Security Operation Center for NCHC
Professor Ce-Kuen Shieh, General Director, National Center for High-performance Computing; National Cheng Kung University
Outline
- Brief Introduction to NCHC
- Purpose of Security Operation Center
- Architecture of SOC
- Features of NCHC SOC
- Main Achievements
- Summary
NARLabs Organization
- Board of Directors
- President, advised by a Consultation Committee
- Vice President
- Centers and institutes: National Center for High-performance Computing; Taiwan Typhoon & Flood Research Institute; National Center for Research on Earthquake Engineering; National Chip Implementation Center; Taiwan Ocean Research Institute; Instrument Technology Research Center; National Laboratory Animal Center; National Space Organization; Science & Technology Policy Research and Information Center; National Nano Device Laboratories
- Administrative offices: Planning and Evaluation Office; Business Promotion Office; Administration Office; Finance and Accounting Office; Audit Office; Information Management Office
NCHC Milestones
- 1991: Officially Founded
- 1993: Hsinchu Headquarters Opened
- 2003: Became Incorporated
- 2005: Tainan Office Opened
- 2008: Taichung Office Opened
Categories of NCHC's Tasks
- Service: Computing; Storage; Networking
- Research & Development: Modeling & Simulation; Big Data Applications; Open Source Software Development; Software Defined Network
HPC, Storage and Network Services
- Open to academic, research, and industrial users
- Supporting 700+ research projects per year
- ALPS, 2011: Rmax 177 TFLOPS, MFLOPS/W
- Formosa series built by ourselves
- [Chart: NCHC Total Computing Capacity, Rmax (TF) by year]
- Storage capacity: three-site, 3-tier backup; total capacity 5.4 PB
- TaiWan Advanced Research and Education Network (TWAREN): 20 Gbps backbone (toward 100 G); 5 Gbps international connection
Self-built Cluster Computers
- 2003: Formosa 1
- 2005: Formosa 2
- 2010: Formosa 3
- 2011: Formosa 4
- 2012: Formosa 5
- Platform labels shown on the slide: Cloud Cluster (Big memory; Hybrid-Computing Platform); Cloud Cluster (Virtualization and Green Computing; Cloud IaaS Service); Cloud Cluster (GPU accelerator); the first 64-bit PC Cluster for online service (64-bit Dual-Core CPU and InfiniBand); the first PC Cluster for online service
- Rankings: 2011 TOP500 #232; 2011 TOP500 #234; 2011 Green500 #62; 2011 Green500 #37; 2003 TOP500 #135
Backbone Network Service
- TWAREN: TaiWan Advanced Research and Education Network
- Domestic backbone: 20 Gbps; 12 regional networks; 95 universities & research institutes; 500K users
- International connection: 5 Gbps, with 35 international research networks
- Network usability: 99.99%
- Shared with TANET (managed by MOE): 4,000 schools, 4M users
- [Figures: TWAREN international connectivity map; TWAREN Domestic Backbone; TWAREN International Connection]
- A 100 Gbps backbone is coming by the end of this year
Cyber Threats to Taiwan
- Taiwan is at the frontline in an emerging global battle for cyberspace
- No. 4 in Most Botnet Activity in 2013 (source: Symantec 2014 Internet Security Threat Report, Volume 19)
- No. 5 in Top Attack Traffic Originating Countries in 2013 (source: Akamai's State of the Internet quarterly report)

Top Attack Traffic Originating Countries
Country      Q4'13 Traffic %   Q3'13 %
China        43%               35%
US           19%               11%
Canada       10%               0.40%
Indonesia    5.70%             20%
Taiwan       3.40%             5.20%
Netherlands  2.70%             0.50%
Russia       1.50%             2.60%
Brazil       1.10%             2.10%
Romania      0.90%             1.70%
Germany      0.80%
Other        12%               17%
Purpose of SOC
A Security Operation Center (SOC) ensures the information security of Internet users through:
- Security device management
- Vulnerability management
- Network threat detection
- Security event management
- Incident response
Architecture of SOC
- Procedure: Device Management; Threat and Vulnerability Management; Incident Response
- People: Level 1 and Level 2 Security Operators and Security Analysts; Software Engineers; Incident Handlers
- Software: Security Information and Event Management (SIEM)
- Hardware: Security and Network Devices
Features of NCHC SOC
- Hybrid Intrusion Detection System
- Security Intelligence Dashboard and Visualization of Information Security
- Sharing intelligence with the Information Sharing and Analysis Center (A-ISAC)
- Joint Defense among TANet partners
Hybrid Intrusion Detection System
- Network Intrusion Detection System: detecting known network attacks by signatures and patterns
- Distributed Honeynet System: collecting unknown network threats and malware samples for further analysis
- SIEM: event correlation and incident identification
- Threat types shown in the diagram: DDoS, Hackers, Network Worms, Phishing
Hybrid Intrusion Detection System
- Network Intrusion Detection System: enterprise and open-source solutions; APT Mail Detector; Secure Web Gateway
- Distributed Honeynet System: low-interaction honeypots simulating vulnerable systems for network threats; collecting malware samples and suspicious exploit traffic for further research; analyzing malware behavior for potential threats
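As an added illustration (not code from the presentation or from NCHC's systems) of how the SIEM layer of a hybrid IDS can correlate its two detection sources, the Python below merges constructed NIDS signature alerts with constructed honeypot sensor hits per source address and ranks them into the kind of threat list the slides describe sharing with partners; all event fields, sensor names and signature names are hypothetical.

```python
from dataclasses import dataclass, field

# Constructed sample events (hypothetical schema, not NCHC's real logs):
# NIDS signature alerts for known attacks, and hits on low-interaction
# honeypot sensors that capture unknown threats and malware samples.
NIDS_ALERTS = [
    {"src": "203.0.113.10", "sig": "EXPLOIT smb-rce-attempt", "dst": "10.1.1.5"},
    {"src": "203.0.113.10", "sig": "SCAN syn-sweep", "dst": "10.1.1.6"},
    {"src": "198.51.100.7", "sig": "WORM known-worm-probe", "dst": "10.1.2.9"},
]
HONEYPOT_HITS = [
    {"src": "203.0.113.10", "sensor": "hp-site-a", "port": 445, "sha256": "sample-A"},
    {"src": "192.0.2.55", "sensor": "hp-site-b", "port": 23, "sha256": "sample-B"},
    {"src": "192.0.2.55", "sensor": "hp-site-c", "port": 23, "sha256": "sample-B"},
]

@dataclass
class Incident:
    src: str
    category: str = "unknown"          # "known", "unknown" or "confirmed"
    signatures: set = field(default_factory=set)
    sensors: set = field(default_factory=set)
    samples: set = field(default_factory=set)

def correlate(alerts, hits):
    """SIEM-style merge of both detection layers, keyed by source address."""
    incidents = {}
    for a in alerts:                    # known attacks: signature matched
        inc = incidents.setdefault(a["src"], Incident(a["src"], "known"))
        inc.signatures.add(a["sig"])
    for h in hits:                      # unknown threats: honeypot contact
        inc = incidents.setdefault(h["src"], Incident(h["src"]))
        inc.sensors.add(h["sensor"])
        inc.samples.add(h["sha256"])
    for inc in incidents.values():
        if inc.signatures and inc.sensors:
            inc.category = "confirmed"  # seen by NIDS and honeynet alike
    return incidents

def threat_list(incidents):
    """Ranked list for partners: confirmed sources, then honeynet-wide scanners, then the rest."""
    def priority(inc):
        if inc.category == "confirmed":
            return 1
        if len(inc.sensors) > 1:        # touched several distributed sensors
            return 2
        return 3
    ranked = sorted(incidents.values(), key=lambda i: (priority(i), i.src))
    return [(i.src, i.category, priority(i), sorted(i.samples)) for i in ranked]
```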
Distributed Honeynet System
- Using IP addresses for sensor deployment and data collection
- Cooperating with 11 national universities
- Collecting 1,500,000+ malware samples
- Providing a network threat list for TANet partners weekly
- Establishing a malware database
Cyber Intelligence Dashboard
- A web-based system for monitoring, managing, reporting and notifying of events for IP-enabled devices
- A self-developed system based on open source software to provide cost-efficient network management services
Features of NCHC SOC: Security Visualization
Information Sharing and Analysis
NCHC SOC shares intelligence with other partners through Information Sharing and Analysis Centers:
- G-ISAC (Government Service Network)
- A-ISAC (Taiwan Academic Network)
- NCC-ISAC (ISPs)
- [Diagram: GSN incidents and HiNet incidents exchanged between NCHC SOC and the ISACs]
Incidents Reported by NCHC SOC
- Incidents from TANet users: over 6,000 incidents reported by NCHC SOC in one month
- Incidents from Taiwan ISPs: NCHC SOC detected more than 10,000 incidents of network attacks in one month
Joint Defense of TANet Partners
- 24/7 operation for ensuring the efficiency of incident handling
- NCHC cooperates with 7 regional network centers of the Taiwan Academic Network for network monitoring and threat detection
- Providing digital forensics, malware analysis and other technical support
Main Achievements: Ensuring Information Security
- Protecting 4,000+ schools and 5 million users
- Reporting real-time incidents (avg.): Taiwan 12,000+ tickets/month; international 2,500+ tickets/month
- Malware collection: 1.5 million malware samples (since 2009)
- Big data (avg.): honeypot 60 GB/day; malware sample/day
- [Diagram of the NCHC SOC ecosystem: G-ISAC, Telecom ISAC, Academic, GOV Agencies, TWNIC, TWCERT/CC, EC-Cert, MSSP/SOC, NCHC ASOC, NTU, Search Engine, Netflow Analysis, Malicious list, Honeynet, SPAM Mails, TWAREN, Campus, Malware Forensics, Incident Management, TWMAN Analysis, ISAC, CERT, CSIRT]
Summary
- To adapt to changing network threats, a Hybrid Intrusion Detection System is essential for improving security protection and providing efficient security services.
- The Distributed Honeynet System not only collects network threat samples, but also brings value to information security research.
- Strengthening international technological exchange and academic-industry cooperation to extend the scope of our Joint Defense Alliance is our future work.
Q & A