Merging Network Configuration and Network Traffic Data in ISP-Level Analyses
January 2016 • Presentation
This presentation was given in January 2016 at FloCon, a network security conference that provides a forum for large-scale network flow analytics.
The wealth of network data available to analysts is increasing steadily. This data often takes multiple forms: observations of network traffic (specifically network flow records), network population data (numbers of hosts, sometimes typified by operating system), and network architecture data (routing structure, topology information), among others. Population and architecture data is often provided via network configuration or management utilities. This presentation looks at merging this data to support a variety of analyses. The approach to this merger is first addressed broadly and then detailed in several specific examples. Along the way, several barriers to the merger are identified and workarounds are discussed. The presentation concludes with some practical tips for undertaking such merger.