CERT-SEI

Network Situational Awareness (NetSA)

Open Source Tools

Our open source tools help you monitor large-scale networks using flow data.
Explore our tools

FloCon 2015

Registration for FloCon 2015 is now open. FloCon 2015 is an open network security conference taking place in Portland, Oregon on January 12-15, 2015 at the Hilton Portland and Executive Tower.
Register to attend FloCon 2015

Report on Network Traffic Data Storage

In our recent blog post and SEI technical report, we explore how to improve network traffic data storage by determining what data to store to meet organizational needs.
Read how to improve network traffic data storage

CERT Study on Chinese Cyber Espionage Unit's Infrastructure

An analysis from CERT combines unclassified information and describes a large, malicious network used to steal important information.
Read more about this study

Our Publications

Our publications cover topics such as monitoring networks and analyzing network data, detecting malicious activity, and developing and deploying tools to help you strengthen your networks.
Access our publications

Our Mission: We improve network security by identifying and detecting threats early; sharing data in near real time; and playing an active role in providing the knowledge, capability, and capacity to secure and monitor valuable networks.

Achieving network situational awareness depends on an organization's ability to effectively monitor its networks and, ultimately, to analyze that data to detect malicious activity. The CERT Network Situational Awareness (NetSA) group has analyzed hundreds of real-world cases of malicious activity on large, enterprise-scale networks to develop tools and approaches that can help organizations defend their networks from potential attacks.

The CERT NetSA group works to provide broad quantitative insights on network traffic characteristics relevant to the security of the networks involved. This insight ranges from descriptive (What is happening on the network right now? What changed before and after an incident?) to exploratory (What new traffic is appearing on the network? How often does an event happen?) to predictive (If this change is made, what will the impact be? How effective will this kind of additional protection be?). The tools and methods providing this insight are in a constant state of development and improvement. Learn more about our work.

We automate the analysis of large-scale network traffic.

Large networks can generate billions of network transactions each day. Unassisted, network security analysts cannot possibly analyze this volume of data. We develop approaches to automate that analysis and find malicious activity within these huge data sets, and we transition these techniques to our sponsors and the larger network security community.

We develop large-scale, open source tools.

Our open source tools enable organizations to monitor large-scale networks using flow data. These tools grew out of the AirCERT and SiLK projects, and the effort to integrate those projects into a unified, standards-compliant flow collection and analysis platform.
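The descriptive question above ("What changed before and after an incident?") is the kind of thing flow data answers well. The following is an added example written for this page, not a NetSA tool and not code from the SiLK or AirCERT projects: it aggregates a constructed, SiLK-like set of flow records by protocol and destination port for the hour before and the hour after a chosen time, then reports which services appeared, disappeared, or grew sharply. The field layout (sIP, dIP, sPort, dPort, protocol, packets, bytes, sTime) mirrors a pipe-delimited `rwcut` listing, but the records, addresses, and timestamps are made up; in practice the input would come from `rwfilter`/`rwcut` or an IPFIX collector rather than an inline string.

```python
"""Added example: descriptive flow analysis, before versus after an incident.

Illustrative code only (not a CERT/NetSA tool). Operates on constructed
flow records embedded below; the format imitates pipe-delimited rwcut output
but the data is invented for this example.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Flow = namedtuple("Flow", "sip dip sport dport proto packets bytes stime")

# Constructed sample flows (sIP|dIP|sPort|dPort|protocol|packets|bytes|sTime).
# Normal HTTPS/DNS/HTTP traffic before 13:00; after 13:00 three hosts start
# pushing large volumes to one external address on TCP/6667.
SAMPLE_FLOWS = """\
10.1.1.5|192.0.2.10|51234|443|6|40|52000|2014/10/01T12:05:00
10.1.1.7|192.0.2.10|51240|443|6|31|41000|2014/10/01T12:20:00
10.1.1.5|192.0.2.53|53000|53|17|2|180|2014/10/01T12:30:00
10.1.1.9|198.51.100.20|52000|80|6|12|9000|2014/10/01T12:45:00
10.1.1.5|192.0.2.10|51300|443|6|38|50000|2014/10/01T13:05:00
10.1.1.5|203.0.113.66|49152|6667|6|900|1200000|2014/10/01T13:10:00
10.1.1.7|203.0.113.66|49153|6667|6|850|1100000|2014/10/01T13:12:00
10.1.1.9|203.0.113.66|49154|6667|6|870|1150000|2014/10/01T13:15:00
10.1.1.5|192.0.2.53|53001|53|17|2|190|2014/10/01T13:30:00
"""

TIME_FMT = "%Y/%m/%dT%H:%M:%S"


def parse_flows(text):
    """Parse pipe-delimited flow records into Flow tuples, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sip, dip, sport, dport, proto, packets, nbytes, stime = line.split("|")
        flows.append(Flow(sip, dip, int(sport), int(dport), int(proto),
                          int(packets), int(nbytes),
                          datetime.strptime(stime, TIME_FMT)))
    return flows


def summarize(flows, start, end):
    """Aggregate flows with start <= sTime < end by (protocol, dPort).

    Returns {(proto, dport): {"bytes": int, "flows": int, "sources": set}}.
    """
    summary = defaultdict(lambda: {"bytes": 0, "flows": 0, "sources": set()})
    for f in flows:
        if start <= f.stime < end:
            entry = summary[(f.proto, f.dport)]
            entry["bytes"] += f.bytes
            entry["flows"] += 1
            entry["sources"].add(f.sip)
    return dict(summary)


def diff_windows(before, after, ratio=3.0):
    """Report services that are new, gone, or grew by `ratio` in bytes."""
    new = sorted(set(after) - set(before))
    gone = sorted(set(before) - set(after))
    grew = sorted(k for k in set(before) & set(after)
                  if after[k]["bytes"] >= ratio * before[k]["bytes"])
    return {"new": new, "gone": gone, "grew": grew}


def incident_report(text, incident_start, window_hours=1):
    """Compare the window before `incident_start` with the window after it."""
    t0 = datetime.strptime(incident_start, TIME_FMT)
    span = timedelta(hours=window_hours)
    flows = parse_flows(text)
    before = summarize(flows, t0 - span, t0)
    after = summarize(flows, t0, t0 + span)
    report = diff_windows(before, after)
    # Detail for each newly seen service: volume and which internal hosts talk to it.
    report["new_detail"] = {
        k: {"bytes": after[k]["bytes"], "flows": after[k]["flows"],
            "sources": sorted(after[k]["sources"])}
        for k in report["new"]
    }
    return report


if __name__ == "__main__":
    for key, value in incident_report(SAMPLE_FLOWS, "2014/10/01T13:00:00").items():
        print(key, value)
```

On the constructed data the report flags TCP/6667 as a service that did not exist in the baseline hour, lists the three internal sources that started using it, and notes that TCP/80 vanished; HTTPS and DNS are unchanged. The same window-over-window comparison on real records is a cheap first cut at the "what changed" question before any signature or threat intelligence is applied.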

Engage with Us

Contact us to learn more about our research, collaborate on new research, seek our help with your critical problems, or provide feedback.

Contact Us

What Is Network Situational Awareness?

Network situational awareness is the systematic gathering, analysis, and interpretation of data from local and remote networks, regarding structure, applications, traffic, and resources to produce actionable information for decision making in network operations and defense.

—Richard Friedberg

News & Announcements

Publications & Media

Insights from the FloCon Conference
In this September 2014 webinar, Jonathan Spring discusses the theme for FloCon 2015 and how to make network analysis more formal, rigorous, reliable, well-grounded, or repeatable. Jono also surveys past FloCon successful presentations and gives advice for submitting a successful abstract for consideration at FloCon 2015.

Learn How to Improve Network Traffic Data Storage
In our recent blog post and SEI technical report, we explore how to improve network traffic data storage by determining what data to store to meet organizational needs.

ALTernatives to Signatures (ALTS)
This paper presents the results of a study of non-signature-based approaches to detecting malicious activity in computer network traffic.

Submit Papers for FloCon 2015
We are accepting abstracts for presentations, posters, and demonstrations that support this year's conference theme, "Formalizing the Art." FloCon 2015 is a network security conference that takes place in Portland in January 2015.

CERT Study Examines Chinese Cyber Espionage Unit's Infrastructure
An analysis from CERT, based on data from Mandiant, combines unclassified information and describes a large, malicious network used to steal important information.