FloCon 2016 Presentations

FloCon 2016 is a conference where attendees discuss large-scale network flow analytics.

These presentations were given at FloCon 2016, a network security conference that provides a forum to discuss large-scale network flow analytics. Showcasing next-generation analytic techniques, FloCon is geared toward operational analysts, tool developers, researchers, and others interested in applying the latest analytics against large volumes of traffic.

Browse the collection of presentations and contact us if you have questions.

Keynote: Achieving a Secure and Resilient Cyber Ecosystem: A Way Ahead

January 2016

This keynote presentation was given in January 2016 at FloCon, a network security conference that provides a forum for large-scale network flow analytics.

A Meaningful Metric for IPv4 Addresses

January 2016

This presentation was given in January 2016 at FloCon, a network security conference that provides a forum for large-scale network flow analytics.

Better Reporting Guidelines for Better Data

January 2016

This presentation was given in January 2016 at FloCon, a network security conference that provides a forum for large-scale network flow analytics.

Capturing and Processing One Million Network Flows Per Second with SiLK: Challenges and Strategies

January 2016

This presentation describes flow data collection at the Mayo Clinic.

Classifying Encrypted Traffic with TLS-Aware Telemetry

January 2016

In this presentation, the authors propose augmenting the typical 5-tuple with TLS-aware telemetry elements.

Command and Control Mechanism Trends in Exploit Kits, RATs, APTs, and Other Malware

January 2016

In this FloCon 2016 presentation, the author provides a brief summary of common C2 TTPs observed during 2015.

Data Fusion: Enhancing NetFlow Graph Analytics

January 2016

In this FloCon 2016 presentation, the authors explain RDP logins and why they are important to analyze in the context of NetFlow.

Detecting Traffic to Recently Unparked Domains with Analysis Pipeline

January 2016

In this presentation, the authors discuss using Analysis Pipeline to detect (1) changes in the control plane and (2) data going to recently unparked IP addresses.

Distributed Sensor Data Contextualization at Scale for Threat Intelligence Analysis

January 2016

In this FloCon 2016 presentation, the author discusses his experiences with analyzing data collected from distributed honeypot sensors, p0f, snort/suricata, and botnet sinkholes.

Gosh Wow, Volusia Networks!

January 2016

This FloCon 2016 presentation describes network operations at Volusia County, Florida.

Graph Analysis Techniques for Network Flow Records Using Open Cyber Ontology Group (OCOG) Format

January 2016

In this FloCon 2016 presentation, the author describes integrating network flow data in the OCOG format with other data sources and presents practical queries and results of graph analysis.

Intelligence Driven Malware Analysis (IDMA) Malicious Profiling

January 2016

This presentation discusses how behavioral markers of malware can be used as a focal point for malware analysis that augments and enhances threat intelligence and information sharing.

Making the Most of a Lot [of Data]: Netflow in US-CERT Operations

January 2016

In this FloCon 2016 presentation, the author reviews uses of netflow in US-CERT's daily monitoring, analysis, and incident response operations.

Merging Network Configuration and Network Traffic Data in ISP-Level Analyses

January 2016

This presentation was given in January 2016 at FloCon, a network security conference that provides a forum for large-scale network flow analytics.

Minimizing the Gaps with Bro, GRR, and Elk (Brogrrelk)

January 2016

The presentation describes a solution that allows incident responders to conduct multiple data collection tasks from one platform.

Monitoring and Classification of Active IPv6 Addresses

January 2016

In this presentation, the author introduces IP address classification methods and how IPv6 addresses are more than just larger IP addresses.

Netflow Analysis - Intrusion Detection, Protection, and Usage Reporting

January 2016

This presentation covers detecting problematic traffic via NetFlow and the use of traffic alerts and daily reports.

Netflow in Daily Information Security Operations

January 2016

In this FloCon 2016 presentation, the author describes how the SEI utilizes free netflow collection and analysis tools to strengthen its enterprise security posture.

Network Monitoring and Deceptive Defenses

January 2016

In this FloCon 2016 presentation, the authors discuss the use of network monitoring to support deceptive defenses.

Network Security Analytics, HPC Platforms, Hadoop, and Graphs.. Oh, My

January 2016

This presentation describes the techniques and approach that Cray, Inc. uses to discover malicious activity.

Network Traffic Analysis - SiLK

January 2016

This presentation, given at FloCon 2016, introduces you to network flow analysis using the CERT open source SiLK tool suite.

New DNS Traffic Analysis Techniques to Identify Global Internet Threats

January 2016

In this presentation, the authors describe how they extracted domains associated with Exploit kit, DGA, and spam-run campaigns from their worldwide live DNS traffic.

Planning Curricula for the Network Traffic Analyst of 2018-2020

January 2016

This FloCon 2016 presentation describes the likely skills, abilities, and challenges for network traffic analysts in the next three to five years.

Role Model Transformations for Flow Analysis in Cyberdefense

January 2016

In this presentation, the author shows mathematical operations that can be used to transform between and organize flow data for different role models.

The Security Wolf of Wall Street: Fighting Crime with High-Frequency Classification and Natural Language Processing

January 2016

This presentation focuses on how to build a scalable machine learning infrastructure in real-time.

Situational Awareness Threat Report (SATR)

January 2016

This FloCon 2016 presentation describes US-CERT's Cyber Hygiene Project and its results.

Sources and Applications of Performance and Security-Augmented Flow Data

January 2016

This FloCon 2016 presentation includes a survey of traditional and non-traditional sources of augmented flow data.

Suricata Tutorial

January 2016

This presentation demonstrates the dynamic capabilities of Suricata, the world's leading IDS/IPS engine.

Towards 100 Gbit Flow-Based Network Monitoring

January 2016

In this presentation, the authors describe nProbe "cento," a software probe that tackles monitoring challenges that arose with the advent of 100-Gbit networks.

Understanding Network Traffic Through Intraflow Data

January 2016

In this presentation, the authors describe experiments to collect intraflow data from network taps, endpoints, and malware sandbox runs.

Using Domain Name Registrant Information to Identify Malicious Domains

January 2016

In this FloCon presentation, the author describes how phony registrant addresses may be predictive of future bad behavior from domains not yet known to be malicious.