FloCon 2013 Collection
These presentations were given at FloCon 2013, an annual event where attendees discuss the analysis of large volumes of traffic and showcase the next generation of flow-based analysis techniques.
Abstract
These presentations, training slides, and posters were provided at FloCon 2013, an open conference that provides operational network analysts, tool developers, and researchers a forum to discuss the analysis of large volumes of traffic to showcase the next generation of flow-based analysis techniques.
At FloCon 2013, organizers and participants focused on the challenges of "Analysis at Scale." In large network environments, flow data helps to provide a scalable way of seeing the big picture, as well as a streamlined platform for highlighting patterns of malicious behavior over time. More and more commercial tools and platforms are available for collecting and storing not only flow data, but large volumes of other data such as DNS information, packet capture, security logs, and incident reports. At FloCon 2013, participants discussed how to refine "big data" into knowledge, design methods for aggregated analyses at the network edge, and build systems for monitoring thousands or millions of assets at once.
Collection Contents
- A Distributed Network Security Analysis System Based on Apache Hadoop-Related Technologies
January 7, 2013 • Presentation
By Bingdong Li
In this presentation, the authors describe the design of a distributed real-time network security analysis system based on Hadoop-related technologies.
- Analysis of Communication Patterns in Network Flows to Discover Application Intent
January 7, 2013 • Presentation
By William Turkett (Wake Forest University)
In this presentation, William Turkett describes the communication patterns, such as motifs, in network flow that enable analysis of application intent.
- Automated Malware Traffic Analysis for IPS Analysts with Scapy and dpkt in Python
January 7, 2013 • Presentation
By Geoffrey Serrao
In this presentation, Geoffrey Serrao describes trends, techniques, and examples, and suggests ways to improve the handling of IDS/IPS alerts.
- Behavioral Whitelists of Beaconing Activity
January 7, 2013 • Poster
By Brian Allen (US-CERT), Robert Annand (US-CERT)
This poster, presented by Brian Allen and Robert Annand, illustrates aspects of performing incident analysis using behavioral whitelists of beacons.
- Behavioral Whitelists of High Volume Web Traffic to Specific Domains
January 7, 2013 • Poster
By George Jones, Timothy J. Shimeall
This poster shows how to facilitate incident analysis by creating whitelists of external domains that receive large volumes of traffic.
- Bro for Real-Time Large-Scale Understanding
January 7, 2013 • Presentation
By Seth Hall
In this presentation, Seth Hall describes Bro, a real-time event analysis language and platform that offers protocol analysis.
- Clairvoyant Squirrel: A Scalable Domain Name Classification System
January 7, 2013 • Presentation
By John Munro, Jason Trost
In this presentation, the authors discuss problems associated with malicious domain classification, and provide examples, solutions, and proposed future work.
- Considerations for Scan Detection Using Flow Data
January 7, 2013 • Presentation
By John McHugh
In this presentation, the author discusses internet traffic scan detection and describes Threshold Random Walk, an algorithm to identify malicious remote hosts.
- CyberV@R: A Model to Compute Dollar Value at Risk of Loss to Cyber Attack
January 7, 2013 • Presentation
By James Ulrich
In this presentation, James Ulrich describes a methodology for constructing risk models that give insight into relative economic costs of cyber attack.
- Detecting Insider Threats with Netflow
January 7, 2013 • Presentation
By Tom Cross
In this presentation, Tom Cross describes the challenges of mitigating insider threat, discusses who commits insider attacks, and describes IT sabotage detection.
- Detecting Malware P2P Traffic Using Network Flow and DNS Analysis
January 7, 2013 • Presentation
By John Jerrim
In this presentation, John Jerrim discusses malware that uses P2P protocols for command and control, and describes a tool for detecting and classifying P2P traffic.
- Enhancing Network Situational Awareness Using DPI Enhanced IPFIX
January 7, 2013 • Presentation
By Hari Kosaraju
In this presentation, Hari Kosaraju describes how to improve flow-based traffic visibility and how doing that enhances network situational awareness.
- Fire Talk About MS-ISAC Efforts
January 7, 2013 • Presentation
By Adnan Baykal (MS-ISAC)
In this presentation, Adnan Baykal describes the work that MS-ISAC CERT is doing in malware analysis and computer forensics.
- Flow Analysis Using MapReduce
January 7, 2013 • Presentation
By Markus Deshon
In this presentation, Markus Deshon describes MapReduce, a programming model for processing large data sets with a parallel, distributed algorithm.
- FlowViewer: Maintaining NASA’s Earth Science Traffic Situational Awareness
January 7, 2013 • Presentation
By Joe Loiacono
In this presentation, Joe Loiacono describes FlowViewer, a tool that provides a web-based user interface to the flow-tools suite and SiLK.
- Identifying Network Traffic Activity Via Flow Sizes
January 7, 2013 • Presentation
By Michael Collins
In this presentation, given at FloCon 2013, Michael Collins discusses how to measure NetFlow and DNS traffic captures.
- Identifying Network Users Using Flow-Based Behavioral Fingerprinting
January 7, 2013 • Presentation
By Alexander Barsamian, Vincent Berk (Dartmouth College), John Murphy (FlowTraq)
In this FloCon 2013 presentation, the authors discuss how to identify network users using flow-based behavioral fingerprinting.
- Introduction to Anomaly Detection
January 7, 2013 • Presentation
By Char Sample, George Jones
In this presentation, George Jones describes anomaly detection, discusses collections and classifications, and provides candidates for operational profiles.
- Network Analysis with SiLK (2013)
January 7, 2013 • Presentation
By Ron Bandes
In this presentation, Ron Bandes describes the SiLK and iSiLK tools, and how you can use them to monitor your network.
- Name Servers Should Not Move
January 7, 2013 • Poster
By Leigh B. Metcalf, Jonathan Spring
In this poster, Leigh Metcalf and Jonathan Spring illustrate how to find name servers that move from IP address to IP address too often.
- Near Real-Time Multi-Source Flow Data Correlation
January 7, 2013 • Presentation
By Carter Bullard (QoSient LLC)
In this presentation, Carter Bullard discusses the role of flow data in cyber security incident response.
- Network Flow 2012: Year in Review
January 7, 2013 • Presentation
By George Warnagiris
In this presentation, George Warnagiris provides a big-picture view of network flow in 2012.
- Network Flow Metadata: Very Large Scale Processing with Argus
January 13, 2014 • Presentation
By Carter Bullard (QoSient LLC)
In this presentation, Carter Bullard defines network flow metadata and describes metadata support in Argus.
- Network Security Monitoring in Minutes
January 7, 2013 • Presentation
By Doug Burks
In this presentation, Doug Burks discusses Security Onion, an Ubuntu-based Linux distribution for intrusion detection and network security monitoring.
- Presenting Mongoose: A New Approach to Traffic Capture
January 7, 2013 • Presentation
By Ron McLeod (Corporate Development Telecom Applications Research Alliance), Ashraf Abu Abusharekh
In this presentation, the authors describe Mongoose, a tool for monitoring the activity of the network from outside the network.
- Scalable NetFlow Analysis with Hadoop
January 7, 2013 • Presentation
By Yeonhee Lee, Youngseok Lee
In this 2013 presentation, Yeonhee Lee and Youngseok Lee provide an overview of NetFlow analysis and describe a Hadoop-based traffic processing tool.
- Scalable Stacked Index to Speed Access to Multi Terabyte Netflow
January 7, 2013 • Presentation
By Bruce Griffin (US-CERT)
In this presentation, Bruce Griffin describes a scalable stacked index that identifies when and where IP addresses were observed, and shows how to collect statistics using the SiLK tools.
- Situational Awareness Metrics from Flow and Other Data Sources
January 7, 2013 • Presentation
By Soumyo D. Moitra
In this presentation, Soumyo Moitra describes the need for a more flexible set of metrics for establishing network situational awareness.
- Statistical Analysis of Flow Data Using Python and Redis
January 7, 2013 • Presentation
By Kevin Noble
In this presentation, Kevin Noble provides an overview of beacons and discusses Beacon Bits, an analytical tool set and workflow to detect beacons.
- Taming Big Flow Data
January 7, 2013 • Presentation
By Igor Balabine, Sasha Velednitsky
In this FloCon 2013 presentation, the authors present an intelligent approach to integrating flow data with mainstream event management systems.
- The Limitations of Analysis at Scale
January 7, 2013 • Presentation
By Timothy J. Shimeall
In this presentation, Timothy Shimeall describes the analysis of large-scale network traffic.
- Thinking Security
January 7, 2013 • Presentation
By Steven M. Bellovin
In this keynote presentation from FloCon 2013, Steven Bellovin discusses the challenges associated with maintaining proper computer security.
- Visualization: Where Are We Going?
January 7, 2013 • Presentation
By Tim Ray (21CT)
In this presentation, Tim Ray discusses the importance of network security visualization and presents specific tricks you can use to find the “bad guys” using NetFlow.