Recently in France Télécom R&D-Orange Labs Category

This is the deliverable for the second wombat open workshop, BADGERS, that took place within the EuroSys 2011 conference on April 10 in Salzburg (Austria). In this document we discuss the preparation of the second workshop, our expectations vs. feedback and impressions we collected by authors and attenders. Proceedings are included.


FP7-ICT-216026-Wombat_WP6_D24_V01_Second-Open-Workshop-Proceedings-BADGERS-2011.pdf

This is the final deliverable for Workpackage 4 within the wombat project. In this document we discuss the final extensions and improvements to our data collection and analysis techniques that were implemented as part of wombat. Furthermore, we present some additional results obtained from the analysis of data collected within wombat.


FP7-ICT-216026-Wombat_WP4_D21_V01_Consolidated-reports-with-evaluation-results.pdf

WAPI, or WOMBAT API, is a SOAP-based API built in the context of the project to facilitate the remote access and exploration of security-related datasets.

The package contains all the essential code to start using the WAPI. The WAPI represents an attempt to tackle two main challenges for security data providers:

- Many of the data access primitives are not easily scriptable. Many data sources provide web-based interfaces that, while easily accessible by human operators, are not convenient for automated analysis.

- The interfaces for security datasets are very diverse in structure and methodology. The analyst who wants to take advantage of multiple data sources to perform correlations among them is thus forced to implement ad-hoc plugins and parsers for each data feed. This process is not necessarily a simple task, and requires the analyst to fully understand, for example, the schema of the SQL database provided by the data owner.



You can find the package on sourceforge : https://sourceforge.net/projects/wombat-api/


More information and details on WAPI are available in the deliverable D10/D6.3.

The WOMBAT proect will be represented at the Future Internet Assembly conference in Madrid, December 2008, by the following people:

• Vincent Boutroux, France Télécom R&D/Orange Labs
• Sotiris Ioannidis, FORTH (also representing FORWARD)
• Philip Homburg, VU (Also representing FORWARD)
• Paolo Milani Comparetti, TUV

The WOMBAT project will be represented by the following people at the ICT 2008 Conference:

• Vincent Boutroux, France Télécom R&D/Orange Labs
• Marc Dacier, Symantec
  

Hervé Debar participates in working group 1 of the Think-Trust project.

The WOMBAT project was represented by Hervé Debar at the SEC 2008 Conference in Paris, September 2008. 

M. Corrado LEITA will publicly defend his UNS Doctoral Thesis 
on Thursday, December 4th 2008 at 2:00 pm, in the Amphitheater MARCONI at EURECOM.

Topic of the Thesis:

"SGNET: automated protocol learning for the observation of malicious threats"

Jury members :

• Marc DACIER (Symantec)
• Vern PAXSON (ICSI)
• Hervé DEBAR (France Télécom R&D/Orange Labs)
• Engin KIRDA (Eurecom)
• Christopher KRUEGEL (UCSB)
• Mohamed KAANICHE (LAAS CNRS)
• Sotiris IOANNIDIS (FORTH)

One of the main prerequisites for the development of reliable defenses to protect a network resource consists in the collection of quantitative data on  Internet threats. This attempt to "know your enemy" leads to an increasing interest in the collection and exploitation of datasets providing intelligence on network attacks. The creation of these datasets is a very challenging task. The challenge derives from the need to cope with the spatial and quantitative diversity of malicious activities. The observations need to be performed on a broad perspective, since the activities are not uniformly distributed over the IP space. At the same time, the data collectors need to be sophisticated enough to extract a sufficient amount of information on each activity and perform meaningful inferences. How to combine the simultaneous need to deploy a vast number of data collectors with the need of sophistication required to make meaningful observations? This work addresses this challenge by proposing a protocol learning technique based on bioinformatics algorithms. The proposed technique allows to automatically generate low-cost protocol responders starting from a set of samples of network interaction. Its characteristics are exploited in a distributed honeypot deployment that collected information on Internet attacks for a period of 8 months in 23 different networks distributed all over the world (Europe, Australia, United States). This information is organized in a central dataset enriched with contextual information from a number of sources and analysis tools. Simple data mining techniques proposed in this work allow the generation of a valuable overview on the propagation techniques employed by nowadays malware.

Partner description
France Télécom R&D is the corporate research and development arm of France Télécom, in charge of specifying, implementing and testing advanced services for the company. The group involved in the project is the Network and Services Security (NSS) laboratory of the Middleware and Advanced Platforms (MAPS) research and development center. The NSS laboratory is 65 people strong and covers all areas of research and development in information systems security. Beyond security engineering, the laboratory has a strong focus on research, funding more than 12 man-years on research issues, hosting 10 PhD students and managing external research contracts with leading French research institutions such as Supélec or the Groupement des Ecoles de Telecommunications (GET). The laboratory also contributes to several European projects, such as Ecrypt (NoE), Artist (NoE), Resist (NoE), Diadem (STREP) and Daidalos (IP).
Partner specific involvement in the wombat project
France Télécom R&D is the project coordinator; it has exhaustive experience in handling collaborative research projects at the European level. Furthermore, France Télécom R&D has significant research contributions in the project related to malware collection and analysis. As a participant to several honeypot alliances and an operator of specific wireless honeypot technologies, France Télécom will produce scientific research results for the project. As an industrial partner, France Télécom wishes to exploit the project results during the development of the Livebox^TM home or SME Internet gateway, and the hardening of its networking infrastructure. In WP3, France Télécom will contribute alternative honeypot technologies, related to wireless networks and to clientside honeypots. In WP4, France Télécom will develop new malware models using grammars to describe their behavior, and will use these grammars in WP5 to evaluate the detection capabilities of the tools we have in place for detecting malware propagation.