Sunday, June 2, 2019
General Behavioral Characterization of Proximity Malware
CHAPTER 1
PRESENTATION

GENERAL

A delay-tolerant network is a network designed to operate effectively over extreme distances, such as those encountered in space communications or on an interplanetary scale. In such an environment, long latency, sometimes measured in hours or days, is inevitable. The popularity of mobile consumer electronics, like laptop computers, PDAs, and more recently and prominently smartphones, revives the delay-tolerant network (DTN) model as an alternative to the traditional infrastructure model. The widespread adoption of these devices, coupled with strong economic incentives, induces a class of malware that specifically targets DTNs. We call this class of malware proximity malware. Proximity malware based on the DTN model brings unique security challenges that are not present in the infrastructure model. In the infrastructure model, the cellular carrier centrally monitors networks for abnormalities; moreover, the resource scarcity of individual hosts limits the rate of malware propagation. A prerequisite to defending against proximity malware is to detect it. In this paper, we consider a general behavioral characterization of proximity malware. Behavioral characterization, in terms of system call and program flow, has been previously proposed as an effective alternative to pattern matching for malware detection. In our model, malware-infected nodes' behaviors are observed by others during their multiple opportunistic encounters. Individual observations may be imperfect, but abnormal behaviors of infected nodes are identifiable in the long run. A network is a collection of nodes. Each node communicates with its neighbors and shares data with them. If a node is infected by malware, it is necessary to detect it; otherwise its neighbors will keep communicating with it and become infected as well. Hence detection of malware is important.
Here we discuss some methods for the detection of malware.

EXISTING SYSTEM

Previous research evaluates the threat of proximity malware attacks and establishes the possibility of launching such an attack, which is confirmed by recent reports on hijacking hotel Wi-Fi hotspots for drive-by malware attacks. With the adoption of new short-range communication technologies such as NFC and Wi-Fi Direct, which facilitate spontaneous bulk data transfer between spatially proximate mobile devices, the threat of proximity malware is becoming more realistic and relevant than ever. Proximity malware based on the DTN model brings unique security challenges that are not present in the infrastructure model.

EXISTING SYSTEM DISADVANTAGES

Central monitoring and resource limits are absent in the DTN model.
Collecting evidence in isolation is risky, and a single node's evidence may be insufficient.
False evidence has to be filtered out sequentially and in a distributed manner.

1.3.2. LITERATURE SURVEY

Title: An Optimal Distributed Malware Defense System for Mobile Networks with Heterogeneous Devices
Author: Yong Li, Pan Hui
Year: 2011
Description: Consider a mobile network where a portion of the nodes are infected by malware. Our research problem is to deploy a cost-effective defense system to help the infected nodes recover and to preserve the healthy nodes from further infection. Typically, we should disseminate the content-based signatures of known malware to as many nodes as possible. The signature is obtained by applying algorithms such as an MD5 hash over the malware content, and the signatures are used by the mobile devices to detect various patterns in the malware and then to disable further propagation. Therefore, distributing these signatures into the whole network while avoiding unnecessary redundancy is our optimization goal.

Title: On Modeling Malware Propagation in Generalized Social Networks
Author: Shin-Ming Cheng
Year: 2011
Description: This article proposes a novel analytical model to efficiently analyze the speed and severity of the spread of hybrid malware such as Commwarrior, which targets the Multimedia Messaging Service (MMS) and Bluetooth (BT). Validation against conducted simulation experiments reveals that our model, developed from the Susceptible-Infected (SI) model in epidemiology, accurately approximates mixed spreading behaviors in large areas without the huge computational cost, which helps estimate the damage caused by the hybrid malware and aids in the development of detection and containment processes.

Title: Scalable, Behavior-Based Malware Clustering
Author: Ulrich Bayer
Year: 2009
Description: In this research, we propose a scalable clustering approach to identify and group malware samples that exhibit similar behavior. For this, we first perform dynamic analysis to obtain the execution traces of malware programs. These execution traces are then generalized into behavioral profiles, which characterize the activity of a program in more abstract terms. The profiles serve as input to an efficient clustering algorithm that allows us to handle sample sets that are an order of magnitude larger than previous approaches. We have applied our system to real-world malware collections. The results demonstrate that our technique is able to recognize and group malware programs that behave similarly, achieving a better precision than previous approaches. To underline the scalability of the system, we clustered a set of more than 75 thousand samples in less than three hours.

Title: Self-Policing Mobile Ad-Hoc Networks by Reputation Systems
Author: Sonja Buchegger
Year: 2005
Description: Node misbehavior due to selfish or malicious reasons or faulty nodes can significantly degrade the performance of mobile ad-hoc networks. To cope with misbehavior in such self-organized networks, nodes need to be able to automatically adapt their strategy to changing levels of cooperation. Existing approaches such as economic incentives or secure routing by cryptography alleviate some of the problems, but not all. We describe the use of a self-policing mechanism based on reputation to enable mobile ad-hoc networks to keep functioning despite the presence of misbehaving nodes. The reputation system in all nodes makes them detect misbehavior locally by observation and use of second-hand information. Once a misbehaving node is detected it is automatically isolated from the network. We classify the features of such reputation systems and describe possible implementations of each of them. We explain in particular how it is possible to use second-hand information while mitigating contamination by spurious ratings.

Title: The EigenTrust Algorithm for Reputation Management in P2P Networks
Author: Sepandar D. Kamvar, Mario T. Schlosser
Year: 2003
Description: Peer-to-peer file-sharing networks are currently receiving much attention as a means of sharing and distributing information. However, as recent experience shows, the anonymous, open nature of these networks offers an almost ideal environment for the spread of self-replicating inauthentic files. We describe an algorithm to decrease the number of downloads of inauthentic files in a peer-to-peer file-sharing network that assigns each peer a unique global trust value, based on the peer's history of uploads. We present a distributed and secure method to compute global trust values, based on power iteration. By having peers use these global trust values to choose the peers from whom they download, the network effectively identifies malicious peers and isolates them from the network. In simulations, this reputation system, called EigenTrust, has been shown to significantly decrease the number of inauthentic files on the network, even under a variety of conditions where malicious peers cooperate in an attempt to deliberately subvert the system.

Title: When Gossip is Good: Distributed Probabilistic Inference for Detection of Slow Network Intrusions
Author: Denver Dash, Branislav Kveton
Year: 2006
Description: Intrusion attempts due to self-propagating code are becoming an increasingly urgent problem, in part due to the homogeneous makeup of the internet. Recent advances in anomaly-based intrusion detection systems (IDSs) have made use of the quickly spreading nature of these attacks to identify them with high sensitivity and at low false positive (FP) rates. However, slowly propagating attacks are much more difficult to detect because they are cloaked under the veil of normal network traffic, yet can be just as dangerous due to their exponential spread pattern. We extend the idea of using collaborative IDSs to corroborate the likelihood of attack by imbuing end hosts with probabilistic graphical models and using random messaging to gossip state among peer detectors. We show that such a system is able to boost a weak anomaly detector D to detect an order-of-magnitude slower worm, at false positive rates of less than a few per week, than would be possible using D alone at the end-host or on a network gathering point.

Title: A Preliminary Investigation of Worm Infections in a Bluetooth Environment
Author: Jing Su, Kelvin K. W. Chan
Year: 2006
Description: Over the past year, there have been several reports of malicious code exploiting vulnerabilities in the Bluetooth protocol. While the research community has started to investigate a diverse set of Bluetooth security issues, little is known about the feasibility and the propagation dynamics of a worm in a Bluetooth environment. This paper is an initial attempt to remedy this situation. We start by showing that the Bluetooth protocol design and implementation is large and complex. We gather traces and we use controlled experiments to investigate whether a large-scale Bluetooth worm outbreak is viable today. Our data shows that starting a Bluetooth worm infection is easy, once a vulnerability is discovered. Finally, we use trace-driven simulations to examine the propagation dynamics of Bluetooth worms. We find that Bluetooth worms can infect a large population of vulnerable devices relatively quickly, in just a few days.

Title: An Adaptive Anomaly Detector for Worm Detection
Author: John Mark Agosta, Carlos Diuk-Wasser
Year: 2007
Description: We present an adaptive end-host anomaly detector where a supervised classifier trained as a traffic predictor is used to control a time-varying detection threshold. Training and testing it on real traffic traces collected from a number of end-hosts, we show our detector dominates an existing fixed-threshold detector. This comparison is robust to the choice of off-the-shelf classifier employed, and to a variety of performance criteria: the predictor's error rate, the reduction in the threshold gap, and the ability to detect the simulated threat of incremental worm traffic added to the traces. This detector is intended as a part of a distributed worm detection system that infers system-wide threats from end-host detections, thereby avoiding the sensing and resource limitations of conventional centralized systems. The distributed system places a constraint on this end-host detector to appear consistent over time and machine variability.

Title: CPMC: An Efficient Proximity Malware Coping Scheme in Smartphone-based Mobile Networks
Author: Feng Li, Yinying Yang
Year: 2010
Description: Many emerging malware can utilize the proximity of devices to propagate in a distributed manner, thus remaining unobserved and making detection substantially more challenging. Different from existing malware coping schemes, which are either totally centralized or purely distributed, we propose a Community-based Proximity Malware Coping scheme, CPMC. CPMC utilizes the social community structure, which reflects a stable and controllable granularity of security, in smartphone-based mobile networks. The CPMC scheme integrates short-term coping components, which deal with individual malware, and long-term evaluation components, which offer vulnerability evaluation of individual nodes. A closeness-oriented delegation forwarding scheme combined with a community-level quarantine method is proposed as the short-term coping components. These components contain proximity malware by quickly propagating the signature of a detected malware into all communities while avoiding unnecessary redundancy.

PROPOSED SYSTEM

Behavioral characterization, in terms of system call and program flow, has been previously proposed as an effective alternative to pattern matching for malware detection. In our model, malware-infected nodes' behaviors are observed by others during their multiple opportunistic encounters. Individual observations may be imperfect, but abnormal behaviors of infected nodes are identifiable in the long run. We identify challenges for extending Bayesian malware detection to DTNs, and propose a simple yet effective method, look-ahead, to address the challenges.
Furthermore, we propose two extensions to look-ahead, dogmatic filtering and adaptive look-ahead, to address the challenge of malicious nodes sharing false evidence.

PROPOSED SYSTEM ADVANTAGES

Real mobile network traces are used to verify the effectiveness of the proposed methods.
The proposed evidence consolidation strategies minimize the negative impact of liars on the quality of the shared evidence.
It is used to identify the abnormal behaviors of infected nodes in the long run.

CHAPTER 2
PROJECT DESCRIPTION

2.1. GENERAL

We analyze the problem of behavioral characterization of malware nodes in a Delay Tolerant Network efficiently, without affecting network performance.

2.2. PROBLEM DEFINITION

Proximity malware is a malicious program that disrupts the host node's normal function and has a chance of duplicating itself to other nodes during (opportunistic) contact opportunities between nodes in the DTN. When duplication occurs, the other node is infected with the malware. We present a general behavioral characterization of proximity malware, which captures the functional but imperfect nature of detecting proximity malware. Under the behavioral malware characterization, and with a simple cut-off malware containment strategy, we formulate the malware detection process as a distributed decision problem. We analyze the risk associated with the decision, and design a simple, yet effective, strategy, look-ahead, which naturally reflects individual nodes' intrinsic risk inclinations against malware infection. We present two alternative techniques, dogmatic filtering and adaptive look-ahead, that naturally extend look-ahead to consolidate evidence provided by others, while containing the negative effect of false evidence. A nice property of the proposed evidence consolidation methods is that the results will not worsen even if liars are the majority in the neighborhood.
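To make the cut-off decision and the look-ahead strategy concrete, here is an added example (not the authors' code) of a look-ahead rule on top of a Beta-posterior behavioral model: each of a node's own assessments of a neighbor is a suspicious/normal observation, and the node cuts the neighbor off only when doing so now is no worse than keeping it or collecting up to k more assessments first. The cost values, the uniform prior and the exposure-cost recursion are assumptions of this example, chosen so that k directly expresses a node's risk inclination.

```python
from dataclasses import dataclass
from fractions import Fraction

@dataclass(frozen=True)
class Evidence:
    """A node's own assessments of one neighbor (constructed counts, not real traces)."""
    suspicious: int = 0   # encounters in which the neighbor behaved abnormally
    normal: int = 0       # encounters in which it behaved normally

def suspiciousness(ev, prior_a=1, prior_b=1):
    """Posterior mean of the neighbor's probability of behaving abnormally.

    Each assessment is treated as a Bernoulli trial; with a Beta(prior_a, prior_b)
    prior the posterior mean is (a + s) / (a + b + s + n). Exact fractions keep the
    comparisons below free of floating-point ties.
    """
    return Fraction(prior_a + ev.suspicious,
                    prior_a + prior_b + ev.suspicious + ev.normal)

def expected_risk(ev, k, cost_infect, cost_isolate, cost_exposure):
    """Lowest expected loss when up to k more assessments may be gathered first.

    cost_infect   : loss of keeping a neighbor that really is infected
    cost_isolate  : loss of cutting off a neighbor that really is healthy
    cost_exposure : loss of one more contact with an infected neighbor while waiting
    """
    p = suspiciousness(ev)
    cut_now = (1 - p) * cost_isolate
    keep_for_good = p * cost_infect
    if k == 0:
        return min(cut_now, keep_for_good)
    # Defer: pay the exposure risk of one more contact, observe one more assessment
    # (suspicious with predictive probability p), then face the same choice again.
    after_sus = Evidence(ev.suspicious + 1, ev.normal)
    after_ok = Evidence(ev.suspicious, ev.normal + 1)
    wait = (p * cost_exposure
            + p * expected_risk(after_sus, k - 1, cost_infect, cost_isolate, cost_exposure)
            + (1 - p) * expected_risk(after_ok, k - 1, cost_infect, cost_isolate, cost_exposure))
    return min(cut_now, keep_for_good, wait)

def should_cut_off(ev, k, cost_infect=10, cost_isolate=4, cost_exposure=Fraction(1, 4)):
    """Look-ahead rule: cut the neighbor off now only if that is no worse than keeping
    it or looking ahead up to k more assessments. A larger k means the node accepts
    more exposure to avoid isolating a healthy peer (a more risk-tolerant node)."""
    p = suspiciousness(ev)
    cut_now = (1 - p) * cost_isolate
    return cut_now <= expected_risk(ev, k, cost_infect, cost_isolate, cost_exposure)

if __name__ == "__main__":
    borderline = Evidence(suspicious=2, normal=6)   # constructed: mildly suspicious neighbor
    for k in range(3):
        print(f"look-ahead {k}: cut off = {should_cut_off(borderline, k)}")
```

With the constructed evidence a node that does not look ahead cuts the neighbor off, while a node looking one or more steps ahead keeps observing; a clearly suspicious neighbor is cut off under any k.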
2.3. METHODOLOGIES

Methodologies are the process of analyzing the principles or procedures for the behavioral characterization of nodes, with two methods, dogmatic filtering and adaptive look-ahead, for consolidating evidence provided by other nodes while containing the negative impact of liars in a delay tolerant network.

2.3.1. MODULES

Authentication
Network Nodes
Malware Detection
Evidence Analysis
Evil Node Revocation

2.3.2. MODULE DESCRIPTION

Authentication
A new user who wants to consume the service has to register first by providing the necessary details. After successful completion of the sign-up process, the user has to log in to the application by providing the username and the correct password. The user has to provide the exact username and password that were provided at the time of registration; if the login succeeds, the application proceeds to the main page, otherwise it remains on the login page.

Network Nodes
Under this module, the IP addresses of the network nodes that are interconnected by the local area network are fetched in order to share resources among the network. The performance of each individual system is also analyzed to assess its behavior.

Malware Detection
The malware detection module helps to identify the evil node, that is, the node affected by a malware program.

Evidence Analysis
This module is used to investigate the evidence about nodes by collecting assessments before a normal node is affected by a malware program. The evidence aging process helps to discard outdated assessments of a node, and evidence consolidation helps to filter negative assessments of a node provided by the other nodes.

Evil Node Revocation
After detection of an evil node, we need to drop communication with it in order to prevent the malware from spreading, and the evil node's details are transferred to the database for further reference. Finally, the evil node is revoked from the network computer list.

2.3.3. MODULE DIAGRAM
(Diagram of the five modules: Authentication, Network Nodes, Malware Detection, Evidence Analysis, Evil Node Revocation.)
2.3.4. GIVEN INPUT EXPECTED OUTPUT

AUTHENTICATION
Input: Give username and password
Output: Allow access to your personal details

NETWORK NODES
Input: Connect to the network
Output: Communicate between client and server

MALWARE DETECTION
Input: Send your file to another node
Output: Identifying the malicious node

EVIDENCE ANALYSIS
Input: Communicate with other nodes before being affected by a malware node, then collect evidence
Output: Show the full evidence analysis report

EVIL NODE REVOCATION
Input: Communicate with the malware node until full evidence is collected
Output: The malware node has been removed

2.4. TECHNIQUE USED

Dogmatic filtering
Dogmatic filtering is based on the observation that one's own assessments are truthful and therefore can be used to bootstrap the evidence consolidation process. A node shall only accept evidence that will not sway its current opinion too much. We call this observation the dogmatic principle.

Adaptive look-ahead
Adaptive look-ahead takes a different approach towards evidence consolidation. Instead of deciding whether to use the evidence provided by others directly in the cut-off decision, adaptive look-ahead indirectly uses the evidence by adapting the number of steps to look ahead to the diversity of opinion.
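The two techniques above, as an added example that is not the project's own code: dogmatic filtering accepts another node's evidence only when merging it would not sway the node's current opinion by more than a threshold, and adaptive look-ahead turns disagreement among reporters into extra look-ahead steps instead of mixing their evidence into the cut-off decision. The sway threshold, the variance-based diversity measure and the constructed reports (with liars in the majority) are assumptions of this example.

```python
from fractions import Fraction
from statistics import pvariance

def opinion(s, n, prior_a=1, prior_b=1):
    """Posterior mean suspiciousness implied by s suspicious and n normal assessments
    (Beta(prior_a, prior_b) prior, as in the behavioral model)."""
    return Fraction(prior_a + s, prior_a + prior_b + s + n)

def dogmatic_filter(own, reports, max_sway=Fraction(1, 10)):
    """Dogmatic filtering: our own (s, n) counts are trusted and bootstrap the process;
    each report (s, n) from another node is accepted only if merging it would move our
    current opinion by at most max_sway. Accepted reports grow the evidence that later
    reports are judged against. Returns (merged_counts, rejected_reports)."""
    s, n = own
    rejected = []
    for rs, rn in reports:
        current = opinion(s, n)
        merged = opinion(s + rs, n + rn)
        if abs(merged - current) <= max_sway:
            s, n = s + rs, n + rn
        else:
            rejected.append((rs, rn))   # swings our opinion too far: treated as a liar
    return (s, n), rejected

def adaptive_lookahead(reports, base_steps=1, max_extra=4):
    """Adaptive look-ahead: instead of feeding others' evidence into the cut-off decision,
    translate the diversity of their opinions into extra look-ahead steps. Diversity is
    measured here as the population variance of the reporters' opinions, scaled so that
    maximal disagreement (variance 1/4) yields max_extra extra steps (an assumption)."""
    views = [float(opinion(rs, rn)) for rs, rn in reports]
    if len(views) < 2:
        return base_steps
    diversity = 4 * pvariance(views)   # 0 when everyone agrees, at most 1
    return base_steps + round(diversity * max_extra)

# Constructed reports about one suspect: two honest nodes that roughly agree with us
# and three liars (a majority) pushing extreme verdicts in both directions.
OWN_EVIDENCE = (2, 6)
REPORTS = [(3, 7), (25, 0), (2, 5), (0, 25), (30, 0)]

if __name__ == "__main__":
    merged, liars = dogmatic_filter(OWN_EVIDENCE, REPORTS)
    print("consolidated evidence:", merged, "rejected reports:", liars)
    print("look-ahead steps:", adaptive_lookahead(REPORTS))
```

Because every report is judged against the node's own bootstrapped evidence, the three liars are rejected even though they outnumber the honest reporters, which is the "will not worsen" property the problem definition claims; the same disagreement makes adaptive look-ahead wait for more first-hand assessments.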