Network Situational Awareness (NetSA)

The CERT Network Situational Awareness group develops engineering solutions and research approaches for analyzing broad network activity. The goal is to quantitatively characterize threats and targeted intruder activity.

Announcements

Call for Participation: FloCon 2014
We are accepting abstracts for presentations, posters, and demonstrations for FloCon 2014, a network security conference that takes place in Charleston, South Carolina, on January 13–16, 2014.

Visit the FloCon website for more details about submission requirements, important dates, and the location.

Our Latest Blog Posts
The Growth of IPv6 Announcements presents a method for assessing how popular IPv6 is on the internet.

An Alternate View of Announced IPv4 Space describes an alternate way to view advertised IP address space on the internet using publicly available information.

The Growth Rate of IP Addresses That Are Advertised as Usable on the Internet describes how you can calculate the growth rate of advertised IP address space on the internet using publicly available information.

Watching Domains That Change DNS Servers Frequently describes the results of our three-month study of domains that change their name servers frequently.

Open Source Tools

Source code for the following tools is released under the GPL and LGPL licenses.

  • SiLK (System for Internet-Level Knowledge)
    a collection of netflow tools that facilitates security analysis in large networks; enables analysts to rapidly query large volumes of traffic data

  • YAF (YAF Flow Sensor)
    a tool that processes packet data into bidirectional flow records that can be used as input to an IPFIX Collecting Process; the output can be used with the NetSA Aggregated Flow (NAF) toolchain and the SiLK tools

  • NAF (NetSA Aggregated Flow)
    tools that create and manipulate the IPFIX-based NAF file format, designed as a common format for aggregate network flow analysis

  • fixbuf
    a library that provides a set of functions for processing the IPFIX protocol message format; using fixbuf, developers can build IPFIX Collecting and Exporting Processes

  • RAVE (Retrospective Analysis and Visualization Engine)
    an extensible analysis middleware platform based on Python that simplifies the task of building analysis environments on top of a network monitoring and collection infrastructure

  • IPA
    a library that provides efficient data structures for manipulating labelings of IP addresses and IP address ranges

Current Projects

Probabilistic Population Studies
Measurements of the size of malware infections and botnets are characterized by wild variations and a lack of consistent or reproducible methodology. CERT/NetSA is applying proper statistical techniques to this problem in order to establish best practices in population measurement. The first area where we applied these techniques was in studying the population of the Conficker.C botnet.

Large-Scale DNS Analysis
The Domain Name System is a vital component of the internet, and nearly every transaction on the internet uses it. It contains a wealth of Network Situational Awareness information that can be used to discover malicious traffic. This report describes specific techniques to detect certain types of malicious traffic. These techniques have been developed by analyzing a large amount of DNS traffic data. CERT has developed specific tools that apply these techniques on an ongoing basis. Future research will include enhancing the developed tools, developing new techniques and tools to work with known malicious patterns, and discovering new malicious patterns.

Rayon: A Unified Framework for Data Visualization
Data visualization summarizes large volumes of data and represents this data pictorially. Data visualization is used in a wide variety of applications, but visualization techniques that are effective in one application can often be used as well or better in another application. When organizations depend on good data visualization, a unified visualization capability will often increase that effectiveness; this is especially important if an organization relies on internal experts to create new visualization techniques appropriate to their environment. The Rayon visualization toolkit was developed to augment large-scale network analytic information and to improve the visualization capability and productivity of analytic operations by making it possible to share visualization techniques between applications.


Last updated June 07, 2013