FP7-ICT-216026-WOMBAT

D24/D6.4 Second Open Workshop Proceedings

Wed, 18 May 2011 10:41:10 +0000

This is the deliverable for the second wombat open workshop, BADGERS, that took place within the EuroSys 2011 conference on April 10 in Salzburg (Austria). In this document we discuss the preparation of the second workshop, our expectations vs. feedback and impressions we collected by authors and attenders. Proceedings are included.

FP7-ICT-216026-Wombat_WP6_D24_V01_Second-Open-Workshop-Proceedings-BADGERS-2011.pdf

D23/D5.3 Early Warning System: Experimental report

Wed, 18 May 2011 10:32:54 +0000

A large part of Workpackage 5 concerns the Early Warning System functionality. This deliverable offers a report of the experiments carried out as part of the effort to create the Early Warning System. Several specialized alerting systems are presented, including FIRE, Exposure, BANOMAD and HoneyBuddy myIMhoneypot

FP7-ICT-216026-Wombat_WP5_D23_V01_Early-warning-system-experimental-report.pdf

D22/D5.2 Root Causes Analysis: Experimental Report

Wed, 18 May 2011 10:22:57 +0000

This deliverable offers an extensive report of all experiments carried out with respect to root cause analysis techniques. This final deliverable for Workpackage 5 (Threats Intelligence ) builds upon D12 (D5.1 - Technical Survey on Root Cause Analysis) and benefits from the modifications made to the various software modules developed in WP4, following up the experimental feedback.
The R&D efforts carried out in WP5 with respect to root cause analysis have produced a novel framework for attack attribution called triage. This framework has been successfully applied to various wombat datasets to perform intelligence analyses by taking advantage of several structural and contextual features of the data sets developed by the different partners. These experiments enabled us to get insights into the underlying root phenomena that have likely caused many security events observed by sensors deployed by wombat partners.
In this deliverable, we provide an in-depth description of experimental results obtained with triage, in particular with respect to (i) the analysis of Rogue AV campaigns (based on HARMUR data), and (ii) the analysis of different malware variants attributed to the Allaple malware family (based on data from SGNET, VirusTotal and Anubis).
Finally, we describe another experiment performed on a large spam data set obtained from Symantec.Cloud (formerly MessageLabs), for which triage was successfully used to analyze spam botnets and their ecosystem, i.e., how those botnets are used by spammers to organize and coordinate their spam campaigns. Thanks to this application, we are considering a possible technology transfer of triage to Symantec.Cloud, who is interested in carrying out regular intelligence analyses of their spam data sets, and may ralso consider the integration of triage to their Skeptic ○ spam filtering technology.

FP7-ICT-216026-Wombat_WP5_D22_V01_Root-Cause-Analysis-Experimental-report.pdf

D21/D4.7 Consolidated report with evaluation results

Wed, 18 May 2011 10:14:59 +0000

This is the final deliverable for Workpackage 4 within the wombat project. In this document we discuss the final extensions and improvements to our data collection and analysis techniques that were implemented as part of wombat. Furthermore, we present some additional results obtained from the analysis of data collected within wombat.

FP7-ICT-216026-Wombat_WP4_D21_V01_Consolidated-reports-with-evaluation-results.pdf

The Wombat API (WAPI) is now available on sourceforge

Tue, 19 Apr 2011 16:38:29 +0000

WAPI, or WOMBAT API, is a SOAP-based API built in the context of the project to facilitate the remote access and exploration of security-related datasets.

The package contains all the essential code to start using the WAPI. The WAPI represents an attempt to tackle two main challenges for security data providers:

- Many of the data access primitives are not easily scriptable. Many data sources provide web-based interfaces that, while easily accessible by human operators, are not convenient for automated analysis.

- The interfaces for security datasets are very diverse in structure and methodology. The analyst who wants to take advantage of multiple data sources to perform correlations among them is thus forced to implement ad-hoc plugins and parsers for each data feed. This process is not necessarily a simple task, and requires the analyst to fully understand, for example, the schema of the SQL database provided by the data owner.

You can find the package on sourceforge : http://sourceforge.net/projects/wombat-api/

More information and details on WAPI are available in the deliverable D10/D6.3.

WOMBAT second open workshop proceedings

Mon, 18 Apr 2011 12:57:32 +0000

This volume collects the proceedings of the second WOMBAT Project Workshop,held on April 10 in Salzburg.

badgers2011-proceedings.pdf

Wombat Deliverable D18/D4.6 Final description of contextual features

Wed, 13 Apr 2011 12:34:35 +0000

The objective of Workpackage 4 is to develop techniques to characterize the malicious
code that is collected in the previous workpackage. The main idea is to enrich the
collected code thanks to metadata that might reveal insights into the origin of the code
and the intentions of those that created, released or used it.
This deliverable is an extension of D15 (D4.5), and provides a final description of the
contextual features collected within the wombat consortium. Furthermore, it presents
initial results, statistics, and insights obtained by analyzing the collected contextual
features.

FP7-ICT-216026-Wombat_WP4-D18_V01_Final-Contextual-features.pdf

WOMBAT second open workshop Call For Paper

Thu, 09 Dec 2010 18:18:51 +0000

BADGERS 2011

Building Analysis Datasets and Gathering Experience Returns for Security

Workshop on development of large scale security-related data collection and analysis initiatives

The WOMBAT consortium will organise its second open workshop in Salzburg, Austria, on April 10. The BADGERS workshop is co-located with the EuroSys 2011 conference. Check the conference page for up-to-date info.

About BADGERS

The BADGERS workshop is intended to encourage the development of large scale security-related data collection and analysis initiatives. It will provide an environment to describe already existing real-world, large-scale datasets, and to share with the systems community the return on experiences acquired by analyzing such collected data. Furthermore, novel approaches to collect and study such data sets are welcome.

Call for Papers

In contrast to the systems community, security researchers have only recently started collecting and looking at large-scale, real-world data (e.g., the EU WOMBAT and the US PREDICT initiatives). It is well known that experimental work is often hampered by concerns such as confidentiality, privacy, and liability. However, the threat landscape is rapidly changing and this represents a growing concern for individuals and organisations. To address these issues appropriately, there is a dire need to better understand the modus operandi and the motivations of the attackers. This can only be achieved by getting access to large-scale, real-world data, and by designing techniques to mine relevant knowledge out of it.

This workshop aims at bringing together people (e.g., researchers, practitioners, system administrators, system programmers) active in the emerging domain of security-related data collection and analysis. By giving visibility to existing solutions, we expect that the workshop will promote and encourage the better sharing of data and knowledge.

By co-locating the BADGERS workshop with EuroSys, we wish to create a bridge between the well-established systems community and the members of the security community who are interested in experimental systems work.

The BADGER workshop solicits two kinds of submissions: Regular papers and work in progress papers. Regular papers should not exceed 8 pages, excluding well-marked appendixes. Work in progress papers should not exceed two pages.

Submissions

Papers can be submitted to the workshop through the HotCrp Submission System that we've set up.

Wombat Deliverable D17/D4.4 Final Analysis Report of Structural Features

Sun, 01 Aug 2010 18:01:07 +0000

This deliverable is a final report on the experimental results obtained by using structural
features to characterize executable code. It discusses and evaluates a number of tech-
niques, based on these features, that have been developed in the context of the wombat
project, and aim to provide a deeper understanding of malicious code and of the relations
between malicious code samples.

FP7-ICT-216026-Wombat_WP4_D17_V01_Final_Analysis_Report_of_Structural_features.pdf

Wombat Deliverable D16/D4.2 Analysis Report of Behavioral Features

Sat, 31 Jul 2010 18:42:51 +0000

This deliverable provides a discussion of the features used to characterize the behavior
of code, and a discussion of preliminary results of applying these features to a set of
malicious code. It discusses the project's results in behavior-based clustering, malware
detection at end hosts in different ways, system call analysis, but also our work on
shellcode behavior.

FP7-ICT-216026-Wombat_WP4_D16_V01_Analysis-Report-of-Behavioral-features.pdf

Wombat Deliverable D15/D4.5 Intermediate Report on Contextual Features

Tue, 16 Feb 2010 17:09:17 +0000

The objective of this Workpackage 4 is to develop techniques to characterize the malicious code that is collected in the previous workpackage. The main idea is to enrich the collected code thanks to metadata that might reveal insights into the origin of the code and the intentions of those that created, released or used it. This deliverable provides a preliminary discussion of possible contextual features of malware, and for each feature, an estimate on its effectiveness and the difficulty to obtain it. Some of these features can be used to analyze potential threats and discriminate collected samples that are mere variations of already known threats.

FP7-ICT-216026-Wombat_WP4-D15_V01_Intermediate-Contextual-features.pdf

Wombat Deliverable D13/D3.3 Sensor Deployment

Tue, 16 Feb 2010 16:58:21 +0000

This deliverable reports the deployment of all types of sensors implemented in the WOMBAT project and includes descriptions of experiences with the sensors from several months of deployment and experimentation. The sensors that are deployed are the SGNET, HARMUR, Shelia, Paranoid Android, HoneySpider Network, Bluebat and NoAH. The early experiences show that the WOMBAT Project is fulfilling our preliminary expectations about having powerful tools for collecting data. These data are useful for categorizing attackers and malware behaviors. Moreover our experiments reveal that the sensors can cooperate with each other, enriching in this way the information offered for analysis.

FP7-ICT-216026-Wombat_WP3_D13_V01-Sensor-deployment.pdf

Wombat Deliverable D12/D5.1 Root Causes Analysis

Tue, 16 Feb 2010 16:46:07 +0000

This deliverable aims at giving an overview of existing techniques for root cause analysis, and provides some preliminary results with respect to the root cause analysis work performed in the project so far. The deliverable is mainly made up of 6 published peer-reviewed papers and one technical report that has reached a wide-audience.

FP7-ICT-216026-Wombat_WP5_D12_V01_RCA-Technical-survey.pdf

Wombat Deliverable D11/D4.3 Intermediate Analysis Report of Structural Features

Tue, 16 Feb 2010 16:33:16 +0000

This deliverable provides a preliminary discussion of structural features that can be used to characterize executable code. Furthermore, it discusses a number of techniques, based on these features, that are being developed in the context of the wombat project, and aim to provide a deeper understanding of malicious code and of the relations between malicious code samples.

FP7-ICT-216026-Wombat_WP4_D11_V01-Intermediate-analysis-report-of-structural-features.pdf

Wombat Deliverable D10/D6.3 First WOMBAT open workshop proceedings

Tue, 16 Feb 2010 16:19:27 +0000

This volume collects the presentations and handouts of the first WOMBAT open Workshop,held on September 22-23, 2009 in St. Malo. This year's workshop focuses on the introduction of early results of the project, and in particular on the Wombat APIs or WAPI, a set of API developed by the project partners to allow integrated access to different attack dataset.
The aim of the workshop was to give participants a first-hand experience on how the WAPIs
help the analyst and the researcher in investigating new phenomena. The demos and presentations were prepared thanks to the collective effort of the project partners: France Telecom, Hispasec, Politecnico di Milano, Technical University of Vienna, Institut
Eurecom, FORTH-ICS, Symantec Corporation, Vrije Universiteit Amsterdam, Institute for Infocomm Research, NASK.

FP7-ICT-216026-Wombat_WP6_D10_V01_2nd-Wombat-Proceedings-St-Malo.pdf