Assessing Cybercrime Through the Eyes of the WOMBAT
The WOMBAT project is a collaborative European-funded research project that aims at providing new means to understand the existing and emerging threats targeting the Internet economy and net citizens. The approach carried out by the partners includes a data collection effort as well as some sophisticated analysis techniques. In this chapter, we present one of the threat-related data collection systems in use by the project, as well as some of the early results obtained when digging into these data sets.
Keywords: Virtual Machine, Attack Event, Attack Process, Sample Factory, Attack Cluster