FP7-ICT-216026-WOMBAT

Wombat Deliverable D15/D4.5 Intermediate Report on Contextual Features

Tue, 16 Feb 2010 17:09:17 +0000

The objective of this Workpackage 4 is to develop techniques to characterize the malicious code that is collected in the previous workpackage. The main idea is to enrich the collected code thanks to metadata that might reveal insights into the origin of the code and the intentions of those that created, released or used it. This deliverable provides a preliminary discussion of possible contextual features of malware, and for each feature, an estimate on its effectiveness and the difficulty to obtain it. Some of these features can be used to analyze potential threats and discriminate collected samples that are mere variations of already known threats.

FP7-ICT-216026-Wombat_WP4-D15_V01_Intermediate-Contextual-features.pdf

Wombat Deliverable D13/D3.3 Sensor Deployment

Tue, 16 Feb 2010 16:58:21 +0000

This deliverable reports the deployment of all types of sensors implemented in the WOMBAT project and includes descriptions of experiences with the sensors from several months of deployment and experimentation. The sensors that are deployed are the SGNET, HARMUR, Shelia, Paranoid Android, HoneySpider Network, Bluebat and NoAH. The early experiences show that the WOMBAT Project is fulfilling our preliminary expectations about having powerful tools for collecting data. These data are useful for categorizing attackers and malware behaviors. Moreover our experiments reveal that the sensors can cooperate with each other, enriching in this way the information offered for analysis.

FP7-ICT-216026-Wombat_WP3_D13_V01-Sensor-deployment.pdf

Wombat Deliverable D12/D5.1 Root Causes Analysis

Tue, 16 Feb 2010 16:46:07 +0000

This deliverable aims at giving an overview of existing techniques for root cause analysis, and provides some preliminary results with respect to the root cause analysis work performed in the project so far. The deliverable is mainly made up of 6 published peer-reviewed papers and one technical report that has reached a wide-audience.

FP7-ICT-216026-Wombat_WP5_D12_V01_RCA-Technical-survey.pdf

Wombat Deliverable D11/D4.3 Intermediate Analysis Report of Structural Features

Tue, 16 Feb 2010 16:33:16 +0000

This deliverable provides a preliminary discussion of structural features that can be used to characterize executable code. Furthermore, it discusses a number of techniques, based on these features, that are being developed in the context of the wombat project, and aim to provide a deeper understanding of malicious code and of the relations between malicious code samples.

FP7-ICT-216026-Wombat_WP4_D11_V01-Intermediate-analysis-report-of-structural-features.pdf

Wombat Deliverable D10/D6.3 Second WOMBAT workshop proceedings

Tue, 16 Feb 2010 16:19:27 +0000

This volume collects the presentations and handouts of the 2nd WOMBAT Project Workshop,held on September 22-23, 2009 in St. Malo. This year's workshop focuses on the introduction of early results of the project, and in particular on the Wombat APIs or WAPI, a set of API developed by the project partners to allow integrated access to different attack dataset.
The aim of the workshop was to give participants a first-hand experience on how the WAPIs
help the analyst and the researcher in investigating new phenomena. The demos and presentations were prepared thanks to the collective effort of the project partners: France Telecom, Hispasec, Politecnico di Milano, Technical University of Vienna, Institut
Eurecom, FORTH-ICS, Symantec Corporation, Vrije Universiteit Amsterdam, Institute for Infocomm Research, NASK.

FP7-ICT-216026-Wombat_WP6_D10_V01_2nd-Wombat-Proceedings-St-Malo.pdf

WOMBAT Deliverable D08/D4.1 Specification language for code behavior

Tue, 16 Feb 2010 15:25:37 +0000

This document provides a specification language to describe the behavior of code. Consistently with the requirements for an extensible, layered architecture for the behavioral analysis of malware, four different languages are defined, ranging from a complete, low-level description of the code's behavior to a high-level analysis report that is suitable for a human analyst. Furthermore, current approaches to behavioral malware analysis and detection within the wombat project are discussed, most of which already take advantage (or can be extended to take advantage) of the provided specification language.

FP7-ICT-216026-Wombat_WP4_D08_V01_Specification_language_for_code_behaviour.pdf

WOMBAT 2nd open workshop programme

Mon, 07 Sep 2009 14:27:49 +0000

The program of the 2nd WOMBAT workshop is now available.

September 22nd:

12:00-14:00: Registration and lunch
14.00-14.10: Official welcome and introduction (H. Debar)
14.10-14.40: "Introduction to the WOMBAT datasets" (M. Dacier)
14.45-15.15: "The WOMBAT WAPI: idea, implementation and use" (C. Leita)
15.15-16.00: "The SHELIA and HNS client honeypot datasets" (H. Bos; P. Kijewski)
16.00-16.15: Coffee Break and preparation for the demos
16.15-18.30: Demos
Adjourn

September 23rd

9.00-9.30:"Clustering malware with ANUBIS and SGNET and interaction with the WAPI" (P. M. Comparetti)
9.30-12.30: Demos with coffee break
12.30: lunch, closing of the workshop

The registration for the WOMBAT workshop can be done on the RAID+ESORICS registration page. If you wish to register for the workshop alone, you should use the RAID+WOMBAT registration and mention it in the comments. The registration fee for the workshop alone is 50 Euros.

WOMBAT 2nd open workshop

Mon, 10 Aug 2009 12:00:59 +0000

The WOMBAT consortium will organise its second open workshop in St 
Malo, France, on September 22-23 (from Tuesday 12:00 - Wednesday 12:00). 

The workshop is conveniently co-located with RAID and organised just before the main conference. The workshop will be practical and hands-on. Attendance will be limited to 45 researchers. Registration should be made through the RAID registration site by selecting the RAID+WOMBAT option.

By means of presentations, participants will learn what sources of 
information Wombat makes available to analysts, security experts and researchers. These sources include malware repositories and attack related databases such as those of Anubis, Symantec, HoneySpider, VirusTotal, Noah, SGNet, and several others. Moreover, participants will be allowed to get hands-on experience in an exciting tutorial session in which the participant uses a variety of sensors and databases to analyse different security incidents.

We believe that the availability of a large set of databases and a way to access all of them conveniently will be crucial for any security expert. By means of a simple API, WOMBAT allows users to do so in an intuitive manner, while allowing the data owners to keep control over exactly what data can be shared and how.

WOMBAT Origami

Tue, 17 Mar 2009 09:48:12 +0000

http://www.moocowfanclub.com/activities/crafts/origami/wombat

WOMBAT 2nd open workshop

Thu, 12 Mar 2009 09:39:52 +0000

The WOMBAT workshop will organize its second workshop in St Malo, France, September 22-23, 2009 noon-to-noon, just before RAID 2009. Attendance will be limited to 45 researchers. Additional information will be announced here.

WOMBAT derivatives

Thu, 05 Mar 2009 12:54:07 +0000

WOMBAT poo paper launch

Lecture at ZISC by Marc Dacier from Symantec

Tue, 20 Jan 2009 13:49:35 +0000

Marc Dacier from symantec has presented a one hour lecture at the ZISC Information Security colloquium (http://www.zisc.ethz.ch/events/infseccolloquium_FS2009) including pointers to WOMBAT.

In order to assure accuracy and realism of resilience assessment methods and tools, it is essential to have access to field data that are unbiased and representative. Several initiatives are taking place that offer access to malware samples for research purposes. Papers are published where techniques have been assessed thanks to these samples. Definition of benchmarking datasets is the next step ahead. In this presentation, we report on the lessons learned while collecting and analyzing malware samples in a large scale collaborative effort. Three different environments are described and their integration used to highlight the open issues that remain with such data collection. Three main lessons are offered to the reader. First, creation of representative malware samples datasets is probably an impossible task. Second, false negative alerts are not what we think they are. Third, false positive alerts exist where we were not used to see them. These three lessons have to be taken into account by those who want to assess the resilience of techniques with respect to malicious faults.

These are the results of a joint work carried out in the context of the European funded WOMBAT project, together with partners from Hispasec Systemas, EURECOM institute and Symantec Research Labs Europe (see http://wombat-project.eu/ for more on the WOMBAT project). Zurich_ZISC_presentation.pdf

WOMBAT presentation at the e-COPP conference

Tue, 25 Nov 2008 14:01:49 +0000

As part of his presentation at the e-COPP conference, P. Kijewski (NASK) will introduce the WOMBAT project.

WOMBAT paper accepted at NDSS2009

Tue, 25 Nov 2008 13:52:09 +0000

The following paper has been accepted at the Network and Distributed Systems Security (NDSS) 2009 conference:

Title: Scalable, Behavior-Based Malware Clustering
Authors:

Ulrich Bayer, TUV
Paolo Milani Comparetti, TUV
Clemens Hlauschek, TUV
Christopher Kruegel, UCSB
Engin Kirda, Eurecom

Anti-malware companies receive thousands of malware samples every day. To process this large quantity, a number of automated analysis tools were developed. These tools execute a malicious program in a controlled environment and produce reports that summarize the program's actions. Of course, the problem of analyzing the reports still remains. Recently, researchers have started to explore automated clustering techniques that help to identify samples that exhibit similar behavior. This allows an analyst to discard reports of samples that have been seen before, while focusing on novel, interesting threats. Unfortunately, previous techniques do not scale well and frequently fail to generalize the observed activity well enough to recognize related malware.

In this paper, we propose a scalable clustering approach to identify and group malware samples that exhibit similar behavior. For this, we first perform dynamic analysis to obtain the execution traces of malware programs. These execution traces are then generalized into behavioral profiles, which characterize the activity of a program in more abstract terms. The profiles serve as input to an efficient clustering algorithm that allows us to handle sample sets that are an order of magnitude larger than previous approaches. We have applied our system to real-world malware collections. The results demonstrate that our technique is able to recognize and group malware programs that behave similarly, achieving a better precision than previous approaches. To underline the scalability of the system, we clustered a set of more than 75 thousand samples in less than three hours.

WOMBAT Participation at the FIA Conference in Madrid, Dec. 2008

Tue, 25 Nov 2008 13:29:26 +0000

The WOMBAT proect will be represented at the Future Internet Assembly conference in Madrid, December 2008, by the following people:

Vincent Boutroux, France Télécom R&D/Orange Labs
Sotiris Ioannidis, FORTH (also representing FORWARD)
Philip Homburg, VU (Also representing FORWARD)
Paolo Milani Comparetti, TUV