29-03-2011, 02:02 PM
Presented by:
R.Arthi
R.suganya
R.Punitha Priyadarshini
[attachment=11249]
Abstract
Self-propagating codes, called worms, such as Code Red, Nimda, and Slammer, have drawn significant attention due to their enormously adverse impact on the Internet. Thus, there is great interest in the research community in modeling the spread of worms and in providing adequate defense mechanisms against them. In this paper, we present a (stochastic) branching process model for characterizing the propagation of Internet worms. The model is developed for uniform scanning worms and then extended to preference scanning worms. This model leads to the development of an automatic worm containment strategy that prevents the spread of a worm beyond its early stage. Specifically, for uniform scanning worms, we are able to determine whether the worm spread will eventually stop. We then extend our results to contain preference scanning worms. Our automatic worm containment schemes effectively contain both uniform scanning worms and local preference scanning worms, and it is validated through simulations and real trace data to be non intrusive.
Introduction
The goal of our research is to provide a model for the propagation of random scanning worms and the corresponding development of automatic containment mechanisms that prevent the spread of worms beyond their early stages. This containment scheme is then extended to protect an enterprise network from a preference scanning worm. A host infected with random scanning worms finds and infects other vulnerable hosts by scanning a list of randomly generated IP addresses. Worms using other strategies to find vulnerable hosts to infect are not within the scope of this work. Some examples of nonrandom-scanning worms are e-mail worms, peer-to-peer worms, and worms that search the local host for addresses to scan.
In this paper, we propose a stochastic branching process model for the early phase of worm propagation.1Weconsider the generation-wise evolution of worms, with the hosts that are infected at the beginning of the propagation forming generation zero. The hosts that are directly infected by hosts in generation n are said to belong to generation n þ 1. Our model captures the worm spreading dynamics for worms of arbitrary scanning rate, including stealth worms that may turn themselves off at times.
Data Flow Diagram
Modules of the Project
Module Description
Branching Process Model
To the problem of combating worms, we have developed a branching process model to characterize the propagation of Internet worms. Unlike deterministic epidemic models studied in the literature, this model allows us to characterize the early phase of worm propagation.
Scanning for worms
Our strategy is based on limiting the number of scans to dark-address space. The limiting value is determined by our analysis. Our automatic worm containment schemes effectively contain both uniform scanning worms and local preference scanning worms, and it is validated through simulations and real trace data to be non-intrusive.
Module Description
Detecting and categorizing worms
The model is developed for uniform scanning worms and then extended to preference scanning worms. We detect these two worms and categorize it in this module.
Containment of worms
This model leads to the development of an automatic worm containment strategy that prevents the spread of a worm beyond its early stage. Specifically, for uniform scanning worms, we are able to 1) provide a precise condition that determines whether the worm spread will eventually stop and 2) obtain the distribution of the total number of hosts that the worm infects.
Existing System
• In an Existing system the complexity of the general stochastic epidemic model makes it difficult to derive insightful results that could be used to contain the worm.
• In a previous study it is used to detect the presence of a worm by detecting the trend, not the rate, of the observed illegitimate scan traffic.
• The filter is used to separate worm traffic from background non worm scan traffic.
Proposed System
System Requirement Specification
Hardware:
PROCESSOR : PENTIUM IV 2.6 GHz
RAM : 512 MB
MONITOR : 15”
HARD DISK : 20 GB
CDDRIVE : 52X
KEYBOARD : STANDARD 102 KEYS
MOUSE : 3 BUTTONS
Software:
FRONT END : JAVA, SWING
BACK END : SQL SERVER
TOOLS USED : JFRAME BUILDER
OPERATING SYSTEM: WINDOWS XP
Conclusion
In this paper, we have studied the problem of combating Internet worms. To that end, we have developed a branching process model to characterize the propagation of Internet worms. Unlike deterministic epidemic models studied in the literature, this model allows us to characterize the early phase of worm propagation. Using the branching process model, we are able to provide a precise bound M on the total number of scans that ensure that the worm will eventually die out. Further, from our model, we also obtain the probability that the total number of hosts that the worm infects is below a certain level, as a function of the scan limit . The insights gained from analyzing this model also allow us to develop an effective and automatic worm containment strategy that does not let the worm propagate beyond the early stages of infection. Our strategy can effectively contain both fast scan worms and slow scan worms without knowing the worm signature in advance or needing to explicitly detect the worm. We show via simulations and real trace data that the containment strategy is both effective and non-intrusive.
