Securing a Network by Modeling and Containment of Worms Using ...

International Journal of Research in Computer and Communication Technology, Vol 2, Issue 10, October- 2013

ISSN (Online) 2278- 5841 ISSN (Print) 2320- 5156

Securing a Network by Modeling and Containment of Worms Using Preference Scanning

Rohitkumar R. Wagdarikar, Ramkrushna C. Maheshwar, Manik A. Raichurakar

Department of Computer Science and Engineering, Symbiosis Institute of Technology and Science. JNTU, Hyderabad, India. Bandari Srinivas Institute of Technology, Chevella, Hyderabad, India.

Abstract: Self-propagating codes are called worms. In this paper, we present an inclination branching process model for characterizing the propagation of Internet worms. A user typically knows the name and the definition of a worm, but sometimes, because of the validity of the worm containment system, the system cannot find the worm. The model is developed for preference scanning worms and then extended to inclination scanning worms. This model leads to the development of an inclination worm containment strategy that prevents the spread of a worm beyond its early stage. Specifically, for preference scanning worms, we are able to provide a precise condition that determines whether the worm spread will eventually stop and to obtain the distribution of the total number of hosts that the worm infects. We then extend our results to contain inclination scanning worms. Our strategy is based on limiting the number of scans to dark-address space. Our inclination worm containment schemes effectively contain both uniform scanning worms and local preference scanning worms, and they are validated through simulations and real trace data to be nonintrusive. We also show that our worm strategy, when used with traditional firewalls, can be deployed incrementally to provide worm containment for the local network and benefit the Internet.

Index Terms: Inclination branching process model, Internet scanning worms, Preference scanning worms, Automatic worm containment, Active Worms.

I. INTRODUCTION

The Internet has become critically important to the financial viability of the national and the global economy. Meanwhile, we are witnessing an upsurge in the incidents of malicious code in the form of computer viruses and worms. One class of such malicious code, known as random scanning worms, spreads itself without human intervention by using a scanning strategy to find vulnerable hosts to infect. As shown in Figure 1, the worm is sent by a user to victim 1, and it then spreads over the network. The goal of our research is to provide an inclination branching process model for characterizing the propagation of Internet worms. A user typically knows the name and the definition of a worm, but sometimes, because of the validity or the lack of the latest updates of the worm containment system, the system cannot find the worm.

Figure 1. The life of Worm

These worms then start spreading into the network. The model is developed for preference scanning worms and then extended to inclination scanning worms. This model leads to the development of an inclination worm containment strategy that prevents the spread of a worm beyond its early stage. Specifically, for preference scanning worms, we are able to provide a precise condition that determines whether the worm spread will eventually stop and to obtain the distribution of the total number of hosts that the worm infects. We then extend our results to contain inclination scanning worms. We model the propagation of random scanning worms and develop the corresponding inclination containment mechanisms that prevent the spread of worms beyond their early stages. This containment scheme is then extended to protect an enterprise network from a preference scanning worm. A host infected with random scanning worms finds and infects other vulnerable hosts by scanning a list of randomly generated IP addresses. Worms using other strategies to find vulnerable hosts to infect are not within the scope of this work. Some examples of nonrandom-scanning worms are e-mail worms, peer-to-peer worms, and worms that search the local host for addresses to scan. The aggressive scanning traffic generated by the infected hosts has caused network congestion, equipment failure, and blocking of physical facilities such as subway stations, 911 call centers, etc. Consider Code Red worm version 2, which exploits a buffer overflow vulnerability in the Microsoft IIS web server: over a period of less than 14 hours it infected 359,000 machines, at a cost of about $1.2 billion.

II. RELATED WORK

The following list of papers shows the related work carried out on securing a network by the inclination branching process model and the possible solutions given.

1. S. Sellke, N. Shroff, and S. Bagchi, “Modeling and Automated Containment of Worms,” Proc. IEEE Int’l Conf. Dependable Systems and Networks, pp. 528-537, 2005. [1] This paper focuses on modeling and automated containment of worms at an early phase.
2. H. Andersson and T. Britton, “Stochastic Epidemic Models and Their Statistical Analysis,” Lecture Notes in Statistics, vol. 151, 2000. [2] This work focuses on the branching process model for characterizing the propagation of Internet worms.
3. “The Cost of Code Red: $1.2 Billion,” USA Today News, http://www.usatoday.com/tech/news/2001-08-01-code-red-costs.htm, 2001. [3] This article focuses on Code Red worm version 2, which exploits a buffer overflow vulnerability in the Microsoft IIS web server.
4. N. Weaver, S. Staniford, and V. Paxson, “Very Fast Containment of Scanning Worms,” Proc. Usenix Security Symp., pp. 29-44, 2004. [4] This paper focuses on very fast containment of scanning worms.
5. Z. Chen, L. Gao, and K. Kwiat, “Modeling the Spread of Active Worms,” Proc. IEEE INFOCOM ’03, pp. 1890-1900, 2003. [5] This paper focuses on modeling the spread of active worms.

III. PROPOSED SYSTEM

Most of the time, because the worm containment system lacks updates, the system is not able to detect the worm. The inclination branching process model allows the user to select the type of worm that is currently present in the system.
Past Trends: A few years ago, random scanning for worms was performed. In this model the system generates random IP addresses for scanning; most of the time it generates dark IP addresses, and it even starts scanning these dark IP addresses. It takes a long time to detect a worm in the network. Scanning for a worm in the dark IP address space is a total waste of time. While scanning is being performed in the dark IP address space, the worm infects the other systems present in the network.

Current Trends: Nowadays organizations have become large, so they require a good application that manages the security of the whole organization. The inclination branching process model gives flexible facilities to the network with better performance. We provide the facilities that are needed for the organization.

Future Trends: This model provides the facility that makes a flexible and reliable network system. Future work should provide a powerful network system that contains worms on an inclination basis, together with a strong algorithm for the worm containment technique.

Goals: The goal of “Securing a Network by Modeling and Containment of Worms by Preference Scanning” is to secure the network against infection by worms in the early phase by providing an inclination branching process model.

Problem Definition: The Internet has become critically important to the financial viability of the national and the global economy. Meanwhile, we are witnessing an upsurge in the incidents of malicious code in the form of computer viruses and worms that affects the performance of the network. An example is Code Red worm version 2, which exploits a buffer overflow vulnerability in the Microsoft IIS web server: over a period of less than 14 hours it infected 359,000 machines, at a cost of about $1.2 billion.

IV. SYSTEM MODEL

The modules are as follows: Inclination Module, Network Module, Spreading Module, Report Generation and Containment Module. The main focus is on the Inclination Module, which allows the user to select a worm based on the inclination/preference branching process.

Inclination Module: In the inclination branching process module, the user selects a worm that is not identified by the currently running worm containment system but is present on the system. This happens because of the lack of updates of the worm containment system.

Network Module: All the nodes are interconnected, and while performing task execution some of the nodes communicate with each other; while they communicate, the worm can spread over the network.

Containment Module: This module starts searching for the user-selected worm that is specified in the inclination branching process module.
While searching, it searches all files and folders of the system through an advanced search system.

Spread Module: When the containment module detects the worm type that is specified in the inclination branching process module, it starts spreading the worm name over the network; when another node receives this message from an infected node, it starts containment for that node in that system.

Simulator Module: This module maintains information about the worms present in the network. In this module we created a simulator to show our output graphically.

In the existing system, active worms are similar to biological viruses in terms of their infectious and self-propagating nature. They identify vulnerable computers, infect them, and the worm-infected computers propagate the infection further to other vulnerable computers. In order to understand worm behavior, we first need to model it. With this understanding, effective detection and defense schemes could be developed to mitigate the impact of the worms. Active worms use various scan mechanisms to propagate themselves efficiently. The basic form of active worms can be categorized as having the Pure Random Scan (PRS) nature. In the PRS form, a worm-infected computer continuously scans a set of random Internet IP addresses to find new vulnerable computers. Other worms propagate themselves more effectively than PRS worms using various methods. In order to increase propagation efficiency, they use a local network or hit list to infect previously identified vulnerable computers at the initial stage of propagation. They may also use DNS, network topology and routing information to identify active computers instead of randomly scanning IP addresses. As shown in Figure 2, the containment system for the random scanning mechanism selects a Machine Count equal to 10,000. The total number of scans for each host is monitored. The monitoring system can be implemented on each host or on the edge router of a local network. The two hosts marked are removed from the network automatically because their total number of scans (counter) has reached 10,000. This technique is very tedious. To overcome this problem, the preference scanning system is developed.

Figure 2. Random scanning mechanism

In the worm containment system for preference scan worms, the value of Machine count is chosen to be 20. Two hosts are disconnected from the network because their total dark-address space scan has reached 20. Our strategy can effectively contain both fast scan worms and slow scan worms without knowing the worm signature in advance or needing to explicitly detect the worm. Our automatic worm containment schemes effectively contain the worms and stop their spreading.

Figure 3. Preference scanning mechanism

V. ALGORITHM FOR INCLINATION BRANCH PROCESSING:

1. First initialize all hosts in the network and initialize the worm name. Consider 4 hosts present in the network, i.e. Host1, Host2, Host3 and Host4.
2. Select the worm to spread over the network from any one host through the inclination branch process model.
   Worm_Name=Trojan.xff
3. Spread the worm in the network through the inclination branch process model.
   i. Host1=Trojan.xff
   ii. Host2=Trojan.xff
   iii. Host3=Trojan.xff
   iv. Host4=Trojan.xff
   The Trojan.xff worm spreads over the network, i.e. Host1, Host2, Host3 and Host4.
4. Stop spreading of the worm from the host through the inclination branch process model.
   Host1 spreads the worm in the network, so Host1 will stop spreading of worms.
5. Start the Containment Module for all hosts. In this module all hosts in the network start scanning for the Trojan.xff file.
   i. In Host1: if (worm_file == Trojan.xff) { Worm found in Host 1 }
   ii. In Host2: if (worm_file == Trojan.xff) { Worm found in Host 2 }
   iii. In Host3: if (worm_file == Trojan.xff) { Worm found in Host 3 }
   iv. In Host4: if (worm_file == Trojan.xff) { Worm found in Host 4 }
6. Report generation. In this module it will report the detected worms.
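
The dark-address scan limit described in Section IV can be enforced with a per-host counter at the edge router. The following is an added example, not the paper's implementation: the class name, the 10.0.0.0/24 prefix, the live-host list and the traffic records are constructed, and counting distinct dark destinations (rather than every repeat) is an assumption made here so that a client retrying one stale address is not disconnected.

```python
import ipaddress
from collections import defaultdict

SCAN_LIMIT = 20  # the paper's "Machine count" for preference-scan worms


class DarkScanMonitor:
    """Counts each host's scans to dark (unused) local addresses.

    Assumptions of this sketch: the monitor knows the local prefix and its
    live hosts, and it counts distinct dark destinations per source.
    """

    def __init__(self, prefix, live_hosts, limit=SCAN_LIMIT):
        self.net = ipaddress.ip_network(prefix)
        self.live = {ipaddress.ip_address(h) for h in live_hosts}
        self.limit = limit
        self.dark_seen = defaultdict(set)  # source -> dark destinations
        self.quarantined = set()

    def is_dark(self, dst):
        addr = ipaddress.ip_address(dst)
        return addr in self.net and addr not in self.live

    def observe(self, src, dst):
        """Process one connection attempt; return True if it is forwarded."""
        if src in self.quarantined:
            return False
        if self.is_dark(dst):
            self.dark_seen[src].add(dst)
            if len(self.dark_seen[src]) >= self.limit:
                self.quarantined.add(src)  # disconnect the host at the limit
                return False
        return True


def replay(monitor, flows):
    """Feed (src, dst) records to the monitor; return how many were dropped."""
    return sum(0 if monitor.observe(s, d) else 1 for s, d in flows)


# Constructed sample traffic (not real trace data).
LIVE = ["10.0.0.1", "10.0.0.5", "10.0.0.9", "10.0.0.20"]
# A normal client: many connections to a server, repeated tries to one stale IP.
CLIENT = [("10.0.0.5", "10.0.0.1")] * 30 + [("10.0.0.5", "10.0.0.77")] * 25
# A host sweeping its own subnet, as a local-preference scanner would.
SWEEP = [("10.0.0.9", f"10.0.0.{i}") for i in range(1, 41)]

if __name__ == "__main__":
    mon = DarkScanMonitor("10.0.0.0/24", LIVE)
    dropped = replay(mon, CLIENT + SWEEP)
    print("quarantined:", sorted(mon.quarantined), "dropped:", dropped)
```

The sweeping host is cut off at its 20th distinct dark address without any worm signature being consulted, while the client's 25 retries to a single stale address count once.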

VI. GUI SNAPSHOTS

Figure 4. Inclination Module

Figure 5. Containment Module

VII. VALIDATION TESTING:

This phase of testing validates the fields of the forms that are to be input by the user. This includes checking whether necessary fields have been left empty and performing data type validation checks, e.g. starting the spreading without selecting a type or the name of the worm.

1. Test case 1: Test for selection of the type or the name of the worm.
   Aim: Worm name must be selected.
   Method: User must select the name of the worm from the combo box.
   Expected result: Worm name selected.
   Actual result: Same as expected.
2. Test case 2: Test for spreading of the selected worm.
   Aim: Selected worm must be spread over the network.
   Method: Click on the Spread button.
   Expected result: Worm reached all the hosts in the network.
   Actual result: Same as expected.
3. Test case 3: Test for containment of the selected worm.
   Aim: Selected worm must be detected on each host.
   Method: Click on the Start Scanning button.
   Expected result: Worm detected.
   Actual result: Same as expected.

VIII. RESULT AND FUTURE SCOPE:

A host infected with random scanning worms finds and infects other vulnerable hosts by scanning a list of randomly generated IP addresses. The project “Securing a Network by Modeling & Containment of Worm using Preference Scanning” leads to the development of an inclination worm containment strategy that prevents the spread of a worm beyond its early stage.
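
Why a limit of 10,000 scans per host holds a random-scanning worm to its early stage can be checked numerically. The following is an added example, not code from the paper: it assumes each scan independently hits a vulnerable host with probability p = 359,000 / 2^32 (the paper's Code Red count taken as the vulnerable population), so one host's new infections are Binomial(M, p) and the outbreak dies out with certainty when M·p is at most 1; the 30,000 limit is a hypothetical comparison value.

```python
import math
import random

ADDRESS_SPACE = 2 ** 32
VULNERABLE = 359_000  # assumption: Code Red v2 infection count from the paper
CAP = 1_000           # a run that infects this many hosts counts as escaped


def mean_offspring(scan_limit):
    """Expected new infections per infected host before it is cut off."""
    return scan_limit * VULNERABLE / ADDRESS_SPACE


def binomial(n, p, rng):
    """Exact Binomial(n, p) draw using geometric gaps between hits."""
    hits, pos, log_q = 0, 0, math.log1p(-p)
    while True:
        pos += int(math.log(1.0 - rng.random()) / log_q) + 1
        if pos > n:
            return hits
        hits += 1


def outbreak_size(scan_limit, rng):
    """Hosts infected in one run that starts from a single infected host."""
    p = VULNERABLE / ADDRESS_SPACE
    active = total = 1
    while active and total < CAP:
        # Every active host uses up its scan budget, then is disconnected.
        active = sum(binomial(scan_limit, p, rng) for _ in range(active))
        total += active
    return min(total, CAP)


def contained_fraction(scan_limit, trials=200, seed=1):
    """Share of runs in which the worm dies out before reaching CAP hosts."""
    rng = random.Random(seed)
    sizes = [outbreak_size(scan_limit, rng) for _ in range(trials)]
    return sum(size < CAP for size in sizes) / trials


if __name__ == "__main__":
    for limit in (10_000, 30_000):  # 30,000 is a hypothetical looser limit
        print(limit, round(mean_offspring(limit), 3), contained_fraction(limit))
```

With the paper's limit the mean number of new infections per host is about 0.84 and every simulated outbreak stays small; with the looser limit the mean is about 2.5 and most runs reach the cap.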

IX. CONCLUSION

In this paper, we have studied the problem of combating Internet worms. To that end, we have developed an inclination branching process model to characterize the propagation of Internet worms. Unlike the random scanning model and the deterministic epidemic models studied in the literature, this model allows us to characterize the early phase of worm propagation. Using the inclination branching process model, we are able to provide a precise bound on the total number of scans that ensures that the worm will eventually die out. Further, from our model, we also obtain the probability that the total number of hosts that the worm infects is below a certain level, as a function of the scan limit. The insights gained from analyzing this model also allow us to develop an effective and automatic worm containment strategy that does not let the worm propagate beyond the early stages of infection. Our strategy can effectively contain both fast scan worms and slow scan worms without knowing the worm signature in advance or needing to explicitly detect the worm. We show via simulations and real trace data that the containment strategy is both effective and non-intrusive.

REFERENCES

1. S. Sellke, N. Shroff, and S. Bagchi, “Modeling and Automated Containment of Worms,” Proc. IEEE Int’l Conf. Dependable Systems and Networks, pp. 528-537, 2005.
2. H. Andersson and T. Britton, “Stochastic Epidemic Models and Their Statistical Analysis,” Lecture Notes in Statistics, vol. 151, 2000.
3. “The Cost of Code Red: $1.2 Billion,” USA Today News, http://www.usatoday.com/tech/news/2001-08-01-code-red-costs.htm, 2001.
4. N. Weaver, S. Staniford, and V. Paxson, “Very Fast Containment of Scanning Worms,” Proc. Usenix Security Symp., pp. 29-44, 2004.
5. Z. Chen, L. Gao, and K. Kwiat, “Modeling the Spread of Active Worms,” Proc. IEEE INFOCOM ’03, pp. 1890-1900, 2003.
6. C.C. Zou, W. Gong, and D. Towsley, “Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense,” Proc. ACM Workshop Rapid Malcode, pp. 51-60, 2003.
7. D.J. Daley and J. Gani, Epidemic Modelling, An Introduction. Cambridge Univ. Press, 1999.
8. Computer Economics, “Economic Impact of Malicious Code Attacks,” http://www.computereconomics.com/cei/press/pr92101.html, 2001.
