FloCon 2016 Presentations
FloCon 2016 is a conference where attendees discuss large-scale network flow analytics.
Publisher:
CERT Division
Abstract
These presentations were given at FloCon 2016, a network security conference that provides a forum to discuss large-scale network flow analytics. Showcasing next-generation analytic techniques, FloCon is geared toward operational analysts, tool developers, researchers, and others interested in applying the latest analytics against large volumes of traffic.
Browse the collection of presentations and
contact us if you have questions.
Collection Contents
-
Keynote: Achieving a Secure and Resilient Cyber Ecosystem: A Way Ahead
January 11, 2016 • Presentation
By Dr. Peter M. Fonash (Department of Homeland Security, CS&C)
This keynote presentation was given in January 2016 at FloCon, a network security conference that provides a forum for large-scale network flow analytics.
read -
A Meaningful Metric for IPv4 Addresses
January 11, 2016 • Presentation
By Leigh B. Metcalf
This presentation was given in January 2016 at FloCon, a network security conference that provides a forum for large-scale network flow analytics.
read -
Better Reporting Guidelines for Better Data
January 11, 2016 • Presentation
By Christopher Washington (Department of Homeland Security), Brian Allen (US-CERT)
This presentation was given in January 2016 at FloCon, a network security conference that provides a forum for large-scale network flow analytics.
read -
Capturing and Processing One Million Network Flows Per Second with SiLK: Challenges and Strategies
January 14, 2016 • Presentation
By Robert Techentin (Mayo Clinic), David R. Holmes (Mayo Clinic), James C. Nelms (Mayo Clinic), Barry K. Gilbert (Mayo Clinic)
This presentation describes flow data collection at the Mayo Clinic.
read -
Classifying Encrypted Traffic with TLS-Aware Telemetry
January 14, 2016 • Presentation
By Blake Anderson (Cisco Systems, Inc.), David McGrew (Cisco Systems, Inc.), Alison Kendler (Cisco Systems, Inc.)
In this presentation, the authors propose augmenting the typical 5-tuple with TLS-aware telemetry elements.
read -
Command and Control Mechanism Trends in Exploit Kits, RATs, APTs, and Other Malware
January 11, 2016 • Presentation
By Mark Mager
In this FloCon 2016 presentation, the author provides a brief summary of common C2 TTPs observed during 2015.
read -
Data Fusion: Enhancing NetFlow Graph Analytics
January 11, 2016 • Presentation
By Emilie Purvine, Bryan Olsen (Pacific Northwest National Laboratory), Cliff Joslyn (Pacific Northwest National Laboratory)
In this FloCon 2016 presentation, the authors explain RDP logins and why they are important to analyze in the context of NetFlow.
read -
Detecting Traffic to Recently Unparked Domains with Analysis Pipeline
January 11, 2016 • Presentation
By Daniel Ruef
In this presentation, the authors discuss using Analysis Pipeline to detect (1) changes in the control plane and (2) data going to recently unparked IP addresses.
read -
Distributed Sensor Data Contextualization at Scale for Threat Intelligence Analysis
January 11, 2016 • Presentation
By Jason Trost (ThreatStream, Inc.)
In this FloCon 2016 presentation, the author discusses his experiences with analyzing data collected from distributed honeypot sensors, p0f, snort/suricata, and botnet sinkholes.
read -
Gosh Wow, Volusia Networks!
January 11, 2016 • Presentation
By Brian Whiting
This FloCon 2016 presentation describes network operations at Volusia County, Florida.
read -
Graph Analysis Techniques for Network Flow Records Using Open Cyber Ontology Group (OCOG) Format
January 11, 2016 • Presentation
By Robert Techentin (Mayo Clinic), David R. Holmes (Mayo Clinic), James C. Nelms (Mayo Clinic), Barry K. Gilbert (Mayo Clinic)
In this FloCon 2016 presentation, the author describes integrating network flow data in the OCOG format with other data sources and presents practical queries and results of graph analysis.
read -
Intelligence Driven Malware Analysis (IDMA) Malicious Profiling
January 11, 2016 • Presentation
By Casey Kahsen (Northrop Grumman Corporation)
This presentation discusses using behavioral markers of malware can be used as a focal point for malware analysis that can augment/enhance threat intelligence and information sharing.
read -
Making the Most of a Lot [of Data]: Netflow in US-CERT Operations
January 11, 2016 • Presentation
By Chad Hein (Phia, LLC)
In this FloCon 2016 presentation, the author reviews uses of netflow in US-CERT's daily monitoring, analysis, and incident response operations.
read -
Merging Network Configuration and Network Traffic Data in ISP-Level Analyses
January 11, 2016 • Presentation
By Timothy J. Shimeall
This presentation was given in January 2016 at FloCon, a network security conference that provides a forum for large-scale network flow analytics.
read -
Minimizing the Gaps with Bro, GRR, and Elk (Brogrrelk)
January 14, 2016 • Presentation
By David Zito (Northrop Grumman Information Systems)
The presentation describes a solution that allows incident responders to conduct multiple data collection tasks from one platform.
read -
Monitoring and Classification of Active IPv6 Addresses
January 11, 2016 • Presentation
By David Plonka (Akamai)
In this presentation, the author introduces IP address classification methods and how IPv6 addresses are more than just larger IP addresses.
read -
Netflow Analysis - Intrusion Detection, Protection, and Usage Reporting
January 14, 2016 • Presentation
By Jonzy Jones (University of Utah)
This presentation covers detecting problematic traffic via NetFlow and the use of traffic alerts and daily reports.
read -
Netflow in Daily Information Security Operations
January 11, 2016 • Presentation
By Mike Pochan
In this FloCon 2016 presentation, the author describes how the SEI utilizes free netflow collection and analysis tools to strengthen its enterprise security posture.
read -
Network Monitoring and Deceptive Defenses
January 11, 2016 • Presentation
By Michael Collins (RedJack), Brian Satira (Noblis)
In this FloCon 2016 presentation, the authors discuss the use of network monitoring to support deceptive defenses.
read -
Network Security Analytics, HPC Platforms, Hadoop, and Graphs.. Oh, My
January 14, 2016 • Presentation
By Aaron Bossert (Cray, Inc.)
This presentation describes the techniques and approach that Cray, Inc. uses to discover malicious activity.
read -
Network Traffic Analysis - SiLK
January 11, 2016 • Presentation
By Paul Krystosek, Matthew Heckathorn
This presentation, given at FloCon 2016, introduces you to network flow analysis using the CERT open source SiLK tool suite.
read -
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
January 11, 2016 • Presentation
By Dhia Mahjoub (OpenDNS), Thomas Mathew (OpenDNS)
In this presentation, the authors describe how they extracted domains associated with Exploit kit, DGA, and spam-run campaigns from their worldwide live DNS traffic.
read -
Planning Curricula for the Network Traffic Analyst of 2018-2020
January 11, 2016 • Presentation
By Timothy J. Shimeall
This FloCon 2016 presentation describes the likely skills, abilities, and challenges for network traffic analysts in the next three to five years.
read -
Role Model Transformations for Flow Analysis in Cyberdefense
January 11, 2016 • Presentation
By John Gerth (Stanford University)
In this presentation, the author shows mathematical operations that can be used to transform between and organize flow data for different role models.
read -
The Security Wolf of Wall Street: Fighting Crime with High-Frequency Classification and Natural Language Processing
January 14, 2016 • Presentation
By Jeremiah O'Connor (OpenDNS), Thibault Reuille (OpenDNS)
This presentation focuses on how to build a scalable machine learning infrastructure in real-time.
read -
Situational Awareness Threat Report (SATR)
January 11, 2016 • Presentation
By Stacie Green (Northrop Grumann Corporation), Casey Kahsen (Northrop Grumman Corporation)
This FloCon 2016 presentation describes US-CERT's Cyber Hygiene Project project and its results.
read -
Sources and Applications of Performance and Security-Augmented Flow Data
January 11, 2016 • Presentation
By Avi Freedman (Kentik Technologies)
This FloCon 2016 presentation includes a survey of traditional and non-traditional sources of augmented flow data.
read -
Suricata Tutorial
January 11, 2016 • Presentation
By Victor Julien, Eric Leblond
This presentation demonstrates the dynamic capabilities of Suricata, the world's leading IDS/IPS engine.
read -
Towards 100 Gbit Flow-Based Network Monitoring
January 11, 2016 • Presentation
In this presentation, the authors describe nProbe "cento," a software probe that tackles monitoring challenges that arose with the advent of 100-Gbit networks.
read -
Understanding Network Traffic Through Intraflow Data
January 11, 2016 • Presentation
By David McGrew (Cisco Systems, Inc.), Blake Anderson (Cisco Systems, Inc.)
In this presentation, the authors describe experiments to collect intraflow data from network taps, endpoints, and malware sandbox runs.
read -
Using Domain Name Registrant Information to Identify Malicious Domains
January 11, 2016 • Presentation
By Mark Langston
In this this FloCon presentation, the author describes how phony addresses may be predictive of future bad behavior from domains not yet known to be malicious.
read