Recently in WP6-Dissemination Category

This volume collects the presentations and handouts of the 2nd WOMBAT Project Workshop,held on September 22-23, 2009 in St. Malo. This year's workshop focuses on the introduction of early results of the project, and in particular on the Wombat APIs or WAPI, a set of API developed by the project partners to allow integrated access to different attack dataset.
The aim of the workshop was to give participants a first-hand experience on how the WAPIs
help the analyst and the researcher in investigating new phenomena. The demos and presentations were prepared thanks to the collective effort of the project partners: France Telecom, Hispasec, Politecnico di Milano, Technical University of Vienna, Institut
Eurecom, FORTH-ICS, Symantec Corporation, Vrije Universiteit Amsterdam, Institute for Infocomm Research, NASK.

FP7-ICT-216026-Wombat_WP6_D10_V01_2nd-Wombat-Proceedings-St-Malo.pdf

The program of the 2nd WOMBAT workshop is now available.

September 22nd:

• 12:00-14:00: Registration and lunch
• 14.00-14.10: Official welcome and introduction (H. Debar)
• 14.10-14.40: "Introduction to the WOMBAT datasets" (M. Dacier)
• 14.45-15.15: "The WOMBAT WAPI: idea, implementation and use" (C. Leita)
• 15.15-16.00: "The SHELIA and HNS client honeypot datasets" (H. Bos; P. Kijewski)
• 16.00-16.15: Coffee Break and preparation for the demos
• 16.15-18.30: Demos
• Adjourn

September 23rd

• 9.00-9.30:"Clustering malware with ANUBIS and SGNET and interaction with the WAPI" (P. M. Comparetti)
• 9.30-12.30: Demos with coffee break
• 12.30: lunch, closing of the workshop

The registration for the WOMBAT workshop can be done on the RAID+ESORICS registration page. If you wish to register for the workshop alone, you should use the RAID+WOMBAT registration and mention it in the comments. The registration fee for the workshop alone is 50 Euros.

The WOMBAT consortium will organise its second open workshop in St 
Malo, France, on September 22-23 (from Tuesday 12:00 - Wednesday 12:00). 

The workshop is conveniently co-located with RAID and organised just before the main conference. The workshop will be practical and hands-on. Attendance will be limited to 45 researchers. Registration should be made through the RAID registration site by selecting the RAID+WOMBAT option.

By means of presentations, participants will learn what sources of 
information Wombat makes available to analysts, security experts and researchers. These sources include malware repositories and attack related databases such as those of Anubis, Symantec, HoneySpider, VirusTotal, Noah, SGNet, and several others. Moreover, participants will be allowed to get hands-on experience in an exciting tutorial session in which the participant uses a variety of sensors and databases to analyse different security incidents.

We believe that the availability of a large set of databases and a way to access all of them conveniently will be crucial for any security expert. By means of a simple API, WOMBAT allows users to do so in an intuitive manner, while allowing the data owners to keep control over exactly what data can be shared and how.

The WOMBAT workshop will organize its second workshop in St Malo, France, September 22-23, 2009 noon-to-noon, just before RAID 2009. Attendance will be limited to 45 researchers. Additional information will be announced here.

Marc Dacier from symantec has presented a one hour lecture at the ZISC Information Security colloquium (http://www.zisc.ethz.ch/events/infseccolloquium_FS2009) including pointers to WOMBAT.

In order to assure accuracy and realism of resilience assessment methods and tools, it is essential to have access to field data that are unbiased and representative. Several initiatives are taking place that offer access to malware samples for research purposes. Papers are published where techniques have been assessed thanks to these samples. Definition of benchmarking datasets is the next step ahead. In this presentation, we report on the lessons learned while collecting and analyzing malware samples in a large scale collaborative effort. Three different environments are described and their integration used to highlight the open issues that remain with such data collection. Three main lessons are offered to the reader. First, creation of representative malware samples datasets is probably an impossible task. Second, false negative alerts are not what we think they are. Third, false positive alerts exist where we were not used to see them. These three lessons have to be taken into account by those who want to assess the resilience of techniques with respect to malicious faults.

These are the results of a joint work carried out in the context of the European funded WOMBAT project, together with partners from Hispasec Systemas, EURECOM institute and Symantec Research Labs Europe (see http://wombat-project.eu/ for more on the WOMBAT project). Zurich_ZISC_presentation.pdf

As part of his presentation at the e-COPP conference, P. Kijewski (NASK) will introduce the WOMBAT project.

The following paper has been accepted at the Network and Distributed Systems Security (NDSS) 2009 conference:

Title: Scalable, Behavior-Based Malware Clustering
Authors:

• Ulrich Bayer, TUV
• Paolo Milani Comparetti, TUV
• Clemens Hlauschek, TUV
• Christopher Kruegel, UCSB
• Engin Kirda, Eurecom

Anti-malware companies receive thousands of malware samples every day. To process this large quantity, a number of automated analysis tools were developed. These tools execute a malicious program in a controlled environment and produce reports that summarize the program's actions. Of course, the problem of analyzing the reports still remains. Recently, researchers have started to explore automated clustering techniques that help to identify samples that exhibit similar behavior. This allows an analyst to discard reports of samples that have been seen before, while focusing on novel, interesting threats. Unfortunately, previous techniques do not scale well and frequently fail to generalize the observed activity well enough to recognize related malware.

In this paper, we propose a scalable clustering approach to identify and group malware samples that exhibit similar behavior. For this, we first perform dynamic analysis to obtain the execution traces of malware programs. These execution traces are then generalized into behavioral profiles, which characterize the activity of a program in more abstract terms. The profiles serve as input to an efficient clustering algorithm that allows us to handle sample sets that are an order of magnitude larger than previous approaches. We have applied our system to real-world malware collections. The results demonstrate that our technique is able to recognize and group malware programs that behave similarly, achieving a better precision than previous approaches. To underline the scalability of the system, we clustered a set of more than 75 thousand samples in less than three hours.

The WOMBAT proect will be represented at the Future Internet Assembly conference in Madrid, December 2008, by the following people:

• Vincent Boutroux, France Télécom R&D/Orange Labs
• Sotiris Ioannidis, FORTH (also representing FORWARD)
• Philip Homburg, VU (Also representing FORWARD)
• Paolo Milani Comparetti, TUV

The WOMBAT project will be represented by the following people at the ICT 2008 Conference:

• Vincent Boutroux, France Télécom R&D/Orange Labs
• Marc Dacier, Symantec
  

Hervé Debar participates in working group 1 of the Think-Trust project.