NASK is one of the partners of the European project WOMBAT, which started in January 2008 and will continue to the end of 2010. The project is being developed with the cooperation of security specialists from technology companies and research institutions. Apart from NASK, project partners include: France Telecom R&D, Hispasec Sistemas as well as Institut Eurecom, FORTH, Politecnico di Milano, Technical University Vienna and Vrije Universiteit Amsterdam. The external support for the project will also come from other institutions and companies engaged in research, designing and implementation of computer security solutions.

Facing more and more powerful cyber threats appearing in the Internet today, there is a lack of appropriate advanced means that could help better identify and understanding of existing and emerging threats as well as malicious activities in the Internet, especially in the worldwide context. The main goal of the WOMBAT project is to provide new opportunities for deeper analysis of those phenomena, that in particular target the Internet economy and the net citizens, in order to identify their sources and causes. To date, because of privacy or confidentiality issues, and the resulting lack of publicly-available detailed information, there has not been any real possibility to build a rigorous framework to investigate emerging Internet threats, using different data sources and viewpoints.

Breaking the barrier and reaching the project goal is now feasible thanks to the cooperation of many project contributors involved in monitoring and improving Internet security, who are the owners of the systems and data concerned. The project also plans to develop and deploy a special distributed system of sensors. This will enable automatic real-time gathering of detailed information about new attacks and threats (exploits and malware) occurring in the Internet. Moreover, a vital stage in the project will be the development of a global database containing information about observed security threats and incidents. Creating such a database is now feasible, thanks to the availability of a rich diversity of sources of security-related data, to be provided by partners and other contributors of the project. Sources of information about threats and malicious events used in the project include a worldwide distributed honeypot system Leurre.com, operated by Institut Eurecom; the largest collection of malware in the world, accumulated by the company Hispasec within the Virustotal project; an early warning system ARAKIS (www.arakis.pl) designed and maintained by NASK / CERT Polska . The WOMBAT project will focus on designing new advanced techniques and tools enabling semi-automatic analysis of data accumulated. These new techniques will enable the generation of metadata which allow the identification of common features of threats and their systematic characteristics. The wide variety of data sources will permit a very powerful multi-perspective analysis of the threat and attack information. In a later stage, the metadata obtained will enable the development of threat intelligence techniques directed at the identification of the root cause(s) of a group of intrusions, as well as finding various relationships among observed threats. Such knowledge will enable the association of new observed phenomena with ones previously observed, thereby helping to identify root threat sources and predict new ones.

This global monitoring system of Internet threats, together with an up-to-date and rich repository of information, is intended to form the basis of a future worldwide early warning system that will gather and distribute up-to-date information about new types of Internet security threats, and enable a much faster response in developing and deploying appropriate countermeasures.

The knowledge gained from the WOMBAT project will be shared with security specialists and researchers, and also by Internet service providers (ISPs), CERT teams, IT companies, security vendors, banks, etc.

It is intended to support the decision-making process on the development and deployment of security solutions, and to help them to focus on the most important emerging risks.