Journal of Engineering, Computers & Applied Sciences (JEC&AS), ISSN No: 2319-5606, Volume 1, No.3, December 2012
www.borjournals.com, Blue Ocean Research Journals

A Behavioural Study of Various Worms and their Detection Schemes

Nagaraju Mamillapally, Asst. Professor, Adarsh PG College of Computer Sciences, Mahabubnagar, India
Venkatesh Gadege, Asst. Professor, Adarsh PG College of Computer Sciences, Mahabubnagar, India

ABSTRACT

Computer worms propagate themselves across host machines and have been terrorizing the Internet for the last several years. This is due to the ability of worms to propagate in an automated fashion as they continuously compromise computers on the Internet. At the same time, being fully automated makes their behavior repetitious and predictable. This article presents a survey on the behavior and detection schemes of Internet worms. We first identify worm characteristics through their behavior, and then classify worm detection algorithms based on the parameters used in the algorithms. Furthermore, we analyze and compare different detection algorithms with reference to the worm characteristics by identifying the types of worms that can and cannot be detected by these schemes.

Keywords: Self-Propagation, Behavior, Detection, Vulnerability, Algorithms

1. INTRODUCTION

Self-propagating malicious codes known as computer worms spread themselves without any human interaction and launch the most destructive attacks against computer networks, such as launching massive Distributed Denial-of-Service (DDoS) attacks that disrupt Internet utilities and accessing confidential information that can be misused through large-scale traffic sniffing, key logging, etc. They destroy data that has a high monetary value and distribute large-scale unsolicited advertisement emails (as spam) or software (as malware).
These worms include the Camouflaging worm (C-Worm in short) [2], Code-Red worm [3], Slammer worm [4], Witty/Sasser worms [8] and Morris Worm [6]. Being fully automated, a worm's behavior is usually repetitious and predictable, which makes it possible to detect. A worm's life consists of the following phases: target finding, transferring, activation, and infection. Since worms involve network activities in the first two phases, their behaviors in these two phases are critical for developing detection algorithms. Therefore, this paper first focuses on worm characteristics that facilitate their detection.

Many algorithms have been proposed in the past to try to catch and stop the spread of Internet worms. Most research papers discuss efforts that are related to their proposed work, but none of these papers gives a comprehensive classification of the existing modeling and detection schemes. This paper presents a complete study of some active worms and their behavior, and identifies various modeling and detection schemes.

2. Overview

After the introductory terminology is presented, worm characteristics during the target finding and worm transferring phases are identified. This is followed by an overview of worm defense mechanisms: modeling and detection. The modeling of various worms and detection schemes is presented next. Depending on where the detection schemes are implemented, they may construct different views of worm propagation behaviors, so there may be differences in the scope of their defenses.

Fig 1: Categorization of worm characteristics

3. TECHNOLOGY

A. Activation

Activation is when a worm starts performing its malicious activities. Activation might be triggered on a specific date or under certain conditions.