Network Situational Awareness Publications

ALTernatives to Signatures (ALTS)
This paper presents the results of a study of non-signature-based approaches to detecting malicious activity in computer network traffic.

10 Years of FloCon
In this blog post, George Jones, chair of the 10th FloCon Conference, discusses the conference's general topics and themes, which have included community building, flow as a study, beaconing and distributed threats, the practical use of flow, flow in the context of other data, learning about your network, progression of analytics from ideas to prototypes to tools, and analysis at scale and perspectives.

FloCon Presentations
Download the presentations from FloCon 2014, where attendees discussed flow analysis in terms of perspectives, and from FloCon 2013, where organizers and participants focused on the challenges of "Analysis at Scale." Visit the FloCon website to download the presentations from the keynote guest and event speakers, tutorials, and posters.

Practical Math for Your Security Operations - Part 3 of 3
In this blog post, Vijay Sarvepalli introduces a way to use entropy to detect anomalies in network communications patterns.

  • 05/24/2016 "Persistent Little IP, Aren't You?" What does it mean to say that an indicator is exhibiting persistent behavior? This is a question that Timur, Angela, and I have been asking each other for the past couple of months. In this blog post, we show you...
  • 04/08/2016 "Choosing the History for a Profile in Simple Network Flow Anomaly Detection" One of my responsibilities on the Situational Awareness Analysis team is to create analytics for various purposes. For the past few weeks, I've been working on some anomaly detection analytics for hunting in the network flow traffic of common network...
  • 12/15/2015 "Border Gateway Protocol Update Metric Analysis" MRT is a file format used in BGP; in particular, it is used when the router writes updates into a log file. There are many programs out there for parsing these files, but I'm going to talk about a new...
  • 06/18/2015 "Domain Blacklist Ecosystem - A Case Study" Hi all, this is Jonathan Spring with my colleagues Leigh Metcalf and Rhiannon Weaver. We've been studying the dynamics of the Internet blacklist ecosystem for a few years now, and the 2015 Verizon Data Breach Investigations Report has corroborated our...
  • 03/20/2015 "Baseline Network Flow Examples" Hi. This is Angela Horneman of the SEI's Situational Awareness team. I've generated service-specific network flows to use as baseline examples for network analysis and am sharing them since others may find them helpful. We have been looking at...