appendix B: SFM of the C-Worm

We present a formal analysis of the SFM for the C-Worm as follows. Let the observation $Z_1$ be given by $Z_1 = X_1 + Y_1$, where $X_1$ is the random variable representing the C-Worm scanning traffic (e.g., volume, destination counter) in one sampling window and $Y_1$ is the random variable representing the background scanning traffic (e.g., volume, source counter) in one sampling window. We define $X = X_1 - E[X_1]$, where $E[X_1]$ is the mean value of $X_1$, and $Y = Y_1 - E[Y_1]$. Thus, we have $Z = X + Y$, where $X$ and $Y$ are independent zero-mean random variables. We assume that the total frequency range is $-W \le f \le W$. Based on the observations in Section 4.1, we approximately represent $Y_1(t)$ by white Gaussian noise, which is widely used in modeling wide-band noise in communication systems. Thus, $Y$ can be approximately represented by Gaussian white noise with zero mean and a variance of $\sigma$. Thus, in the total frequency band limited within the range $[-W, W]$, the PSD of $Y$ is $S_Y(f) = \sigma$, which shows that $Y$ has a constant power spectrum and each frequency has the average power value $\sigma$.

Considering the fact that all C-Worm instances adopt a similar control mechanism strategy to manipulate the overall scanning traffic volume, we explained how a distinct trend can be noticed in the frequency domain, i.e., a concentration of the C-Worm scanning traffic within a narrow range of frequencies. Assume that the C-Worm scanning traffic occupies $m$ frequency components (denoted by $f_k$, where $k = 1, \ldots, m$ and $m < W$) in the total (narrow-band) frequency range. Without loss of generality, $X(t)$ is approximately represented by
$$X(t) = \sum_{k=1}^{2m} a_k \cos(2\pi f_k t + \theta),$$
where $\theta$ is uniformly distributed in the interval $[0, 2\pi]$ and $a_k$ is uniformly distributed in the interval $[-l, l]$. Based on the relationship among autocorrelation, mean, and autocovariance, we have $R_X(\tau) = C_X(t_1, t_2) + E[X(t_1)]\,E[X(t_2)]$, where $\tau = t_2 - t_1$, $E[X(t_1)] = E[X(t_2)] = 0$, and $C_X(t_1, t_2) = E[(X(t_1) - E[X(t_1)])(X(t_2) - E[X(t_2)])]$ is the auto-covariance of the random process $X(t)$. Thus, it is easy to verify that
$$R_X(\tau) = \sum_{k=1}^{m} \frac{a_k^2}{2} \cos(2\pi f_k \tau).$$
Thus, the PSD of $X(t)$ can be represented by
$$S_X(f) = \sum_{k=1}^{m} \left[ \frac{a_k^2}{4}\,\delta(f - f_k) + \frac{a_k^2}{4}\,\delta(f + f_k) \right].$$
As $X(t)$ and $Y(t)$ are independent random processes (with $S_Y(f) = \sigma$), we have
$$S_Z(f) = \sum_{k=1}^{m} \left[ \frac{a_k^2}{4}\,\delta(f - f_k) + \frac{a_k^2}{4}\,\delta(f + f_k) \right] + \sigma.$$
Define $\frac{a_k^2}{4\sigma}\,\delta(f_k) = R$ ($R \gg 1$). Then $S_Z(f)$ can be rewritten as
$$S_Z(f) = \sigma \left\{ \sum_{k=1}^{m} \left[ R\,\delta(f - f_k) + R\,\delta(f + f_k) \right] + 1 \right\},$$
and the SFM of $Z(t)$ (the ratio of the geometric mean to the arithmetic mean of the PSD over the $2W$ frequency bins, of which $2m$ carry power $R\sigma$ and the remaining $2W - 2m$ carry power $\sigma$) can be represented by
$$\mathrm{SFM}(Z) = \frac{\left[(R\sigma)^{2m}\,\sigma^{2W - 2m}\right]^{\frac{1}{2W}}}{\frac{1}{2W}\left[2m\sigma R + \sigma(2W - 2m)\right]} = \frac{R^{\frac{m}{W}}}{\frac{m}{W}(R - 1) + 1}.$$
We can rewrite the above formula as a function of $R$, $F(x) = \frac{x^t}{t(x - 1) + 1}$, where $x = R$ and $t = \frac{m}{W} < 1$. As
$$F'(x) = \frac{t\,x^{t-1}(x - 1)(t - 1)}{[t(x - 1) + 1]^2} < 0,$$
the SFM is a decreasing function of $x$ ($= R$), and since $R = \frac{a_k^2}{4\sigma}\,\delta(f_k) \gg 1$ (due to the property of the Dirac $\delta$ function), $\mathrm{SFM}(Z) \to 0$. Thus, the SFM of the C-Worm is close to 0.
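The SFM analysis of Appendix B (narrow-band C-Worm traffic on top of white background noise) and the PRS early-stage model analyzed in Appendix C can be checked numerically. The following Python program is an added example, not code from the paper or its authors: it builds three constructed per-window scan-count series (white Gaussian background, a C-Worm-style sum of random-amplitude tones, and a PRS-style ramp $M(t) \approx 1 + \beta N t$), estimates each PSD by averaging periodograms over sampling windows, and computes the SFM as the ratio of the geometric to the arithmetic mean of the PSD bins; it also evaluates the closed form $R^{m/W} / (\frac{m}{W}(R-1)+1)$ derived above. The window length, the tone bins, the amplitude bound $l = 10$, the noise level and the 0.5 decision threshold are assumptions chosen for the illustration, not values from the paper.

```python
"""Spectrum-based worm detection: Spectral Flatness Measure (SFM) of scan traffic.

Added example with constructed traffic models; window length, tone bins,
amplitude bound, noise level and the decision threshold are assumptions.
"""
import cmath
import math
import random


def periodogram(x):
    """Two-sided PSD estimate |X[k]|^2 / n of a real sequence, via a plain DFT
    (O(n^2), fine for the short windows used here; no numpy dependency)."""
    n = len(x)
    psd = []
    for k in range(n):
        acc = sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
        psd.append(abs(acc) ** 2 / n)
    return psd


def averaged_psd(series, win):
    """Bartlett estimate: zero-mean each sampling window, average the periodograms.
    Averaging tames the variance of a single periodogram, so white noise comes out
    close to flat (SFM near 1) instead of the ~0.56 a single periodogram gives."""
    windows = [series[i:i + win] for i in range(0, len(series) - win + 1, win)]
    acc = [0.0] * win
    for w in windows:
        mean = sum(w) / win
        for k, p in enumerate(periodogram([v - mean for v in w])):
            acc[k] += p
    return [p / len(windows) for p in acc]


def sfm(psd):
    """Spectral Flatness Measure = geometric mean / arithmetic mean of the PSD bins:
    1 for a flat (white) spectrum, -> 0 when power concentrates in a few bins."""
    eps = 1e-12
    geo = math.exp(sum(math.log(p + eps) for p in psd) / len(psd))
    return geo / (sum(psd) / len(psd) + eps)


def sfm_closed_form(R, m, W):
    """Appendix B closed form: 2m of 2W bins carry power R*sigma, the rest sigma."""
    t = m / W
    return R ** t / (t * (R - 1) + 1)


def detection_sfm(series, win=64):
    """SFM of the averaged PSD, excluding the DC bin (forced to 0 by mean removal)."""
    return sfm(averaged_psd(series, win)[1:])


# --- constructed traffic models (scan counts per sampling window) ---------------

def background_traffic(n, sigma, rng):
    """Background scanning modelled as white Gaussian noise around a constant level."""
    return [20.0 + rng.gauss(0.0, sigma) for _ in range(n)]


def cworm_traffic(n, win, tone_bins, l, sigma, rng):
    """C-Worm model of Appendix B: a few tones at fixed frequencies f_k with random
    amplitude a_k in [-l, l] and random phase, plus background noise. The tones sit
    exactly on DFT bins of a window, so they form delta-like peaks without leakage."""
    out = []
    for _ in range(0, n, win):
        amps = [rng.uniform(-l, l) for _ in tone_bins]
        theta = rng.uniform(0.0, 2 * math.pi)
        for t in range(win):
            worm = sum(a * math.cos(2 * math.pi * k * t / win + theta)
                       for a, k in zip(amps, tone_bins))
            out.append(20.0 + worm + rng.gauss(0.0, sigma))
    return out[:n]


def prs_traffic(n, beta_n, rate, sigma, rng):
    """Early-stage PRS worm of Appendix C: M(t) ~ 1 + beta*N*t, scan volume
    proportional to M(t), so the series is a ramp whose power sits at low frequency."""
    return [rate * (1.0 + beta_n * t) + rng.gauss(0.0, sigma) for t in range(n)]


def classify(series, threshold=0.5, win=64):
    """Flag a series as worm traffic when its SFM falls below the threshold
    (the threshold is an illustrative value, not one taken from the paper)."""
    value = detection_sfm(series, win)
    return value, value < threshold


def demo(seed=7):
    rng = random.Random(seed)
    n, win = 1024, 64
    series = {
        "background": background_traffic(n, 1.0, rng),
        "cworm": cworm_traffic(n, win, [4, 5], 10.0, 1.0, rng),
        "prs": prs_traffic(n, 0.01, 50.0, 1.0, rng),
    }
    return {name: classify(s, win=win) for name, s in series.items()}


if __name__ == "__main__":
    for name, (value, flagged) in demo().items():
        print(f"{name:10s} SFM={value:.3f} worm={flagged}")
    # Closed form of Appendix B: SFM falls as the peak-to-noise ratio R grows.
    print([round(sfm_closed_form(R, 2, 32), 3) for R in (1, 10, 100, 1000)])
```

Two design choices matter in practice. The DC bin is dropped before computing the SFM because mean removal drives it to zero, and a single near-zero bin would pull the geometric mean (and thus the SFM of perfectly flat background) far below 1; and periodograms are averaged over several sampling windows, since a single periodogram of white noise is itself too noisy to look flat. The C-Worm series here lands at a few peak bins of roughly $R$ times the noise floor with $m = 2$, $W = 32$, which is the regime in which the closed form above predicts an SFM well under 0.1.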
Appendix C: SFM of PRS Worm

In the following, we analyze the spectrum-based detection scheme for detecting PRS worms. Let the detection input data $Z_1$ in one sample window be given by $Z_1 = X_1 + Y_1$, where $X_1$ is the random variable representing the attack traffic (e.g., scan volume) for PRS worms and $Y_1$ is the random variable representing the background traffic (e.g., scan volume). We define $X = X_1 - E[X_1]$, where $E[X_1]$ is the mean value of $X_1$. We also define $Y = Y_1 - E[Y_1]$, where $E[Y_1]$ is the mean value of $Y_1$. Thus, we have $Z = X + Y$, where $X$ and $Y$ are independent zero-mean random variables. We assume the overall frequency range is $-W \le F \le W$. Similarly, we approximately represent $Y_1(t)$ by white Gaussian noise. Thus, $Y$ can be approximately represented by white noise with zero mean and a standard deviation of $\sigma$. Thus, in the frequency band limited within $[-W, W]$, the PSD of $Y$ is $S_Y(F) = \sigma$, which shows that $Y$ has a constant power spectrum over $F \in [-W, W]$. Based on the SFM definition, it is easy to observe that the SFM of $Y$ is close to 1.

According to the PRS worm propagation dynamics in Formula (1), the result is $M(t) \approx e^{\beta \cdot N \cdot t}$ at the early stage of worm propagation. As $\beta \cdot N \cdot t \ll 1$ at the early stage, $M(t) \approx 1 + \beta \cdot N \cdot t$. Following a similar procedure, the PSD of $X = f(t) - E[f(t)]$ can be represented by $S_X(F) = \beta \cdot N \cdot \frac{1}{F^2}$, where $F \in [-W, W]$. Thus, the PSD of $Z$ is $\beta \cdot N \cdot \frac{1}{F^2} + \sigma$. According to Formula (7), we can observe that the value of the SFM for PRS worms is close to 0. This indicates that the spectrum-based scheme can detect PRS worm propagation at the early stage as well.

Wei Yu. Dr. Wei Yu is an assistant professor in the Department of Computer and Information Sciences, Towson University, Towson, MD 21252. Before that, he worked for Cisco Systems Inc. for almost nine years. He received the BS degree in Electrical Engineering from Nanjing University of Technology in 1992, the MS degree in Electrical Engineering from Tongji University in 1995, and the PhD degree in computer engineering from Texas A&M University in 2008. His research interests include cyber space security, computer networks, and distributed systems.

Xun Wang. Dr. Xun Wang received the BS and MS degrees in computer engineering from East China Normal University, Shanghai, China, in 1999 and 2002, and the PhD degree in Computer Science and Engineering from The Ohio State University in 2007. He has been working for Cisco Systems, Inc. since 2007. His research interests include network security, overlay networks, and wireless sensor networks.

Prasad Calyam. Dr. Prasad Calyam received the BS degree in Electrical and Electronics Engineering from Bangalore University, India, and the MS and PhD degrees in Electrical and Computer Engineering from The Ohio State University, in 1999, 2002, and 2007, respectively. He is currently a Senior Systems Developer/Engineer at the Ohio Supercomputer Center, The Ohio State University. His current research interests include multimedia networking, cyber security, cyber infrastructure systems, and network management.

Dong Xuan. Dr. Dong Xuan received the BS and MS degrees in electronic engineering from Shanghai Jiao Tong University (SJTU), China, in 1990 and 1993, and the PhD degree in computer engineering from Texas A&M University in 2001. Currently, he is an associate professor in the Department of Computer Science and Engineering, The Ohio State University. He was on the faculty of Electronic Engineering at SJTU from 1993 to 1997. In 1997, he worked as a visiting research scholar in the Department of Computer Science, City University of Hong Kong. From 1998 to 2001, he was a research assistant/associate in the Real-Time Systems Group of the Department of Computer Science, Texas A&M University. He is a recipient of the US National Science Foundation (NSF) CAREER award. His research interests include distributed computing, computer networks, and cyber space security.

Wei Zhao. Dr. Wei Zhao is currently the Rector of the University of Macau. Before joining the University of Macau, he served as the Dean of the School of Science at Rensselaer Polytechnic Institute. Between 2005 and 2006, he served as the director for the Division of Computer and Network Systems in the US National Science Foundation when he was on leave from Texas A&M University, where he served as Senior Associate Vice President for Research and Professor of Computer Science. He was the founding director of the Texas A&M Center for Information Security and Assurance, which has been recognized as a Center of Academic Excellence in Information Assurance Education by the National Security Agency. Dr. Zhao completed his undergraduate program in physics at Shaanxi Normal University, Xian, China, in 1977. He received the MS and PhD degrees in Computer and Information Sciences at the University of Massachusetts at Amherst in 1983 and 1986, respectively. Since then, he has served as a faculty member at Amherst College, the University of Adelaide, and Texas A&M University. As an elected IEEE fellow, Wei Zhao has made significant contributions in distributed computing, real-time systems, computer networks, and cyber space security.