Tuesday, January 10 • 9:00am - 9:30am
Finding the Needle in the Haystack


With all the information available via NetFlow, finding the "Needle in the Haystack" (the bad actor in NetFlow) can be somewhat difficult at best. Methods to discover illegitimate traffic range from something as simple as looking at TCP flags to more complex procedures such as defining thresholds for the number of flows combined with ratios to unique destinations. There are other methods available, but I will be focusing on these thresholds and ratios and why this approach turns the needle into a goal post. The CPU cycles needed for this analysis are reduced by implementing AVL trees (balanced binary trees), and by recognizing that the bottleneck in processing the data is reading it from disk. The algorithm used takes less than a second to process 3 million flows collected over a 5 minute time span. Inbound and outbound, as well as local, traffic all need to be considered. Inbound analysis helps protect against external threats, outbound analysis protects you from external embarrassment, and local analysis identifies local problems that can lead to bigger problems.

Speakers

Jonzy Jones

University of Utah
Jonzy has been an employee at the University of Utah for more than 30 years.  He started out as email Postmaster and moved into security after a system breach. Prior to getting into security he was the author of Jughead, now called Jugtail, which was a search engine in Gopher space. Over the past dozen years, he has been working with NetFlow, and wrote a NetFlow collector and processor.



Tuesday January 10, 2017 9:00am - 9:30am
Great Room V-VIII 7450 Hazard Center Dr.
