FloCon 2016 Presentations

• These presentations were given at FloCon 2016, a network security conference that provides a forum to discuss large-scale network flow analytics. Showcasing next-generation analytic techniques, FloCon is geared toward operational analysts, tool developers, researchers, and others interested in applying the latest analytics against large volumes of traffic.

  Browse the collection of presentations and contact us if you have questions.
  

• Keynote: Achieving a Secure and Resilient Cyber Ecosystem: A Way Ahead January 2016 Author(s): Dr. Peter M. Fonash (Department of Homeland Security, CS&C) This keynote presentation was given in January 2016 at FloCon, a network security conference that provides a forum for large-scale network flow analytics.
• A Meaningful Metric for IPv4 Addresses January 2016 Author(s): Leigh B. Metcalf This presentation was given in January 2016 at FloCon, a network security conference that provides a forum for large-scale network flow analytics.
• Better Reporting Guidelines for Better Data January 2016 Author(s): Christopher Washington (Department of Homeland Security), Brian Allen (US-CERT) This presentation was given in January 2016 at FloCon, a network security conference that provides a forum for large-scale network flow analytics.
• Capturing and Processing One Million Network Flows Per Second with SiLK: Challenges and Strategies January 2016 Author(s): Robert Techentin (Mayo Clinic), David R. Holmes (Mayo Clinic), James C. Nelms (Mayo Clinic), Barry K. Gilbert (Mayo Clinic) This presentation describes flow data collection at the Mayo Clinic.
• Classifying Encrypted Traffic with TLS-Aware Telemetry January 2016 Author(s): Blake Anderson (Cisco Systems, Inc.), David McGrew (Cisco Systems, Inc.), Alison Kendler (Cisco Systems, Inc.) In this presentation, the authors propose augmenting the typical 5-tuple with TLS-aware telemetry elements.
• Command and Control Mechanism Trends in Exploit Kits, RATs, APTs, and Other Malware January 2016 Author(s): Mark Mager In this FloCon 2016 presentation, the author provides a brief summary of common C2 TTPs observed during 2015.
• Data Fusion: Enhancing NetFlow Graph Analytics January 2016 Author(s): Emilie Purvine, Bryan Olsen (Pacific Northwest National Laboratory), Cliff Joslyn (Pacific Northwest National Laboratory) In this FloCon 2016 presentation, the authors explain RDP logins and why they are important to analyze in the context of NetFlow.
• Detecting Traffic to Recently Unparked Domains with Analysis Pipeline January 2016 Author(s): Daniel Ruef In this presentation, the authors discuss using Analysis Pipeline to detect (1) changes in the control plane and (2) data going to recently unparked IP addresses.
• Distributed Sensor Data Contextualization at Scale for Threat Intelligence Analysis January 2016 Author(s): Jason Trost (ThreatStream, Inc.) In this FloCon 2016 presentation, the author discusses his experiences with analyzing data collected from distributed honeypot sensors, p0f, snort/suricata, and botnet sinkholes.
• Gosh Wow, Volusia Networks! January 2016 Author(s): Brian Whiting This FloCon 2016 presentation describes network operations at Volusia County, Florida.
• Graph Analysis Techniques for Network Flow Records Using Open Cyber Ontology Group (OCOG) Format January 2016 Author(s): Robert Techentin (Mayo Clinic), David R. Holmes (Mayo Clinic), James C. Nelms (Mayo Clinic), Barry K. Gilbert (Mayo Clinic) In this FloCon 2016 presentation, the author describes integrating network flow data in the OCOG format with other data sources and presents practical queries and results of graph analysis.
• Intelligence Driven Malware Analysis (IDMA) Malicious Profiling January 2016 Author(s): Casey Kahsen (Northrop Grumman Corporation) This presentation discusses using behavioral markers of malware can be used as a focal point for malware analysis that can augment/enhance threat intelligence and information sharing.
• Making the Most of a Lot [of Data]: Netflow in US-CERT Operations January 2016 Author(s): Chad Hein (Phia, LLC) In this FloCon 2016 presentation, the author reviews uses of netflow in US-CERT's daily monitoring, analysis, and incident response operations.
• Merging Network Configuration and Network Traffic Data in ISP-Level Analyses January 2016 Author(s): Timothy J. Shimeall This presentation was given in January 2016 at FloCon, a network security conference that provides a forum for large-scale network flow analytics.
• Minimizing the Gaps with Bro, GRR, and Elk (Brogrrelk) January 2016 Author(s): David Zito (Northrop Grumman Information Systems) The presentation describes a solution that allows incident responders to conduct multiple data collection tasks from one platform.
• Monitoring and Classification of Active IPv6 Addresses January 2016 Author(s): David Plonka (Akamai) In this presentation, the author introduces IP address classification methods and how IPv6 addresses are more than just larger IP addresses.
• Netflow Analysis - Intrusion Detection, Protection, and Usage Reporting January 2016 Author(s): Jonzy Jones (University of Utah) This presentation covers detecting problematic traffic via NetFlow and the use of traffic alerts and daily reports.
• Netflow in Daily Information Security Operations January 2016 Author(s): Mike Pochan In this FloCon 2016 presentation, the author describes how the SEI utilizes free netflow collection and analysis tools to strengthen its enterprise security posture.
• Network Monitoring and Deceptive Defenses January 2016 Author(s): Michael Collins (RedJack), Brian Satira (Noblis) In this FloCon 2016 presentation, the authors discuss the use of network monitoring to support deceptive defenses.
• Network Security Analytics, HPC Platforms, Hadoop, and Graphs.. Oh, My January 2016 Author(s): Aaron Bossert (Cray, Inc.) This presentation describes the techniques and approach that Cray, Inc. uses to discover malicious activity.
• Network Traffic Analysis - SiLK January 2016 Author(s): Paul Krystosek, Matthew Heckathorn This presentation, given at FloCon 2016, introduces you to network flow analysis using the CERT open source SiLK tool suite.
• New DNS Traffic Analysis Techniques to Identify Global Internet Threats January 2016 Author(s): Dhia Mahjoub (OpenDNS), Thomas Mathew (OpenDNS) In this presentation, the authors describe how they extracted domains associated with Exploit kit, DGA, and spam-run campaigns from their worldwide live DNS traffic.
• Planning Curricula for the Network Traffic Analyst of 2018-2020 January 2016 Author(s): Timothy J. Shimeall This FloCon 2016 presentation describes the likely skills, abilities, and challenges for network traffic analysts in the next three to five years.
• Role Model Transformations for Flow Analysis in Cyberdefense January 2016 Author(s): John Gerth (Stanford University) In this presentation, the author shows mathematical operations that can be used to transform between and organize flow data for different role models.
• The Security Wolf of Wall Street: Fighting Crime with High-Frequency Classification and Natural Language Processing January 2016 Author(s): Jeremiah O'Connor (OpenDNS), Thibault Reuille (OpenDNS) This presentation focuses on how to build a scalable machine learning infrastructure in real-time.
• Situational Awareness Threat Report (SATR) January 2016 Author(s): Stacie Green (Northrop Grumann Corporation), Casey Kahsen (Northrop Grumman Corporation) This FloCon 2016 presentation describes US-CERT's Cyber Hygiene Project project and its results.
• Sources and Applications of Performance and Security-Augmented Flow Data January 2016 Author(s): Avi Freedman (Kentik Technologies) This FloCon 2016 presentation includes a survey of traditional and non-traditional sources of augmented flow data.
• Suricata Tutorial January 2016 Author(s): Victor Julien, Eric Leblond This presentation demonstrates the dynamic capabilities of Suricata, the world's leading IDS/IPS engine.
• Towards 100 Gbit Flow-Based Network Monitoring January 2016 Author(s): In this presentation, the authors describe nProbe "cento," a software probe that tackles monitoring challenges that arose with the advent of 100-Gbit networks.
• Understanding Network Traffic Through Intraflow Data January 2016 Author(s): David McGrew (Cisco Systems, Inc.), Blake Anderson (Cisco Systems, Inc.) In this presentation, the authors describe experiments to collect intraflow data from network taps, endpoints, and malware sandbox runs.
• Using Domain Name Registrant Information to Identify Malicious Domains January 2016 Author(s): Mark Langston In this this FloCon presentation, the author describes how phony addresses may be predictive of future bad behavior from domains not yet known to be malicious.