2011

• Network Monitoring for Web-Based Threats - Heckathorn (pdf)

2010

• A Continuous Time List Capture Model for Internet Threats - Weaver (pdf) published at the Joint Statistical Meetings (JSM) conference on August 4, 2010; Modeling Populations of Large-Scale Internet Threats - Weaver (pdf) presented at the same conference
• A Probabilistic Population Study of the Conficker-C Botnet - Weaver, PAM 2010 (pdf)
• Identifying Anomalous Port-Specific Network Behavior - Weaver (pdf)

2008

• Existence Plots: A Low-Resolution Time Series for Port Behavior Analysis - Janies (pdf)
• Responsible Disclosure: A Case Study of CERT VU#800133, "DNS Cache Poisoning Issue" - Faber (pdf) OARC Workshop 2008
• Investigating AS112 Routing and New Server Discovery - Wright (pdf)

2007

• Hit-List Worm Detection and Bot Identification in Large Networks Using Protocol Graphs - Collins, et al. (pdf) RAID 2007
• Using Uncleanliness to Predict Future Botnet Addresses - Collins et al. (pdf) IMC
• Fishing for Phishes: Applying Capture-Recapture Methods to Estimate Phishing Populations - Weaver and Collins (pdf) APWG eCrime
• Bidirectional Flow Export Using IPFIX - Trammell IETF (html)
• An IPFIX-Based File Format - Trammell IETF (html)

2006

• Finding Peer-to-Peer File-sharing Using Coarse Network Behaviors - Collins and Reiter ESORICS (pdf)
• A Model for Opportunistic Network Exploits: The Case of P2P Worms - Collins, Gates, and Kataria WEIS (pdf)
• Detecting Scans at the ISP Level - Gates, McNutt, Kadane, and Kellner SEI Technical Report (pdf)
• Requirements for the Format for Incident Information Exchange (FINE) - Danyliw IETF (txt)

2005

• Correlations between Quiescent Ports in Network Flows - McNutt and Deshon FloCon (pdf)
• Simple IPFIX Files for Persistent Storage - Trammell IETF (txt)
• The Incident Object Description Exchange Format Data Model and XML Implementation - Danyliw IETF (txt)

2004

• An Empirical Analysis of Target Resident DoS Filters - Collins and Reiter Oakland (pdf)
• Sets, Bags & Rock and Roll: Analyzing Large Sets of Network Data - McHugh ESORICS (pdf)
• Preparing RIR Allocation Data for Network Security Analysis Tasks - Trammell NANOG31 (pdf slides)
• More Netflow Tools: For Performance and Security - Gates, Collins, Duggan, Kompanek and Thomas LISA (pdf)
• The Incident Object Description Exchange Format (IODEF) Implementation Guide - Danyliw (txt)

2003

• Locality: A New Paradigm for Thinking About Normal Behavior and Outsider Threat - McHugh and Gates NSPW (pdf)

FloCon is an annual workshop providing a forum for researchers, operational analysts, and other parties in the DoD, DoE, federal civilian community, international response teams, and academia to discuss the analysis of flow from the perspective of security. For more information, visit the FloCon page.

Presentations at Conferences

• RSA 2007
  Mitigating Network Events Through Structured Information Sharing (February 2007) (pdf)
• OARC Workshop
  Analysis of AS112 Traffic (November 2007) (pdf)
• NANOG
  From NetFlow to IPFIX: the Evolution of IP Flow Information Export (pdf)

• SiLK (System for Internet-Level Knowledge)
  a collection of netflow tools that facilitates security analysis in large networks; enables analysts to rapidly query large sets of data traffic volumes
  

• YAF (YAF Flow Sensor)
  a tool that processes packet data into bidirectional flow records that can be used as input to an IPFIX Collecting Process; the output can be used with the NetSA Aggregated Flow (NAF) toolchain and the SiLK tools
  

• NAF (NetSA Aggregated Flow)
  tools that create and manipulate the IPFIX-based NAF file format, designed as a common format for aggregate network flow analysis
  

• fixbuf
  a library that provides a set of functions for processing the IPFIX protocol message format; using fixbuf, developers can build IPFIX Collecting and Exporting Processes
  

• RAVE (Retrospective Analysis and Visualization Engine)
  an extensible analysis middleware platform based on Python that simplifies the task of building analysis environments on top of a network monitoring and collection infrastructure
  

• IPA
  a library that provides efficient data structures for manipulating labelings of IP addresses and IP address ranges
  

• Probabilistic Population Studies
  Measurements of the size of malware infections and botnets are characterized by wild variations and lack of consistent or reproducible methodology. CERT/NetSA is applying proper statistical technique to this problem in order to establish best practices in population measurement. The first area where we applied these techniques was in studying the population of the Conficker.C botnet.
  

• Large-scale DNS Analysis
  The Domain Name System is a vital component of the internet, and nearly every transaction on the internet uses it. It contains a wealth of Network Situational Awareness information that can be used to discover malicious traffic. This report describes specific techniques to detect certain types of malicious traffic. These techniques have been developed through analyzing a large amount of DNS traffic data. CERT has developed specific tools that apply these techniques in an ongoing way. Future research will include enhancing the developed tools, developing new techniques and tools to work with known malicious patterns, and discovering new malicious patterns.
  

• Rayon: A Unified Framework for Data Visualization
  Data visualization summarizes large volumes of data and represents this data pictorially. Data visualization is used in a wide variety of applications, but visualization techniques that are effective in one application can often be used as well or better in another application. When organizations depend on good data visualization, a unified visualization capability will often increase that effectiveness; this is especially important if an organization relies on internal experts to create new visualization techniques appropriate to their environment. The Rayon visualization toolkit was developed to augment large-scale network analytic information and to improve the visualization capability and productivity of analytic operations by making it possible to share visualization techniques between applications.