Taiwan Chapter Status Report for 2010/2011

ORGANIZATION

Taiwan Honeynet Chapter is founded in November 2008. Our mission is to assist in addressing the threats of information security in Taiwan.

Chapter Member:

  • Yi-Lang Tsai, Chapter Leader
  • Yu-Chin Cheng, Board of Director, Full Member
  • In this year, we plan to add more members and contributors. These members come from different universities, organizations or information security researcher.

    The following activities are made by our chapter:

    1. Malware behavior analysis and categories
    2. Abnormal traffic detection and analysis from network traffic flow
    3. Security operation center for incident management and handling
    4. Co-operation Taiwan academic information sharing and analysis center
    5. Huge data indexing and information mining technology
    6. Reverse engineering in malware analysis
    7. Digital Forensics about system and network analysis
    8. Collaboration with TWCERT/CC and leading honeynet working group to build Cyber Clean Center in Taiwan
    9. Rainbow table generators and hash cracks based on cloud computing or high-performance computing
    10. Botnet detection and behavior analysis

    DEPLOYMENTS

    1. Large-Scale Honeynet deployments
    • Get funding from National Science Council and Ministry of Education to establish large-scale honeynet in Taiwan Academic Network(TANet)
    • Build a lot of virtual honeynet in TANet and deployment of more than 3600 IP address.
    • Using Honeywall, Nepenthes, Dionaea, Kippo, Capture-HPC, HIHAT and security tools.
    • Using Splunk to analysis honeynet logs.
    • Information integration system design and development (Security Dashboard)

    2. Design malware analysis platform that is named TWMAN(TaiWan Malware Analysis Net) and release in Sourceforge(twman.sourceforge.net) and OpenFoundry(twman.openfoundry.org)
    3. Cloud-based vulnerability scanners and the evidence collection by network forensics technology
    4. Visualization framework for security analysis

    RESEARCH AND DEVELOPMENT
    Research

    We are focused on honeynet deployments, malware collection, malware behavior analysis, botnet tracking, malware testbed and distributed data mining. The honeynet have collected a huge amount of data about automatic attack from malware. It is an important issue about botnet in Taiwan. We are trying to analysis malware samples and develop ontology inference for automatic malware analysis.

    Development
    1. TWMAN development

    Malware is an important topic of security threat research. In this project, a behavioral malware analysis system TWMAN is presented. This project focuses on using real operation system environment to analysis malware behavioral. Many researchers try to use virtual machine systems to monitor the malware behaviors. Those malware samples will only compromise the virtual operating system or virtual machine, which cannot reflect in the real operating system or real environment. Therefore, some malware researchers suggest that the malware sample should not be analyzed in virtual machine environment since the analyzer cannot gain much useful information in virtual machine environment.
    We developed a real operation system environment to analysis malware behavioral, named Taiwan Malware Analysis Net(TWMAN). In the following section, we explain how to use this real OS environment to analysis malware behavioral and describe the system structure of TWMAN briefly. In order to verify the correctness of analysis results obtained from TWMAN, we compare our analysis results with that from sandboxs, which are VM-based and real operation system analysis technique with CWSandbox of Sunbelt Software.

    2. Malwre testbed development

    The Taiwan Information Security Center(TWISC) was initiated as a research program in April 2005. Taiwan Information Security Center at National Cheng-Kung University (TWISC@NCKU) was officially founded on April 1st, 2006. We are using the testbed offered by TWISC@NCKU to develop malware testing platform in this year.

    3. Data mining technology development

    Based on our collection from our distributed honeynet, Splunk solution is used for generating search rules and reports. Some parsers are written by our programmers to analysis honeynet logs.

    4. Visualization security data

    We are testing DAVIX toolkit, Google earth API and Gephi for data visualization. Because the huge amount of data about 30 million events are captured by honeynet logs, we need to adopt the visualization technique for the presentation of security data. The source of security data is based on our security dashboard to daily record the security threats.

    FINDINGS
    Botnet Attack

    In the last year, TANet had been attacked by botnet from internet about 12.5 billion times. We have discovered that several IP addresses could be infected by more than three botnet malwares.

    Security threats

    Botnet is the most serious security threat in Taiwan since tons of computers in Taiwan are infected.

    Unique Malware Sample

    We are collected over 6000 unique malware samples from internet in this year. Our researchers focus on behavior-based malware analysis and use CWSandbox and TWMAN to analysis the malware samples from honeynet. We are planning to establish a malware knowledge database about malware behaviors for our own research and share them with information security researchers. The information will be shared with Government Information Sharing and Analyis Center (G-ISAC) and Malware Exchange System (MES) in Taiwan.

    PAPERS AND PRESENTATIONS
    List of Publications:

    • C. H. Chang and Y. L. Tsai , "Design of Virtual Honeynet Collaboration System in Existing Security Research Networks" 10th IEEE International Symposium on Communications and Information Technologies 2010 (ISCIT 2010), Tokyo, Japan, Oct. 26-29, 2010.
    • H. D. Huang, T. Y. Chuang, Y. L. Tsai, C. S. Lee, "Ontology-based intelligent system for malware behavioral analysis," in Proceeding of the 2010 IEEE World Congress on Computational Intelligence (WCCI 2010), Barcelona, Spain, Jul. 18-23, 2010, pp. 1-6.

    Presentations:
    We are famous for using Honeynet technology to detect botnet activities and are invited to share our experience.

    • Talk by Yi-Lang Tsai on 2010/12/30 about "Honeynet deployment and Botnet Detection" organized by Da-Yeh University.
    • Talk by Yi-Lang Tsai on 2010/11/23 about "Digital Forensics and Botnet tracking" organized by State-owned Enterprise Commission in Taiwan.
    • Talk by Yi-Lang Tsai on 2010/11/22 about "Deployment Snort for Botnet Detection" organized by Ministry of Education in Taiwan.
    • Talk by Chun-Jun Huang on 2010/11/18 about "Network Abnormal traffic detection and analysis" organized by DigiTimes Application Forum 2010(DAF 2010).
    • Talk by Yi-Lang Tsai on 2010/11/10 about "Information Security and Botnet Detection Framework" organized by National Chung Hsing University.
    • Talk by Yi-Lang Tsai on 2010/10/29 about "System security and Forensics" organized by National Chiao Tung University.
    • Talk by Yi-Lang Tsai on 2010/10/28 about "Botnet Detection and Analysis in Taiwan" organized by TANet 2010.
    • Talk by Yi-Lang Tsai on 2010/09/23 about "TANet security defense and Botnet detection" organized by TWCERT/CC.
    • Talk by Yi-Lang Tsai on 2010/08/17 about "Honeynet deployment and malware analysis" organized by National Taiwan University.
    • Talk by Yi-Lang Tsai on 2010/08/13 about "Honeynet and Botnet detection" organized by National Center for High-performance Computing.
    • Talk by Yi-Lang Tsai on 2010/08/12 about "Honeynet and Information Security threats" organized by Tainan City Government.
    • Talk by Yi-Lang Tsai on 2010/07/17 about "Botnet and Malware behavior analysis" organized by Hacks In Taiwan Conference 2010(HIT 2010).
    • Talk by Yu-Chin Cheng on 2010/07/16 about "Inside the botnets based on open source methodology" organized by Workshop on Understanding Botnets of Taiwan(Bot 2010).
    • Talk by Yi-Lang Tsai on 2010/07/07 about "Honeynet and network attacking analysis" organized by National Cheng Kung University.
    • Talk by Yi-Lang Tsai on 2010/07/07 about "Botnet detection and malware analysis" organized by National Science Council Botnet and Anti-hacking deployment project.
    • Talk by Yi-Lang Tsai on 2010/05/13 about "Security monitoring and forensics investigation" organized by Splunk Live 2010 in HongKong.
    • Talk by Yi-Lang Tsai on 2010/05/11 about "Security monitoring and forensics investigation" organized by Splunk Live 2010 in Singapore.
    • Talk by Yi-Lang Tsai on 2010/03/02 about "Honeynet deployment and technical sharing" organized by National Communications Commission.
    • Talk by Yi-Lang Tsai on 2010/02/02 about "Large-Scale Honeynet Development and Botnet Detection" organized by Taiwan Academic Information Security International Conference 2010(TAIS 2010).

    GOALS

    The goal of our chapter is to develop honeynet in major campus in Taiwan and to deal with security incidents. In addition, we embark on the visualization for security data and the integration of information security analysis systems. The optimal vision is to reduce information security threats in the network environment of Taiwan.

    MISC ACTIVITIES

    We are planning to hold an international workshop of Honeynet Project on October, 2011 in Taiwan. The first day is scheduled for technical and research presentations, and the second day is for hands-on training.