FloCon 2010 Collection
These presentations were given at FloCon 2010, an annual event where attendees discuss the analysis of large volumes of traffic and showcase the next generation of flow-based analysis techniques.
Abstract
FloCon 2010 focused on flow data analysis within the context of other data sources. Presentations emphasized techniques for analyzing flow data, integrating flow data with network data sets, and engineering support for flow analysis and integration.
Collection Contents
-
A Case Study - Using Flow to Identify Specific Malware Characteristics
January 11, 2010 • Presentation
By Jonathan Taimanglo (Department of Homeland Security), Michael Jacobs (Department of Homeland Security)
In this presentation, US-CERT staff explain how they narrowed a large dataset to a few suspicious IP addresses using SiLK and Perl.
-
A Temporal Logic For Network Flow Analysis
January 11, 2010 • Presentation
By Timothy J. Shimeall
In this presentation, Tim Shimeall discusses temporal logic adaptations of flow analysis and how formalization of time relationships can help improve flow analysis methods.
-
Abstracting and Visualizing Host Behaviour through Graphs
January 11, 2010 • Presentation
By Eduard Glatz (Computer Engineering and Networks Laboratory)
In this presentation, Eduard Glatz describes how graphs can be used to represent host traffic while filtering unwanted traffic.
-
Beyond the Top Talkers: Empirical Correlation of Conficker-C Infected IP Space
January 11, 2010 • Presentation
By Rhiannon Weaver
In this presentation, Rhiannon Weaver discusses Conficker, a computer worm that targets the Microsoft Windows operating system.
-
DMnet: Detection Mitigation Network: A Behavioral Analysis System Supporting Trust Measurements
January 11, 2010 • Presentation
By Owen McCusker (Sonalysts), Scott Brunza (Sonalysts), Carrie Gates, Joel Glanfield (CA Labs), Dana Paterson (FloVis)
In this presentation, given at FloCon 2010, the authors describe DMnet, a distributed botnet detection and mitigation system.
-
DNS and Flow: Bulk DNS Analysis
January 11, 2010 • Presentation
By Ed Stoner
In this presentation, Ed Stoner explores techniques to analyze DNS traffic and combine that analysis with flow analysis.
-
First Experiences with Cuckoo Bags
January 11, 2010 • Presentation
By John McHugh, Jeff Janies, Teryl Taylor (FloVis)
In this presentation, Redjack staff describe cuckoo bags, a data structure and tools for maintaining sets indexed by IPv4 and IPv6 addresses in the same structure.
-
Flow Analysis for Network Situational Awareness
January 11, 2010 • Presentation
By Timothy J. Shimeall
In this presentation, given at FloCon in January 2010, Tim Shimeall discusses networks, external events and trends, and network dependencies and analysis.
-
Flow Data at 10 GigE and Beyond: What Can (or Should) We Do?
January 11, 2010 • Presentation
By Scott Pinkerton (Argonne National Laboratory)
In this presentation, given at FloCon 2010, Scott Pinkerton discusses approaches to using flow data in large environments.
-
FloCon 2010 Keynote: Flow Data for Billing and Routing
January 11, 2010 • Presentation
By Bill Woodcock (Packet Clearing House)
In this presentation, Bill Woodcock describes how flow data can be used for smarter billing, routing optimization, and as a target for analyzing user behavior.
-
Flow Traffic Analysis Narratives
January 11, 2010 • Presentation
By Michael Collins
In this presentation, Michael Collins describes the importance of developing narratives that abstractly describe activity between hosts.
-
Flow Valuations Based on Network-Service Cooperation
January 11, 2010 • Presentation
By Tanja Zseby (Fraunhofer Fokus), Thomas Hirsch (Fraunhofer Fokus)
In this FloCon 2010 presentation, Fraunhofer staff describe autonomic networking and using network-service cooperation to determine which flows to block.
-
Geography of Internet2 Netflow
January 11, 2010 • Presentation
By David A. Ripley (Indiana University Advanced Network Management Laboratory), Tony H. Grubesic (Indiana University), Timothy C. Matisziw (University of Missouri)
In this presentation, the authors describe a methodology for determining the geographical movement of information on the Internet2 Network.
-
High-Throughput Real-Time Network Flow Visualization
January 11, 2010 • Presentation
By Daniel Best (Pacific Northwest National Laboratory)
In this presentation, Daniel Best explains how a high-throughput pipeline and tools, such as Traffic Circle, CLIQUE, and MeDiCi, help analysts spot problems.
-
Introduction to Argus
January 11, 2010 • Presentation
By Carter Bullard (QuSient LLC)
In this presentation, Carter Bullard introduces and describes Argus, a network utilization audit system.
-
Introduction to SIE
January 11, 2010 • Presentation
By Eric Ziegast (Internet Systems Consortium)
In this presentation, Eric Ziegast describes the Security Information Exchange, a set of organizations dedicated to the globally trusted exchange of information.
-
IPTV Traffic “Qcast”: IP Multicast Traffic Monitoring System with IPFIX/PSAMP
January 11, 2010 • Presentation
By Shingo Kashima (NTT Corporation), Atsushi Kobayashi (NTT Corporation)
In this presentation, the authors discuss issues related to multicast monitoring and introduce their system called Qcast.
-
Know Your Network
January 11, 2010 • Presentation
By Josh Goldfarb (MITS Cybersecurity)
In this presentation, Josh Goldfarb explains an iterative approach to knowing what belongs in your network and what does not.
-
Lessons Learned While Providing SiLK Training
January 11, 2010 • Presentation
By Jim Downey (Defense Information Systems Agency)
In this presentation, Jim Downey describes the lessons he has learned from training customers in SiLK.
-
Network Flow Data Fusion GeoSpatial and NetSpatial Data Enhancement
January 11, 2010 • Presentation
By Carter Bullard (QuSient LLC)
In this presentation, Carter Bullard discusses flow data fusion and the requirements data must meet to be useful.
-
Network Host Classification Using Statistical Analysis of Flow Data
January 11, 2010 • Presentation
By Alex Kent (Los Alamos National Laboratory), Mike Fisk (Los Alamos National Laboratory), Eugene Gavrilov (Los Alamos National Laboratory)
In this presentation, given at FloCon 2010, the authors describe how host/IP address profiling based on flow data over time can provide valuable outcomes.
-
Parallel Processing in Netflow Data Fusion
January 11, 2010 • Presentation
By George Saylor (G2, Inc.), Michael Rash (G2, Inc.)
In this presentation, the authors discuss parallel processing to facilitate processing data in very large environments.
-
Project Bloom: Empowering the Security Research Community Through Data Products and Computing
January 11, 2010 • Presentation
By Minaxi Gupta (Indiana University, Bloomington), Gregory Travis (Indiana University, Bloomington), Doug D. Pearson (Indiana University, Bloomington)
In this presentation, the authors describe Project Bloom, a project that provides quality data and data products to researchers.
-
Realtime Change Detection & Automatic Network Response
January 11, 2010 • Presentation
By Alex Brugh (Los Alamos National Laboratory), Mike Fisk (Los Alamos National Laboratory), Josh Neil (Los Alamos National Laboratory), Paul Ferrell (Los Alamos National Laboratory), Scott Miller (Los Alamos National Laboratory), Danny Quist (Los Alamos National Laboratory)
In this presentation, the authors describe the use of flow data in change detection and response, including current methods and areas of research.
-
"SASUKE" Traffic Monitoring Tool Traffic Shift Monitoring Based on Correlation Between BGP Messages and Flow Data
January 11, 2010 • Presentation
By Atsushi Kobayashi (NTT Corporation), Yutaka Hirokawa (NTT Information Sharing Laboratories), Hiroshi Kurakami (NTT Corporation)
In this presentation, the authors describe SASUKE, a tool that detects traffic change and identifies the BGP route announcements involved.
-
SiLK and the Virtual Training Environment
January 11, 2010 • Presentation
By George Warnagiris
In this presentation, CERT staff members describe SiLK, a collection of traffic analysis tools developed by CERT, and the Virtual Training Environment.
-
Simply Top Talkers
January 11, 2010 • Presentation
By Jeroen Massar (IBM Research Zurich), Andreas Kind (Zurich Research Laboratory), Marc P. Stoecklin (Zurich Research Laboratory)
In this presentation, the authors discuss techniques to compute top-k listings for single and composed traffic aspects.
-
Stager – A Generic Tool for Presenting Network Statistics
January 11, 2010 • Presentation
By Arne Oslebo (Uninett)
In this presentation, Arne Oslebo describes Stager, a web-based tool for presenting and aggregating most types of network statistics.
-
Strip Plots: A Simple Automated Time-Series Visualization
January 11, 2010 • Presentation
By Sid Faber
In this presentation, Sid Faber describes an approach to a self-maintaining network profile using batch processing, email, quick triage, and intuitive design.
-
Towards Reliable Traffic Classification Using Visual Motifs
January 11, 2010 • Presentation
By Wilson Lian (University of North Carolina, Chapel Hill), John McHugh, Fabian Monrose (University of North Carolina, Chapel Hill)
In this presentation, the authors provide an overview of traffic classification, and discuss and evaluate visual motifs.
-
Traffic Analysis Using Streaming Queries
January 11, 2010 • Presentation
By Mike Fisk (Los Alamos National Laboratory)
In this presentation, Mike Fisk shows how continuous queries provide a common query syntax, infrastructure, and framework for traffic analysis.