FORTH-ICS: November 2008 Archives

The WOMBAT proect will be represented at the Future Internet Assembly conference in Madrid, December 2008, by the following people:

• Vincent Boutroux, France Télécom R&D/Orange Labs
• Sotiris Ioannidis, FORTH (also representing FORWARD)
• Philip Homburg, VU (Also representing FORWARD)
• Paolo Milani Comparetti, TUV

This document contains a description of the wombat architecture and a high level design
of the new sensors. The wombat architecture is covered by a comprehensive review of
all its components. Part of this architecture is also the data sources and especially the
new ones that will be implemented as part of the wombat project. Each of them will
be described in the design level, focusing on the way that they will be integrated with
the wombat infrastructure

FP7-ICT-216026-Wombat-WP3-D06_V02_Infrastructure_design.pdf

M. Corrado LEITA will publicly defend his UNS Doctoral Thesis 
on Thursday, December 4th 2008 at 2:00 pm, in the Amphitheater MARCONI at EURECOM.

Topic of the Thesis:

"SGNET: automated protocol learning for the observation of malicious threats"

Jury members :

• Marc DACIER (Symantec)
• Vern PAXSON (ICSI)
• Hervé DEBAR (France Télécom R&D/Orange Labs)
• Engin KIRDA (Eurecom)
• Christopher KRUEGEL (UCSB)
• Mohamed KAANICHE (LAAS CNRS)
• Sotiris IOANNIDIS (FORTH)

One of the main prerequisites for the development of reliable defenses to protect a network resource consists in the collection of quantitative data on  Internet threats. This attempt to "know your enemy" leads to an increasing interest in the collection and exploitation of datasets providing intelligence on network attacks. The creation of these datasets is a very challenging task. The challenge derives from the need to cope with the spatial and quantitative diversity of malicious activities. The observations need to be performed on a broad perspective, since the activities are not uniformly distributed over the IP space. At the same time, the data collectors need to be sophisticated enough to extract a sufficient amount of information on each activity and perform meaningful inferences. How to combine the simultaneous need to deploy a vast number of data collectors with the need of sophistication required to make meaningful observations? This work addresses this challenge by proposing a protocol learning technique based on bioinformatics algorithms. The proposed technique allows to automatically generate low-cost protocol responders starting from a set of samples of network interaction. Its characteristics are exploited in a distributed honeypot deployment that collected information on Internet attacks for a period of 8 months in 23 different networks distributed all over the world (Europe, Australia, United States). This information is organized in a central dataset enriched with contextual information from a number of sources and analysis tools. Simple data mining techniques proposed in this work allow the generation of a valuable overview on the propagation techniques employed by nowadays malware.