1.0 DEPLOYMENTS
=================

1.1 Current technologies deployed. Describe anything that you have deployed that is collecting information, including honeynets, client honeypots, honeyd, mwcollect, or anything else honeypot related.

We have been deploying Honeywall Roo as a data control/capture tool, and Fedora Core 3 and Windows 2000 as honeypots. We have also been using nepenthes to capture bots. As data analysis tools, we have been developing and using our own visualization tools, such as SnortView, IP Matrix, STARMINE, and ICHILAN, which have already been presented at international conferences.

1.2 Activity timeline: Highlight attacks, compromises, and interesting information collected.

SSH brute force attacks are observed as usual. We noticed botnet activities through port 6667 from computers in our local area network.

2.0 FINDINGS
=============

2.1 Highlight any unique findings, attacks, tools, or methods.

2.2 Any trends seen in the past six months.

By using nepenthes, we captured many bots, which have been increasing over the past six months. Then we developed an automated system using a virtual machine to run these bots and see their activities.

3.0 LESSONS LEARNED
===================

3.1 What new positive things can you share with the community, so they can replicate your success?

3.2 What new mistakes can you share with the community, so they don't make the same mistakes?

3.3 Are there any research ideas you would like to see developed?

We found that geographic information is important to understand malware activities. In wide area network monitoring, the geographic information gives us a global view of malware activities. On the other hand, in a local area network, it gives us important information to respond rapidly and adequately. For example, the system administrator can go immediately to the room where the compromised PCs are located and can shut down the system as needed.

4.0 NEW TOOLS
=======================

4.1 What tools or functionality are we lacking, what do we need to work on?

4.2 What new tools or technology are you working on?

4.3 Would you like to integrate this with any other tools, or are you looking for help or collaboration with others in testing or developing the tool?

We do not have visual analysis tools for distributed logs where we could see and compare logs obtained all over the world. We are currently working on developing such a tool.

5.0 PAPERS AND PRESENTATIONS
============================

5.1 Are you working on any papers to be published, such as KYE or academic papers?

5.2 Are you looking for any data or people to help with your papers?

5.3 Where did you publish/present honeypot-related material?

Shinichi Mukosaka, Hideki Koike: Integrated Visualization System for Monitoring Security in Large Scale Local Area Network, Proc. of Asia-Pacific Visualization Symposium (APVIS 2007), 2007.

6.0 ORGANIZATIONAL
==================

6.1 Changes in the structure of your organization.

Some students graduated, and some new students joined our project.

6.2 Your feedback on Alliance activities.

6.3 Any suggestions for improving the Alliance?

It would be better if the Alliance had an easy way/framework to share individual logs, since the distributed honeynet is one kind of research which could not be done by one organization.

7.0 GOALS
=========

7.1 Which of your goals did you meet for the last six months?

We focused on monitoring local area networks as well as wide area networks. In such systems, we found that temporal, logical (i.e. IP address and port #), and geographical information are important. Particularly, integration of these three kinds of information is very useful.

7.2 Which of your goals did you not meet for the last six months?

7.3 Goals for the next six months

We are designing and developing a web-based visualization system for distributed honeypots.

8.0 MISC ACTIVITIES
====================

8.1 Anything else not covered you would like to share.

Nothing.