FloCon 2016 Presentations
• Collection
Publisher
Software Engineering Institute
Subjects
Abstract
These presentations were given at FloCon 2016, a network security conference that provides a forum to discuss large-scale network flow analytics. Showcasing next-generation analytic techniques, FloCon is geared toward operational analysts, tool developers, researchers, and others interested in applying the latest analytics against large volumes of traffic.
Browse the collection of presentations and
contact us if you have questions.
Collection Items
Keynote: Achieving a Secure and Resilient Cyber Ecosystem: A Way Ahead
• Presentation
By Dr. Peter M. Fonash (Department of Homeland Security, CS&C)
This keynote presentation was given in January 2016 at FloCon, a network security conference that provides a forum for large-scale network flow analytics.
Learn More
A Meaningful Metric for IPv4 Addresses
• Presentation
By Leigh B. Metcalf
This presentation was given in January 2016 at FloCon, a network security conference that provides a forum for large-scale network flow analytics.
Learn More
Better Reporting Guidelines for Better Data
• Presentation
By Christopher Washington (Department of Homeland Security), Brian Allen (US-CERT)
This presentation was given in January 2016 at FloCon, a network security conference that provides a forum for large-scale network flow analytics.
Learn More
Capturing and Processing One Million Network Flows Per Second with SiLK: Challenges and Strategies
• Presentation
By Robert Techentin (Mayo Clinic), David R. Holmes (Mayo Clinic), James C. Nelms (Mayo Clinic), Barry K. Gilbert (Mayo Clinic)
This presentation describes flow data collection at the Mayo Clinic.
Learn More
Classifying Encrypted Traffic with TLS-Aware Telemetry
• Presentation
By Blake Anderson (Cisco Systems, Inc.), David McGrew (Cisco Systems, Inc.), Alison Kendler (Cisco Systems, Inc.)
In this presentation, the authors propose augmenting the typical 5-tuple with TLS-aware telemetry elements.
Learn More
Command and Control Mechanism Trends in Exploit Kits, RATs, APTs, and Other Malware
• Presentation
By Mark Mager
In this FloCon 2016 presentation, the author provides a brief summary of common C2 TTPs observed during 2015.
Learn More
Data Fusion: Enhancing NetFlow Graph Analytics
• Presentation
By Emilie Purvine, Bryan Olsen (Pacific Northwest National Laboratory), Cliff Joslyn (Pacific Northwest National Laboratory)
In this FloCon 2016 presentation, the authors explain RDP logins and why they are important to analyze in the context of NetFlow.
Learn More
Detecting Traffic to Recently Unparked Domains with Analysis Pipeline
• Presentation
By Daniel Ruef
In this presentation, the authors discuss using an Analysis Pipeline to detect (1) changes in the control plane and (2) data going to recently unparked IP addresses.
Learn More
Distributed Sensor Data Contextualization at Scale for Threat Intelligence Analysis
• Presentation
By Jason Trost (ThreatStream, Inc.)
In this FloCon 2016 presentation, the author discusses his experiences with analyzing data collected from distributed honeypot sensors, p0f, snort/suricata, and botnet sinkholes.
Learn More
Gosh Wow, Volusia Networks!
• Presentation
By Brian Whiting
This FloCon 2016 presentation describes network operations at Volusia County, Florida.
Learn More
Graph Analysis Techniques for Network Flow Records Using Open Cyber Ontology Group (OCOG) Format
• Presentation
By Robert Techentin (Mayo Clinic), David R. Holmes (Mayo Clinic), James C. Nelms (Mayo Clinic), Barry K. Gilbert (Mayo Clinic)
In this FloCon 2016 presentation, the author describes integrating network flow data in the OCOG format with other data sources and presents practical queries and results of graph analysis.
Learn More
Intelligence Driven Malware Analysis (IDMA) Malicious Profiling
• Presentation
By Casey Kahsen (Northrop Grumman Corporation)
This presentation discusses using behavioral markers of malware can be used as a focal point for malware analysis that can augment/enhance threat intelligence and information sharing.
Learn More
Making the Most of a Lot [of Data]: Netflow in US-CERT Operations
• Presentation
By Chad Hein (Phia, LLC)
In this FloCon 2016 presentation, the author reviews uses of netflow in US-CERT's daily monitoring, analysis, and incident response operations.
Learn More
Merging Network Configuration and Network Traffic Data in ISP-Level Analyses
• Presentation
By Timothy J. Shimeall
This presentation was given in January 2016 at FloCon, a network security conference that provides a forum for large-scale network flow analytics.
Learn More
Minimizing the Gaps with Bro, GRR, and Elk (Brogrrelk)
• Presentation
By David Zito (Northrop Grumman Information Systems)
The presentation describes a solution that allows incident responders to conduct multiple data collection tasks from one platform.
Learn More
Monitoring and Classification of Active IPv6 Addresses
• Presentation
By David Plonka (Akamai)
In this presentation, the author introduces IP address classification methods and how IPv6 addresses are more than just larger IP addresses.
Learn More
Netflow Analysis - Intrusion Detection, Protection, and Usage Reporting
• Presentation
By Jonzy Jones (University of Utah)
This presentation covers detecting problematic traffic via NetFlow and the use of traffic alerts and daily reports.
Learn More
Netflow in Daily Information Security Operations
• Presentation
By Mike Pochan
This FloCon 2016 presentation describes how the SEI utilizes free Netflow collection and analysis tools to strengthen its enterprise security posture.
Learn More
Network Monitoring and Deceptive Defenses
• Presentation
By Michael Collins, Brian Satira (Noblis)
In this FloCon 2016 presentation, the authors discuss the use of network monitoring to support deceptive defenses.
Learn More
Network Security Analytics, HPC Platforms, Hadoop, and Graphs.. Oh, My
• Presentation
By Aaron Bossert (Cray, Inc.)
This presentation describes the techniques and approach that Cray, Inc. uses to discover malicious activity.
Learn More
Network Traffic Analysis - SiLK
• Presentation
By Paul Krystosek, Matthew Heckathorn
This presentation, given at FloCon 2016, introduces you to network flow analysis using the CERT open source SiLK tool suite.
Learn More
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
• Presentation
By Dhia Mahjoub (OpenDNS), Thomas Mathew (OpenDNS)
In this presentation, the authors describe how they extracted domains associated with Exploit kit, DGA, and spam-run campaigns from their worldwide live DNS traffic.
Learn More
Planning Curricula for the Network Traffic Analyst of 2018-2020
• Presentation
By Timothy J. Shimeall
This FloCon 2016 presentation describes the likely skills, abilities, and challenges for network traffic analysts in the next three to five years.
Learn More
Role Model Transformations for Flow Analysis in Cyberdefense
• Presentation
By John Gerth (Stanford University)
In this presentation, the author shows mathematical operations that can be used to transform between and organize flow data for different role models.
Learn More
The Security Wolf of Wall Street: Fighting Crime with High-Frequency Classification and Natural Language Processing
• Presentation
By Jeremiah O'Connor (OpenDNS), Thibault Reuille (OpenDNS)
This presentation focuses on how to build a scalable machine learning infrastructure in real-time.
Learn More
Situational Awareness Threat Report (SATR)
• Presentation
By Stacie Green (Northrop Grumman Corporation), Casey Kahsen (Northrop Grumman Corporation)
This FloCon 2016 presentation describes US-CERT's Cyber Hygiene Project project and its results.
Learn More
Sources and Applications of Performance and Security-Augmented Flow Data
• Presentation
By Avi Freedman (Kentik Technologies)
This FloCon 2016 presentation includes a survey of traditional and non-traditional sources of augmented flow data.
Learn More
Suricata Tutorial
• Presentation
By Victor Julien, Eric Leblond
This presentation demonstrates the dynamic capabilities of Suricata, the world's leading IDS/IPS engine.
Learn More
Towards 100 Gbit Flow-Based Network Monitoring
• Presentation
By Software Engineering Institute
In this presentation, the authors describe nProbe "cento," a software probe that tackles monitoring challenges that arose with the advent of 100-Gbit networks.
Learn More
Understanding Network Traffic Through Intraflow Data
• Presentation
By David McGrew (Cisco Systems, Inc.), Blake Anderson (Cisco Systems, Inc.)
In this presentation, the authors describe experiments to collect intraflow data from network taps, endpoints, and malware sandbox runs.
Learn More
Using Domain Name Registrant Information to Identify Malicious Domains
• Presentation
By Mark Langston
In this this FloCon presentation, the author describes how phony addresses may be predictive of future bad behavior from domains not yet known to be malicious.
Learn More