The Honeynet Project Taiwan Chapter Status Report 2014

1.ORGANIZATION
The Honeynet Project Taiwan Chapter was founded by the National Center for High-Performance Computing (NCHC) in Taiwan in November 2008.
In cooperation with research institutes and regional network centers, hundreds of honeypots have been deployed across the Taiwan Academic Network (TANet) and the Taiwan Advanced Research and Education Network (TWAREN) to collect malware samples and detect network attacks.
 
2.GOALS
The mission of The Honeynet Project Taiwan Chapter is to fight against malware and raise public awareness of current network threats.
 
3.CHAPTER MEMBERS
Yi-Lang Tsai, Chapter Leader
Yu-Chin Cheng, Full Member
Po Huang, Contributor
Bo-Yil Lee, Contributor
Jack Hsu, Contributor
 
4.The activities of the chapter include the following:
(1)Malware behavior analysis and classification
(2)Network attack detection and analysis
(3)Information security incident response
(4)Sharing intelligence with the Taiwan Academic Information Sharing and Analysis Center (A-ISAC)
(5)Big data indexing and information mining technology
(6)Digital forensics
(7)Botnet detection and behavior analysis
(8)Developing information visualization technology
 
5.DEPLOYMENTS
(1)Distributed Honeynet
A.Funded by the Ministry of Science and Technology and the Ministry of Education to develop a distributed honeynet across the Taiwan Academic Network (TANet) and the Taiwan Advanced Research and Education Network (TWAREN).
B.Hundreds of honeypots of various types deployed across the academic network, covering more than 6000 IP addresses.
C.Our honeynet consists of Nepenthes, Dionaea, Kippo, Amun, Glastopf, Conpot, and the Cuckoo sandbox.
D.Splunk is used to collect honeynet logs and analyze threats.
E.Developing an internal information integration system (Security Dashboard) to monitor the real-time status of the honeynet.
(2)Design of a malware analysis platform named TWMAN (TaiWan Malware Analysis Net), released on SourceForge (twman.sourceforge.net) and OpenFoundry (twman.openfoundry.org)
(3)Cloud-based vulnerability scanners and network forensics for collecting evidence
(4)Visualization framework for security analysis
 
6.RESEARCH AND DEVELOPMENT
(1)Research
Our research focuses on honeynet deployment, malware collection, malware behavior analysis, and distributed data mining. The growth of data science has raised the importance of big data, and the logs collected from the distributed honeynet system are certainly one of its most important subjects. Millions of honeynet log entries are collected and analyzed in real time to discover potential network threats. Furthermore, all of this security intelligence from the honeynet is transferred into a research database for education and research purposes.
(2)Development
A.Taiwan Malware Analysis Net
The Taiwan Malware Analysis Net (TWMAN) project began in 2010. The first phase of the TWMAN project was to develop a platform for malware analysis. Unlike other dynamic analysis techniques, which use virtual machines as the test environment, TWMAN builds its experimental environment on a physical operating system in order to handle malware that uses anti-VM techniques. Rather than remaining only a malware analysis tool, the TWMAN project is extending itself from a malware analyzer into a complete malware analysis net with three components: malware collection, behavior analysis, and knowledge management. In this new form of TWMAN, various sorts of malware information can be integrated into one single system. It will provide valuable data and materials for security researchers and IT specialists to defeat malware threats and contribute to advanced research.
B.Data mining technology development
Based on the big data collected from the distributed honeynet, we are using Splunk to develop search rules and reports. Our programmers and contributors have written several parsers to analyze the honeynet logs.
C.Visualization security data
We are testing the DAVIX toolkit, the Google Earth API and Gephi for data visualization. Because there are over 30 million events in the honeynet logs, we need visualization of the security data. This work builds on our security dashboard, which is used to monitor security threats in our security operation center.
 
7.FINDINGS
(1)Threat List
Working with the Ministry of Education to monitor and detect network threats is a main task of the Taiwan Chapter. Over 2 million unique IP addresses of suspicious network attackers were identified in 2014. The threat list has been shared with the authority of the Taiwan Academic Network (TANet) and other regional network centers in order to reduce the risk and threat from external attackers.
(2)Unique Malware Sample
Over 2,000,000 unique malware samples were collected in 2014. All collected malware samples are analyzed by three different malware sandboxes: we use Cuckoo Sandbox, GFI CWSandbox and the TWMAN sandbox for behavior analysis and report generation. The analysis results are centralized into a knowledge management system and shared with the Government Information Sharing and Analysis Center (G-ISAC) in Taiwan.
 
8.CONFERENCE AND PRESENTATIONS
Conference:
“Honeynet Conference in Taiwan 2014 (HoneyCon 2014)” was hosted and organized by The Honeynet Project Taiwan Chapter. It consisted of a one-day conference and a one-day honeynet technical workshop. Over 200 attendees joined HoneyCon 2014 and over 100 learners joined our workshop.