
FloCon 2013 Collection

These presentations were given at FloCon 2013, an annual event where attendees discuss the analysis of large volumes of traffic and showcase the next generation of flow-based analysis techniques.

These presentations, training slides, and posters were provided at FloCon 2013, an open conference that gives operational network analysts, tool developers, and researchers a forum to discuss the analysis of large volumes of traffic and to showcase the next generation of flow-based analysis techniques.

At FloCon 2013, organizers and participants focused on the challenges of "Analysis at Scale." In large network environments, flow data helps to provide a scalable way of seeing the big picture, as well as a streamlined platform for highlighting patterns of malicious behavior over time. More and more commercial tools and platforms are available for collecting and storing not only flow data, but large volumes of other data such as DNS information, packet capture, security logs, and incident reports. At FloCon 2013, participants discussed how to refine "big data" into knowledge, design methods for aggregated analyses at the network edge, and build systems for monitoring thousands or millions of assets at once.

A Distributed Network Security Analysis System Based on Apache Hadoop-Related Technologies

January 2013

In this presentation, the authors describe a design for distributed real-time network security systems based on Hadoop-related technologies.

Analysis of Communication Patterns in Network Flows to Discover Application Intent

January 2013

In this presentation, William Turkett describes the communication patterns, such as motifs, in network flow that enable analysis of application intent.

Automated Malware Traffic Analysis for IPS Analysts with Scapy and dpkt in Python

January 2013

In this presentation, Geoffrey Serrao describes trends, techniques, and examples, and suggests ways to improve the process of analyzing IDS/IPS alerts.

Behavioral Whitelists of Beaconing Activity

January 2013

This poster, presented by Brian Allen and Robert Annand, illustrates aspects of performing incident analysis using behavioral whitelists of beacons.

Behavioral Whitelists of High Volume Web Traffic to Specific Domains

January 2013

This poster shows how to facilitate incident analysis by creating whitelists of external domains that receive large volumes of traffic.

Bro for Real-Time Large-Scale Understanding

January 2013

In this presentation, Seth Hall describes Bro, a real-time event analysis language and platform that offers protocol analysis.

Clairvoyant Squirrel: A Scalable Domain Name Classification System

January 2013

In this presentation, the authors discuss problems associated with malicious domain classification, and provide examples, solutions, and proposed future work.

Considerations for Scan Detection Using Flow Data

January 2013

In this presentation, the author discusses internet traffic scan detection and describes Threshold Random Walk, an algorithm to identify malicious remote hosts.

CyberV@R: A Model to Compute Dollar Value at Risk of Loss to Cyber Attack

January 2013

In this presentation, James Ulrich describes a methodology for constructing risk models that give insight into relative economic costs of cyber attack.

Detecting Insider Threats with Netflow

January 2013

In this presentation, Tom Cross describes the challenges of mitigating insider threat, discusses who commits insider attacks, and describes IT sabotage detection.

Detecting Malware P2P Traffic Using Network Flow and DNS Analysis

January 2013

In this presentation, John Jerrim discusses malware that uses P2P protocols for command and control, and describes a tool for detecting and classifying P2P traffic.

Enhancing Network Situational Awareness Using DPI Enhanced IPFIX

January 2013

In this presentation, Hari Kosaraju describes how to improve flow-based traffic visibility and how doing that enhances network situational awareness.

Fire Talk About MS-ISAC Efforts

January 2013

In this paper, Adnan Baykal describes the work that MS-ISAC CERT is doing in malware analysis and computer forensics.

Flow Analysis Using MapReduce

January 2013

In this presentation, Markus Deshon describes MapReduce, a programming model for processing large data sets with a parallel, distributed algorithm.

FlowViewer: Maintaining NASA’s Earth Science Traffic Situational Awareness

January 2013

In this presentation, Joe Loiacono describes FlowViewer, a tool that provides a web-based user interface to the flow-tools suite and SiLK.

Identifying Network Traffic Activity Via Flow Sizes

January 2013

In this presentation, given at FloCon 2013, Michael Collins discusses how to measure NetFlow and DNS traffic captures.

Identifying Network Users Using Flow-Based Behavioral Fingerprinting

January 2013

In this FloCon 2013 presentation, the authors discuss how to identify network users using flow-based behavioral fingerprinting.

Introduction to Anomaly Detection

January 2013

In this presentation, George Jones describes anomaly detection, discusses collections and classifications, and provides candidates for operational profiles.

Network Analysis with SiLK (2013)

January 2013

In this presentation, Ron Bandes describes the SiLK and iSiLK tools, and how you can use them to monitor your network.

Name Servers Should Not Move

January 2013

In this poster, Leigh Metcalf and Jonathan Spring illustrate how to find name servers that move from IP address to IP address too often.

Near Real-Time Multi-Source Flow Data Correlation

January 2013

In this presentation, Carter Bullard discusses the role of flow data in cyber security incident response.

Network Flow 2012: Year in Review

January 2013

In this presentation, George Warnagiris provides a big-picture view of network flow in 2012.

Network Flow Metadata: Very Large Scale Processing with Argus

January 2014

In this presentation, Carter Bullard defines network flow metadata and describes metadata support in Argus.

Network Security Monitoring in Minutes

January 2013

In this presentation, Doug Burks discusses Security Onion, an Ubuntu-based Linux distro for intrusion detection and network security monitoring.

Presenting Mongoose: A New Approach to Traffic Capture

January 2013

In this presentation, the authors describe Mongoose, a tool for monitoring the activity of the network from outside the network.

Scalable NetFlow Analysis with Hadoop

January 2013

In this 2013 presentation, Yeonhee Lee and Youngseok Lee provide an overview of NetFlow analysis and describe a Hadoop-based traffic processing tool.

Scalable Stacked Index to Speed Access to Multi Terabyte Netflow

January 2013

In this presentation, Bruce Griffin describes a scalable stacked index that identifies when and where IP addresses appear, and explains how to collect statistics using SiLK tools.

Situational Awareness Metrics from Flow and Other Data Sources

January 2013

In this presentation, Soumyo Moitra describes the need for a more flexible set of metrics for establishing network situational awareness.

Statistical Analysis of Flow Data Using Python and Redis

January 2013

In this presentation, Kevin Noble provides an overview of beacons and discusses Beacon Bits, an analytical tool set and workflow to detect beacons.

Taming Big Flow Data

January 2013

In this FloCon 2013 presentation, the authors present an intelligent approach to integrating flow data with mainstream event management systems.

The Limitations of Analysis at Scale

January 2013

In this presentation, Timothy Shimeall describes the analysis of large-scale network traffic.

Thinking Security

January 2013

In this keynote presentation from FloCon 2013, Steven Bellovin discusses the challenges associated with maintaining proper computer security.

Visualization: Where Are We Going?

January 2013

In this presentation, Tim Ray discusses the importance of network security visualization and presents specific tricks you can use to find the “bad guys” using NetFlow.