Taiwan Chapter Status Report 2013

The Honeynet Project Taiwan Chapter Status Report 2013

The Honeynet Project Taiwan Chapter was founded in November 2008. Now we are an independent non-profit organization in Taiwan.
By cooperating with research institutes and regional network centers, hundreds of honetpots have been deployed around Taiwan Academic Network (TANet) and Taiwan Advanced Research and Education Network (TWAREN) for collecting malware samples and detecting network attack traffic.


The mission of The Honeynet Project Taiwan Chapter is to fight against malware and raise public awareness of current network threats.

*Chapter Member:

  • Yi-Lang Tsai, Chapter Leader
  • Yu-Chin Cheng, Board Of Director, Full Member
  • Po Huang, Contributor
  • Bo-Yil Lee, Contributor
  • Jack Hsu, Contributor
  • Jerry Huang, Contributor


  • Eugene Yeh
  • Dan Chang
  • Pei-Hsuan Huang

*The activities of the chapter include the following:

1. Malware behavior analysis and categorization 2. Network attack detection and analysis 3. Information security incident response. 4. A member of Taiwan Academic Information Sharing and Analysis Center 5. Big data indexing and information mining technology 6. Digital Forensics about system and network analysis 7. Botnet detection and behavior analysis 8. Information visualization technology


1 Large-Scale Honeynet deployments 1.1 Get funding from National Science Council and Ministry of Education to establish large-scale honeynet in Taiwan Academic Network (TANet) 1.2 Build a lot of virtual honeynet in TANet and deployment of more than 6000 IP address. 1.3 Using Honeywall, Dionaea, Kippo, Capture-HPC, Cuckoo and security tools. 1.4 Using Splunk to analysis honeynet logs. 1.5 Information Integration System Design and Development(Security Dashboard) 2 Design malware analysis platform that is named TWMAN (TaiWan Malware Analysis Net, twman.nchc.org.tw) and release in Sourceforge (twman.sourceforge.net). 3 Cloud based Vulnerability Scanners and network forensics collecting evidence 4 Visualization framework for security analysis


collection, malware behavior analysis, botnet tracking, malware testbed and distributed data mining. The honeynet have collected a big data about automatic attack from malware. It is an important issue about botnet research in Taiwan. We are trying to analysis malware samples and development ontology researching.


1. Taiwan Malware Analysis Net The Project of Taiwan Malware Analysis Net (TWMAN) begins in 2010. The first phase of TWMAN project is to develop a platform for malware analysis. Unlike other dynamic analysis techniques which use virtual machines, TWMAN build experimental environment with physical operation system in order to fight against those malwares using anti-VM techniques. Instead of the development of malware analysis tool, TWMAN project is going to extend itself from a malware analyzer to a complete malware analysis net including three different components: malware collection, behavior analysis and knowledge management. With the new face of TWMAN, various sorts of malware information could be integrated into one single system. It would provide valuable data and materials for security researchers and IT specialists to defeat malware threat and contribute to advanced research. 2. Data mining technology development According to our collection the big data from distributed honeynet. We are using Splunk and Hadoop solution to development search rules and reports. Our programmer and contributor have written some parser to analysis honeynet logs. 3. Visualization security data We are design visualization platform to show the attack come from. And use the Google earth API and D3js for information visualization. Because, there are 70GB events log from honeynet every day. So we need to visualization for security data. That is based on our security dashboard to monitoring security threats in our security operation center.

FINDINGS *Threat List

Monitoring suspicious network traffic is a main work of Taiwan Chapter. Over 2 million unique IP address of suspicious network attacker have been identified in 2013. The threat list has been shared with the authority of Taiwan Academic Network (TANet) and other regional network centers in order to reduce the risk and threat from outer attackers.

*Unique Malware Sample

Over 700,000 unique malware samples have been collected in 2013. All the collected malware samples would be analyzed by three different malware sandbox. We use the Cuckoo Sandbox, GFI CWSandbox and TWMAN sandbox to analysis the malware sample. The analysis results would be centralized into a knowledge management system and share to Government Information Sharing and Analysis Center (G-ISAC) in Taiwan.


“Honeynet Conference in Taiwan 2013 (HoneyCon 2013)” hosted and organized by The Honeynet Project Taiwan Chapter. We have one day conference and one day honeynet technical workshop. Over 200 attendee join HoneyCon 2013 and over 80 learner join our workshop.


We are using Honeynet technology to detection botnet activity and invited to presentation or sharing our experience. 1. Talk by Yi-Lang Tsai on 2013/01/03 about "Development the Honeynet Technology" organized by Taiwan government internal training. 2. Talk by Yi-Lang Tsai on 2013/07/29 about “The formwork of the Honeynet and Honeypot” organized by National Chengchi University.


We havd organized press conference on 2013/8/29 and launches free malware knowledge database to boost security. The repository includes data on around 200,000 malware. The detection network monitored throughout the day to detect and identify attacks and utilizes Google Earth to trace malware sources and attack patterns.


The goal of our chapter is to develop honeynet in major campus in Taiwan and to deal with security incidents. In addition, we embark on the visualization for security data and the integration of information security analysis systems. The optimal vision is to reduce information security threats in the network environment of Taiwan.


We are planning co-work with the security research team in Taiwan to organize information security association.