Recently in WP6-Dissemination Category

D24/D6.4 Second Open Workshop Proceedings

This is the deliverable for the second wombat open workshop, BADGERS, that took place within the EuroSys 2011 conference on April 10 in Salzburg (Austria). In this document we discuss the preparation of the second workshop, our expectations vs. feedback and impressions we collected by authors and attenders. Proceedings are included.


The Wombat API (WAPI) is now available on sourceforge


WAPI, or WOMBAT API, is a SOAP-based API built in the context of the project to facilitate the remote access and exploration of security-related datasets.

The package contains all the essential code to start using the WAPI. The WAPI represents an attempt to tackle two main challenges for security data providers:

- Many of the data access primitives are not easily scriptable. Many data sources provide web-based interfaces that, while easily accessible by human operators, are not convenient for automated analysis.

- The interfaces for security datasets are very diverse in structure and methodology. The analyst who wants to take advantage of multiple data sources to perform correlations among them is thus forced to implement ad-hoc plugins and parsers for each data feed. This process is not necessarily a simple task, and requires the analyst to fully understand, for example, the schema of the SQL database provided by the data owner.

You can find the package on sourceforge :

More information and details on WAPI are available in the deliverable D10/D6.3.

WOMBAT second open workshop proceedings

This volume collects the proceedings of the second WOMBAT Project Workshop,held on April 10 in Salzburg.


Wombat Deliverable D10/D6.3 First WOMBAT open workshop proceedings

This volume collects the presentations and handouts of the first WOMBAT open Workshop,held on September 22-23, 2009 in St. Malo. This year's workshop focuses on the introduction of early results of the project, and in particular on the Wombat APIs or WAPI, a set of API developed by the project partners to allow integrated access to different attack dataset.
The aim of the workshop was to give participants a first-hand experience on how the WAPIs
help the analyst and the researcher in investigating new phenomena. The demos and presentations were prepared thanks to the collective effort of the project partners: France Telecom, Hispasec, Politecnico di Milano, Technical University of Vienna, Institut
Eurecom, FORTH-ICS, Symantec Corporation, Vrije Universiteit Amsterdam, Institute for Infocomm Research, NASK.


WOMBAT first open workshop programme

The program of the first WOMBAT open workshop is now available.

September 22nd:

  • 12:00-14:00: Registration and lunch
  • 14.00-14.10: Official welcome and introduction (H. Debar)
  • 14.10-14.40: "Introduction to the WOMBAT datasets" (M. Dacier)
  • 14.45-15.15: "The WOMBAT WAPI: idea, implementation and use" (C. Leita)
  • 15.15-16.00: "The SHELIA and HNS client honeypot datasets" (H. Bos; P. Kijewski)
  • 16.00-16.15: Coffee Break and preparation for the demos
  • 16.15-18.30: Demos
  • Adjourn

September 23rd

  • 9.00-9.30:"Clustering malware with ANUBIS and SGNET and interaction with the WAPI" (P. M. Comparetti)
  • 9.30-12.30: Demos with coffee break
  • 12.30: lunch, closing of the workshop

The registration for the WOMBAT workshop can be done on the RAID+ESORICS registration page. If you wish to register for the workshop alone, you should use the RAID+WOMBAT registration and mention it in the comments. The registration fee for the workshop alone is 50 Euros.

WOMBAT first open workshop

The WOMBAT consortium will organise its first open workshop in St 
Malo, France, on September 22-23 (from Tuesday 12:00 - Wednesday 12:00).

The workshop is conveniently co-located with RAID and organised just before the main conference. The workshop will be practical and hands-on. Attendance will be limited to 45 researchers. Registration should be made through the RAID registration site by selecting the RAID+WOMBAT option.

By means of presentations, participants will learn what sources of
information Wombat makes available to analysts, security experts and researchers. These sources include malware repositories and attack related databases such as those of Anubis, Symantec, HoneySpider, VirusTotal, Noah, SGNet, and several others. Moreover, participants will be allowed to get hands-on experience in an exciting tutorial session in which the participant uses a variety of sensors and databases to analyse different security incidents.

We believe that the availability of a large set of databases and a way to access all of them conveniently will be crucial for any security expert. By means of a simple API, WOMBAT allows users to do so in an intuitive manner, while allowing the data owners to keep control over exactly what data can be shared and how.

WOMBAT first open workshop

The WOMBAT project will organize its first open workshop in St Malo, France, September 22-23, 2009 noon-to-noon, just before RAID 2009. Attendance will be limited to 45 researchers. Additional information will be announced here.

Lecture at ZISC by Marc Dacier from Symantec

Marc Dacier from symantec has presented a one hour lecture at the ZISC Information Security colloquium ( including pointers to WOMBAT.

In order to assure accuracy and realism of resilience assessment methods and tools, it is essential to have access to field data that are unbiased and representative. Several initiatives are taking place that offer access to malware samples for research purposes. Papers are published where techniques have been assessed thanks to these samples. Definition of benchmarking datasets is the next step ahead. In this presentation, we report on the lessons learned while collecting and analyzing malware samples in a large scale collaborative effort. Three different environments are described and their integration used to highlight the open issues that remain with such data collection. Three main lessons are offered to the reader. First, creation of representative malware samples datasets is probably an impossible task. Second, false negative alerts are not what we think they are. Third, false positive alerts exist where we were not used to see them. These three lessons have to be taken into account by those who want to assess the resilience of techniques with respect to malicious faults.

These are the results of a joint work carried out in the context of the European funded WOMBAT project, together with partners from Hispasec Systemas, EURECOM institute and Symantec Research Labs Europe (see for more on the WOMBAT project). Zurich_ZISC_presentation.pdf

WOMBAT presentation at the e-COPP conference

As part of his presentation at the e-COPP conference, P. Kijewski (NASK) will introduce the WOMBAT project.

WOMBAT paper accepted at NDSS2009

The following paper has been accepted at the Network and Distributed Systems Security (NDSS) 2009 conference:

Title: Scalable, Behavior-Based Malware Clustering
  • Ulrich Bayer, TUV
  • Paolo Milani Comparetti, TUV
  • Clemens Hlauschek, TUV
  • Christopher Kruegel, UCSB
  • Engin Kirda, Eurecom

Anti-malware companies receive thousands of malware samples every day. To process this large quantity, a number of automated analysis tools were developed. These tools execute a malicious program in a controlled environment and produce reports that summarize the program's actions. Of course, the problem of analyzing the reports still remains. Recently, researchers have started to explore automated clustering techniques that help to identify samples that exhibit similar behavior. This allows an analyst to discard reports of samples that have been seen before, while focusing on novel, interesting threats. Unfortunately, previous techniques do not scale well and frequently fail to generalize the observed activity well enough to recognize related malware.

In this paper, we propose a scalable clustering approach to identify and group malware samples that exhibit similar behavior. For this, we first perform dynamic analysis to obtain the execution traces of malware programs. These execution traces are then generalized into behavioral profiles, which characterize the activity of a program in more abstract terms. The profiles serve as input to an efficient clustering algorithm that allows us to handle sample sets that are an order of magnitude larger than previous approaches. We have applied our system to real-world malware collections. The results demonstrate that our technique is able to recognize and group malware programs that behave similarly, achieving a better precision than previous approaches. To underline the scalability of the system, we clustered a set of more than 75 thousand samples in less than three hours.

About this Archive

This page is a archive of recent entries in the WP6-Dissemination category.

WP5-Threat Intelligence. is the previous category.

Find recent content on the main index or look in the archives to find all content.