WINE: Data-Intensive Experiments in Security
The Worldwide Intelligence Network Environment (WINE) is a platform, developed at Symantec Research Labs (SRL), for conducting data intensive experiments in cyber security. We have built WINE focusing on the challenges for loading, sampling and aggregating multiple Internet-‐scale data feeds, which Symantec uses in its day-‐ to-‐day operations, and for supporting open-‐ended experiments at scale. For example, WINE has provided unique insights into the origins and prevalence of zero-‐day attacks, which exploit vulnerabilities that have not been disclosed publicly.The impact of zero-‐day attacks has been debated in the security community for more than a decade, but their duration in the wild remained unknown because zero-‐day attacks are rare events that are unlikely to be observed in honeypots or in lab experiments. We used WINE to measure the duration of 18 zero-‐day attacks, by analyzing field data collected on 11 million hosts worldwide; these attacks lasted between 19 days and 30 months, with a median of 8 months and an average of approximately 10 months.
The need for such a platform arose from SRL’s program for sharing field data, collected by Symantec on millions of hosts worldwide, with researchers in academia. In addition to cyber security, the WINE data is relevant to research in systems (e.g., for measuring the failure rate of consumer PCs in the real world), software reliability (e.g., for studying the software development practices of malware authors), machine learning, mobile computing, and visual analytics. WINE promotes rigorous experimental methods and enables the reproduction of prior experimental results by archiving the reference data sets that researchers use and by recording information on the data collection process and on the experimental procedures employed. Additional information about at: http://users.ece.cmu.edu/~tdumitra/research_wine.html.