Recently in Deliverables Category

D24/D6.4 Second Open Workshop Proceedings

This is the deliverable for the second wombat open workshop, BADGERS, that took place within the EuroSys 2011 conference on April 10 in Salzburg (Austria). In this document we discuss the preparation of the second workshop, our expectations vs. feedback and impressions we collected by authors and attenders. Proceedings are included.


D23/D5.3 Early Warning System: Experimental report

A large part of Workpackage 5 concerns the Early Warning System functionality. This deliverable offers a report of the experiments carried out as part of the effort to create the Early Warning System. Several specialized alerting systems are presented, including FIRE, Exposure, BANOMAD and HoneyBuddy myIMhoneypot


D22/D5.2 Root Causes Analysis: Experimental Report

This deliverable offers an extensive report of all experiments carried out with respect to root cause analysis techniques. This final deliverable for Workpackage 5 (Threats Intelligence ) builds upon D12 (D5.1 - Technical Survey on Root Cause Analysis) and benefits from the modifications made to the various software modules developed in WP4, following up the experimental feedback.
The R&D efforts carried out in WP5 with respect to root cause analysis have produced a novel framework for attack attribution called triage. This framework has been successfully applied to various wombat datasets to perform intelligence analyses by taking advantage of several structural and contextual features of the data sets developed by the different partners. These experiments enabled us to get insights into the underlying root phenomena that have likely caused many security events observed by sensors deployed by wombat partners.
In this deliverable, we provide an in-depth description of experimental results obtained with triage, in particular with respect to (i) the analysis of Rogue AV campaigns (based on  HARMUR data), and (ii) the analysis of different malware variants attributed to the Allaple malware family (based on data from SGNET, VirusTotal and Anubis).
Finally, we describe another experiment performed on a large spam data set obtained from Symantec.Cloud (formerly MessageLabs), for which triage was successfully used to analyze spam botnets and their ecosystem, i.e., how those botnets are used by spammers to organize and coordinate their spam campaigns. Thanks to this application, we are considering a possible technology transfer of triage to Symantec.Cloud, who is interested in carrying out regular intelligence analyses of their spam data sets, and may ralso consider the integration of triage to their Skeptic ○ spam filtering technology.


D21/D4.7 Consolidated report with evaluation results

This is the final deliverable for Workpackage 4 within the wombat project. In this document we discuss the final extensions and improvements to our data collection and analysis techniques that were implemented as part of wombat. Furthermore, we present some additional results obtained from the analysis of data collected within wombat.


Wombat Deliverable D18/D4.6 Final description of contextual features

The objective of Workpackage 4 is to develop techniques to characterize the malicious
code that is collected in the previous workpackage. The main idea is to enrich the
collected code thanks to metadata that might reveal insights into the origin of the code
and the intentions of those that created, released or used it.
This deliverable is an extension of D15 (D4.5), and provides a final description of the
contextual features collected within the wombat consortium. Furthermore, it presents
initial results, statistics, and insights obtained by analyzing the collected contextual

This deliverable is a final report on the experimental results obtained by using structural
features to characterize executable code. It discusses and evaluates a number of tech-
niques, based on these features, that have been developed in the context of the wombat
project, and aim to provide a deeper understanding of malicious code and of the relations
between malicious code samples.

Wombat Deliverable D16/D4.2 Analysis Report of Behavioral Features

This deliverable provides a discussion of the features used to characterize the behavior
of code, and a discussion of preliminary results of applying these features to a set of
malicious code. It discusses the project's results in behavior-based clustering, malware
detection at end hosts in different ways, system call analysis, but also our work on
shellcode behavior.


Wombat Deliverable D15/D4.5 Intermediate Report on Contextual Features

The objective of this Workpackage 4 is to develop techniques to characterize the malicious code that is collected in the previous workpackage. The main idea is to enrich the collected code thanks to metadata that might reveal insights into the origin of the code and the intentions of those that created, released or used it. This deliverable provides a preliminary discussion of possible contextual features of malware, and for each feature, an estimate on its effectiveness and the difficulty to obtain it. Some of these features can be used to analyze potential threats and discriminate collected samples that are mere variations of already known threats.


Wombat Deliverable D13/D3.3 Sensor Deployment

This deliverable reports the deployment of all types of sensors implemented in the WOMBAT project and includes descriptions of experiences with the sensors from several months of deployment and experimentation. The sensors that are deployed are the SGNET, HARMUR, Shelia, Paranoid Android, HoneySpider Network, Bluebat and NoAH. The early experiences show that the WOMBAT Project is fulfilling our preliminary expectations about having powerful tools for collecting data. These data are useful for categorizing attackers and malware behaviors. Moreover our experiments reveal that the sensors can cooperate with each other, enriching in this way the information offered for analysis.


Wombat Deliverable D12/D5.1 Root Causes Analysis

This deliverable aims at giving an overview of existing techniques for root cause analysis, and provides some preliminary results with respect to the root cause analysis work performed in the project so far. The deliverable is mainly made up of 6 published peer-reviewed papers and one technical report that has reached a wide-audience.