FloCon 2019 has ended

General Session
Thursday, January 10

10:30am EST

Identifying Automatic Flows
One of the limitations of solely using flow metadata (e.g. Netflow) for network analysis is the difficulty in differentiating between flows generated by user activities and flows generated by automatic processes. Most personal computers generate network flows continuously, performing actions such as checking for system updates, new messages, or network resources. We investigated how to identify automatic flows as a means of enhancing Netflow-based analyses of user behaviors; this approach, however, can be used to isolate and evaluate non-user-generated flows as well. To develop this methodology, we created two virtual machines, one Windows 7 and one Ubuntu, and performed typical user activities on each VM while capturing the resultant flow data. User actions were scripted, with times logged and actions separated by intervals long enough for user-initiated flows to complete. This allowed us to label all captured flow data as being either automatic or user-generated. The labeled data was assessed and used to develop and test algorithms to identify and label automatic flows. The resulting algorithms are not dependent on the ports or platform used. We present our observations on the discriminators we identified, the algorithms we generated, and how well they performed.

Attendees will Learn:
Attendees will learn about specific Netflow-derived features that can be used to discriminate between flows generated by user actions and those generated automatically by applications or systems. This can improve security operations by enabling analysts to focus on either set of flows.

Jeffrey Dean

Electrical Engineer, USAF
Jeffrey Dean received his PhD in Computer Science from the Naval Postgraduate School in 2017. His dissertation focused on evaluating the use of organizational roles in comparing user network behaviors, using Netflow as source data. He served in the U.S. Air Force as an officer (active...

Thursday January 10, 2019 10:30am - 11:00am EST
Grand Ballroom 300 Bourbon St, New Orleans, LA 70130

11:00am EST

Network throughput and complexity are increasing due to the growing number of devices and data-driven applications, especially at universities and Research and Education (R&E) networks. In this talk we present InSight2, an open platform intended to monitor these large-scale networks and facilitate the development of network analytics for them. University and R&E networks are facing a deficiency in operational and security awareness. Real-time behavioral visibility and analysis of networks are crucial to detect problems, predict patterns and protect the data and critical assets. Conventional monitoring techniques and tools do not scale well in these environments. Novel analytics must be developed to understand traffic behavior and security issues, addressing the complexity and throughput of these networks. Network managers, operators and analysts have difficulty finding tools that can analyze the volume of data they collect. Researchers and educators encounter a barrier to entry when developing network analytics. These issues can be addressed by an open platform that facilitates collaboration among the global community for the development and improvement of network analytics. We present two analytics modules. The predictive analytics module forecasts network utilization and enables the detection of unexpected behavior. The botnet detection module identifies botnet activity in network traffic. Results from various deployments of InSight2, as well as benchmarks, are also presented.

Angel Kodituwakku

PhD candidate Computer Engineering, concentrating in Cybersecurity, The University of Tennessee, Knoxville
Angel Kodituwakku is currently a PhD candidate in Computer Engineering with a concentration in Cybersecurity at the University of Tennessee, Knoxville. He served as a Research Associate for two years on a National Science Foundation funded project. He received his MS in Computer Engineering...

Thursday January 10, 2019 11:00am - 11:30am EST
Grand Ballroom 300 Bourbon St, New Orleans, LA 70130

11:30am EST

Good and interesting research starts with good and interesting data. Jeff Schmidt will introduce a U.S. Department of Homeland Security (DHS) program called Information Marketplace for Policy and Analysis of Cyber-risk & Trust (IMPACT). The IMPACT project supports the global cyber-risk research community by coordinating and developing real-world data and information-sharing capabilities—tools, models and methodologies. To accelerate solutions around cyber-risk issues and infrastructure security, the IMPACT project enables empirical data and information-sharing between and among the global cybersecurity research and development (R&D) community in academia, industry and government. Importantly, IMPACT also addresses the cybersecurity decision-analytic needs of Homeland Security Enterprise (HSE) customers in the face of high-volume, high-velocity, high-variety and/or high-value data through its network of Decision Analytics-as-a-Service Providers (DASP). Each of these resources is a service, technology or tool capable of supporting the following types of analytics: descriptive (what happened), diagnostic (why it happened), predictive (what will happen) and prescriptive (what should happen).

Jeff Schmidt

VP, Chief Cyber Security Innovator, Columbus Collaboratory
Jeff is an accomplished cybersecurity expert with a background in security and risk management. He was the founder and CEO of JAS Global Advisors LLC, a security consulting firm in Chicago, and founded Authis, a provider of innovative risk-managed identity services for the financial...

Thursday January 10, 2019 11:30am - 12:00pm EST
Grand Ballroom 300 Bourbon St, New Orleans, LA 70130