Recently in Institut Eurecom Category

D24/D6.4 Second Open Workshop Proceedings

|
This is the deliverable for the second wombat open workshop, BADGERS, that took place within the EuroSys 2011 conference on April 10 in Salzburg (Austria). In this document we discuss the preparation of the second workshop, our expectations vs. feedback and impressions we collected by authors and attenders. Proceedings are included.


FP7-ICT-216026-Wombat_WP6_D24_V01_Second-Open-Workshop-Proceedings-BADGERS-2011.pdf

D23/D5.3 Early Warning System: Experimental report

|
A large part of Workpackage 5 concerns the Early Warning System functionality. This deliverable offers a report of the experiments carried out as part of the effort to create the Early Warning System. Several specialized alerting systems are presented, including FIRE, Exposure, BANOMAD and HoneyBuddy myIMhoneypot


FP7-ICT-216026-Wombat_WP5_D23_V01_Early-warning-system-experimental-report.pdf

D22/D5.2 Root Causes Analysis: Experimental Report

|
This deliverable offers an extensive report of all experiments carried out with respect to root cause analysis techniques. This final deliverable for Workpackage 5 (Threats Intelligence ) builds upon D12 (D5.1 - Technical Survey on Root Cause Analysis) and benefits from the modifications made to the various software modules developed in WP4, following up the experimental feedback.
The R&D efforts carried out in WP5 with respect to root cause analysis have produced a novel framework for attack attribution called triage. This framework has been successfully applied to various wombat datasets to perform intelligence analyses by taking advantage of several structural and contextual features of the data sets developed by the different partners. These experiments enabled us to get insights into the underlying root phenomena that have likely caused many security events observed by sensors deployed by wombat partners.
In this deliverable, we provide an in-depth description of experimental results obtained with triage, in particular with respect to (i) the analysis of Rogue AV campaigns (based on  HARMUR data), and (ii) the analysis of different malware variants attributed to the Allaple malware family (based on data from SGNET, VirusTotal and Anubis).
Finally, we describe another experiment performed on a large spam data set obtained from Symantec.Cloud (formerly MessageLabs), for which triage was successfully used to analyze spam botnets and their ecosystem, i.e., how those botnets are used by spammers to organize and coordinate their spam campaigns. Thanks to this application, we are considering a possible technology transfer of triage to Symantec.Cloud, who is interested in carrying out regular intelligence analyses of their spam data sets, and may ralso consider the integration of triage to their Skeptic ○ spam filtering technology.



FP7-ICT-216026-Wombat_WP5_D22_V01_Root-Cause-Analysis-Experimental-report.pdf

D21/D4.7 Consolidated report with evaluation results

|
This is the final deliverable for Workpackage 4 within the wombat project. In this document we discuss the final extensions and improvements to our data collection and analysis techniques that were implemented as part of wombat. Furthermore, we present some additional results obtained from the analysis of data collected within wombat.


FP7-ICT-216026-Wombat_WP4_D21_V01_Consolidated-reports-with-evaluation-results.pdf

The Wombat API (WAPI) is now available on sourceforge

|

WAPI, or WOMBAT API, is a SOAP-based API built in the context of the project to facilitate the remote access and exploration of security-related datasets.

The package contains all the essential code to start using the WAPI. The WAPI represents an attempt to tackle two main challenges for security data providers:

- Many of the data access primitives are not easily scriptable. Many data sources provide web-based interfaces that, while easily accessible by human operators, are not convenient for automated analysis.

- The interfaces for security datasets are very diverse in structure and methodology. The analyst who wants to take advantage of multiple data sources to perform correlations among them is thus forced to implement ad-hoc plugins and parsers for each data feed. This process is not necessarily a simple task, and requires the analyst to fully understand, for example, the schema of the SQL database provided by the data owner.



You can find the package on sourceforge : http://sourceforge.net/projects/wombat-api/


More information and details on WAPI are available in the deliverable D10/D6.3.

Wombat Deliverable D18/D4.6 Final description of contextual features

|
The objective of Workpackage 4 is to develop techniques to characterize the malicious
code that is collected in the previous workpackage. The main idea is to enrich the
collected code thanks to metadata that might reveal insights into the origin of the code
and the intentions of those that created, released or used it.
This deliverable is an extension of D15 (D4.5), and provides a final description of the
contextual features collected within the wombat consortium. Furthermore, it presents
initial results, statistics, and insights obtained by analyzing the collected contextual
features.

FP7-ICT-216026-Wombat_WP4-D18_V01_Final-Contextual-features.pdf

Wombat Deliverable D12/D5.1 Root Causes Analysis

|
This deliverable aims at giving an overview of existing techniques for root cause analysis, and provides some preliminary results with respect to the root cause analysis work performed in the project so far. The deliverable is mainly made up of 6 published peer-reviewed papers and one technical report that has reached a wide-audience.

FP7-ICT-216026-Wombat_WP5_D12_V01_RCA-Technical-survey.pdf

WOMBAT paper accepted at NDSS2009

|
The following paper has been accepted at the Network and Distributed Systems Security (NDSS) 2009 conference:

Title: Scalable, Behavior-Based Malware Clustering
Authors:
  • Ulrich Bayer, TUV
  • Paolo Milani Comparetti, TUV
  • Clemens Hlauschek, TUV
  • Christopher Kruegel, UCSB
  • Engin Kirda, Eurecom

Anti-malware companies receive thousands of malware samples every day. To process this large quantity, a number of automated analysis tools were developed. These tools execute a malicious program in a controlled environment and produce reports that summarize the program's actions. Of course, the problem of analyzing the reports still remains. Recently, researchers have started to explore automated clustering techniques that help to identify samples that exhibit similar behavior. This allows an analyst to discard reports of samples that have been seen before, while focusing on novel, interesting threats. Unfortunately, previous techniques do not scale well and frequently fail to generalize the observed activity well enough to recognize related malware.

In this paper, we propose a scalable clustering approach to identify and group malware samples that exhibit similar behavior. For this, we first perform dynamic analysis to obtain the execution traces of malware programs. These execution traces are then generalized into behavioral profiles, which characterize the activity of a program in more abstract terms. The profiles serve as input to an efficient clustering algorithm that allows us to handle sample sets that are an order of magnitude larger than previous approaches. We have applied our system to real-world malware collections. The results demonstrate that our technique is able to recognize and group malware programs that behave similarly, achieving a better precision than previous approaches. To underline the scalability of the system, we clustered a set of more than 75 thousand samples in less than three hours.

PhD Defense of Corrado Leita

|
M. Corrado LEITA will publicly defend his UNS Doctoral Thesis 
on Thursday, December 4th 2008 at 2:00 pm, in the Amphitheater MARCONI at EURECOM.

Topic of the Thesis:

"SGNET: automated protocol learning for the observation of malicious threats"

Jury members :

  • Marc DACIER (Symantec)
  • Vern PAXSON (ICSI)
  • Hervé DEBAR (France Télécom R&D/Orange Labs)
  • Engin KIRDA (Eurecom)
  • Christopher KRUEGEL (UCSB)
  • Mohamed KAANICHE (LAAS CNRS)
  • Sotiris IOANNIDIS (FORTH)

One of the main prerequisites for the development of reliable defenses to protect a network resource consists in the collection of quantitative data on  Internet threats. This attempt to "know your enemy" leads to an increasing interest in the collection and exploitation of datasets providing intelligence on network attacks. The creation of these datasets is a very challenging task. The challenge derives from the need to cope with the spatial and quantitative diversity of malicious activities. The observations need to be performed on a broad perspective, since the activities are not uniformly distributed over the IP space. At the same time, the data collectors need to be sophisticated enough to extract a sufficient amount of information on each activity and perform meaningful inferences. How to combine the simultaneous need to deploy a vast number of data collectors with the need of sophistication required to make meaningful observations? This work addresses this challenge by proposing a protocol learning technique based on bioinformatics algorithms. The proposed technique allows to automatically generate low-cost protocol responders starting from a set of samples of network interaction. Its characteristics are exploited in a distributed honeypot deployment that collected information on Internet attacks for a period of 8 months in 23 different networks distributed all over the world (Europe, Australia, United States). This information is organized in a central dataset enriched with contextual information from a number of sources and analysis tools. Simple data mining techniques proposed in this work allow the generation of a valuable overview on the propagation techniques employed by nowadays malware.