Saturday, October 26, 2019
General Behavioral Characterization of Proximity Malware
CHAPTER 1 INTRODUCTION

GENERAL

A delay-tolerant network is a network designed to operate effectively over extreme distances, such as those encountered in space communications or on an interplanetary scale. In such an environment, long latency, sometimes measured in hours or days, is inevitable. The popularity of mobile consumer electronics, like laptop computers, PDAs, and more recently and prominently smartphones, revives the delay-tolerant network (DTN) model as an alternative to the traditional infrastructure model. The widespread adoption of these devices, coupled with strong economic incentives, induces a class of malware that specifically targets DTNs. We call this class of malware proximity malware. Proximity malware based on the DTN model brings unique security challenges that are not present in the infrastructure model. In the infrastructure model, the cellular carrier centrally monitors networks for abnormalities; moreover, the resource scarcity of individual nodes limits the rate of malware propagation. A prerequisite to defending against proximity malware is to detect it. In this paper, we consider a general behavioral characterization of proximity malware. Behavioral characterization, in terms of system calls and program flow, has been previously proposed as an effective alternative to pattern matching for malware detection. In our model, the behaviors of malware-infected nodes are observed by others during their multiple opportunistic encounters: individual observations may be imperfect, but abnormal behaviors of infected nodes are identifiable in the long run.

OBJECTIVE

A network is a collection of nodes. Each node communicates with its neighbors and shares its data with them. If a node is infected by malware, it is necessary to clean it; otherwise its neighbors will keep communicating with it and become infected as well. Hence the detection of malware is important.
Here we discuss some methods for the detection of malware.

EXISTING SYSTEM

Previous research quantifies the threat of proximity malware attacks and demonstrates the possibility of launching such an attack, which is confirmed by recent reports on hijacking hotel Wi-Fi hotspots for drive-by malware attacks. With the adoption of new short-range communication technologies such as NFC and Wi-Fi Direct, which facilitate spontaneous bulk data transfer between spatially proximate mobile devices, the threat of proximity malware is becoming more realistic and relevant than ever. Proximity malware based on the DTN model brings unique security challenges that are not present in the infrastructure model.

EXISTING SYSTEM DISADVANTAGES

Central monitoring and resource limits are absent in the DTN model.
Collecting evidence is risky, and the evidence collected may be insufficient.
False evidence has to be filtered sequentially and in a distributed manner.

1.3.2. LITERATURE SURVEY

Title: An Optimal Distributed Malware Defense System for Mobile Networks with Heterogeneous Devices
Author: Yong Li, Pan Hui
Year: 2011
Description: Consider a mobile network where a portion of the nodes are infected by malware. Our research problem is to deploy an efficient defense system to help the infected nodes to recover and prevent the healthy nodes from further infection. Typically, we should disseminate the content-based signatures of known malware to as many nodes as possible. The signature is obtained by using algorithms such as an MD5 hash over the malware content, and they are used by the mobile devices to detect various patterns in the malware and then to disable further propagation. Therefore, distributing these signatures into the whole network while avoiding unnecessary redundancy is our optimization goal.
Title: On Modeling Malware Propagation in Generalized Social Networks
Author: Shin-Ming Cheng
Year: 2011
Description: This article proposes a novel analytical model to efficiently analyze the speed and severity for spreading the hybrid malware such as Commwarrior that targets multimedia messaging service (MMS) and BT. Validation against conducted simulation experiments reveals that our model developed from the Susceptible-Infected (SI) model in epidemiology accurately approximates mixed spreading behaviors in large areas without the huge computational cost, which helps estimate the damages caused by the hybrid malware and aids in the development of detection and containment processes.

Title: Scalable, Behavior-Based Malware Clustering
Author: Ulrich Bayer
Year: 2009
Description: In this research, we propose a scalable clustering approach to identify and group malware samples that exhibit similar behavior. For this, we first perform dynamic analysis to obtain the execution traces of malware programs. These execution traces are then generalized into behavioral profiles, which characterize the activity of a program in more abstract terms. The profiles serve as input to an efficient clustering algorithm that allows us to handle sample sets that are an order of magnitude larger than previous approaches. We have applied our system to real-world malware collections. The results demonstrate that our technique is able to recognize and group malware programs that behave similarly, achieving a better precision than previous approaches. To underline the scalability of the system, we clustered a set of more than 75 thousand samples in less than three hours.

Title: Self-Policing Mobile Ad-Hoc Networks by Reputation Systems
Author: Sonja Buchegger
Year: 2005
Description: Node misbehavior due to selfish or malicious reasons or faulty nodes can significantly degrade the performance of mobile ad-hoc networks.
To cope with misbehavior in such self-organized networks, nodes need to be able to automatically adapt their strategy to changing levels of cooperation. Existing approaches such as economic incentives or secure routing by cryptography alleviate some of the problems, but not all. We describe the use of a self-policing mechanism based on reputation to enable mobile ad-hoc networks to keep functioning despite the presence of misbehaving nodes. The reputation system in all nodes makes them detect misbehavior locally by observation and use of second-hand information. Once a misbehaving node is detected it is automatically isolated from the network. We classify the features of such reputation systems and describe possible implementations of each of them. We explain in particular how it is possible to use second-hand information while mitigating contamination by spurious ratings.

Title: The EigenTrust Algorithm for Reputation Management in P2P Networks
Author: Sepandar D. Kamvar, Mario T. Schlosser
Year: 2003
Description: Peer-to-peer file-sharing networks are currently receiving much attention as a means of sharing and distributing information. However, as recent experience shows, the anonymous, open nature of these networks offers an almost ideal environment for the spread of self-replicating inauthentic files. We describe an algorithm to decrease the number of downloads of inauthentic files in a peer-to-peer file-sharing network that assigns each peer a unique global trust value, based on the peer's history of uploads. We present a distributed and secure method to compute global trust values, based on power iteration. By having peers use these global trust values to choose the peers from whom they download, the network effectively identifies malicious peers and isolates them from the network.
In simulations, this reputation system, called EigenTrust, has been shown to significantly decrease the number of inauthentic files on the network, even under a variety of conditions where malicious peers cooperate in an attempt to deliberately subvert the system.

Title: When Gossip is Good: Distributed Probabilistic Inference for Detection of Slow Network Intrusions
Author: Denver Dash, Branislav Kveton
Year: 2006
Description: Intrusion attempts due to self-propagating code are becoming an increasingly urgent problem, in part due to the homogeneous makeup of the internet. Recent advances in anomaly-based intrusion detection systems (IDSs) have made use of the quickly spreading nature of these attacks to identify them with high sensitivity and at low false positive (FP) rates. However, slowly propagating attacks are much more difficult to detect because they are cloaked under the veil of normal network traffic, yet can be just as dangerous due to their exponential spread pattern. We extend the idea of using collaborative IDSs to corroborate the likelihood of attack by imbuing end hosts with probabilistic graphical models and using random messaging to gossip state among peer detectors. We show that such a system is able to boost a weak anomaly detector D to detect an order-of-magnitude slower worm, at false positive rates less than a few per week, than would be possible using D alone at the end-host or on a network aggregation point.

Title: A Preliminary Investigation of Worm Infections in a Bluetooth Environment
Author: Jing Su, Kelvin K. W. Chan
Year: 2006
Description: Over the past year, there have been several reports of malicious code exploiting vulnerabilities in the Bluetooth protocol. While the research community has started to investigate a diverse set of Bluetooth security issues, little is known about the feasibility and the propagation dynamics of a worm in a Bluetooth environment. This paper is an initial attempt to remedy this situation.
We start by showing that the Bluetooth protocol design and implementation is large and complex. We gather traces and we use controlled experiments to investigate whether a large-scale Bluetooth worm outbreak is viable today. Our data shows that starting a Bluetooth worm infection is easy, once a vulnerability is discovered. Finally, we use trace-driven simulations to examine the propagation dynamics of Bluetooth worms. We find that Bluetooth worms can infect a large population of vulnerable devices relatively quickly, in just a few days.

Title: An adaptive anomaly detector for worm detection
Author: John Mark Agosta, Carlos Diuk-Wasser
Year: 2007
Description: We present an adaptive end-host anomaly detector where a supervised classifier trained as a traffic predictor is used to control a time-varying detection threshold. Training and testing it on real traffic traces collected from a number of end-hosts, we show our detector dominates an existing fixed threshold detector. This comparison is robust to the choice of off-the-shelf classifier employed, and to a variety of performance criteria: the predictor's error rate, the reduction in the "threshold gap" and the ability to detect the simulated threat of incremental worm traffic added to the traces. This detector is intended as a part of a distributed worm detection system that infers system-wide threats from end-host detections, thereby avoiding the sensing and resource limitations of conventional centralized systems. The distributed system places a constraint on this end-host detector to appear consistent over time and machine variability.

Title: CPMC: An Efficient Proximity Malware Coping Scheme in Smartphone-based Mobile Networks
Author: Feng Li, Yinying Yang
Year: 2010
Description: Many emerging malware can utilize the proximity of devices to propagate in a distributed manner, thus remaining unobserved and making detections substantially more challenging.
Different from existing malware coping schemes, which are either totally centralized or purely distributed, we propose a Community-based Proximity Malware Coping scheme, CPMC. CPMC utilizes the social community structure, which reflects a stable and controllable granularity of security, in smart phone-based mobile networks. The CPMC scheme integrates short-term coping components, which deal with individual malware, and long-term evaluation components, which offer vulnerability evaluation towards individual nodes. A closeness-oriented delegation forwarding scheme combined with a community level quarantine method is proposed as the short-term coping components. These components contain a proximity malware by quickly propagating the signature of a detected malware into all communities while avoiding unnecessary redundancy.

PROPOSED SYSTEM

Behavioral characterization, in terms of system calls and program flow, has been previously proposed as an effective alternative to pattern matching for malware detection. In our model, malware-infected nodes' behaviors are observed by others during their multiple opportunistic encounters: individual observations may be imperfect, but abnormal behaviors of infected nodes are identifiable in the long run. We identify challenges for extending Bayesian malware detection to DTNs, and propose a simple yet effective method, look-ahead, to address the challenges. Furthermore, we propose two extensions to look-ahead, dogmatic filtering and adaptive look-ahead, to address the challenge of "malicious nodes sharing false evidence".

PROPOSED SYSTEM ADVANTAGES

Real mobile network traces are used to verify the effectiveness of the proposed methods.
The proposed evidence consolidation strategies minimize the negative impact of liars on the quality of the shared evidence.
The abnormal behaviors of infected nodes are identified in the long run.

CHAPTER 2 PROJECT DESCRIPTION

2.1. GENERAL

We analyze the problem of behavioral characterization of malware nodes in a delay-tolerant network efficiently, without affecting network performance.

2.2. PROBLEM DEFINITION

Proximity malware is a malicious program that disrupts the host node's normal function and has a chance of duplicating itself to other nodes during (opportunistic) contact opportunities between nodes in the DTN. When duplication occurs, the other node is infected with the malware. We present a general behavioral characterization of proximity malware, which captures the functional but imperfect nature of detecting proximity malware. Under the behavioral malware characterization, and with a simple cut-off malware containment strategy, we formulate the malware detection process as a distributed decision problem. We analyze the risk associated with the decision, and design a simple yet effective strategy, look-ahead, which naturally reflects individual nodes' intrinsic risk inclinations against malware infection. We present two alternative techniques, dogmatic filtering and adaptive look-ahead, that naturally extend look-ahead to consolidate evidence provided by others while containing the negative effect of false evidence. A nice property of the proposed evidence consolidation methods is that the results will not worsen even if liars are the majority in the neighborhood.

2.3. METHODOLOGIES

The methodology analyzes the principles and procedure for behaviorally characterizing a node with two methods, dogmatic filtering and adaptive look-ahead, for consolidating evidence provided by other nodes while containing the negative impact of liars in a delay-tolerant network.

2.3.1. MODULES

Authentication
Network Nodes
Malware Detection
Evidence Analysis
Evil Node Revocation

2.3.2. MODULE DESCRIPTION

Authentication: A new user who wants to consume the service must first register by providing the necessary details.
After successful completion of the sign-up process, the user logs in to the application with the username and the exact password provided at the time of registration. If the login succeeds, the user is taken to the main page; otherwise the application remains on the login page.

Network Nodes: Under this module, the IP addresses of the nodes interconnected by the local area network are fetched in order to share resources among the network. The performance of each individual system is also analyzed to assess its behavior.

Malware Detection: The malware detection module identifies the evil node, that is, the node affected by a malware program.

Evidence Analysis: This module investigates the evidence about nodes by collecting assessments before a normal node is affected by a malware program. Evidence aging discards outdated assessments of a node, and evidence consolidation filters the negative assessments of a node provided by other nodes.

Evil Node Revocation: After an evil node is detected, communication with it is dropped to prevent the malware from spreading, and the evil node's details are transferred to the database for further reference. Finally, the evil node is revoked from the network computer list.

2.3.3. MODULE DIAGRAM

(Diagram of the five modules: Authentication, Network Nodes, Malware Detection, Evidence Analysis, Evil Node Revocation.)

2.3.4. GIVEN INPUT EXPECTED OUTPUT

AUTHENTICATION
Input: Give username and password
Output: Access to your personal details

NETWORK NODES
Input: Connect to the network
Output: Communication between client and server

MALWARE DETECTION
Input: Transfer your file to another node
Output: Identification of the malicious node

EVIDENCE ANALYSIS
Input: Communicate with other nodes before being affected by the malware node, then collect evidence
Output: Evidence analysis report showing all evidence

EVIL NODE REVOCATION
Input: Communication with the malware node until full evidence is collected
Output: The malware node has been removed

2.4. TECHNIQUE USED

Dogmatic filtering

Dogmatic filtering is based on the observation that one's own assessments are truthful and therefore can be used to bootstrap the evidence consolidation process. A node shall only accept evidence that will not sway its current opinion too much. We call this observation the dogmatic principle.

Adaptive look-ahead

Adaptive look-ahead takes a different approach towards evidence consolidation. Instead of deciding whether to use the evidence provided by others directly in the cut-off decision, adaptive look-ahead indirectly uses the evidence by adapting the number of steps to look ahead to the diversity of opinion.
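The dogmatic principle above, together with the evidence aging step of the Evidence Analysis module and the simple cut-off containment strategy, worked through in Python as an added example (not code from this report or from the paper it follows). The Beta-posterior belief, the tolerance and cut-off thresholds, and every assessment in the scenario are assumptions constructed for illustration.

```python
# Added example (not the report's or the underlying paper's code): dogmatic filtering
# over constructed assessments, with evidence aging and a cut-off decision.
# The Beta-posterior belief and every threshold and value below are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Assessment:
    time: float      # when the encounter was observed (assumed unit: seconds)
    suspicious: int  # 1 = abnormal behaviour seen in the encounter, 0 = normal

def age_evidence(assessments, now, window):
    """Evidence aging: discard assessments older than `window` time units."""
    return [a for a in assessments if now - a.time <= window]

def belief(assessments, prior_a=1.0, prior_b=1.0):
    """Estimated probability that the observed node is infected (assumption:
    Beta(a, b) prior over the 0/1 assessments, reported as the posterior mean)."""
    k = sum(a.suspicious for a in assessments)
    return (prior_a + k) / (prior_a + prior_b + len(assessments))

def dogmatic_filter(trusted, offered, tolerance):
    """Dogmatic principle: accept another node's batch of evidence only if it
    would not move the current opinion by more than `tolerance`."""
    return abs(belief(trusted + offered) - belief(trusted)) <= tolerance

def consolidate(own, offers, tolerance):
    """Bootstrap from one's own (truthful) assessments, then fold in each offered
    batch that passes the filter; accepted batches join the trusted set."""
    trusted = list(own)
    for offered in offers:
        if dogmatic_filter(trusted, offered, tolerance):
            trusted = trusted + offered
    return trusted

def should_cut_off(assessments, threshold):
    """Simple cut-off containment: stop communicating with the node once the
    estimated infection probability reaches `threshold`."""
    return belief(assessments) >= threshold

# Constructed scenario: our own encounters with node X, plus shared evidence
# from an honest neighbour and from a liar who reports X as clean 20 times.
NOW, WINDOW, TOLERANCE, CUTOFF = 100.0, 90.0, 0.2, 0.6
OWN = [Assessment(t, s) for t, s in ((5, 0), (40, 1), (60, 1), (80, 0), (95, 1), (99, 1))]
HONEST = [Assessment(t, s) for t, s in ((90, 1), (92, 1), (96, 0), (99, 1))]
LIAR = [Assessment(98, 0) for _ in range(20)]

def run_example():
    own = age_evidence(OWN, NOW, WINDOW)  # drops the stale t=5 assessment
    trusted = consolidate(own, [HONEST, LIAR], TOLERANCE)
    return {"own": belief(own), "consolidated": belief(trusted),
            "cut_off": should_cut_off(trusted, CUTOFF),
            "unfiltered": should_cut_off(own + HONEST + LIAR, CUTOFF)}
```

Without the filter, the liar's twenty "clean" reports would pull the estimate below the cut-off and X would keep being trusted; with it, the batch is rejected because it contradicts first-hand evidence too sharply, while the honest neighbour's batch is accepted.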