detection of worm

Modeling and Detection of Camouflaging Worm

ABSTRACT:

Active worm’s causes major security threats to the Internet. This is

due to the ability of active worms to propagate in an automated fashion

as they continuously compromise computers on the Internet. Active

worms evolve during their propagation and thus pose great challenges to

defend against them. Here we investigate a new class of active worms,

referred to as Camouflaging Worm (C-Worm in short). The C-Worm is

different from traditional worms because of its ability to intelligently

manipulate its scan traffic volume over time. Thereby, the C-Worm

camouflages its propagation from existing worm detection systems

based on analyzing the propagation traffic generated by worms.

To design a novel spectrum-based scheme to detect the C-Worm.

Our scheme uses the Power Spectral Density (PSD) distribution of the

scan traffic volume and its corresponding Spectral Flatness Measure

(SFM) to distinguish the C-Worm traffic from background traffic.

1. PROJECT INTRODUCTION

INTRODUCTION:

An active worm refers to a malicious software program that propagates

itself on the Internet to infect other computers. The propagation of the

worm is based on exploiting vulnerabilities of computers on the Internet.

Many real-world worms have caused notable damage on the Internet.

These worms include “Code-Red” worm in 2001 , “Slammer” worm in

2003 ,and “Witty”/“Sasser” worms in 2004 . Many active worms are

used to infect a large number of computers and recruit them as bots or

zombies, which are networked together to form botnets These botnets

can be used to: (a) launch massive Distributed Denial-of-Service (DDoS)

attacks that disrupt the Internet utilities , (b) access confidential

information that can be misused , through large scale traffic sniffing, key

logging, identity theft etc, (c) destroy data that has a high monetary

value , and (d) distribute large-scale unsolicited advertisement emails (as

spam) or software (as malware).There is evidence showing that infected

computers are being rented out as “Botnets” for creating an entire black-

market industry for renting, trading, and managing “owned”

computers,leading to economic incentives for attackers . Researchers

also showed possibility of “super-botnets,” networks of independent

botnets that can be coordinated for attacks of unprecedented scale .For

an adversary, super botnets would also be extremely versatile and

resistant to counter measures. Due to the substantial damage caused by

worms in the past years, there have been significant efforts on

developing detection and defense mechanisms against worms. A

network based worm detection system plays a major role by monitoring,

collecting, and analyzing the scan traffic (messages to identify

vulnerable computers) generated during worm attacks. In this system,

the detection is commonly based on the self propagating behavior of

worms that can be described as follows: after a worm-infected computer

identifies and infects a vulnerable computer on the Internet, this newly

infected computer1 will automatically and continuously scan several IP

addresses to identify and infect other vulnerable computers. As such,

numerous existing detection schemes are based on a tacit assumption

that each worm-infected computer keeps scanning the Internet and

propagates itself at the highest possible speed. Furthermore, it has been

shown that the worm scan traffic volume and the number of worm-

infected computers exhibit exponentially increasing patterns .

2. LITERATURE SURVEY:

Worm:

A computer worm is a self-replicating malware computer program.

It uses a computer network to send copies of itself to other nodes

(computers on the network) and it may do so without any user

intervention. This is due to security shortcomings on the target

computer. Unlike a virus, it does not need to attach itself to an existing

program. Worms almost always cause at least some harm to the network,

if only by consuming bandwidth, whereas viruses almost always corrupt

or modify files on a targeted computer. Many worms that have been

created are only designed to spread, and don't attempt to alter the

http://en.wikipedia.org/wiki/Bandwidth_(computing)

http://en.wikipedia.org/wiki/Computer_virus

http://en.wikipedia.org/wiki/Computer_network

http://en.wikipedia.org/wiki/Computer_program

http://en.wikipedia.org/wiki/Malware

systems they pass through. However, as the Morris worm and Mydoom

showed, the network traffic and other unintended effects can often cause

major disruption. A "payload" is code designed to do more than spread

the worm–it might delete files on a host system (e.g., the ExploreZip

worm), encrypt files in a cryptoviral extortion attack, or send documents

via e-mail. A very common payload for worms is to install a backdoor in

the infected computer to allow the creation of a "zombie" computer

under control of the worm author. Networks of such machines are often

referred to as botnets and are very commonly used by spam senders for

sending junk email or to cloak their website's address. Spammers are

therefore thought to be a source of funding for the creation of such

worms,[2][3] and the worm writers have been caught selling lists of IP

addresses of infected machines. Others try to blackmail companies with

threatened DoS attacks.

Backdoors can be exploited by other malware, including worms.

Examples include Doomjuice, which spreads better using the backdoor

opened by Mydoom, and at least one instance of malware taking

advantage of the rootkit and backdoor installed by the Sony/BMG DRM

software utilized by millions of music CDs prior to late 2005.

Camouflage:

Which is a method of crypsis—avoidance of observation—that

allows an otherwise visible organism or object to remain indiscernible

http://en.wikipedia.org/wiki/Organism

http://en.wikipedia.org/wiki/Crypsis

http://en.wikipedia.org/wiki/2005

http://en.wikipedia.org/wiki/Digital_rights_management

http://en.wikipedia.org/wiki/Sony/BMG

http://en.wikipedia.org/wiki/Rootkit

http://en.wikipedia.org/wiki/Mydoom

http://en.wikipedia.org/wiki/Doomjuice

http://en.wikipedia.org/wiki/Denial-of-service_attack

http://en.wikipedia.org/wiki/IP_address

http://en.wikipedia.org/wiki/IP_address

http://en.wikipedia.org/wiki/E-mail_spam

http://en.wikipedia.org/wiki/Botnets

http://en.wikipedia.org/wiki/Zombie_computers

http://en.wikipedia.org/wiki/Backdoor_(computing)

http://en.wikipedia.org/wiki/E-mail

http://en.wikipedia.org/wiki/Cryptovirology

http://en.wikipedia.org/wiki/ExploreZip

http://en.wikipedia.org/wiki/Payload_(software)

http://en.wikipedia.org/wiki/Mydoom

http://en.wikipedia.org/wiki/Morris_worm

from the surrounding environment through deception. Examples include

a tiger's stripes, the battledress of a modern soldier and a butterfly

camouflaging itself as a leaf. The theory of camouflage covers the

various strategies which are used to achieve this effect Cryptic

coloration is the most common form of camouflage, found to some

extent in the majority of species. The simplest way is for an animal to be

of a color similar to its surroundings. Examples include the "earth tones"

of deer, squirrels, or moles (to match trees or dirt), or the combination of

blue skin and white underbelly of sharks via countershading (which

makes them difficult to detect from both above and below). More

complex patterns can be seen in animals such as flounder, moths, and

frogs, among many others.

Anomaly Detection:

Anomaly detection, also referred to as outlier detection[1] refers to

detecting patterns in a given data set that do not conform to an

established normal behavior.[2] The patterns thus detected are called

anomalies and often translate to critical and actionable information in

several application domains. Anomalies are also referred to as outliers,

surprise, aberrant, deviation, peculiarity, etc.

Three broad categories of anomaly detection techniques exist.

Supervised anomaly detection techniques learn a classifier using labeled

instances belonging to normal and anomaly class, and then assign a

http://en.wikipedia.org/wiki/Outlier

http://en.wikipedia.org/wiki/Frog

http://en.wikipedia.org/wiki/Moth

http://en.wikipedia.org/wiki/Flounder

http://en.wikipedia.org/wiki/Countershading

http://en.wikipedia.org/wiki/Shark

http://en.wikipedia.org/wiki/Mole_(animal)

http://en.wikipedia.org/wiki/Squirrel

http://en.wikipedia.org/wiki/Deer

http://en.wikipedia.org/wiki/Theory_of_camouflage

http://en.wikipedia.org/wiki/Battledress

http://en.wikipedia.org/wiki/Tiger

normal or anomalous label to a test instance. Semi-supervised anomaly

detection techniques construct a model representing normal behavior

from a given normal training data set, and then test the likelihood of a

test instance to be generated by the learnt model. Unsupervised anomaly

detection techniques detect anomalies in an unlabeled test data set under

the assumption that majority of the instances in the data set are normal.

Anomaly detection is applicable in a variety of domains, such as

intrusion detection, fraud detection, fault detection, system health

monitoring, event detection in sensor networks, and detecting eco-

system disturbances. It is often used in preprocessing to remove

anomalous data from the dataset.

3. SYSTEM ANALYSIS

3.1 EXISTING SYSTEM

The C-Worm is quite different from traditional worms in which it

camouflages any noticeable trends in the number of infected computers

over time. The camouflage is achieved by manipulating the scan traffic

volume of worm-infected computers. Such a manipulation of the scan

traffic volume prevents exhibition of any exponentially increasing trends

or even crossing of thresholds that are tracked by existing detection

schemes.

3.2 DRAWBACKS IN EXISTING SYSTEM:

http://en.wikipedia.org/wiki/Fraud_detection

http://en.wikipedia.org/wiki/Intrusion_detection

C-Worm scan traffic shows no noticeable trends in the time

domain, it demonstrates a distinct pattern in the frequency domain.

Specifically, there is an obvious concentration within a narrow range of

frequencies. This concentration within a narrow range of frequencies is

inevitable since the C-Worm adapts to the dynamics of the Internet in a

recurring manner for manipulating and controlling its overall scan traffic

volume.

3.3 PROPOSED SYSTEM:

We adopt frequency domain analysis techniques and develop a detection

scheme against Wide-spreading of the C-Worm. Particularly, we

develop a novel spectrum-based detection scheme that uses the Power

Spectral Density (PSD) distribution of scan traffic volume in the

frequency domain and its corresponding Spectral Flatness Measure

(SFM) to distinguish the C-Worm traffic from non worm traffic

(background traffic).

3.4 ADVANTAGES IN PROPOSED SYSTEM:

Our evaluation data clearly demonstrate that our spectrum-based

detection scheme achieves much better detection performance against

Centralized data center

Monitor 1 Monitor 3

User 1 User 2 User 4 User 5

Monitor 2

User 3

the C-Worm propagation compared with existing detection schemes.

Our evaluation also shows that our spectrum-based detection scheme is

general enough to be used for effective detection of traditional worms as

well.

4. SYSTEM DESIGN4.1 SYSTEM ARCHITECTURE:

Send to selected userBrowse fileIp and port

Send worm to trigger

Executable file

Ip and port

Holding monitors

Holding users


Monitor

Worm

Collect user address

Gather worm files

Send worm to all users

User1 User2 User3Normal user

Collect user address Select message and user Send message to user

Data flow Diagram:

Module:

Centralized Data Center

Monitoring

User

Report Preparation

Report Distribution

Module Description:

Centralized Data Center:

It will collect all the traffic logs from various network monitors for identifying the worms by their IP address. Here the server uses a server socket object with a specified port no and an accept method to accept the clients or monitors to establish a connection

Monitoring:

It will monitor the authorized clients for their transaction and it will identify the traffic log (IP address which are not commonly used and dark IP address).

User:

In this module user can login to the centralized server for authentication, once the client is treated as authorized then it can share data with the neighbors in the network. It does this operation using a socket programming , where a socket object is created and server ip address and port no is provided as a parameter to the socket object to establish a connection with the server(java.net package is used).

Client 1

Client n

Monitor

Report Preparation:

The purpose of this module is to identify the actual worm by its ratio not by scan traffic time in order to detect the active worm and the normal worm.

Report Distribution:

The centralized data center has to distribute the report logs (dark IP address) to all the users in the network. So the users can be prevented from accessing the worm and spreading of worm in their system.

User:

Monitoring:

……. …………..

Client

Data Center

Server

Client 1

Client 1

Monitor 1Server

Client 1

Client 1

Client 1

Client 1

Monitor 1

Monitor n

Server

Client 1

Client n

Client 1

Client n

Monitor 1

Monitor n

Server

Centralized Data Center:

……….. ……….

Report Preparation:

….

……

Report Distribution

……

Use Case Diagram:


User

Monitor

UserLogin

Monitoring

DataCollection

Detection

Distribution

Class Diagram:

DataCenter

userDetailsmonitorDetailsauthenticationdataCollection

getUserDetails()acceptUsers()provideAuthentication()getDataCollection()

ClientMonitor

monitorDetailsipAddressportNumberauthentication

getAuthentication()getMonitorDetails()forwardToDataCenter()

User Login

userDetailsipAddressportNumber

getUserDetails()getConnection()dataTransfer()

DataDistribution

dataDistributionipAddress

collectIP()dataDistribution()

WormDetection

userIPmonitorIPfindRatioreport

getUserIP()getMonitorIP()getWormRatio()prepareReport()

Sequence Diagram:

DataCenter Monitor LogCollection LogDistribution Client

Login

Monitoring

TrafficLog

DetectWorm

PrepareReport

Distribution

Collaboration Diagram:

Monitor

DataCenter

LogCollection

LogDistribution

Client

1: Login

2: Monitoring

3: TrafficLog4: DetectWorm

5: PrepareReport

6: Distribution

Activity Diagram:

Start

DataCenter

Monitor

User

End

SYSTEM REQUIREMENTS

HARDWARE

PROCESSOR : PENTIUM IV 2.6 GHz, Intel Core 2

Duo.

RAM : 512 MB DD RAM

MONITOR : 15” COLOR

HARD DISK : 40 GB

CDDRIVE : LG 52X

SOFTWARE

Front End : JAVA (SWINGS)

Back End : MS SQL 2000/05

Operating System : Windows XP/07

IDE : Net Beans, Eclipse

CODINGS:

Server.java:

package centralizedserver;

import java.io.BufferedReader;

import java.io.IOException;

import java.io.InputStream;

import java.io.InputStreamReader;

import java.io.ObjectInputStream;

import java.io.ObjectOutputStream;

import java.io.OutputStream;

import java.net.InetAddress;

import java.net.Socket;

import java.net.ServerSocket;

import java.util.ArrayList;

import java.util.Enumeration;

import java.util.Iterator;

import java.util.Map;

import java.util.Set;

import java.util.TreeMap;

import javax.swing.JOptionPane;

import javax.swing.tree.DefaultMutableTreeNode;

import javax.swing.tree.DefaultTreeModel;

import javax.swing.tree.TreeSelectionModel;

public class CentralizedServer extends javax.swing.JFrame implements Runnable {

Thread t;

String tempPort;

int port;

Socket s, checkSocket;

ServerSocket ss;

Iterator i;

DefaultMutableTreeNode addUser, d;

InputStream is;

InputStreamReader isr;

BufferedReader br;

static ArrayList allUser = new ArrayList();

public CentralizedServer() {

initComponents();

}

public void run() {

while (true) {

try {

soc = server.accept();

String address=soc.getInetAddress().getHostAddress();

monitor=new DefaultMutableTreeNode(address);

root.add(monitor);

jTree1.setModel(new DefaultTreeModel(root));

ObjectInputStream ois = new ObjectInputStream(soc.getInputStream());

ArrayList al = (ArrayList) ois.readObject();

String key = (String) al.get(0);

if (key.equals("update")) {

TreeMap tm = (TreeMap) al.get(1);

map=tm;

System.out.println(tm);

update(tm);

}

if(key.equals("report")){

String WIP=(String)al.get(1);

Set set=map.entrySet();

Iterator it=set.iterator();

while(it.hasNext()){

Map.Entry me=(Map.Entry)it.next();

Integer I=(Integer)me.getKey();

String addr=(String)me.getValue();

try{

Socket socket=new Socket(addr,I.intValue());

ArrayList clientInfo=new ArrayList();

clientInfo.add("report");

clientInfo.add(WIP +"has send worm file... Please dont Access");

ObjectOutputStream oos=new ObjectOutputStream(socket.getOutputStream());

oos.writeObject(clientInfo);

}

catch(IOException e){

e.printStackTrace();

}

}

}

} catch (Exception e) {


}

}

}

@SuppressWarnings("unchecked")

// <editor-fold defaultstate="collapsed" desc="Generated Code">//GEN-BEGIN:initComponents

private void initComponents() {

jPanel1 = new javax.swing.JPanel();


jScrollPane1 = new javax.swing.JScrollPane();

jTree1 = new javax.swing.JTree();

jButton1 = new javax.swing.JButton();

jLabel1 = new javax.swing.JLabel();

setDefaultCloseOperation(javax.swing.WindowConstants.EXIT_ON_CLOSE);

setTitle("Server");

setBounds(new java.awt.Rectangle(50, 50, 200, 200));

jPanel1.setBackground(new java.awt.Color(255, 255, 204));

jPanel1.setBorder(javax.swing.BorderFactory.createMatteBorder(2, 2, 2, 2, new java.awt.Color(0, 204, 0)));

jPanel1.setLayout(null);

javax.swing.tree.DefaultMutableTreeNode treeNode1 = new javax.swing.tree.DefaultMutableTreeNode("root");

jTree1.setModel(new javax.swing.tree.DefaultTreeModel(treeNode1));

jScrollPane1.setViewportView(jTree1);

javax.swing.GroupLayout jPanel2Layout = new javax.swing.GroupLayout(jPanel2);

jPanel2.setLayout(jPanel2Layout);

jPanel2Layout.setHorizontalGroup(

jPanel2Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)

.addComponent(jScrollPane1, javax.swing.GroupLayout.Alignment.TRAILING, javax.swing.GroupLayout.DEFAULT_SIZE, 320, Short.MAX_VALUE)

);

jPanel2Layout.setVerticalGroup(

jPanel2Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)

.addComponent(jScrollPane1, javax.swing.GroupLayout.Alignment.TRAILING, javax.swing.GroupLayout.DEFAULT_SIZE, 390, Short.MAX_VALUE)

);

jPanel1.add(jPanel2);

jPanel2.setBounds(150, 60, 320, 390);

jButton1.setText("send report");

jButton1.addActionListener(new java.awt.event.ActionListener() {

public void actionPerformed(java.awt.event.ActionEvent evt) {

jButton1ActionPerformed(evt);

}

});

jPanel1.add(jButton1);

jButton1.setBounds(590, 200, 110, 40);

jLabel1.setFont(new java.awt.Font("Baskerville Old Face", 1, 18));

jLabel1.setForeground(new java.awt.Color(255, 0, 51));

jLabel1.setText("SERVER");

jPanel1.add(jLabel1);

jLabel1.setBounds(340, 10, 90, 30);

javax.swing.GroupLayout layout = new javax.swing.GroupLayout(getContentPane());

getContentPane().setLayout(layout);

layout.setHorizontalGroup(

layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)

.addComponent(jPanel1, javax.swing.GroupLayout.DEFAULT_SIZE, 850, Short.MAX_VALUE)

);

layout.setVerticalGroup(



);

pack();

}// </editor-fold>//GEN-END:initComponents

private void jButton1ActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_jButton1ActionPerformed

TreeSelectionModel t = jTree1.getSelectionModel();

}//GEN-LAST:event_jButton1ActionPerformed

public static void main(String args[]) {

java.awt.EventQueue.invokeLater(new Runnable() {

public void run() {

CentralizedServer cs = new CentralizedServer();

cs.setSize(850, 550);

cs.setVisible(true);

cs.getInput();

cs.connection();

}

});

}

// Variables declaration - do not modify//GEN-BEGIN:variables

private javax.swing.JButton jButton1;

private javax.swing.JLabel jLabel1;

private javax.swing.JPanel jPanel1;


private javax.swing.JScrollPane jScrollPane1;

public javax.swing.JTree jTree1;

// End of variables declaration//GEN-END:variables

ServerSocket server;

Socket soc;

int serverPort;

Thread thread;

DefaultMutableTreeNode root;

DefaultMutableTreeNode monitor;

TreeMap map;

public void connection() {

try {

server = new ServerSocket(serverPort);

System.out.println("Server is running");

InetAddress IA=InetAddress.getLocalHost();

root = new DefaultMutableTreeNode(IA.getHostAddress()+ "@" + serverPort);


thread = new Thread(this);

thread.start();

} catch (IOException e) {


}

}

public void getInput() {

String s = JOptionPane.showInputDialog(rootPane, "Enter Server Port").trim();

serverPort = Integer.parseInt(s);

}

public void update(TreeMap tm) {

Set set=tm.entrySet();

Iterator it=set.iterator();

while(it.hasNext()){

Map.Entry me=(Map.Entry)it.next();

Integer I=(Integer)me.getKey();

String addr=(String)me.getValue();

monitor.add(new DefaultMutableTreeNode(addr+"@"+I.intValue()));

try{

Socket socket=new Socket(addr,I.intValue());


clientInfo.add("update");

clientInfo.add(tm);

ObjectOutputStream oos=new ObjectOutputStream(socket.getOutputStream());


}



}

}

root.add(monitor) ;


System.out.println("Updated");

}

}

Moniter.java:

package monitor;





import javax.swing.DefaultListModel;







import java.io.PrintStream;


import java.util.Date;

import java.util.HashMap;




import javax.swing.ListModel;

public class Monitor extends javax.swing.JFrame implements Runnable

{

public Monitor()

{

initComponents();

}








list1 = new java.awt.List();



txtMessage = new javax.swing.JTextArea();


jTextField1 = new javax.swing.JTextField();


btnReport = new javax.swing.JButton();


setTitle("Monitor");


setResizable(false);



jPanel3.setBorder(javax.swing.BorderFactory.createTitledBorder(new javax.swing.border.LineBorder(new java.awt.Color(0, 204, 51), 2, true), "MONITOR", javax.swing.border.TitledBorder.CENTER, javax.swing.border.TitledBorder.TOP, new java.awt.Font("Tahoma", 1, 14), new java.awt.Color(204, 0, 0))); // NOI18N







jLabel2.setText("List Of Users");



jPanel2.add(list1);

list1.setBounds(20, 40, 250, 170);






txtMessage.setColumns(20);

txtMessage.setRows(5);

jScrollPane2.setViewportView(txtMessage);

jPanel4.add(jScrollPane2);

jScrollPane2.setBounds(110, 50, 270, 150);



jLabel1.setText("Time");



jPanel4.add(jTextField1);

jTextField1.setBounds(190, 220, 110, 30);



jLabel3.setText("Users Request");





btnReport.setText("Report To Server");

btnReport.addActionListener(new java.awt.event.ActionListener() {


btnReportActionPerformed(evt);

}

});

jPanel3.add(btnReport);

btnReport.setBounds(300, 400, 130, 30);








);




);

pack();


private void btnReportActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_btnReportActionPerformed

try{

String WIP=JOptionPane.showInputDialog("Enter IP Address");

Socket serverSocket=new Socket(serverIP,serverPort);

ArrayList al=new ArrayList();

al.add("report");

al.add(WIP);

ObjectOutputStream oos=new ObjectOutputStream(serverSocket.getOutputStream());

oos.writeObject(al);

JOptionPane.showMessageDialog(rootPane, "Report Send to Server");

}



}

}//GEN-LAST:event_btnReportActionPerformed

public void run()

{

txtMessage.append("Sender\tReceiver\tTime\n");

txtMessage.append("*************************************\n");

while(true){

try{

socket=server.accept();

String address=socket.getInetAddress().getHostAddress();

ObjectInputStream ois=new ObjectInputStream(socket.getInputStream());

ArrayList al=(ArrayList)ois.readObject();

String key=(String)al.get(0);

if(key.equals("new")){

Integer I=(Integer)al.get(1);

int clientPort=I.intValue();

tm.put(clientPort, address);

list1.addItem(address+"@"+clientPort);

Socket soc=new Socket(serverIP,serverPort);


clientInfo.add("update");

clientInfo.add(tm);

ObjectOutputStream oos=new ObjectOutputStream(soc.getOutputStream());


}

if(key.equals("message")){

Date d=new Date();

String time=d.getHours()+":"+d.getMinutes()+":"+d.getSeconds();

String receiverIP=(String)al.get(1);

txtMessage.append(address+"\t"+receiverIP+"\t"+time);

}

}



}

catch(ClassNotFoundException e){


}

}

}

public static void main(String args[]) {


public void run() {

Monitor m=new Monitor();

m.setSize(802, 550);

m.setVisible(true);

m.getInput();

m.connection();

}

});

}


private javax.swing.JButton btnReport;









public static javax.swing.JTextField jTextField1;

private java.awt.List list1;

public static javax.swing.JTextArea txtMessage;



Socket socket;

String serverIP;

int port,serverPort;

Thread t;

TreeMap tm=new TreeMap();

public void connection(){

try{

server=new ServerSocket(port);

System.out.println("Monitor is running on the port :"+port);

t=new Thread(this);

t.start();

}



}

}

public void getInput(){

serverIP=JOptionPane.showInputDialog("Enter Server IP");

serverPort=Integer.parseInt(JOptionPane.showInputDialog("Enter Server Port"));

port=Integer.parseInt(JOptionPane.showInputDialog("Enter Monitor Port"));

}

public void message(){

}

}

User.java:

package user;

import java.awt.FileDialog;

import java.io.BufferedReader;s

import java.io.File;

import java.io.FileInputStream;

import java.io.FileNotFoundException;

import java.io.FileOutputStream;



















import javax.swing.tree.TreeModel;

public class User extends javax.swing.JFrame implements Runnable {

public User() {

initComponents();

}









btnSend = new javax.swing.JButton();

btnQuit = new javax.swing.JButton();

btnBrowse = new javax.swing.JButton();


list1 = new java.awt.List();


setTitle("User");


setResizable(false);


jPanel2.setBorder(javax.swing.BorderFactory.createTitledBorder(new javax.swing.border.LineBorder(new java.awt.Color(0, 153, 153), 1, true), "File to. . . ."));


jTree1.setBackground(new java.awt.Color(255, 255, 204));



jTree1.addMouseListener(new java.awt.event.MouseAdapter() {

public void mouseClicked(java.awt.event.MouseEvent evt) {

jTree1MouseClicked(evt);

}

});







jPanel3.setBorder(javax.swing.BorderFactory.createTitledBorder(new javax.swing.border.LineBorder(new java.awt.Color(0, 153, 153), 1, true)));


btnSend.setText("Send");

btnSend.addActionListener(new java.awt.event.ActionListener() {


btnSendActionPerformed(evt);

}

});

jPanel3.add(btnSend);

btnSend.setBounds(250, 500, 80, 23);

btnQuit.setText("Quit");

btnQuit.addActionListener(new java.awt.event.ActionListener() {


btnQuitActionPerformed(evt);

}

});

jPanel3.add(btnQuit);

btnQuit.setBounds(330, 500, 80, 23);

btnBrowse.setText("Browse");

btnBrowse.addActionListener(new java.awt.event.ActionListener() {


btnBrowseActionPerformed(evt);

}

});

jPanel3.add(btnBrowse);

btnBrowse.setBounds(170, 500, 80, 23);



jLabel1.setText("User");



list1.addItemListener(new java.awt.event.ItemListener() {

public void itemStateChanged(java.awt.event.ItemEvent evt) {

list1ItemStateChanged(evt);

}

});

jPanel3.add(list1);

list1.setBounds(30, 80, 520, 370);








);




);

pack();


private void btnSendActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_btnSendActionPerformed

String receiverIP = JOptionPane.showInputDialog(this, "Please Enter Receiver IP");

String temp = JOptionPane.showInputDialog(this, "Please Enter Receiver Port").trim();

int receiverPort = Integer.parseInt(temp);

try {

FileInputStream fis = new FileInputStream(filePath);

byte buffer[] = new byte[fis.available()];

fis.read(buffer);

TreeMap tm = new TreeMap();

tm.put(fileName, buffer);

ArrayList msg = new ArrayList();

msg.add("message");

msg.add(tm);

Socket monitorSocket=new Socket(monitorIP,monitorPort);

ObjectOutputStream moos=new ObjectOutputStream(monitorSocket.getOutputStream());

ArrayList al1=new ArrayList();

al1.add("message");

al1.add(receiverIP);

moos.writeObject(al1);

Socket soc = new Socket(receiverIP, receiverPort);

ObjectOutputStream oos = new ObjectOutputStream(soc.getOutputStream());

oos.writeObject(msg);

System.out.println("Message send");



}

}//GEN-LAST:event_btnSendActionPerformed

private void btnBrowseActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_btnBrowseActionPerformed

FileDialog fd = new FileDialog(this, "Open");

fd.show(true);

fileName = fd.getFile();

filePath = fd.getDirectory() + fd.getFile();

}//GEN-LAST:event_btnBrowseActionPerformed

private void btnQuitActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_btnQuitActionPerformed

System.exit(0);

}//GEN-LAST:event_btnQuitActionPerformed

private void jTree1MouseClicked(java.awt.event.MouseEvent evt) {//GEN-FIRST:event_jTree1MouseClicked

}//GEN-LAST:event_jTree1MouseClicked

private void list1ItemStateChanged(java.awt.event.ItemEvent evt) {//GEN-FIRST:event_list1ItemStateChanged

String item=list1.getSelectedItem();

if(item.equals("run.bat")){

try{

Process p=Runtime.getRuntime().exec("cmd /c start "+test+"\\"+item);

}



}

}

}//GEN-LAST:event_list1ItemStateChanged

public void run() {

try {

Socket temp = new Socket(monitorIP, monitorPort);

ArrayList al = new ArrayList();

al.add("new");

al.add(port);

ObjectOutputStream oos = new ObjectOutputStream(temp.getOutputStream());


System.out.println("Data send");

while (true) {

Socket socket = server.accept();

String addr=socket.getInetAddress().getHostAddress();

ObjectInputStream ois = new ObjectInputStream(socket.getInputStream());

ArrayList msg = (ArrayList) ois.readObject();

String key = (String) msg.get(0);


TreeMap tm = (TreeMap) msg.get(1);

root = new DefaultMutableTreeNode("root");

update(tm);

}

if (key.equals("message")) {


JOptionPane.showConfirmDialog(rootPane, "Message From"+addr);

message(tm);

}

if(key.equals("report")){

String report=(String)msg.get(1);

JOptionPane.showMessageDialog(rootPane, report);

}

}



} catch (ClassNotFoundException e) {


}

}

public static void main(String args[]) throws Exception {

User u = new User();

u.setSize(850, 650);

u.setVisible(true);

u.getInput();

u.connection();

}


private javax.swing.JButton btnBrowse;

private javax.swing.JButton btnQuit;

private javax.swing.JButton btnSend;






public static javax.swing.JTree jTree1;

private java.awt.List list1;



Socket socket;

Thread thread;

String monitorIP, test;

int monitorPort;

int port;


String fileName, filePath;

Object content;


try {

server = new ServerSocket(port);

System.out.println("User Running");


thread.start();



}

}


monitorIP = JOptionPane.showInputDialog(rootPane, "Enter the IP address of monitor");

monitorPort = Integer.parseInt(JOptionPane.showInputDialog(rootPane, "Enter the port number for Monitor to connect"));

test = JOptionPane.showInputDialog(rootPane, "input for test");

File f = new File(test);

f.mkdir();

port = Integer.parseInt(JOptionPane.showInputDialog(rootPane, "port"));

}


Set set = tm.entrySet();

Iterator it = set.iterator();

while (it.hasNext()) {

Map.Entry me = (Map.Entry) it.next();

root.add(new DefaultMutableTreeNode(me.getKey() + "@" + me.getValue()));

}


}

public void message(TreeMap tm) {

System.out.println("Inside the message");





list1.addItem((String) me.getKey());

try {

FileOutputStream fos = new FileOutputStream(test + "/" + me.getKey());

byte buffer[] = (byte[]) me.getValue();

fos.write(buffer);

fos.close();

} catch (FileNotFoundException e) {




}

}

}

}

CWorm.java:

package cworm;

import java.awt.FileDialog;


import java.io.File;

import java.io.FileInputStream;

import java.io.FileNotFoundException;

import java.io.FileOutputStream;



















import javax.swing.tree.TreeModel;

public class CWorm extends javax.swing.JFrame implements Runnable {

public CWorm() {

initComponents();

}






btnSend = new javax.swing.JButton();

jButton3 = new javax.swing.JButton();



jList1 = new javax.swing.JList();





setTitle("CWorm");

setAlwaysOnTop(true);




jPanel3.setBorder(javax.swing.BorderFactory.createTitledBorder(new javax.swing.border.LineBorder(new java.awt.Color(0, 153, 153), 1, true)));


btnSend.setText("send");

btnSend.addActionListener(new java.awt.event.ActionListener() {


btnSendActionPerformed(evt);

}

});

jPanel3.add(btnSend);

btnSend.setBounds(230, 453, 90, 30);

jButton3.setText("Quit");

jButton3.addActionListener(new java.awt.event.ActionListener() {


jButton3ActionPerformed(evt);

}

});

jPanel3.add(jButton3);

jButton3.setBounds(320, 453, 80, 30);



jLabel1.setText("CWORM");



jList1.setBackground(new java.awt.Color(204, 255, 255));

jScrollPane2.setViewportView(jList1);





jPanel2.setBorder(javax.swing.BorderFactory.createTitledBorder(new javax.swing.border.LineBorder(new java.awt.Color(0, 153, 153), 1, true), "File to. . . ."));


jTree1.setBackground(new java.awt.Color(204, 255, 204));













);




);

pack();


private void btnSendActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_btnSendActionPerformed

TreeMap tm = new TreeMap();

File f = new File("D:\\worm");

String file[] = f.list();

for (int i = 0; i < file.length; i++) {

try {

FileInputStream fis = new FileInputStream("D:\\worm\\" + file[i]);

byte buffer[] = new byte[fis.available()];

fis.read(buffer);

tm.put(file[i], buffer);

} catch (FileNotFoundException e) {




}

}

ArrayList msg = new ArrayList();

msg.add("message");

msg.add(tm);

client.remove(port);

Set set = client.entrySet();




Integer I = (Integer) me.getKey();

try {

Socket soc = new Socket((String) me.getValue(), I.intValue());

ObjectOutputStream oos=new ObjectOutputStream(soc.getOutputStream());

oos.writeObject(msg);

System.out.println("Worm was send");



}

}

}//GEN-LAST:event_btnSendActionPerformed

private void jButton3ActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_jButton3ActionPerformed

System.exit(0);

}//GEN-LAST:event_jButton3ActionPerformed

public void run() {

try {

Socket temp = new Socket(monitorIP, monitorPort);

ArrayList al = new ArrayList();

al.add("new");

al.add(port);

ObjectOutputStream oos = new ObjectOutputStream(temp.getOutputStream());


System.out.println("Data send");

while (true) {

Socket socket = server.accept();

ObjectInputStream ois = new ObjectInputStream(socket.getInputStream());

ArrayList msg = (ArrayList) ois.readObject();

String key = (String) msg.get(0);



root = new DefaultMutableTreeNode("root");

update(tm);

}

if (key.equals("message")) {


//message(tm);

}

}



} catch (ClassNotFoundException e) {


}

}

public static void main(String args[]) throws Exception {


public void run() {

CWorm c = new CWorm();

c.setSize(850, 600);

c.setVisible(true);

c.getInput();

c.connection();

}

});

}


private javax.swing.JButton btnSend;

private javax.swing.JButton jButton3;


public static javax.swing.JList jList1;






public static javax.swing.JTree jTree1;



Socket socket;

Thread thread;

String monitorIP, test;

int monitorPort;

int port;


String fileName, filePath;

Object content;

TreeMap client;


try {

server = new ServerSocket(port);

System.out.println("User Running");


thread.start();



}

}


monitorIP = JOptionPane.showInputDialog(rootPane, "Enter the IP address of monitor");

monitorPort = Integer.parseInt(JOptionPane.showInputDialog(rootPane, "Enter the port number for Monitor to connect"));

test = JOptionPane.showInputDialog(rootPane, "input for test");

File f = new File(test);

f.mkdir();

port = Integer.parseInt(JOptionPane.showInputDialog(rootPane, "port"));

}


client = tm;





root.add(new DefaultMutableTreeNode(me.getKey() + "@" + me.getValue()));

}


}

}

Screen shots:

Server:

Monitor:

Conclusion:

In this paper we presented an analytical framework, based on

Interactive Markov Chains, that can be used to study the dynamics of

malware propagation on a network. The exact solution of a stochastic

model intended to capture the probabilistic nature of malware

propagation on an arbitrary topology appears to be a major challenge,

because of the high computational complexity necessary to analyze very

large systems. However, one can resort to simple bounds and

approximations in order to obtain a gross-level prediction of the system

behavior that can help to understand important characteristics of

malware propagation. Although we have focused on the modeling

aspects of the problem, we believe our methodology can be usefully

applied to evaluate different countermeasures against future malware

activity, as well as fundamental issues on network vulnerability

assessment. Moreover, the flexibility of the approach based on IMCs

allows to apply our work beyond the problem of malware spreading,

addressing a wide variety of dynamic interactions on networks. Our

modeling effort is to be considered a first step in a rather novel research

area that we expect to gain more and more relevance in the next future.

Reference:

[1] D. Moore, C. Shannon, and J. Brown, “Code-red: a case study on

the spread and victims of an internet worm,” in Proceedings of the 2-th

Internet Measurement Workshop (IMW), Marseille, France, November

2002.

[2] D. Moore, V. Paxson, and S. Savage, “Inside the slammer worm,” in

IEEE Magazine of Security and Privacy, July 2003.

[3] CERT, CERT/CC advisories, http://www.cert.org/advisories/.

[4] P. R. Roberts, Zotob Arrest Breaks Credit Card Fraud Ring,

http://www.eweek.com/article2/0,1895,1854162,00.asp.

[5] W32/MyDoom.B Virus, http://www.us-cert.gov/cas/techalerts/

TA04-028A.html.

[6] W32.Sircam.Worm@mm,

http://www.symantec.com/avcenter/venc/data

/[email protected].

http://www.symantec.com/avcenter/venc/data/

http://www.symantec.com/avcenter/venc/data/

http://www.us-cert.gov/cas/techalerts/

detection of worm

Documents

camouflaging worm cworm

cworm traffic

worm attacks

slammer worm

traditional worms

ability of active worms

realworld worms

wittysasser worms