General Behavioral Characterization of Proximity Malware
Published: Wed, 04 Apr 2018
A delay-tolerant network is a network designed to operate effectively over extreme distances such as those encountered in space communications or on an interplanetary scale. In such an environment, long latency, sometimes measured in hours or days, is inevitable. The popularity of mobile consumer electronics, like laptop computers, PDAs, and more recently and prominently, smart phones, revives the delay-tolerant-network (DTN) model as an alternative to the traditional infrastructure model. The widespread adoption of these devices, coupled with strong economic incentives, induces a class of malware that specifically targets DTNs. We call this class of malware proximity malware. Proximity malware based on the DTN model brings unique security challenges that are not present in the infrastructure model. In the infrastructure model, the cellular carrier centrally monitors networks for abnormalities; moreover, the resource scarcity of individual nodes limits the rate of malware propagation. A prerequisite to defending against proximity malware is to detect it. In this paper, we consider a general behavioral characterization of proximity malware. Behavioral characterization, in terms of system call and program flow, has been previously proposed as an effective alternative to pattern matching for malware detection. In our model, malware-infected nodes' behaviors are observed by others during their multiple opportunistic encounters: individual observations may be imperfect, but abnormal behaviors of infected nodes are identifiable in the long run.
A network is a collection of nodes. Each node communicates with its neighbors and shares data with them. If a node is infected by malware, it must be cleaned; otherwise its neighbors will keep communicating with it and become infected as well. Detecting malware is therefore important. Here we discuss some methods for malware detection.
- EXISTING SYSTEM
Previous research quantifies the threat of proximity malware attacks and demonstrates the possibility of launching such an attack, which is confirmed by recent reports on hijacking hotel Wi-Fi hotspots for drive-by malware attacks. With the adoption of new short-range communication technologies such as NFC and Wi-Fi Direct that facilitate spontaneous bulk data transfer between spatially proximate mobile devices, the threat of proximity malware is becoming more realistic and relevant than ever. Proximity malware based on the DTN model brings unique security challenges that are not present in the infrastructure model.
- EXISTING SYSTEM DISADVANTAGES
- Central monitoring and resource limits are absent in the DTN model.
- Collecting evidence is risky, and the evidence collected may be insufficient.
- False evidence has to be filtered sequentially and in a distributed manner.
1.3.2. LITERATURE SURVEY
Title: An Optimal Distributed Malware Defense System for Mobile Networks with Heterogeneous Devices
Author: Yong Li, Pan Hui
Description: Consider a mobile network where a portion of the nodes are infected by malware. Our research problem is to deploy an efficient defense system to help the infected nodes to recover and prevent the healthy nodes from further infection. Typically, we should disseminate the content-based signatures of known malware to as many nodes as possible. The signature is obtained by using algorithms such as an MD5 hash over the malware content, and they are used by the mobile devices to detect various patterns in the malware and then to disable further propagation. Therefore, distributing these signatures into the whole network while avoiding unnecessary redundancy is our optimization goal.
Title: On Modeling Malware Propagation in Generalized Social Networks
Author: Shin-Ming Cheng
Year: 2011
Description: This article proposes a novel analytical model to efficiently analyze the speed and severity for spreading the hybrid malware such as Commwarrior that targets multimedia messaging service (MMS) and BT. Validation against conducted simulation experiments reveals that our model developed from the Susceptible-Infected (SI) model in epidemiology accurately approximates mixed spreading behaviors in large areas without the huge computational cost, which helps estimate the damages caused by the hybrid malware and aids in the development of detection and containment processes.
Title: Scalable, Behavior-Based Malware Clustering
Author: Ulrich Bayer
Year: 2009
Description: In this research, we propose a scalable clustering approach to identify and group malware samples that exhibit similar behavior. For this, we first perform dynamic analysis to obtain the execution traces of malware programs. These execution traces are then generalized into behavioral profiles, which characterize the activity of a program in more abstract terms. The profiles serve as input to an efficient clustering algorithm that allows us to handle sample sets that are an order of magnitude larger than previous approaches. We have applied our system to real-world malware collections. The results demonstrate that our technique is able to recognize and group malware programs that behave similarly, achieving a better precision than previous approaches. To underline the scalability of the system, we clustered a set of more than 75 thousand samples in less than three hours.
Title: Self-Policing Mobile Ad-Hoc Networks by Reputation Systems
Author: Sonja Buchegger
Year: 2005
Description: Node misbehavior due to selfish or malicious reasons or faulty nodes can significantly degrade the performance of mobile ad-hoc networks. To cope with misbehavior in such self-organized networks, nodes need to be able to automatically adapt their strategy to changing levels of cooperation. Existing approaches such as economic incentives or secure routing by cryptography alleviate some of the problems, but not all. We describe the use of a self-policing mechanism based on reputation to enable mobile ad-hoc networks to keep functioning despite the presence of misbehaving nodes. The reputation system in all nodes makes them detect misbehavior locally by observation and use of second-hand information. Once a misbehaving node is detected it is automatically isolated from the network. We classify the features of such reputation systems and describe possible implementations of each of them. We explain in particular how it is possible to use second-hand information while mitigating contamination by spurious ratings.
Title: The EigenTrust Algorithm for Reputation Management in P2P Networks
Author: Sepandar D. Kamvar, Mario T. Schlosser
Year: 2003
Description: Peer-to-peer file-sharing networks are currently receiving much attention as a means of sharing and distributing information. However, as recent experience shows, the anonymous, open nature of these networks offers an almost ideal environment for the spread of self-replicating inauthentic files. We describe an algorithm to decrease the number of downloads of inauthentic files in a peer-to-peer file-sharing network that assigns each peer a unique global trust value, based on the peer's history of uploads. We present a distributed and secure method to compute global trust values, based on power iteration. By having peers use these global trust values to choose the peers from whom they download, the network effectively identifies malicious peers and isolates them from the network. In simulations, this reputation system, called EigenTrust, has been shown to significantly decrease the number of inauthentic files on the network, even under a variety of conditions where malicious peers cooperate in an attempt to deliberately subvert the system.
Title: When Gossip is Good: Distributed Probabilistic Inference for Detection of Slow Network Intrusions
Author: Denver Dash, Branislav Kveton
Year: 2006
Description: Intrusion attempts due to self-propagating code are becoming an increasingly urgent problem, in part due to the homogeneous makeup of the internet. Recent advances in anomaly based intrusion detection systems (IDSs) have made use of the quickly spreading nature of these attacks to identify them with high sensitivity and at low false positive (FP) rates. However, slowly propagating attacks are much more difficult to detect because they are cloaked under the veil of normal network traffic, yet can be just as dangerous due to their exponential spread pattern. We extend the idea of using collaborative IDSs to corroborate the likelihood of attack by imbuing end hosts with probabilistic graphical models and using random messaging to gossip state among peer detectors. We show that such a system is able to boost a weak anomaly detector D to detect an order-of-magnitude slower worm, at false positive rates less than a few per week, than would be possible using D alone at the end-host or on a network aggregation point.
Title: A Preliminary Investigation of Worm Infections in a Bluetooth Environment
Author: Jing Su, Kelvin K. W. Chan
Year: 2006
Description: Over the past year, there have been several reports of malicious code exploiting vulnerabilities in the Bluetooth protocol. While the research community has started to investigate a diverse set of Bluetooth security issues, little is known about the feasibility and the propagation dynamics of a worm in a Bluetooth environment. This paper is an initial attempt to remedy this situation. We start by showing that the Bluetooth protocol design and implementation is large and complex. We gather traces and we use controlled experiments to investigate whether a large-scale Bluetooth worm outbreak is viable today. Our data shows that starting a Bluetooth worm infection is easy, once a vulnerability is discovered. Finally, we use trace-driven simulations to examine the propagation dynamics of Bluetooth worms. We find that Bluetooth worms can infect a large population of vulnerable devices relatively quickly, in just a few days.
Title: An adaptive anomaly detector for worm detection
Author: John Mark Agosta, Carlos Diuk-Wasser
Year: 2007
Description: We present an adaptive end-host anomaly detector where a supervised classifier trained as a traffic predictor is used to control a time-varying detection threshold. Training and testing it on real traffic traces collected from a number of end-hosts, we show our detector dominates an existing fixed threshold detector. This comparison is robust to the choice of off-the-shelf classifier employed, and to a variety of performance criteria: the predictor’s error rate, the reduction in the “threshold gap” and the ability to detect the simulated threat of incremental worm traffic added to the traces. This detector is intended as a part of a distributed worm detection system that infers system-wide threats from end-host detections, thereby avoiding the sensing and resource limitations of conventional centralized systems. The distributed system places a constraint on this end host detector to appear consistent over time and machine variability.
Title: CPMC: An Efficient Proximity Malware Coping Scheme in Smartphone-based Mobile Networks
Author: Feng Li, Yinying Yang
Year: 2010
Description: Many emerging malware can utilize the proximity of devices to propagate in a distributed manner, thus remaining unobserved and making detections substantially more challenging. Different from existing malware coping schemes, which are either totally centralized or purely distributed, we propose a Community-based Proximity Malware Coping scheme, CPMC. CPMC utilizes the social community structure, which reflects a stable and controllable granularity of security, in smart phone-based mobile networks. The CPMC scheme integrates short-term coping components, which deal with individual malware and long-term evaluation components, which offer vulnerability evaluation towards individual nodes. A closeness-oriented delegation forwarding scheme combined with a community level quarantine method is proposed as the short-term coping components. These components contain a proximity malware by quickly propagating the signature of a detected malware into all communities while avoiding unnecessary redundancy.
- PROPOSED SYSTEM
Behavioral characterization, in terms of system call and program flow, has been previously proposed as an effective alternative to pattern matching for malware detection. In our model, malware-infected nodes' behaviors are observed by others during their multiple opportunistic encounters: individual observations may be imperfect, but abnormal behaviors of infected nodes are identifiable in the long run. We identify challenges for extending Bayesian malware detection to DTNs, and propose a simple yet effective method, look-ahead, to address them. Furthermore, we propose two extensions to look-ahead, dogmatic filtering and adaptive look-ahead, to address the challenge of "malicious nodes sharing false evidence".
- PROPOSED SYSTEM ADVANTAGES
- Real mobile network traces are used to verify the effectiveness of the proposed methods.
- The proposed evidence consolidation strategies minimize the negative impact of liars on the quality of shared evidence.
- The abnormal behaviors of infected nodes are identified in the long run.
We analyze the problem of behavioral characterization of malware nodes in a delay-tolerant network efficiently, without affecting network performance.
2.2. PROBLEM DEFINITION
Proximity malware is a malicious program that disrupts the host node's normal function and has a chance of duplicating itself to other nodes during (opportunistic) contact opportunities between nodes in the DTN. When duplication occurs, the other node is infected with the malware. We present a general behavioral characterization of proximity malware, which captures the functional but imperfect nature of detecting proximity malware. Under the behavioral malware characterization, and with a simple cut-off malware containment strategy, we formulate the malware detection process as a distributed decision problem. We analyze the risk associated with the decision, and design a simple, yet effective, strategy, look-ahead, which naturally reflects individual nodes' intrinsic risk inclinations against malware infection. We present two alternative techniques, dogmatic filtering and adaptive look-ahead, that naturally extend look-ahead to consolidate evidence provided by others, while containing the negative effect of false evidence. A nice property of the proposed evidence consolidation methods is that the results will not worsen even if liars are the majority in the neighborhood.
The methodology analyzes the principles and procedures for behaviorally characterizing a node, using two methods, dogmatic filtering and adaptive look-ahead, to consolidate evidence provided by other nodes while containing the negative impact of liars in a delay-tolerant network.
- Network Nodes
- Malware Detection
- Evidence Analysis
- Evil Node Revocation
2.3.2 MODULE DESCRIPTION
A new user who wants to consume the service must first register by providing the necessary details. After completing the sign-up process, the user logs in to the application with the username and password provided at the time of registration. If the login succeeds, the user is taken to the main page; otherwise the application remains on the login page.
- Network Nodes
Under this module, the IP addresses of the network nodes, which are interconnected by a local area network, are fetched so that resources can be shared among the network. The performance of each individual system is also analyzed to assess its behavior.
- Malware Detection
The malware detection module helps to identify the evil node, that is, the node affected by the malware program.
- Evidence Analysis
This module investigates the evidence about nodes by collecting assessments before a normal node is affected by the malware program. Evidence aging discards outdated assessments of a node, and evidence consolidation filters the assessments of a node provided by other nodes so that false evidence does not dominate.
- Evil Node Revocation
After an evil node is detected, communication with it is dropped to prevent the malware from spreading, and the evil node's details are transferred to the database for further reference. Finally, the evil node is revoked from the network computer list.
2.3.3. MODULE DIAGRAM:
- Network Nodes
- Malware Detection
- Evidence Analysis
- Evil Node Revocation
2.3.4. GIVEN INPUT EXPECTED OUTPUT
Input: Give username and password
Output: Access is allowed to your personal details
Input: Connect to network
Output: Communication between client and server
Input: Transfer your file to another node
Output: Identifying the malicious node
Input: Communicate with other nodes before being affected by a malware node, then collect evidence
Output: All evidence analysis reports are shown
EVIL NODE REVOCATION
Input: Communicate with the malware node until full evidence is collected
Output: Malware node has been removed
2.4. TECHNIQUE USED
Dogmatic filtering is based on the observation that one's own assessments are truthful and can therefore be used to bootstrap the evidence consolidation process. A node shall only accept evidence that will not sway its current opinion too much. We call this observation the dogmatic principle.
Adaptive look-ahead takes a different approach towards evidence consolidation. Instead of deciding whether to use the evidence provided by others directly in the cut-off decision, adaptive look-ahead uses the evidence indirectly by adapting the number of steps to look ahead to the diversity of opinion.
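The following is an added illustration, not code from this project or from the cited paper, of the evidence aging and consolidation described in the Evidence Analysis module and of the dogmatic principle, adaptive look-ahead and cut-off decision described in this section. The binary assessments, the Laplace-smoothed opinion estimate, the max_shift bound and the mapping from opinion spread to look-ahead steps are assumptions of this example.

```python
# Added illustration of the evidence-consolidation ideas on this page (not the
# project's own code). Assessments are constructed: each encounter with node X
# yields 1 (abnormal behaviour observed) or 0 (normal). A node keeps counts,
# ages old evidence, and applies the dogmatic principle to others' reports.
from dataclasses import dataclass

@dataclass
class Evidence:
    suspicious: float = 0.0  # assessments that flagged X as abnormal
    total: float = 0.0       # all assessments of X

    def opinion(self) -> float:
        # Laplace-smoothed estimate of P(X is infected); 0.5 with no evidence.
        return (self.suspicious + 1) / (self.total + 2)

def age_evidence(ev: Evidence, decay: float) -> Evidence:
    """Evidence aging: discount older assessments so stale behaviour fades."""
    return Evidence(ev.suspicious * decay, ev.total * decay)

def dogmatic_filter(own: Evidence, shared: Evidence, max_shift: float):
    """Dogmatic principle: merge a report only if it would not move own
    opinion by more than max_shift. Returns (evidence, accepted)."""
    merged = Evidence(own.suspicious + shared.suspicious, own.total + shared.total)
    if abs(merged.opinion() - own.opinion()) > max_shift:
        return own, False
    return merged, True

def consolidate(own: Evidence, reports, max_shift: float):
    """Apply dogmatic filtering to each report; liars whose evidence contradicts
    direct observation are dropped even if they outnumber honest reporters."""
    accepted = 0
    for r in reports:
        own, ok = dogmatic_filter(own, r, max_shift)
        accepted += ok
    return own, accepted

def look_ahead_steps(reports, base: int = 1, max_steps: int = 5) -> int:
    """Adaptive look-ahead (assumed mapping): the wider the spread of others'
    opinions, the more future encounters the node waits for before cut-off."""
    ops = [r.opinion() for r in reports]
    spread = max(ops) - min(ops) if ops else 0.0
    return min(max_steps, base + round(spread * (max_steps - base)))

def should_cut_off(ev: Evidence, threshold: float) -> bool:
    """Cut-off containment: stop contact with X once P(infected) exceeds threshold."""
    return ev.opinion() > threshold

if __name__ == "__main__":
    own = Evidence(8, 10)                      # direct observations: 8 of 10 abnormal
    honest = Evidence(7, 9)                    # consistent report from a neighbour
    liars = [Evidence(0, 30)] * 3              # three liars whitewashing X
    ev, n = consolidate(own, [honest] + liars, max_shift=0.2)
    print(n, round(ev.opinion(), 3), should_cut_off(ev, 0.6))
```

With the bound in place only the honest report is merged and X is still cut off; with the bound removed (max_shift=1.0) the three liars drag the opinion below the threshold, which is the failure the dogmatic principle is meant to prevent.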