Hawaii Honeynet Project Status Report

ORGANIZATION

Changes in the structure of your organization.
Currently no changes in the organization.

List current chapter members and their activities
Mark Ryan del Moral Talabis
Jason Martin
Anthony Giandomenico
Ernie Shiraki
Howard Van De Vaarst
Ron Ballesteros
Chris Potter

DEPLOYMENTS

List current technologies deployed.
Currently using active data collectors for security and data mining research
1. Search engine crawler
2. Security forum crawler
3. IRC data collector
4. Ontogen
5. Text Garden
6. Document Atlas
7. Weka

Activity timeline: Highlight attacks, compromises, and interesting information collected.
Data mining research focused on detecting trends on worms and virus activity. Data collection began on October 2008. Currently doing retro research.
October - beginning of chatter about polymorphic behavior and related to Microsoft security patches
November - Concentrated chatter of the "w32downandup" worm (which is polymorphic and related to Microsoft security patches)
December - Increase in chatter regarding antivirus and removal
January - continued chatter of "w32downandup" and antivirus/removal. Also beginning of chatter about peer-to-peer
(see findings for data mining research)

RESEARCH AND DEVELOPMENT

1. List any new tools, projects or ideas you are currently researching or developing.
We are currently pursuing research towards data mining to gain insight on security trends. Using a combination of tools we have developed a security research framework called VERITAS.

2. List tools you enhanced during the last year
No tools were enhanced but we used data mining tools to augment our data collectors.

3. Would you like to integrate this with any other tools, or you looking for help or collaboration with others in testing or developing the tool?
Currently we are trying to integrate the different tools that we use into one system.

4. Explain what kind of help or tools or collaboration you are interested in.
None currently.

FINDINGS

See the following:
http://hawaiihoneynet.zerodays.org/data_analysis_worms_viruses.pdf

PAPERS AND PRESENTATIONS

I will be presenting this at Shakacon 2009 (Hawaii Security Conference). Synopsis of talk will be:

The inspiration of this study is the dollar bill. More specifically the "Eye of Providence" or the "all-seeing eye" floating the back of the US dollar bill. But this presentation is not about Eyes, or the US Dollar, or the Da Vinnci code but about Knowledge and Information.

It is not a secret that in today's world, information is as valuable or maybe even more valuable that any military tool that we have out there. Information is the key. That is why the US Information Awareness Office's (IAO) motto is "scientia est potential", which means "knowledge is power". The IAO just like the CIA, FBI and others make information their business. Aside from these there are multiple military related projects like TALON,ECHELON, ADVISE, and MATRIX that are concerned with information gathering and analysis.

So now in the context of extremely witty acronyms, we would like to present the Virtual Extraction Review, Insight and Threat Analysis System or VERITAS. Unfortunately, it's not actually a system but a framework but I guess it would have to be because it would have much less impact if we called it VERITAF.

VERITAS is a combination of tools and techniques to conduct data mining for security. Think of it as threat Intelligence in a box. The idea here is to use data mining in order to analyze and gain insight on different threats. This can be used to visualize trends (e.g. security trends, worms, viruses), summarize large data sets (forums, blogs, irc), gather a high level understanding of a topic (e.g. technologies), and automatically categorize different topics for research (malware descriptions). And since it's a framework, you can actually use different tools and techniques in order to get what you need.

Would also like to write a KYE paper on data analysis sometime soon

GOALS

Was able to finally set up data mining framework (VERITAS).
Hopefully, we can continue pursuing this and improve on it this year.

MISC ACTIVITIES