Title: The WOMBAT Attack Attribution method: some results

In this talk, I will present a new attack attribution method that has been developed within the WOMBAT project(www.wombat-project.eu). I will illustrate the method with some real-world results obtained when applying it to almost two years of attack traces collected by low interaction honeypots. This analytical method aims at identifying large scale attack phenomena composed of IP sources that are linked to the same root cause. All malicious sources involved in a same phenomenon constitute what we call a "Misbehaving Cloud" (MC). The presentation offers an overview of the various steps the method goes through to identify these clouds and the paper provided in the proceedings contains pointers to external references for more detailed information. Four instances of misbehaving clouds are then described in some more depth to demonstrate the meaningfulness of the concept.

Speaker's Bio:

M. Dacier is the senior director of the Collaborative Advanced Reseach Department (CARD) within Symantec Research Labs. This group is made of teams located in several locations in Europe and in the United States. The specificity of CARD is that its members are engaged in exploratory research projects involving academic and industrial partners from all over the world.

Before joining Symantec, Dr. Dacier taught for 6 years at Eurecom, one of Europe's most active academic research institutions in the field of computer security. Prior to this, Dr. Dacier was the manager of the Global Security Analysis Lab at IBM Zurich Research Laboratory. An internationally recognized expert in computer security, he has served in more than 60 program committees of major security conferences and was on the editorial board of several technical journals.

Dr. Dacier holds a masters degree in Computer Sciences from the university of Louvain (UCL) in Belgium, and a PhD in Computer Sciences obtained at LAAS-CNRS in Toulouse, France.