February 2010 Archives

Wombat Deliverable D15/D4.5 Intermediate Report on Contextual Features

The objective of this Workpackage 4 is to develop techniques to characterize the malicious code that is collected in the previous workpackage. The main idea is to enrich the collected code thanks to metadata that might reveal insights into the origin of the code and the intentions of those that created, released or used it. This deliverable provides a preliminary discussion of possible contextual features of malware, and for each feature, an estimate on its effectiveness and the difficulty to obtain it. Some of these features can be used to analyze potential threats and discriminate collected samples that are mere variations of already known threats.


Wombat Deliverable D13/D3.3 Sensor Deployment

This deliverable reports the deployment of all types of sensors implemented in the WOMBAT project and includes descriptions of experiences with the sensors from several months of deployment and experimentation. The sensors that are deployed are the SGNET, HARMUR, Shelia, Paranoid Android, HoneySpider Network, Bluebat and NoAH. The early experiences show that the WOMBAT Project is fulfilling our preliminary expectations about having powerful tools for collecting data. These data are useful for categorizing attackers and malware behaviors. Moreover our experiments reveal that the sensors can cooperate with each other, enriching in this way the information offered for analysis.


Wombat Deliverable D12/D5.1 Root Causes Analysis

This deliverable aims at giving an overview of existing techniques for root cause analysis, and provides some preliminary results with respect to the root cause analysis work performed in the project so far. The deliverable is mainly made up of 6 published peer-reviewed papers and one technical report that has reached a wide-audience.

This deliverable provides a preliminary discussion of structural features that can be used to characterize executable code. Furthermore, it discusses a number of techniques, based on these features, that are being developed in the context of the wombat project, and aim to provide a deeper understanding of malicious code and of the relations between malicious code samples.


Wombat Deliverable D10/D6.3 First WOMBAT open workshop proceedings

This volume collects the presentations and handouts of the first WOMBAT open Workshop,held on September 22-23, 2009 in St. Malo. This year's workshop focuses on the introduction of early results of the project, and in particular on the Wombat APIs or WAPI, a set of API developed by the project partners to allow integrated access to different attack dataset.
The aim of the workshop was to give participants a first-hand experience on how the WAPIs
help the analyst and the researcher in investigating new phenomena. The demos and presentations were prepared thanks to the collective effort of the project partners: France Telecom, Hispasec, Politecnico di Milano, Technical University of Vienna, Institut
Eurecom, FORTH-ICS, Symantec Corporation, Vrije Universiteit Amsterdam, Institute for Infocomm Research, NASK.


WOMBAT Deliverable D08/D4.1 Specification language for code behavior

This document provides a specification language to describe the behavior of code. Consistently with the requirements for an extensible, layered architecture for the behavioral analysis of malware, four different languages are defined, ranging from a complete, low-level description of the code's behavior to a high-level analysis report that is suitable for a human analyst. Furthermore, current approaches to behavioral malware analysis and detection within the wombat project are discussed, most of which already take advantage (or can be extended to take advantage) of the provided specification language.