FloCon 2017 has ended
Tuesday, January 10 • 9:00am - 9:30am
Finding the Needle in the Haystack


With all the information available via NetFlow, finding the "Needle in the Haystack" (the bad actor in the NetFlow data) can be difficult at best. Methods to discover illegitimate traffic range from something as simple as looking at TCP flags to more complex procedures such as defining thresholds for the number of flows together with ratios to unique destinations. Other methods are available, but I will focus on these thresholds and ratios and on why this approach turns the needle into a goal post. The CPU cycles needed for this analysis are reduced by implementing AVL trees (balanced binary trees) and by recognizing that the bottleneck in processing the data is reading it from disk. The algorithm used takes less than a second to process 3 million flows collected over a 5 minute time span. Inbound, outbound and local traffic all need to be considered.
Inbound analysis helps protect against external threats, outbound analysis protects you from external embarrassment, and local analysis identifies local problems that can lead to bigger problems.
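The per-host threshold-and-ratio approach described in the abstract, as an added example that is not the speaker's code: flows are aggregated per source address and labelled inbound, outbound or local, then hosts whose flow count and unique-destination ratio cross assumed thresholds are reported. The talk keys its per-host index on AVL trees; a Python dict stands in here, and the local prefix, thresholds and sample flows are all constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("10.0.0.0/8")   # assumed local address space
MIN_FLOWS = 5                          # assumed: below this, too little evidence
MIN_FANOUT = 0.8                       # assumed: unique destinations / flows

def direction(src, dst):
    """Classify a flow as inbound, outbound or local relative to LOCAL_NET."""
    s, d = ip_address(src) in LOCAL_NET, ip_address(dst) in LOCAL_NET
    if s and d:
        return "local"
    return "outbound" if s else "inbound"

def aggregate(flows):
    """Per (direction, source): total flow count and the set of unique destinations."""
    stats = defaultdict(lambda: {"flows": 0, "dsts": set()})
    for src, dst in flows:
        key = (direction(src, dst), src)
        stats[key]["flows"] += 1
        stats[key]["dsts"].add(dst)
    return stats

def find_needles(flows, min_flows=MIN_FLOWS, min_fanout=MIN_FANOUT):
    """Report hosts with enough flows whose unique-destination ratio is high.

    A high ratio (many distinct destinations per flow) is one reading of the
    abstract's ratio threshold; the cut-offs are assumptions, not the talk's values.
    """
    hits = []
    for (dirn, src), s in aggregate(flows).items():
        ratio = len(s["dsts"]) / s["flows"]
        if s["flows"] >= min_flows and ratio >= min_fanout:
            hits.append((dirn, src, s["flows"], len(s["dsts"]), round(ratio, 2)))
    return sorted(hits)

# Constructed sample: 10.0.0.5 touches eight external hosts, 10.0.0.7 touches
# eight local hosts, 10.0.0.9 is a normal client talking repeatedly to one web
# server, and 203.0.113.9 reaches seven local hosts from outside.
SAMPLE = (
    [("10.0.0.5", f"198.51.100.{i}") for i in range(1, 9)]
    + [("10.0.0.7", f"10.0.0.{i}") for i in range(20, 28)]
    + [("10.0.0.9", "192.0.2.10")] * 12
    + [("203.0.113.9", f"10.0.0.{i}") for i in range(30, 37)]
)

if __name__ == "__main__":
    for hit in find_needles(SAMPLE):
        print(hit)
```

The normal client (12 flows to one destination) is not reported, while the three hosts with high fan-out are, each tagged with the traffic direction the abstract says should be analysed separately.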

Speakers
Jonzy Jones

University of Utah
Jonzy has been an employee at the University of Utah for more than 30 years. He started out as email Postmaster and moved into security after a system breach. Prior to getting into security he was the author of Jughead, now called Jugtail, which was a search engine in Gopher space...
Tuesday January 10, 2017 9:00am - 9:30am PST
Great Room V-VIII 7450 Hazard Center Dr.