2008

• Existence Plots: A Low-Resolution Time Series for Port Behavior Analysis - Janies (pdf)
• Responsible Disclosure: A Case Study of CERT VU#800133, "DNS Cache Poisoning Issue" - Faber (pdf) OARC Workshop 2008
• Investigating AS112 Routing and New Server Discovery - Wright (pdf)

2007

• Hit-List Worm Detection and Bot Identification in Large Networks Using Protocol Graphs - Collins, et al. (pdf) RAID 2007
• Using Uncleanliness to Predict Future Botnet Addresses - Collins et al. (pdf) IMC
• Fishing for Phishes: Applying Capture-Recapture Methods to Estimate Phishing Populations - Weaver and Collins (pdf) APWG eCrime
• Bidirectional Flow Export Using IPFIX - Trammell IETF (html)
• An IPFIX-Based File Format - Trammell IETF (html)

2006

• Finding Peer-to-Peer File-sharing Using Coarse Network Behaviors - Collins and Reiter ESORICS (pdf)
• A Model for Opportunistic Network Exploits: The Case of P2P Worms - Collins, Gates, and Kataria WEIS (pdf)
• Detecting Scans at the ISP Level - Gates, McNutt, Kadane, and Kellner SEI Technical Report (pdf)
• Requirements for the Format for Incident Information Exchange (FINE) - Danyliw IETF (txt)

2005

• Correlations between Quiescent Ports in Network Flows - McNutt and Deshon FloCon (pdf)
• Simple IPFIX Files for Persistent Storage - Trammell IETF (txt)
• The Incident Object Description Exchange Format Data Model and XML Implementation - Danyliw IETF (txt)

2004

• An Empirical Analysis of Target Resident DoS Filters - Collins and Reiter Oakland (pdf)
• Sets, Bags & Rock and Roll: Analyzing Large Sets of Network Data - McHugh ESORICS (pdf)
• Preparing RIR Allocation Data for Network Security Analysis Tasks - Trammell NANOG31 (pdf slides)
• More Netflow Tools: For Performance and Security - Gates, Collins, Duggan, Kompanek and Thomas LISA (pdf)
• The Incident Object Description Exchange Format (IODEF) Implementation Guide - Danyliw (txt)

2003

• Locality: A New Paradigm for Thinking About Normal Behavior and Outsider Threat - McHugh and Gates NSPW (pdf)

FloCon is an annual workshop providing a forum for researchers, operational analysts, and other parties in the DoD, DoE, federal civilian community, international response teams, and academia to discuss the analysis of flow from the perspective of security. For more information, visit the FloCon page.

Presentations at Conferences

• RSA 2007
  Mitigating Network Events Through Structured Information Sharing (February 2007) (pdf)
• OARC Workshop
  Analysis of AS112 Traffic (November 2007) (pdf)
• NANOG
  From NetFlow to IPFIX: the Evolution of IP Flow Information Export (pdf)

• SiLK (System for Internet Level Knowledge)
  a collection of netflow tools that facilitates security analysis in large networks; enables analysts to rapidly query large sets of data traffic volumes
  

• YAF (YAF Flow Sensor)
  a tool that processes packet data into bidirectional flow records that can be used as input to an IPFIX Collecting Process; the output can be used with the NetSA Aggregated Flow (NAF) toolchain and the SiLK tools
  

• NAF (NetSA Aggregated Flow)
  tools that create and manipulate the IPFIX-based NAF file format, designed as a common format for aggregate network flow analysis
  

• fixbuf
  a library that provides a set of functions for processing the IPFIX protocol message format; using fixbuf, developers can build IPFIX Collecting and Exporting Processes
  

• RAVE (Retrospective Analysis and Visualization Engine)
  an extensible analysis middleware platform based on Python that simplifies the task of building analysis environments on top of a network monitoring and collection infrastructure
  

• IPA
  a library that provides efficient data structures for manipulating labelings of IP addresses and IP address ranges
  

• Port and Payload Agnostic Application Identification
  To properly understand the threats that a network faces, network administrators must access current, accurate information about the composition of their networks. However, the considerable expense of continuous traffic monitoring and deep packet examination raises the need for a method that can identify applications without relying on payload.
  

• RAVE: Network Flow Visualization
  Fully automated analysis is a valuable tool for network situational awareness, but few techniques can discern subtle patterns in noisy data as well as human visual inspection. The CERT Network Situational Awareness Group has developed the Retrospective Analysis and Visualization Environment (RAVE), an operational environment for generating visualizations and making them available to presentation applications.
  

• The Uncleanliness Vector: Histories of Hostile Activity
  In an operational network security analysis environment, there is little time for gathering context information on attackers. Analysts need tools that present background information in an easily digestible way. The Uncleanliness Vector (UV) project is an attempt to provide context information on external networks to security analysts that indicates whether the network in question has engaged in other malicious activity and, if so, what kind.