Recently in Deliverables Category

Wombat Deliverable D15/D4.5 Intermediate Report on Contextual Features

The objective of Workpackage 4 is to develop techniques to characterize the malicious code collected in the previous workpackage. The main idea is to enrich the collected code with metadata that might reveal insights into the origin of the code and the intentions of those who created, released or used it. This deliverable provides a preliminary discussion of possible contextual features of malware and, for each feature, an estimate of its effectiveness and the difficulty of obtaining it. Some of these features can be used to analyze potential threats and discriminate collected samples that are mere variations of already known threats.

FP7-ICT-216026-Wombat_WP4-D15_V01_Intermediate-Contextual-features.pdf

Wombat Deliverable D13/D3.3 Sensor Deployment

This deliverable reports on the deployment of all types of sensors implemented in the WOMBAT project and includes descriptions of experiences with the sensors from several months of deployment and experimentation. The deployed sensors are SGNET, HARMUR, Shelia, Paranoid Android, HoneySpider Network, Bluebat and NoAH. The early experiences show that the WOMBAT project is fulfilling our preliminary expectations of having powerful tools for collecting data. These data are useful for categorizing attackers and malware behaviors. Moreover, our experiments reveal that the sensors can cooperate with each other, thereby enriching the information offered for analysis.

FP7-ICT-216026-Wombat_WP3_D13_V01-Sensor-deployment.pdf

Wombat Deliverable D12/D5.1 Root Causes Analysis

This deliverable aims at giving an overview of existing techniques for root cause analysis, and provides some preliminary results with respect to the root cause analysis work performed in the project so far. The deliverable is mainly made up of 6 published peer-reviewed papers and one technical report that has reached a wide audience.

FP7-ICT-216026-Wombat_WP5_D12_V01_RCA-Technical-survey.pdf

This deliverable provides a preliminary discussion of structural features that can be used to characterize executable code. Furthermore, it discusses a number of techniques, based on these features, that are being developed in the context of the WOMBAT project and that aim to provide a deeper understanding of malicious code and of the relations between malicious code samples.

FP7-ICT-216026-Wombat_WP4_D11_V01-Intermediate-analysis-report-of-structural-features.pdf

Wombat Deliverable D10/D6.3 Second WOMBAT workshop proceedings

This volume collects the presentations and handouts of the 2nd WOMBAT Project Workshop, held on September 22-23, 2009 in St. Malo. This year's workshop focuses on the introduction of early results of the project, and in particular on the Wombat APIs or WAPI, a set of APIs developed by the project partners to allow integrated access to different attack datasets. The aim of the workshop was to give participants first-hand experience of how the WAPIs help the analyst and the researcher in investigating new phenomena. The demos and presentations were prepared thanks to the collective effort of the project partners: France Telecom, Hispasec, Politecnico di Milano, Technical University of Vienna, Institut Eurecom, FORTH-ICS, Symantec Corporation, Vrije Universiteit Amsterdam, Institute for Infocomm Research, NASK.

FP7-ICT-216026-Wombat_WP6_D10_V01_2nd-Wombat-Proceedings-St-Malo.pdf


WOMBAT Deliverable D08/D4.1 Specification language for code behavior

This document provides a specification language to describe the behavior of code. Consistent with the requirements for an extensible, layered architecture for the behavioral analysis of malware, four different languages are defined, ranging from a complete, low-level description of the code's behavior to a high-level analysis report that is suitable for a human analyst. Furthermore, current approaches to behavioral malware analysis and detection within the WOMBAT project are discussed, most of which already take advantage (or can be extended to take advantage) of the provided specification language.

FP7-ICT-216026-Wombat_WP4_D08_V01_Specification_language_for_code_behaviour.pdf

Wombat Deliverable D06/D3.1 Infrastructure Design

This document contains a description of the WOMBAT architecture and a high-level design of the new sensors. The WOMBAT architecture is covered by a comprehensive review of all its components. The data sources are also part of this architecture, especially the new ones that will be implemented as part of the WOMBAT project. Each of them will be described at the design level, focusing on the way that they will be integrated with the WOMBAT infrastructure.

FP7-ICT-216026-Wombat-WP3-D06_V02_Infrastructure_design.pdf

WOMBAT Deliverable D05/D2.3 Requirements analysis

This document outlines the requirements for early warning systems built on technology provided by the WOMBAT project, setting out both functional and non-functional requirements. The collected requirements reflect the identified user needs and the key directions to be followed within the research and development Work-packages (WP3-Data Collection and Distribution, WP4-Data Enrichment and Characterization, WP5-Threat Intelligence).

The document starts from an assessment of user requirements gathered from potential users including external participants in the Closed Workshop and the WOMBAT development group. This part covers expectations of distinct classes of data users such as: security vendors, malware researchers, ISPs, CERT teams, Government, financial institutions and home users. It details the requirements for the system architecture, data and system functions, and specifies performance, availability and security features to provide sufficient functionality. It also defines user interface, testing and configuration management requirements.

FP7-ICT-216026-Wombat_WP2_D05_V01_Requirements.pdf

WOMBAT Deliverable D03/D2.2 Analysis of the state of the art

This document contains a detailed analysis of the state-of-the-art tools and research approaches for malware collection and analysis. We have reviewed high/medium/low-interaction honeypots, malware collection tools and worldwide initiatives. The analysis of the collected malware is covered by a comprehensive review of the most relevant research proposals, also including techniques that have been used to analyze running programs in general and that can be adapted for the WOMBAT project's purposes.

FP7-ICT-216026-Wombat-WP2_D03_V01_State_art.pdf

WOMBAT Closed Workshop, April 21st-22nd, Amsterdam, NL

On April 21st-22nd, the WOMBAT project will organize an invitation-only workshop (located in Amsterdam, Netherlands) to address the difficulties in collaboration and attack data sharing. The discussion will address standards for data exchange, infrastructural challenges, and the resolution of privacy and competition issues in data sharing. The project partners will present the vision of the project, and a draft version of our requirements analysis. The invited participants will share their own technical infrastructures and research directions. Some of the revised papers presented at the workshop will be released in a volume of proceedings.