FloCon 2016 Presentations
FloCon 2016 is a conference where attendees discuss large-scale network flow analytics.
Publisher:
CERT Division
Subjects
These presentations were given at FloCon 2016, a network security conference that provides a forum to discuss large-scale network flow analytics. Showcasing next-generation analytic techniques, FloCon is geared toward operational analysts, tool developers, researchers, and others interested in applying the latest analytics against large volumes of traffic.
Browse the collection of presentations and
contact us if you have questions.
Keynote: Achieving a Secure and Resilient Cyber Ecosystem: A Way Ahead
January 2016
This keynote presentation was given in January 2016 at FloCon, a network security conference that provides a forum for large-scale network flow analytics.
A Meaningful Metric for IPv4 Addresses
January 2016
This presentation was given in January 2016 at FloCon, a network security conference that provides a forum for large-scale network flow analytics.
Better Reporting Guidelines for Better Data
January 2016
This presentation was given in January 2016 at FloCon, a network security conference that provides a forum for large-scale network flow analytics.
Capturing and Processing One Million Network Flows Per Second with SiLK: Challenges and Strategies
January 2016
This presentation describes flow data collection at the Mayo Clinic.
Classifying Encrypted Traffic with TLS-Aware Telemetry
January 2016
In this presentation, the authors propose augmenting the typical 5-tuple with TLS-aware telemetry elements.
Command and Control Mechanism Trends in Exploit Kits, RATs, APTs, and Other Malware
January 2016
In this FloCon 2016 presentation, the author provides a brief summary of common C2 TTPs observed during 2015.
Data Fusion: Enhancing NetFlow Graph Analytics
January 2016
In this FloCon 2016 presentation, the authors explain RDP logins and why they are important to analyze in the context of NetFlow.
Detecting Traffic to Recently Unparked Domains with Analysis Pipeline
January 2016
In this presentation, the authors discuss using Analysis Pipeline to detect (1) changes in the control plane and (2) data going to recently unparked IP addresses.
Distributed Sensor Data Contextualization at Scale for Threat Intelligence Analysis
January 2016
In this FloCon 2016 presentation, the author discusses his experiences with analyzing data collected from distributed honeypot sensors, p0f, snort/suricata, and botnet sinkholes.
Gosh Wow, Volusia Networks!
January 2016
This FloCon 2016 presentation describes network operations at Volusia County, Florida.
Graph Analysis Techniques for Network Flow Records Using Open Cyber Ontology Group (OCOG) Format
January 2016
In this FloCon 2016 presentation, the author describes integrating network flow data in the OCOG format with other data sources and presents practical queries and results of graph analysis.
Intelligence Driven Malware Analysis (IDMA) Malicious Profiling
January 2016
This presentation discusses using behavioral markers of malware can be used as a focal point for malware analysis that can augment/enhance threat intelligence and information sharing.
Making the Most of a Lot [of Data]: Netflow in US-CERT Operations
January 2016
In this FloCon 2016 presentation, the author reviews uses of netflow in US-CERT's daily monitoring, analysis, and incident response operations.
Merging Network Configuration and Network Traffic Data in ISP-Level Analyses
January 2016
This presentation was given in January 2016 at FloCon, a network security conference that provides a forum for large-scale network flow analytics.
Minimizing the Gaps with Bro, GRR, and Elk (Brogrrelk)
January 2016
The presentation describes a solution that allows incident responders to conduct multiple data collection tasks from one platform.
Monitoring and Classification of Active IPv6 Addresses
January 2016
In this presentation, the author introduces IP address classification methods and how IPv6 addresses are more than just larger IP addresses.
Netflow Analysis - Intrusion Detection, Protection, and Usage Reporting
January 2016
This presentation covers detecting problematic traffic via NetFlow and the use of traffic alerts and daily reports.
Netflow in Daily Information Security Operations
January 2016
In this FloCon 2016 presentation, the author describes how the SEI utilizes free netflow collection and analysis tools to strengthen its enterprise security posture.
Network Monitoring and Deceptive Defenses
January 2016
In this FloCon 2016 presentation, the authors discuss the use of network monitoring to support deceptive defenses.
Network Security Analytics, HPC Platforms, Hadoop, and Graphs.. Oh, My
January 2016
This presentation describes the techniques and approach that Cray, Inc. uses to discover malicious activity.
Network Traffic Analysis - SiLK
January 2016
This presentation, given at FloCon 2016, introduces you to network flow analysis using the CERT open source SiLK tool suite.
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
January 2016
In this presentation, the authors describe how they extracted domains associated with Exploit kit, DGA, and spam-run campaigns from their worldwide live DNS traffic.
Planning Curricula for the Network Traffic Analyst of 2018-2020
January 2016
This FloCon 2016 presentation describes the likely skills, abilities, and challenges for network traffic analysts in the next three to five years.
Role Model Transformations for Flow Analysis in Cyberdefense
January 2016
In this presentation, the author shows mathematical operations that can be used to transform between and organize flow data for different role models.
The Security Wolf of Wall Street: Fighting Crime with High-Frequency Classification and Natural Language Processing
January 2016
This presentation focuses on how to build a scalable machine learning infrastructure in real-time.
Situational Awareness Threat Report (SATR)
January 2016
This FloCon 2016 presentation describes US-CERT's Cyber Hygiene Project project and its results.
Sources and Applications of Performance and Security-Augmented Flow Data
January 2016
This FloCon 2016 presentation includes a survey of traditional and non-traditional sources of augmented flow data.
Suricata Tutorial
January 2016
This presentation demonstrates the dynamic capabilities of Suricata, the world's leading IDS/IPS engine.
Towards 100 Gbit Flow-Based Network Monitoring
January 2016
In this presentation, the authors describe nProbe "cento," a software probe that tackles monitoring challenges that arose with the advent of 100-Gbit networks.
Understanding Network Traffic Through Intraflow Data
January 2016
In this presentation, the authors describe experiments to collect intraflow data from network taps, endpoints, and malware sandbox runs.
Using Domain Name Registrant Information to Identify Malicious Domains
January 2016
In this this FloCon presentation, the author describes how phony addresses may be predictive of future bad behavior from domains not yet known to be malicious.