Chinese Honeynet Project Status Report – Academic year of 2008
Written by zhugejw   
2008-06-30 21:19:48
Period Apr 2007 to June 2008

1. DEPLOYMENTS

=============================================================

1.1 Current technologies deployed

Low-Interaction Honeypots:

    • Nepenthes

High-Interaction Honeypots:

    • HoneyBow

    • Typical Gen 3 Honeynet

    • Client-side high-interaction honeypots for malicious website measurement; see our papers on malicious websites for details.

Distributed Honeypots/Honeynets:      

    • GDH Phase One CNA node: the only GDH node in China 

    • Leurrecom.org Beijing node.

    • Deploying and maintaining Matrix Chinese Distributed Honeynet for CNCERT/CC (100+ honeypots, 30+ nodes distributed at 20+ provinces).

1.2 Activity timeline: Highlight attacks, compromises, and interesting information collected.

• Autonomous spreading malware measurement; see our ICICS'07 paper and our FIRST'08 paper on Matrix for details. With the help of the Matrix Chinese distributed honeynet, which integrates Nepenthes, HoneyBow and GenIII Honeynet, we recorded a hit count of about 1,244,000 autonomous spreading malware infections. The hit count is the total number of downloaded samples, i.e., how often we successfully captured a binary, counting multiple copies of the same binary separately. As the metric for uniqueness we use the MD5 sum. Using this metric, we collected nearly 180,000 unique sample binaries during the measurement period of twelve months. This means that on average we collected about 3,408 binaries and 496 new unique binaries per day.

• Botnet measurement; see our botnet measurement TR and our FIRST'08 paper on Matrix for details. One of the most important applications of our Chinese Matrix Distributed Honeynet is the measurement of IRC-based botnets, which are very common on the Chinese Internet. We discovered 2,687 unique botnets on the Chinese public Internet during the whole year of 2007. Uniqueness is defined in this context as a unique combination of DNS name, port number and channel name.

• Malicious website measurement; see our WEIS'08 paper for details. Using a malicious website measurement setup built on high-interaction client honeypots, we identified a total of 2,149 malicious websites (i.e. 1.49%) among 144,587 distinct hosts, which represent the websites most commonly visited by ordinary Chinese Internet users.
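The two metrics defined above (hit count versus MD5-unique samples, and the botnet uniqueness key of DNS name, port and channel) are easy to get subtly wrong when comparing honeynet statistics. The following script is an added example, not code from the Chinese Honeynet Project; the capture records and IRC sightings are constructed, and treating DNS and channel names as case-insensitive is our assumption beyond the report's definition.

```python
import hashlib
from collections import Counter

# Constructed capture records (not real data): (day, sensor, sample bytes).
# The same binary captured on several sensors or days counts as several hits.
CAPTURES = [
    ("2007-07-01", "bj-01", b"worm-A"),
    ("2007-07-01", "bj-02", b"worm-A"),   # duplicate of worm-A: one more hit, no new unique
    ("2007-07-01", "sh-01", b"worm-B"),
    ("2007-07-02", "bj-01", b"worm-A"),
    ("2007-07-02", "gz-01", b"worm-C"),
    ("2007-07-03", "bj-02", b"worm-B"),
]

# Constructed IRC C&C sightings (not real data): (dns_name, port, channel).
IRC_SIGHTINGS = [
    ("irc.example.test", 6667, "#bots"),
    ("IRC.EXAMPLE.TEST", 6667, "#bots"),   # same botnet, different letter case
    ("irc.example.test", 6668, "#bots"),   # different port -> different botnet
    ("irc.example.test", 6667, "#other"),  # different channel -> different botnet
]


def malware_metrics(captures):
    """Hit count = every successful download; unique = distinct MD5 sums;
    new_per_day = binaries whose MD5 was first seen on that day."""
    first_seen = {}          # md5 -> day it was first captured
    new_per_day = Counter()
    hits = 0
    for day, _sensor, blob in sorted(captures, key=lambda r: r[0]):
        hits += 1
        md5 = hashlib.md5(blob).hexdigest()
        if md5 not in first_seen:
            first_seen[md5] = day
            new_per_day[day] += 1
    days = len({r[0] for r in captures})
    return {"hits": hits, "unique": len(first_seen),
            "new_per_day": dict(new_per_day), "days": days,
            "avg_hits_per_day": hits / days,
            "avg_new_per_day": len(first_seen) / days}


def unique_botnets(sightings):
    """Uniqueness key as in the report: (DNS name, port, channel).
    Assumption: DNS and IRC channel names are compared case-insensitively."""
    keys = {(dns.lower(), int(port), chan.lower()) for dns, port, chan in sightings}
    return len(keys)
```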

2. FINDINGS

=============================================================

2.1 Highlight any unique findings, attacks, tools, or methods.

See our papers for details.

2.2 Data analysis tools and methods being used.

For honeynet data analysis, we use standard analysis tools including tcpdump, ethereal and the Gen 3 Walleye interface, as well as some home-made (still immature) scripts implementing statistical analysis, baseline analysis, cluster analysis and correlation analysis methods.

For malware analysis, we use our MwScanner to identify known malware, MwDissector for automatic static analysis of malware, and MwSniffer for automatic dynamic analysis of malware. We are also developing and using the FVM Sandbox for parallel dynamic analysis of malware.

For botnet tracking, we use our own HoneyBot tool.

For malicious website analysis and measurement, we use our home-made high-interaction client honeypot system, which integrates MwSniffer, MwScanner and HoneyBow.

2.3 For data analysis what tools work well, and what still needs to be developed.

We are experimenting with several kinds of data analysis techniques, such as cluster analysis (followed by root cause analysis), baseline analysis and correlation analysis, aiming to provide practical methods for identifying high-level attack events in the huge dataset collected by the distributed honeynet. We think such high-level data analysis methods (integrated with low-level data analysis techniques and drill-down mechanisms) need further research and development, especially for distributed honeynet deployments such as GDH and Matrix.

3. LESSONS LEARNED

=============================================================

3.1 Positive things to share with the community.

• Keep good relations with CERT organizations and ISPs and help them defend the security of the Internet. They will become your sponsors and customers, and will provide you with the necessary test-bed and valuable data for developing and experimenting with new technology.

3.2 Mistakes to share with the community.

None, currently.

3.3 Research ideas.

• Integration of virtual honeypots (like honeyd and nepenthes) with high-interaction honeypots, to get a scalable solution with lower cost, lower risk and less labor that still provides a high level of interaction to novel attacks and malware.

• Virtual honeypot technology based on OS and network simulation (like the Norman sandbox technology) and its applications.

• Measure the security threats to Internet killer applications (WWW, email, P2P, IM, etc.) based on client-side honeypot technology.

4. NEW TOOLS

=============================================================

4.1 New tools or technology we are working on

• FVM Sandbox for parallel malware dynamic analysis.

• High-interaction client honeypot, to detect malicious websites and also to identify and fetch the exploits/trojans they serve.

• Exploit detection and analysis techniques based on Virtual Machine Introspection and Dynamic Dataflow Analysis.

4.2 Integration with other tools and collaboration.

None.

5. PAPERS AND PRESENTATIONS

=============================================================

5.1 Presentations

In English:

1. Chengyu Song, Studying Malicious Websites and the Underground Economy on the Chinese Web, the 7th Workshop on the Economics of Information Security (WEIS'08), Hanover, NH, USA, June 2008.

2. Jianwei Zhuge, Collecting Autonomous Spreading Malware Using High-interaction Honeypots, 9th International Conference on Information and Communications Security (ICICS'07), Zhengzhou, China, Dec 2007.

3. Tao Wei, Component Similarity Based Methods for Automatic Analysis of Malicious Executables, Virus Bulletin Conference 2007 (VB'07), Vienna, Austria, Sep 2007. 

In Chinese:

4. Jianwei Zhuge. Malicious Websites Measurement Techniques and Practice, Invited technical training at Chinese Science and Technology Network Training Class, June 2008.

5. Jianwei Zhuge. An Introduction to Virtual Machine, Peking University Security Seminar, Apr. 2008.

6. Jianwei Zhuge. HoneyBow: An Automated Malware Collection Tool based on the High-Interaction Honeypot Principle, the 2007 Chinese Symposium on Network and Information Security (NetSec'07), Qingdao, China, Aug 2007.

7. Xinhui Han. An Investigation on the Botnets Activities, the 2007 Chinese Symposium on Network and Information Security (NetSec'07), Qingdao, China, Aug 2007.

8. Jianwei Zhuge. Detecting High-Level Interactive Honeypots. the 2007 Chinese Symposium on Network and Information Security (NetSec'07), Qingdao, China, Aug 2007.

5.2 Papers

English Papers

1. J. Zhuge, T. Holz, C. Song, J. Guo, X. Han and W. Zou, Studying Malicious Websites and the Underground Economy on the Chinese Web, the 7th Workshop on the Economics of Information Security (WEIS'08), Hanover, NH, USA, June 2008 [pdf]; Peking University & University of Mannheim Technical Report, Nov 2007 [pdf].

2. J. Zhuge, Y. Zhou, J. Guo, et al, Malicious Websites on the Chinese Web: Overview and Case Study, In Proceedings of 20th Annual FIRST Conference (FIRST'08), British Columbia, Canada, June 2008. (Dr. M. Wang from CNCERT/CC presented at FIRST'08 representing the authors)

3. Y. Zhou, J. Zhuge, N. Xu. et al, Matrix, a Distributed Honeynet and its Applications, In Proceedings of 20th Annual FIRST Conference (FIRST’08), British Columbia, Canada, June 2008. (Mr. Y. Zhou from CNCERT/CC presented at FIRST’08 representing the authors)

4. J. Zhuge, T. Holz, X. Han, C. Song, and W. Zou. Collecting Autonomous Spreading Malware Using High-interaction Honeypots, In Proceedings of 9th International Conference on Information and Communications Security (ICICS'07), Zhengzhou, China, Dec 2007. [pdf]

5. Z. Liang, T. Wei, Y. Chen, X. Han, J. Zhuge, and W. Zou. Component Similarity Based Methods for Automatic Analysis of Malicious Executables, In Proceedings of Virus Bulletin Conference 2007 (VB'07), Vienna, Austria, Sep 2007. [pdf]

6. J. Zhuge, T. Holz, X. Han, J. Guo, and W. Zou. Characterizing the IRC-based Botnet Phenomenon, Peking University & University of Mannheim Technical Report, Nov 2007. [pdf] 

Chinese Papers

7. J. Zhuge, X. Han, Y. Zhou, Z. Ye and W. Zou. Botnet Research and Development, Chinese Journal of Software, 19(3):702~715, 2008.

8. J. Zhuge, X. Han, Y. Zhou, C. Song, J. Guo and W. Zou. HoneyBow: An Automated Malware Collection Tool based on the High-Interaction Honeypot Principle, Chinese Journal of Communication, 28(12):8~13, 2007.

9. X. Han, J. Guo, Y. Zhou, J. Zhuge, D. Cao, and W. Zou. An Investigation on the Botnets Activities, Chinese Journal of Communication, 28(12):167~172, 2007.

10. Z. Liang, D. Si, C. Li, J. Mao, Y. Chen and J. Zhuge. Detecting High-Level Interactive Honeypots. In Proceedings of the 2007 Chinese Symposium on Network and Information Security (NetSec'07), Qingdao, China, Aug 2007. 

Chinese Magazine Articles

11. J. Zhuge. Measurement on Botnets, Computer World – CSO & Information Security Magazine, Invited Article, Dec 2007.

12. J. Zhuge. Honeypot Technology and its Latest Progress, Computer World – CSO & Information Security Magazine, Invited Article, Oct 2007.

13. J. Zhuge. Strike Malware using Honeypot Technology, Computer World – CSO & Information Security Magazine, Invited Article, Oct 2007. 

On Submission

14. J. Zhuge, C. Song, J. Guo, X. Han, Y. Zhou, Trojan Network on the Chinese Web: Investigation and Measurement, submitted to Chinese Journal of Communication.

5.3 Are you looking for any data or people to help with your papers?

• We collaborated with Thorsten Holz of the German Honeynet Project on three papers; two of them were accepted by academic conferences (WEIS'08 and ICICS'07), and the third was released as a joint technical report. Thorsten helped us a lot with paper writing and reviewing. We are looking for further collaboration with him and/or other researchers on co-authoring academic or technical papers.

6. ORGANIZATIONAL

============================================================

6.1 Changes in the structure of your organization.

The structure of the Chinese Honeynet Project changed only slightly during the last period. We now have 2 faculty members (Jianwei Zhuge and Xinhui Han), 2 staff members (Jinpeng Guo and Zhiyin Liang), 6 master students (Qiushi Wang, Tengfei Lu, Chengyu Song, Yaxin Liu, Jinhui Zhong, Ruifei Yu) and 4 undergraduate students (Shixiong Zhu, Hao Liu, Jun Zhou, Zhijie Chen). The size of the Chinese Honeynet Project will remain stable at about 5 faculty/staff members and 10 students over the next several years. We are seeking experienced Chinese researchers or developers to join our team; we offer full-time job positions, Ph.D. and Master student programs at Peking University, and intern positions.

Jianwei Zhuge and Chengyu Song are Full Members of the Honeynet Project. As the only chapter of the Honeynet Project in the Greater China area, we welcome experienced security researchers and open source developers to join us, and hope to have more Full Members of the Honeynet Project in the near future.

6.2 Your feedback on Alliance activities.

1. The Chinese Honeynet Project missed the 2007 Annual Honeynet Workshop because of visa issues. (Since Costa Rica has normalized diplomatic relations with China and grants visa-free entry to Chinese residents holding a U.S. visa, it seems easier to attend the Annual Honeynet Workshop this year.)

2. The Chinese Honeynet Project participated in the GDH Phase One project and deployed the only GDH node in China.

3. The Chinese Honeynet Project has proposed a Sebek improvement project.

6.3 Any suggestions for improving the Alliance?

None currently.

7. GOALS

============================================================

7.1 Which of your goals did you meet for the last period?

1. We successfully finished the project on automatic malware analysis tools, designing and developing an integrated platform for automatic malware analysis, including static analysis/signature generation (Anity labs), dynamic analysis (Artemis) and network analysis (CCERT). We developed a featherweight virtual machine based sandbox for parallel dynamic analysis of large numbers of malware samples on a single native host. No open publications are available yet; add oil, Chengyu and Zhiyin :).

2. We enlarged the Matrix Chinese Distributed Honeynet system to up to 40 honeynets and up to 100 honeypots distributed across more than 20 provinces in China. The system has become one of the Internet threat measurement infrastructures for CNCERT/CC. Thanks to CNCERT/CC for providing us such a great opportunity. Good job, Jinpeng and Qiushi.

3. We obtained further funding from CNCERT/CC for a botnet and malicious website measurement project. We also wrote proposals for NSFC funds and other funding opportunities, but are still awaiting the review results. We need substantial funding (the funds in the recent projects do not cover our expenses) or donations to obtain the necessary resources, to cover our expenses, and to improve the salary level for staff members and the subsidy level for the students. Please direct funding or donation information to Jianwei.

4. We published 13 papers and articles this year, including 5 conference papers in English, 1 technical report, 4 journal and conference papers in Chinese, and 3 magazine articles. More members presented at various conferences, workshops and seminars. Thanks to Thorsten Holz for his help with co-authoring papers.

5. Building on our Seminar on Hacking Analysis and Forensics held throughout the past academic year, Jianwei Zhuge will teach a course "Network Hacking and Defense: Technology and Practice" for graduate and senior undergraduate students majoring in Computer Science.

7.2 Which of your goals did you not meet for the last period?

1. We DID NOT meet the goal of writing a book on honeypot and honeynet technology in Chinese, since the chosen publisher (the most famous IT publisher) did not even respond to our book proposal. We will seek publication of the book again when we have the time and a good opportunity.

2. We FAILED to get our papers accepted by rank A/rank A+ academic journals and conferences, though this was not listed as a goal for the Chinese Honeynet Project team for the past academic year. It will be listed as a goal for the next academic year.

7.3 Goals for the next academic year

1. Finish the currently funded projects successfully, and seek future funds and/or donations. We need funds and resources to maintain and develop our team for further research and development.

2. Deeper and harder research and development, and get at least one paper accepted by a rank A/rank A+ academic journal or conference. Collaboration proposals on co-authoring papers are welcome; drop Jianwei a line.

3. Help CNCERT/CC and other security organizations in China to build Internet threats measurement and response solutions and systems.

4. Teach the course "Network Hacking and Defense: Technology and Practice" to a high standard, and attract more students to join our team or to take part in open source research and development.

8. MISC ACTIVITIES

=============================================================

Translated the new KYEs into Chinese.

Last Updated ( 2008-06-30 21:32:32 )