At Symantec Research Labs, I built the Worldwide Intelligence Network Environment (WINE), a platform for experimenting with Big Data techniques in cyber security. WINE provides the research community with access to representative field data about the cyber threat landscape and promotes reproducibility by archiving all the reference data used in prior experiments and by maintaining a lab book with descriptions of experimental procedures [BADGERS 2011][CSET 2011][EDCC 2012]. The WINE data sets currently include 50 billion security events, recorded since 2009 on 10+ million hosts around the world. The WINE data is updated continuously, to reflect the current state of the cyber threat landscape, as well as its historical evolution. This data is gathered in the field, on real end-hosts that are actively used and targeted by cyber attacks, rather than honeypots or small-scale lab experiments. Through a “Dear Colleague” letter, the National Science Foundation has encouraged PIs to evaluate research results using WINE, and nine academic groups have conducted experimental research using WINE in 2012 and 2013.
The WINE platform can be accessed by visiting Symantec Research Labs.
For more information, see:
Tutorial: [CCS 2011]
Selected research projects that used WINE
[EDCC 2012] T. Dumitraș and P. Efstathopoulos, “The Provenance of WINE,” in European Dependable Computing Conference (EDCC), Sibiu, Romania, 2012, pp. 126–131.
[CSET 2011] T. Dumitraș and I. Neamtiu, “Experimental Challenges in Cyber Security: A Story of Provenance and Lineage for Malware,” in USENIX Workshop on Cyber Security Experimentation and Test (CSET), San Francisco, CA, 2011.
[BADGERS 2011] T. Dumitraș and D. Shou, “Toward a standard benchmark for computer security research: The Worldwide Intelligence Network Environment (WINE),” in ACM Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), Salzburg, Austria, 2011.