Assessing Cybercrime Through the Eyes of the WOMBAT

  • Marc Dacier
  • Corrado Leita
  • Olivier Thonnard
  • Hau Van Pham
  • Engin Kirda
Part of the Advances in Information Security book series (ADIS, volume 46)


The WOMBAT project is a collaborative European funded research project that aims at providing new means to understand the existing and emerging threats that are targeting the Internet economy and the net citizens. The approach carried out by the partners include a data collection effort as well as some sophisticated analysis techniques. In this chapter, we present one of the threats-related data collection system in use by the project, as well as some of the early results obtained when digging into these data sets.


Virtual Machine Attack Event Attack Process Sample Factory Attack Cluster 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    ALMODE Security. Home page of disco at at
  2. 2.
    P. Baecher, M. Koetter, T. Holz, M. Dornseif, and F. Freiling. The Nepenthes Platform: An Efficient Approach to Collect Malware. Proceedings of the 9th International Symposium on Recent Advances in Intrusion Detection (RAID), September 2006.Google Scholar
  3. 3.
    U. Bayer, C. Kruegel, and E. Kirda. TTAnalyze: A Tool for Analyzing Malware. PhD thesis, Master’s Thesis, Technical University of Vienna, 2005.Google Scholar
  4. 4.
    I. Bomze, M. Budinich, P. Pardalos, and M. Pelillo. The maximum clique problem. In Handbook of Combinatorial Optimization, volume 4. Kluwer Academic Publishers, Boston, MA, 1999.Google Scholar
  5. 5.
    F. M. C. R. Center. Web security trends report q1/2008,, sep 2008.
  6. 6.
    CERT. Advisory CA-2003-20 W32/ Blaster worm, August 2003.Google Scholar
  7. 7.
    Z. Chen, L. Gao, and K. Kwiat. Modeling the spread of active worms. In Proceedings of IEEE INFOCOM, 2003.Google Scholar
  8. 8.
    M. P. Collins, T. J. Shimeall, S. Faber, J. Janies, R. Weaver, M. D. Shon, and J. Kadane. Using uncleanliness to predict future botnet addresses. In IMC ’07: Proceedings of the 7th ACM SIGCOMM conference on Internet measurement, pages 93–104, New York, NY, USA, 2007. ACM.Google Scholar
  9. 9.
    E. Cooke, M. Bailey, Z. M. Mao, D. Watson, F. Jahanian, and D. McPherson. Toward understanding distributed blackhole placement. In WORM ’04: Proceedings of the 2004 ACM workshop on Rapid malcode, pages 54–64, New York, NY, USA, 2004. ACM Press.Google Scholar
  10. 10.
    J. Crandall, S. Wu, and F. Chong. Experiences using Minos as a tool for capturing and analyzing novel worms for unknown vulnerabilities. Proceedings of GI SIG SIDAR Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), 2005.Google Scholar
  11. 11.
    M. Dacier, F. Pouget, and H. Debar. Attack processes found on the internet. In NATO Symposium IST-041/RSY-013, Toulouse, France, April 2004.Google Scholar
  12. 12.
    M. Dacier, F. Pouget, and H. Debar. Honeypots, a practical mean to validate malicious fault assumptions. In Proceedings of the 10th Pacific Ream Dependable Computing Conference (PRDC04), Tahiti, February 2004.Google Scholar
  13. 13.
    M. Dacier, F. Pouget, and H. Debar. On the advantages of deploying a large scale distributed honeypot platform. In Proceedings of the E-Crime and Computer Conference 2005 (ECCE’05), Monaco, March 2005.Google Scholar
  14. 14.
    DShield. Distributed Intrusion Detection System,, 2007.
  15. 15.
    F-Secure. Malware information pages: Allaple.a,, December 2006.
  16. 16.
    A. Jain and R. Dubes. Algorithms for Clustering Data. Prentice-Hall advanced reference series, 1988.Google Scholar
  17. 17.
    C. Leita and M. Dacier. Sgnet: a worldwide deployable framework to support the analysis of malware threat models. In Proceedings of the 7th European Dependable Computing Conference (EDCC 2008), May 2008.Google Scholar
  18. 18.
    C. Leita and M. Dacier. SGNET: Implementation Insights. In IEEE/IFIP Network Operations and Management Symposium, April 2008.Google Scholar
  19. 19.
    C. Leita, M. Dacier, and F. Massicotte. Automatic handling of protocol ependencies and reaction to 0-day attacks with ScriptGen based honeypots. In RAID 2006, 9th International Symposium on Recent Advances in Intrusion Detection, September 20-22, 2006, Hamburg, Germany - Also published as Lecture Notes in Computer Science Volume 4219/2006, Sep 2006.Google Scholar
  20. 20.
    C. Leita, K. Mermoud, and M. Dacier. Scriptgen: an automated script generation tool for honeyd. In Proceedings of the 21st Annual Computer Security Applications Conference, December 2005.Google Scholar
  21. 21.
    C. Leita, V. Pham, . Thonnard, E. Ramirez-Silva, F. Pouget, E. Kirda, and M. Dacier. The Project: Collecting Internet Threats Information using a Worldwide Distributed Honeynet. In 1st WOMBAT open workshop, April 2008.Google Scholar
  22. 22.
    Maxmind Product. Home page ot the maxmind company at
  23. 23.
    D. Moore, C. Shannon, G. Voelker, and S. Savage. Network telescopes: Technical report. CAIDA, April, 2004.Google Scholar
  24. 24.
    S. Needleman and C. Wunsch. A general method applicable to the search for similarities in the amino acid sequence of two proteins. J Mol Biol. 48(3):443-53, 1970.CrossRefGoogle Scholar
  25. 25.
    Netgeo Product. Home page of the netgeo company at
  26. 26.
    V.-H. Pham and M. Dacier. Honeypot traces forensics: The observation view point matters. Technical report, EURECOM, 2009.Google Scholar
  27. 27.
    V.-H. Pham, M. Dacier, G. Urvoy Keller, and T. En Najjary. The quest for multi-headed worms. In DIMVA 2008, 5th Conference on Detection of Intrusions and Malware & Vulnerability Assessment, July 10-11th, 2008, Paris, France, Jul 2008.Google Scholar
  28. 28.
    G. Portokalidis, A. Slowinska, and H. Bos. Argos: an emulator for fingerprinting zero-day attacks. Proc. ACM SIGOPS EUROSYS, 2006.Google Scholar
  29. 29.
    F. Pouget, M. Dacier, and V. H. Pham. Understanding threats: a prerequisite to enhance survivability of computing systems. In IISW’04, International Infrastructure Survivability Workshop 2004, in conjunction with the 25th IEEE International Real-Time Systems Symposium (RTSS 04) December 5-8, 2004 Lisbonne, Portugal, Dec 2004.Google Scholar
  30. 30.
  31. 31.
    N. Provos. A virtual honeypot framework. In Proceedings of the 12th USENIX Security Symposium, pages 1–14, August 2004.Google Scholar
  32. 32.
    M. Rajab, J. Zarfoss, F. Monrose, and A. Terzis. A multifaceted approach to understanding the botnet phenomenon. In ACM SIGCOMM/USENIX Internet Measurement Conference, October 2006.Google Scholar
  33. 33.
    E. Ramirez-Silva and M. Dacier. Empirical study of the impact of metasploit-related attacks in 4 years of attack traces. In 12th Annual Asian Computing Conference focusing on computer and network security (ASIAN07), December 2007.Google Scholar
  34. 34.
    J. Riordan, D. Zamboni, and Y. Duponchel. Building and deploying billy goat, a worm detection system. In Proceedings of the 18th Annual FIRST Conference, 2006.Google Scholar
  35. 35.
  36. 36.
    TCPDUMP Project. Home page of the tcpdump project at
  37. 37.
    The Metasploit Project., 2007.
  38. 38.
    O. Thonnard and M. Dacier. A framework for attack patterns’ discovery in honeynet data. DFRWS 2008, 8th Digital Forensics Research Conference, August 11- 13, 2008, Baltimore, USA, 2008.Google Scholar
  39. 39.
    O. Thonnard and M. Dacier. Actionable knowledge discovery for threats intelligence support using a multi-dimensional data mining methodology. In ICDM’08, 8th IEEE International Conference on Data Mining series, December 15-19, 2008, Pisa, Italy, Dec 2008.Google Scholar
  40. 40.
    L. van der Maaten and G. Hinton. Visualizing data using t-sne. Journal of Machine Learning Research, 9:2579–2605, November 2008.Google Scholar
  41. 41.
    T. Werner. Honeytrap.
  42. 42.
    M. Zalewski. Home page of p0f at

Copyright information

© Springer-Verlag US 2010

Authors and Affiliations

  • Marc Dacier
    • 1
  • Corrado Leita
    • 1
  • Olivier Thonnard
    • 2
  • Hau Van Pham
    • 2
  • Engin Kirda
    • 2
  1. 1.Symantec, Sophia AntipolisPlease Provide CityFrance
  2. 2.Eurecom, Sophia AntipolisPlease Provide CityFrance

Personalised recommendations