Krishna Chaitanya Yarlagadda 011103105
INTERNAL GUIDE
Mr. J. Sethuraman
TITLE
Self-Disciplinary Worms and Countermeasures: Modeling and Analysis
SCOPE
To develop proper countermeasures for defending against self-disciplinary worms.
THEORETICAL BACKGROUND
• Most previous work assumed that a worm always propagates itself at the highest possible speed.
• Some newly developed worms (e.g., the “Atak” worm) contradict this assumption by deliberately reducing their propagation speed in order to avoid detection.
• As such, we study a new class of worms, referred to as self-disciplinary worms. These worms adapt their propagation patterns in order to reduce the probability of detection and, eventually, to infect more computers. We demonstrate that existing worm detection schemes based on traffic volume and variance cannot effectively defend against these self-disciplinary worms.
EXISTING SYSTEM
In the existing system, once a worm has infected a number of computers without being detected, the worm propagator can remotely control the infected computers and use them as stepping stones to launch further attacks (e.g., distributed denial-of-service (DDoS), phishing and spyware). In most existing systems, if a system is affected by a worm, it is cleared using antivirus software. But if the operating system itself is affected by the worm, it is impossible to clear it. As a result, the operating system has to be formatted and a new operating system installed. Even if the worm is found and cleared, the user may not know the source node that sent the worm file. This is a major disadvantage of the existing systems.
PROBLEM DEFINITION
Networks carry diverse applications such as file sharing, collaboration, process sharing and distributed computing. Over the years, worms have emerged as a main source of trouble in P2P and client/server networks. If hackers identify the threshold value of a system, they can easily spread worms across the network. Another problem is that it is difficult to identify the original source.
PROPOSED SYSTEM
• In the proposed system, the propagator can be identified based on its requests. Whenever a node encounters a worm, the proposed system detects it automatically and also deletes the worm file. With the help of the patch framework, the worm in the affected system is cleared. We also perform IP trace back to find the original source that produces the worms. The proposed system thus offers the following merits:
• The worm is detected dynamically
• Both dynamic and static worms are detected efficiently
• The user is alerted
• The worm source is traced
MODULES
• Worm propagator.
• Spectrum Analysis.
• Worm detection.
• Trace back.
• Attack Source Elimination.
MODULE DESCRIPTION
Module 1: Worm Propagator
• The worm propagator is the attacker who spreads the worm in a network. In general, a worm propagator has two objectives:
• To maximize the number of infected computers.
• To avoid being traced back.
Module 2: Spectrum Analysis
• In Spectrum Analysis, the worm’s behavior is monitored continuously. Based on the behavior of the worm over a period of time, we can determine whether its behavior is static or dynamic.
• Worms with static behavior can usually be controlled by the traditional methods. The spectrum method is used to find the dynamic behavior of worms.
Module 3: Worm Detection
• Self-disciplinary worms may propagate dynamically or statically. A major effort for detecting worm propagation has been the Internet Threat Monitoring (ITM) system.
• An ITM system consists of one centralized data center and a number of monitors, which are distributed across the Internet at hosts, routers, firewalls, etc. Each monitor is responsible for monitoring suspicious traffic and reporting it to the data center. The data center then analyzes the collected traffic logs and detects worm attacks.
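An added example (not from the slides or the project's code) for the Spectrum Analysis and Worm Detection modules above: a volume/variance threshold check, as an ITM data center might run over monitor report counts, beside a long-window spectrum check. The report counts, the thresholds, the 64-interval rate pattern and the peak-to-mean power feature are constructed assumptions; the slides do not say which spectrum feature the project computes.

```python
import cmath
import math
import random

N = 4096      # intervals per analysis window (power of two for the FFT)
PERIOD = 64   # constructed: the slow scan rate repeats every 64 intervals


def background(seed, n=N):
    """Constructed benign monitor reports per interval: 100 +/- 10, unstructured."""
    rng = random.Random(seed)
    return [100 + rng.randint(-10, 10) for _ in range(n)]


def with_fast_worm(series, extra=40, start=N - 256):
    """Constructed full-speed outbreak: 40 extra reports per interval at the end."""
    return [c + (extra if i >= start else 0) for i, c in enumerate(series)]


def with_slow_worm(series, period=PERIOD):
    """Constructed rate-limited scanning: 0..4 extra reports, slowly varying."""
    return [c + round(2 + 2 * math.sin(2 * math.pi * i / period))
            for i, c in enumerate(series)]


def mean_std(xs):
    m = sum(xs) / len(xs)
    return m, math.sqrt(sum((x - m) ** 2 for x in xs) / len(xs))


def volume_variance_alert(window, baseline, k=3.0, var_factor=1.5):
    """Threshold scheme: alert if any interval exceeds baseline mean + k*std,
    or the window variance exceeds var_factor times the baseline variance."""
    m, s = mean_std(baseline)
    _, ws = mean_std(window)
    return max(window) > m + k * s or ws ** 2 > var_factor * s ** 2


def fft(x):
    """Recursive radix-2 FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * cmath.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + t, even[k] - t
    return out


def spectrum_peak(window):
    """Return (peak-to-mean power ratio, period of the peak in intervals)
    over the non-DC half of the periodogram of the mean-removed counts."""
    m = sum(window) / len(window)
    spec = fft([c - m for c in window])
    power = [abs(v) ** 2 for v in spec[1:len(window) // 2]]  # bins 1..N/2-1
    k = max(range(len(power)), key=power.__getitem__)
    return power[k] / (sum(power) / len(power)), len(window) / (k + 1)


def spectrum_alert(window, limit=30.0):
    """Alert when one frequency holds far more power than the average bin.
    For unstructured counts the largest bin is typically below ~15x the mean."""
    ratio, period = spectrum_peak(window)
    return ratio > limit, period


def run_demo():
    baseline = background(seed=1)   # clean history used to set the thresholds
    clean = background(seed=2)
    rows = {}
    for name, window in (("clean", clean),
                         ("fast worm", with_fast_worm(clean)),
                         ("slow worm", with_slow_worm(clean))):
        hit, period = spectrum_alert(window)
        rows[name] = (volume_variance_alert(window, baseline), hit, period)
    return rows


if __name__ == "__main__":
    for name, (vol, spec, period) in run_demo().items():
        print(f"{name:10s} volume/variance={vol!s:5s} spectrum={spec!s:5s} "
              f"peak period={period:.0f} intervals")
```

The slow component never lifts an interval above the 3-sigma threshold, so only the long observation window exposes it; shorter windows weaken the spectral peak relative to the background.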
Module 4: IP Trace back
Another defensive countermeasure is trace back, which enables law enforcement agencies to identify the original worm propagators and punish them. A trace back scheme typically involves a number of routers, which monitor all through-traffic and store traffic logs in a storage server.
When a “trace back” order is given, the traffic logs (e.g., flow-level records logged by the networks) are analyzed post-mortem in order to identify the origin of the worm propagator. When the source of the worm is detected, the system alerts the node about the source and blocks all packets from that particular source.
Module 5: Attack Source Elimination
• Once the IP trace back system is applied, we can identify the exact source system involved in spreading the worms. Having identified the source of the worm creator, we can eliminate that system from the network. This process of elimination makes communication more secure.
[Figures not reproduced: dataflow diagram, sequence diagram, use case diagram, class diagram]
METHODOLOGY ADOPTED AND SYSTEM IMPLEMENTATION
Module 1:
• The worm propagator spreads worms across the network to infect more computers. This module is implemented by sending worm-containing files across the network.
Module 2:
• The behavior of the system is monitored continuously, and any change in the behavior can be detected by the Spectrum Analysis method.
Module 3:
• The worm detector identifies whether a file is an ordinary file or a worm-affected file. The dummy worm files are downloaded and kept in one folder to differentiate them from ordinary ones.
Module 4:
• The source node that sends the worm file across the network is identified in this module.
Module 5:
• After the source node is identified, it is eliminated from the network if the file it sent contains a worm.
METHODOLOGY ADOPTED:
JDK 1.3:
• We use the Java Development Kit (JDK) 1.3, so the various .java files of an applet must be compiled with it.
Java Swing:
• The Swing toolkit includes a rich set of components for building GUIs and adding interactivity to Java applications.
• Swing includes all the components of a modern toolkit, such as table controls, list controls, tree controls, buttons, and labels.
MS SQL Server 2000:
• Microsoft SQL Server 2000 is a full-featured relational database management system (RDBMS).
• It offers a variety of administrative tools to ease the burdens of database development, maintenance and administration.
SYSTEM PLANNING
• Create a GUI and enter the number of nodes and the node names.
• Establish the connections between the nodes using their ports and IP addresses.
• The source and destination connections established are stored in the database.
• Create one applet for each node in the network. Include in it the options the nodes need in order to communicate (for example, to browse for a file and send it across the established connection).
• The dummy worm files are downloaded and kept in a separate folder.
• If the file sent between the nodes is an ordinary file, communication continues.
• If the file sent between the nodes contains a worm, the worm is detected and the source node is identified.
• After the source node is identified, Attack Source Elimination disconnects the node that spreads the worm from the network to provide secure communication.
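CODING:
Code for connecting to the database

    // Requires: import java.sql.*;
    // con (Connection) and stmt (Statement) are fields of the enclosing class.
    public void ConnectDB()
    {
        try {
            // Load the JDBC-ODBC bridge driver that ships with JDK 1.3
            Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
            // DSN-less ODBC string: local SQL Server, database dht1.
            // It logs in as sa, the SQL Server administrator login, and carries no password.
            con = DriverManager.getConnection(
                "jdbc:odbc:DRIVER=SQL Server;Server=.;Database=dht1;UID=sa");
            stmt = con.createStatement();
        } catch (Exception ex) {
            // A failed connection is only printed; con and stmt are left unset
            ex.printStackTrace();
            System.out.println(ex);
        }
    }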
HARDWARE REQUIREMENTS
• Processor: Pentium II 266 MHz
• RAM: 64 MB
• HDD: 2.1 GB
SOFTWARE REQUIREMENTS
• Platform: Windows XP
• Front End: Java JDK 1.3, Swing
• Back End: MS SQL Server

More Related Content

What's hot

Broadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitorBroadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitorUltraUploader
 
A taxonomy of computer worms
A taxonomy of computer wormsA taxonomy of computer worms
A taxonomy of computer wormsUltraUploader
 
IDS Network security - Bouvry
IDS Network security - BouvryIDS Network security - Bouvry
IDS Network security - Bouvry
gh02
 
Metasploit
MetasploitMetasploit
Metasploit
ninguna
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CDamiable_indian
 
Operating systems and computer security
Operating systems and computer securityOperating systems and computer security
Operating systems and computer security
Swati Bhonde
 
Virus detection based on virus throttle technology
Virus detection based on virus throttle technologyVirus detection based on virus throttle technology
Virus detection based on virus throttle technology
Ahmed Muzammil
 
Paper id 312201513
Paper id 312201513Paper id 312201513
Paper id 312201513
IJRAT
 
Enhanced green firewall for
Enhanced green firewall forEnhanced green firewall for
Enhanced green firewall for
ijistjournal
 
Malware detection
Malware detectionMalware detection
Malware detection
ssuser1eca7d
 
Network Security Enhancement in WSN by Detecting Misbehavioural Activity as C...
Network Security Enhancement in WSN by Detecting Misbehavioural Activity as C...Network Security Enhancement in WSN by Detecting Misbehavioural Activity as C...
Network Security Enhancement in WSN by Detecting Misbehavioural Activity as C...
ijtsrd
 
Ijfls05
Ijfls05Ijfls05
Ijfls05ijfls
 
Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploitdevilback
 
Honey pots
Honey potsHoney pots
Honey pots
Divya korrapati
 
NOVEL HYBRID INTRUSION DETECTION SYSTEM FOR CLUSTERED WIRELESS SENSOR NETWORK
NOVEL HYBRID INTRUSION DETECTION SYSTEM FOR CLUSTERED WIRELESS SENSOR NETWORKNOVEL HYBRID INTRUSION DETECTION SYSTEM FOR CLUSTERED WIRELESS SENSOR NETWORK
NOVEL HYBRID INTRUSION DETECTION SYSTEM FOR CLUSTERED WIRELESS SENSOR NETWORK
IJNSA Journal
 
A Distributed Approach for Detecting Wormhole Attack in Wireless Network Codi...
A Distributed Approach for Detecting Wormhole Attack in Wireless Network Codi...A Distributed Approach for Detecting Wormhole Attack in Wireless Network Codi...
A Distributed Approach for Detecting Wormhole Attack in Wireless Network Codi...
IRJET Journal
 
Report_Honeypots_Trojans_Spyware
Report_Honeypots_Trojans_SpywareReport_Honeypots_Trojans_Spyware
Report_Honeypots_Trojans_SpywareShan Kumar
 
An approach to containing computer viruses
An approach to containing computer virusesAn approach to containing computer viruses
An approach to containing computer virusesUltraUploader
 
Honeypots
HoneypotsHoneypots

What's hot (20)

Broadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitorBroadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitor
 
A taxonomy of computer worms
A taxonomy of computer wormsA taxonomy of computer worms
A taxonomy of computer worms
 
IDS Network security - Bouvry
IDS Network security - BouvryIDS Network security - Bouvry
IDS Network security - Bouvry
 
Metasploit
MetasploitMetasploit
Metasploit
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
Operating systems and computer security
Operating systems and computer securityOperating systems and computer security
Operating systems and computer security
 
Virus detection based on virus throttle technology
Virus detection based on virus throttle technologyVirus detection based on virus throttle technology
Virus detection based on virus throttle technology
 
Paper id 312201513
Paper id 312201513Paper id 312201513
Paper id 312201513
 
Enhanced green firewall for
Enhanced green firewall forEnhanced green firewall for
Enhanced green firewall for
 
Malware detection
Malware detectionMalware detection
Malware detection
 
Network Security Enhancement in WSN by Detecting Misbehavioural Activity as C...
Network Security Enhancement in WSN by Detecting Misbehavioural Activity as C...Network Security Enhancement in WSN by Detecting Misbehavioural Activity as C...
Network Security Enhancement in WSN by Detecting Misbehavioural Activity as C...
 
Ijfls05
Ijfls05Ijfls05
Ijfls05
 
Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploit
 
Honey pots
Honey potsHoney pots
Honey pots
 
NOVEL HYBRID INTRUSION DETECTION SYSTEM FOR CLUSTERED WIRELESS SENSOR NETWORK
NOVEL HYBRID INTRUSION DETECTION SYSTEM FOR CLUSTERED WIRELESS SENSOR NETWORKNOVEL HYBRID INTRUSION DETECTION SYSTEM FOR CLUSTERED WIRELESS SENSOR NETWORK
NOVEL HYBRID INTRUSION DETECTION SYSTEM FOR CLUSTERED WIRELESS SENSOR NETWORK
 
A Distributed Approach for Detecting Wormhole Attack in Wireless Network Codi...
A Distributed Approach for Detecting Wormhole Attack in Wireless Network Codi...A Distributed Approach for Detecting Wormhole Attack in Wireless Network Codi...
A Distributed Approach for Detecting Wormhole Attack in Wireless Network Codi...
 
Report_Honeypots_Trojans_Spyware
Report_Honeypots_Trojans_SpywareReport_Honeypots_Trojans_Spyware
Report_Honeypots_Trojans_Spyware
 
An approach to containing computer viruses
An approach to containing computer virusesAn approach to containing computer viruses
An approach to containing computer viruses
 
Honey pot in cloud computing
Honey pot in cloud computingHoney pot in cloud computing
Honey pot in cloud computing
 
Honeypots
HoneypotsHoneypots
Honeypots
 

Similar to Detection of Self-Disciplinary Worms

A trust system based on multi level virus detection
A trust system based on multi level virus detectionA trust system based on multi level virus detection
A trust system based on multi level virus detectionUltraUploader
 
Internet Worm Classification and Detection using Data Mining Techniques
Internet Worm Classification and Detection using Data Mining TechniquesInternet Worm Classification and Detection using Data Mining Techniques
Internet Worm Classification and Detection using Data Mining Techniques
iosrjce
 
L017317681
L017317681L017317681
L017317681
IOSR Journals
 
Computer worm
Computer wormComputer worm
Computer wormzelkan19
 
Computer worm
Computer wormComputer worm
Computer wormzelkan19
 
DB-OLS: An Approach for IDS1
DB-OLS: An Approach for IDS1DB-OLS: An Approach for IDS1
DB-OLS: An Approach for IDS1
IJITE
 
Modul 4 Intrusion Detection System IDS.ppt
Modul 4 Intrusion Detection System IDS.pptModul 4 Intrusion Detection System IDS.ppt
Modul 4 Intrusion Detection System IDS.ppt
cemporku
 
G0262042047
G0262042047G0262042047
G0262042047
inventionjournals
 
International Journal of Engineering and Science Invention (IJESI)
International Journal of Engineering and Science Invention (IJESI)International Journal of Engineering and Science Invention (IJESI)
International Journal of Engineering and Science Invention (IJESI)
inventionjournals
 
G0262042047
G0262042047G0262042047
G0262042047
inventionjournals
 
Kx3419591964
Kx3419591964Kx3419591964
Kx3419591964
IJERA Editor
 
Paper-ComputerWormClassification.pdf
Paper-ComputerWormClassification.pdfPaper-ComputerWormClassification.pdf
Paper-ComputerWormClassification.pdf
RishikhesanALMuniand
 
Program and System Threats
Program and System ThreatsProgram and System Threats
Program and System ThreatsReddhi Basu
 
System_security.pptx
System_security.pptxSystem_security.pptx
System_security.pptx
SusmitaSaha812194
 
Talk of the hour, the wanna crypt ransomware
Talk of the hour, the wanna crypt ransomwareTalk of the hour, the wanna crypt ransomware
Talk of the hour, the wanna crypt ransomware
shubaira
 
G011123539
G011123539G011123539
G011123539
IOSR Journals
 
Virtual Labs SniffingConsider what you have learned so far
Virtual Labs SniffingConsider what you have learned so far Virtual Labs SniffingConsider what you have learned so far
Virtual Labs SniffingConsider what you have learned so far
AlleneMcclendon878
 
Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9koolkampus
 
Intrusion Detection Systems By Anamoly-Based Using Neural Network
Intrusion Detection Systems By Anamoly-Based Using Neural NetworkIntrusion Detection Systems By Anamoly-Based Using Neural Network
Intrusion Detection Systems By Anamoly-Based Using Neural Network
IOSR Journals
 

Similar to Detection of Self-Disciplinary Worms (20)

A trust system based on multi level virus detection
A trust system based on multi level virus detectionA trust system based on multi level virus detection
A trust system based on multi level virus detection
 
Mitppt
MitpptMitppt
Mitppt
 
Internet Worm Classification and Detection using Data Mining Techniques
Internet Worm Classification and Detection using Data Mining TechniquesInternet Worm Classification and Detection using Data Mining Techniques
Internet Worm Classification and Detection using Data Mining Techniques
 
L017317681
L017317681L017317681
L017317681
 
Computer worm
Computer wormComputer worm
Computer worm
 
Computer worm
Computer wormComputer worm
Computer worm
 
DB-OLS: An Approach for IDS1
DB-OLS: An Approach for IDS1DB-OLS: An Approach for IDS1
DB-OLS: An Approach for IDS1
 
Modul 4 Intrusion Detection System IDS.ppt
Modul 4 Intrusion Detection System IDS.pptModul 4 Intrusion Detection System IDS.ppt
Modul 4 Intrusion Detection System IDS.ppt
 
G0262042047
G0262042047G0262042047
G0262042047
 
International Journal of Engineering and Science Invention (IJESI)
International Journal of Engineering and Science Invention (IJESI)International Journal of Engineering and Science Invention (IJESI)
International Journal of Engineering and Science Invention (IJESI)
 
G0262042047
G0262042047G0262042047
G0262042047
 
Kx3419591964
Kx3419591964Kx3419591964
Kx3419591964
 
Paper-ComputerWormClassification.pdf
Paper-ComputerWormClassification.pdfPaper-ComputerWormClassification.pdf
Paper-ComputerWormClassification.pdf
 
Program and System Threats
Program and System ThreatsProgram and System Threats
Program and System Threats
 
System_security.pptx
System_security.pptxSystem_security.pptx
System_security.pptx
 
Talk of the hour, the wanna crypt ransomware
Talk of the hour, the wanna crypt ransomwareTalk of the hour, the wanna crypt ransomware
Talk of the hour, the wanna crypt ransomware
 
G011123539
G011123539G011123539
G011123539
 
Virtual Labs SniffingConsider what you have learned so far
Virtual Labs SniffingConsider what you have learned so far Virtual Labs SniffingConsider what you have learned so far
Virtual Labs SniffingConsider what you have learned so far
 
Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9
 
Intrusion Detection Systems By Anamoly-Based Using Neural Network
Intrusion Detection Systems By Anamoly-Based Using Neural NetworkIntrusion Detection Systems By Anamoly-Based Using Neural Network
Intrusion Detection Systems By Anamoly-Based Using Neural Network
 

Recently uploaded

Tutorial for 16S rRNA Gene Analysis with QIIME2.pdf
Tutorial for 16S rRNA Gene Analysis with QIIME2.pdfTutorial for 16S rRNA Gene Analysis with QIIME2.pdf
Tutorial for 16S rRNA Gene Analysis with QIIME2.pdf
aqil azizi
 
Planning Of Procurement o different goods and services
Planning Of Procurement o different goods and servicesPlanning Of Procurement o different goods and services
Planning Of Procurement o different goods and services
JoytuBarua2
 
Technical Drawings introduction to drawing of prisms
Technical Drawings introduction to drawing of prismsTechnical Drawings introduction to drawing of prisms
Technical Drawings introduction to drawing of prisms
heavyhaig
 
Fundamentals of Electric Drives and its applications.pptx
Fundamentals of Electric Drives and its applications.pptxFundamentals of Electric Drives and its applications.pptx
Fundamentals of Electric Drives and its applications.pptx
manasideore6
 
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理
zwunae
 
Understanding Inductive Bias in Machine Learning
Understanding Inductive Bias in Machine LearningUnderstanding Inductive Bias in Machine Learning
Understanding Inductive Bias in Machine Learning
SUTEJAS
 
A review on techniques and modelling methodologies used for checking electrom...
A review on techniques and modelling methodologies used for checking electrom...A review on techniques and modelling methodologies used for checking electrom...
A review on techniques and modelling methodologies used for checking electrom...
nooriasukmaningtyas
 
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
ydteq
 
一比一原版(Otago毕业证)奥塔哥大学毕业证成绩单如何办理
一比一原版(Otago毕业证)奥塔哥大学毕业证成绩单如何办理一比一原版(Otago毕业证)奥塔哥大学毕业证成绩单如何办理
一比一原版(Otago毕业证)奥塔哥大学毕业证成绩单如何办理
dxobcob
 
sieving analysis and results interpretation
sieving analysis and results interpretationsieving analysis and results interpretation
sieving analysis and results interpretation
ssuser36d3051
 
Harnessing WebAssembly for Real-time Stateless Streaming Pipelines
Harnessing WebAssembly for Real-time Stateless Streaming PipelinesHarnessing WebAssembly for Real-time Stateless Streaming Pipelines
Harnessing WebAssembly for Real-time Stateless Streaming Pipelines
Christina Lin
 
basic-wireline-operations-course-mahmoud-f-radwan.pdf
basic-wireline-operations-course-mahmoud-f-radwan.pdfbasic-wireline-operations-course-mahmoud-f-radwan.pdf
basic-wireline-operations-course-mahmoud-f-radwan.pdf
NidhalKahouli2
 
Unbalanced Three Phase Systems and circuits.pptx
Unbalanced Three Phase Systems and circuits.pptxUnbalanced Three Phase Systems and circuits.pptx
Unbalanced Three Phase Systems and circuits.pptx
ChristineTorrepenida1
 
NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...
NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...
NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...
ssuser7dcef0
 
PPT on GRP pipes manufacturing and testing
PPT on GRP pipes manufacturing and testingPPT on GRP pipes manufacturing and testing
PPT on GRP pipes manufacturing and testing
anoopmanoharan2
 
[JPP-1] - (JEE 3.0) - Kinematics 1D - 14th May..pdf
[JPP-1] - (JEE 3.0) - Kinematics 1D - 14th May..pdf[JPP-1] - (JEE 3.0) - Kinematics 1D - 14th May..pdf
[JPP-1] - (JEE 3.0) - Kinematics 1D - 14th May..pdf
awadeshbabu
 
Swimming pool mechanical components design.pptx
Swimming pool  mechanical components design.pptxSwimming pool  mechanical components design.pptx
Swimming pool mechanical components design.pptx
yokeleetan1
 
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&BDesign and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Sreedhar Chowdam
 
Heap Sort (SS).ppt FOR ENGINEERING GRADUATES, BCA, MCA, MTECH, BSC STUDENTS
Heap Sort (SS).ppt FOR ENGINEERING GRADUATES, BCA, MCA, MTECH, BSC STUDENTSHeap Sort (SS).ppt FOR ENGINEERING GRADUATES, BCA, MCA, MTECH, BSC STUDENTS
Heap Sort (SS).ppt FOR ENGINEERING GRADUATES, BCA, MCA, MTECH, BSC STUDENTS
Soumen Santra
 
Hierarchical Digital Twin of a Naval Power System
Hierarchical Digital Twin of a Naval Power SystemHierarchical Digital Twin of a Naval Power System
Hierarchical Digital Twin of a Naval Power System
Kerry Sado
 

Recently uploaded (20)

Tutorial for 16S rRNA Gene Analysis with QIIME2.pdf
Tutorial for 16S rRNA Gene Analysis with QIIME2.pdfTutorial for 16S rRNA Gene Analysis with QIIME2.pdf
Tutorial for 16S rRNA Gene Analysis with QIIME2.pdf
 
Planning Of Procurement o different goods and services
Planning Of Procurement o different goods and servicesPlanning Of Procurement o different goods and services
Planning Of Procurement o different goods and services
 
Technical Drawings introduction to drawing of prisms
Technical Drawings introduction to drawing of prismsTechnical Drawings introduction to drawing of prisms
Technical Drawings introduction to drawing of prisms
 
Fundamentals of Electric Drives and its applications.pptx
Fundamentals of Electric Drives and its applications.pptxFundamentals of Electric Drives and its applications.pptx
Fundamentals of Electric Drives and its applications.pptx
 
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理
 
Understanding Inductive Bias in Machine Learning
Understanding Inductive Bias in Machine LearningUnderstanding Inductive Bias in Machine Learning
Understanding Inductive Bias in Machine Learning
 
A review on techniques and modelling methodologies used for checking electrom...
A review on techniques and modelling methodologies used for checking electrom...A review on techniques and modelling methodologies used for checking electrom...
A review on techniques and modelling methodologies used for checking electrom...
 
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
 
一比一原版(Otago毕业证)奥塔哥大学毕业证成绩单如何办理
一比一原版(Otago毕业证)奥塔哥大学毕业证成绩单如何办理一比一原版(Otago毕业证)奥塔哥大学毕业证成绩单如何办理
一比一原版(Otago毕业证)奥塔哥大学毕业证成绩单如何办理
 
sieving analysis and results interpretation
sieving analysis and results interpretationsieving analysis and results interpretation
sieving analysis and results interpretation
 
Harnessing WebAssembly for Real-time Stateless Streaming Pipelines
Harnessing WebAssembly for Real-time Stateless Streaming PipelinesHarnessing WebAssembly for Real-time Stateless Streaming Pipelines
Harnessing WebAssembly for Real-time Stateless Streaming Pipelines
 
basic-wireline-operations-course-mahmoud-f-radwan.pdf
basic-wireline-operations-course-mahmoud-f-radwan.pdfbasic-wireline-operations-course-mahmoud-f-radwan.pdf
basic-wireline-operations-course-mahmoud-f-radwan.pdf
 
Unbalanced Three Phase Systems and circuits.pptx
Unbalanced Three Phase Systems and circuits.pptxUnbalanced Three Phase Systems and circuits.pptx
Unbalanced Three Phase Systems and circuits.pptx
 
NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...
NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...
NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...
 
PPT on GRP pipes manufacturing and testing
PPT on GRP pipes manufacturing and testingPPT on GRP pipes manufacturing and testing
PPT on GRP pipes manufacturing and testing
 
[JPP-1] - (JEE 3.0) - Kinematics 1D - 14th May..pdf
[JPP-1] - (JEE 3.0) - Kinematics 1D - 14th May..pdf[JPP-1] - (JEE 3.0) - Kinematics 1D - 14th May..pdf
[JPP-1] - (JEE 3.0) - Kinematics 1D - 14th May..pdf
 
Swimming pool mechanical components design.pptx
Swimming pool  mechanical components design.pptxSwimming pool  mechanical components design.pptx
Swimming pool mechanical components design.pptx
 
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&BDesign and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
 
Heap Sort (SS).ppt FOR ENGINEERING GRADUATES, BCA, MCA, MTECH, BSC STUDENTS
Heap Sort (SS).ppt FOR ENGINEERING GRADUATES, BCA, MCA, MTECH, BSC STUDENTSHeap Sort (SS).ppt FOR ENGINEERING GRADUATES, BCA, MCA, MTECH, BSC STUDENTS
Heap Sort (SS).ppt FOR ENGINEERING GRADUATES, BCA, MCA, MTECH, BSC STUDENTS
 
Hierarchical Digital Twin of a Naval Power System
Hierarchical Digital Twin of a Naval Power SystemHierarchical Digital Twin of a Naval Power System
Hierarchical Digital Twin of a Naval Power System
 

Detection of Self-Disciplinary Worms

  • 1.  Krishna Chaitanya Yarlagadda 011103105 INTERNAL GUIDE Mr.J.Sethuraman
  • 3. SCOPE To develop the proper countermeasures for defending against self-disciplinary worm
  • 4. THEORETICAL BACKGROUND  Most previous work assumed that a worm always propagates itself at the highest possible speed.  Some newly developed worms (e.g.,“Atak” worm) contradict this assumption by deliberately reducing the propagation speed in order to avoid detection.  As such, we study a new class of worms, referred to as self- disciplinary worms. These worms adapt their propagation patterns in order to reduce the probability of detection, and eventually, to infect more computers. We demonstrate that existing worm detection schemes based on traffic volume and variance cannot effectively defend against these self-disciplinary worms
  • 5. EXISTING SYSTEM In the existing system the worms infecting a number of computers without being detected, the worm propagator can remotely control the infected computers and use them as stepping stones to launch further attacks (e.g., distributed denial-of-service (DDOS) , phishing and spyware. In most of the existing system, if a system is affected by worm it is cleared by using antivirus software. But if the operating system of a system gets affected by worm it is impossible to clear it. As a result the operating system has to be formatted and a new operating system only should be installed. If worm were found out and cleared user might not know about the source node which sent the worm file. This is major disadvantage in the existing systems.
  • 6. PROBLEM DEFINITION In networks we have diversified applications like file sharing, collaborations, and process sharing and distributed computing. Over the years, worms have emerged as a main source of trouble in P2P or client/server networks. If hackers’ identifies the threshold value of any systems means they can easily spread the worms among the network. Another problem is, it is difficult to identify the original source.
  • 7. PROPOSED SYSTEM  In the proposed system, we can make a best identification of the propagator based on their request. Whenever any node detects any worms automatically the worm is detected by our proposed system and deletes the worm file also. And with the help of the patch framework, the worm in the affected system is cleared. And also here we perform the IP trace back for finding out the original source which produces the worms. Thus this proposed system meets the following merits.  Worm is detected dynamically  Both dynamic and static worms are detected efficiently  Alert the user  Fetch out the worm source
  • 8. MODULES  Worm propagator.  Spectrum Analysis.  Worm detection.  Trace back.  Attack Source Elimination.
  • 9. MODULE DESCRIPTION Module 1:WORM PROPAGATOR  Worm propagator is the attacker who spreads the worm in a network. In common a worm propagator has two objectives:  To maximize the number of infected computers.  To avoid being traced back.
  • 10. MODULE DESCRIPTION Module 2: Spectrum Analysis In spectrum analysis, the worm's behavior is monitored continuously. Based on its behavior over a period of time, we can determine whether the worm's behavior is static or dynamic. Worms with static behavior can usually be controlled by the traditional methods, whereas the spectrum method is used to find the dynamic behavior of worms.
  • 11. MODULE DESCRIPTION Module 3: Worm Detection Self-disciplinary worms may be dynamically or statically propagating worms. A major effort in detecting worm propagation has been the Internet Threat Monitoring (ITM) system. An ITM system consists of one centralized data center and a number of monitors, which are distributed across the Internet at hosts, routers, firewalls, etc. Each monitor is responsible for monitoring suspicious traffic and reporting it to the data center. The data center then analyzes the collected traffic logs and detects worm attacks.
  • 12. MODULE DESCRIPTION Module 4: IP Trace back Another defensive countermeasure is trace back, which enables law enforcement agencies to identify the original worm propagators and punish them. A trace back scheme typically involves a number of routers, which monitor all through-traffic and store traffic logs on a storage server. When a “trace back” order is given, the traffic logs (e.g., flow-level records logged by the networks) are analyzed postmortem in order to identify the origin of the worm propagator. When the source of the worm is detected, the system alerts the node about the source and blocks all packets from that source.
  • 13. MODULE DESCRIPTION Module 5: Attack Source Elimination Once the IP trace back system is applied, we can identify the exact system that is spreading the worms. Having identified the source of the worm creator, we can eliminate that system from the network. This elimination makes communication more secure.
  • 18. METHODOLOGY ADOPTED AND SYSTEM IMPLEMENTATION Module 1: The worm propagator spreads worms across the network to affect a larger number of computers. This module is implemented by sending worm-containing files across the network. Module 2: The behavior of the system is monitored continuously, and any change in behavior can be detected by the spectrum analysis method.
  • 19. METHODOLOGY ADOPTED AND SYSTEM IMPLEMENTATION Module 3: The worm detector identifies whether a file is an ordinary file or a worm-affected file. The dummy worm files are downloaded and kept in one folder to differentiate them from ordinary ones. Module 4: The source node that sends the worm file across the network is identified in this module. Module 5: After the source node is identified, it is eliminated from the network if the file it sent contains a worm.
  • 20. METHODOLOGY ADOPTED: JDK 1.3: We have made use of the Java Development Kit (JDK) 1.3; the various .java files of an applet must be compiled with this software. Java Swing: The Swing toolkit includes a rich set of components for building GUIs and adding interactivity to Java applications. Swing includes all the components of a modern toolkit, such as table controls, list controls, tree controls, buttons, and labels. MS SQL Server 2000: Microsoft SQL Server 2000 is a full-featured relational database management system (RDBMS). It offers a variety of administrative tools to ease the burdens of database development, maintenance, and administration.
  • 21. SYSTEM PLANNING
      • Create a GUI and enter the number of nodes and the node names.
      • Establish the connections between the nodes using their ports and IP addresses.
      • Store the established source and destination connections in the database.
      • Create one applet for each node in the network, including the options the nodes need to communicate (for example, to browse for a file and send it across the established connection).
      • Download the dummy worm files and keep them in a separate folder.
  • 22. SYSTEM PLANNING
      • If the file sent between the nodes is an ordinary file, communication continues.
      • If the file sent between the nodes contains a worm, the worm is detected and the source node is identified.
      • After the source node is identified, Attack Source Elimination disconnects the source node that spreads the worm from the network to provide secure communication.
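  • 23. CODING: Code for connecting to the database
      import java.sql.Connection;
      import java.sql.DriverManager;
      import java.sql.Statement;

      // Fields of the enclosing class, reused by the other database methods.
      Connection con;
      Statement stmt;

      public void ConnectDB() {
          try {
              // Load the JDBC-ODBC bridge driver bundled with the JDK used here.
              Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
              // Local SQL Server, database dht1, login "sa"; the string carries no password.
              con = DriverManager.getConnection("jdbc:odbc:DRIVER=SQL Server;Server=.;Database=dht1;UID=sa");
              stmt = con.createStatement();
          } catch (Exception ex) {
              ex.printStackTrace();
              System.out.println(ex);
          }
      }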
  • 24. HARDWARE REQUIREMENTS
      • Processor: Pentium II 266 MHz
      • RAM: 64 MB
      • HDD: 2.1 GB
    SOFTWARE REQUIREMENTS
      • Platform: Windows XP
      • Front End: Java JDK 1.3, Swing
      • Back End: MS SQL Server
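An added example (not code from the slides or the project) for Modules 2 and 3: a data center scores the per-interval counts reported by ITM monitors with a volume/variance check and with a spectral check. The spectral statistic (share of energy in the strongest frequency), the thresholds, and the constructed traffic in which a hypothetical worm modulates its scan rate periodically are assumptions; the slides do not specify the spectrum method.

```python
import cmath, math, random

def power_spectrum(counts):
    """Periodogram of the mean-removed series (positive frequencies only)."""
    n = len(counts)
    mean = sum(counts) / n
    x = [c - mean for c in counts]
    return [abs(sum(x[t] * cmath.exp(-2j * math.pi * k * t / n)
                    for t in range(n))) ** 2 / n
            for k in range(1, n // 2 + 1)]

def volume_variance_alarm(counts, base_mean, base_std):
    """Classic detector: alarm on high average volume or inflated variance."""
    n = len(counts)
    mean = sum(counts) / n
    var = sum((c - mean) ** 2 for c in counts) / n
    return mean > base_mean + 3 * base_std or var > 2 * base_std ** 2

def spectrum_alarm(counts, max_peak_share=0.15):
    """Alarm when one frequency holds an outsized share of the energy.
    Returns (alarm, peak_share, period_in_intervals)."""
    psd = power_spectrum(counts)
    peak = max(psd)
    share = peak / sum(psd)
    period = len(counts) / (psd.index(peak) + 1)
    return share > max_peak_share, share, period

def constructed_series(n=256, worm=False, seed=7):
    """Constructed data: per-interval counts of suspicious packets summed
    over all monitors. Background ~ N(100, 10); the hypothetical worm adds
    a slow, rate-limited scan wave with a 32-interval period."""
    rng = random.Random(seed)
    out = []
    for t in range(n):
        c = rng.gauss(100, 10)
        if worm:
            c += 10 * (1 + math.sin(2 * math.pi * t / 32))
        out.append(max(0, round(c)))
    return out

if __name__ == "__main__":
    for label, worm in (("background", False), ("worm", True)):
        s = constructed_series(worm=worm)
        print(label, volume_variance_alarm(s, 100, 10), spectrum_alarm(s))
```

The worm series raises the average count by only about 10% and stays under both classic thresholds, yet its recurring pattern concentrates energy at one period, which is what the spectral check keys on.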
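An added example (not the project's code) of the postmortem analysis described in Module 4: flow records logged by routers are walked backwards from the node where the worm was detected to the earliest sender. The record layout, addresses, port, and the "earliest inbound flow" heuristic are constructed assumptions.

```python
WORM_PORT = 445  # assumption: the port the worm was observed scanning

# Constructed flow records as routers might log them: (time, src, dst, dport).
FLOWS = [
    (10, "10.0.0.5", "10.0.1.7", 445),
    (11, "10.0.0.9", "10.0.1.7", 80),   # ordinary traffic, ignored
    (14, "10.0.1.7", "10.0.2.3", 445),
    (15, "10.0.0.5", "10.0.3.8", 445),
    (19, "10.0.2.3", "10.0.4.1", 445),
    (21, "10.0.3.8", "10.0.4.1", 445),  # second hit on an already-hit host
    (25, "10.0.4.1", "10.0.5.2", 445),
]

def parent_of(host, worm_flows):
    """Most plausible infector of `host`: sender of the earliest worm-port
    flow it received before it started sending worm-port flows itself.
    Returns None when no such flow exists (candidate origin)."""
    outs = [ts for ts, src, _, _ in worm_flows if src == host]
    cutoff = min(outs) if outs else float("inf")
    inbound = [(ts, src) for ts, src, dst, _ in worm_flows
               if dst == host and ts < cutoff]
    return min(inbound)[1] if inbound else None

def trace_back(detected_host, flows, port=WORM_PORT):
    """Follow parent links from the detecting node; the last element of
    the returned path is the origin to alert on and block."""
    worm = [f for f in flows if f[3] == port]
    path = [detected_host]
    while True:
        parent = parent_of(path[-1], worm)
        if parent is None or parent in path:  # origin reached or loop guard
            return path
        path.append(parent)

if __name__ == "__main__":
    path = trace_back("10.0.5.2", FLOWS)
    print(" <- ".join(path), "| block source:", path[-1])
```

Flow-log trace back trusts the logged source addresses, so it names the first infected host the logging routers saw rather than proving who released the worm.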