Review of  the
FloCon Workshop,
Vancouver, WA
October 10-12, 2006

Review by Tim Shimeall
Nov. 13, 2006

The CERT® Network Situational Awareness group at Carnegie Mellon University's Software Engineering Institute sponsored the third Annual FloCon Workshop. This workshop was held on October 10 through 12, 2006 near Portland, OR (in Vancouver, WA). The workshop and its proceedings are described on the workshop web page: http://www.cert.org/flocon/.

FloCon is an open workshop that provides a forum for researchers, operational analysts, and other parties interested in the security analysis of large volumes of traffic to develop the next generation of flow-based analysis. Flow is an abstraction of network traffic in which packets are grouped together by common attributes over time. Being a traffic abstraction, use of flow makes tractable analyses over broad reaches of both time and network cardinality. By summarizing, rather than recording content, flow aids in respecting the privacy of network participants. In security, flow has been used to survey and analyze large networks over long periods of time, but the field is still in its infancy. A number of software systems (e.g., flowtools, Argus, and the System for Internet-Level Knowledge[SiLK]) support flow-based analysis.

FloCon 2006 was an active workshop for discussing flow and network security analysis, and improving these technologies. The workshop structure with presentations, moderated discussion panels, and birds-of-a-feather (BoF) sessions supported frank and productive discussion on ideas submitted by attendees.

In order to promote discussion and brainstorming, presenters submitted a short paper discussing current or proposed work in flow analysis. The program committee reviewed these submissions and approved them for presentation. These submissions are published as proceedings via the workshop web page.

The first day of FloCon 2006 lead off with a keynote speech by Prof. John McHugh of Dalhousie University, who cited several challenges in the future of flow-based analysis, based on long experience in this form of analysis. A series of presentations followed this speech, discussing the efforts of the IETF Standard for Flow data exchange (IPFIX, together with visualization tools and hardware support for flow processing. Presentations were made by a mix of researchers, practitioners and infrastructure providers. IPFIX was further discussed in depth during a moderated panel and a BoF session. A panel discussion on flow analysis methods lead to two BoF sessions on security analyses using flow (one on analytical tools, the other on multistage analytical techniques). The open and interactive BoF sessions set the tone for the second day of the workshop.

The second day of FloCon 2006 focused on security analyses using flow via presentations by researchers and by operational practitioners of real-world network defense. These presentations discussed scalability of flow analysis, the use of flows for identifying anomalous network traffic, sampling methods to produce unbiased analysis from flows in environments where complete flow capture is not achievable, attribution and aggregation issues and the use of flow-based analysis in small-scale networks.

The third day of FloCon 2006 focused around efforts to support and extend the community of security researchers and practioners using flow-based information. A number of productive insights were shared, and several efforts are currently underway based on these insights. Planning for FloCon 2007, to be held in the second or third quarter of 2007 at an East coast location, is currently in its preliminary stages.

The FloCon program committee for 2006 was:
Timothy Shimeall, CERT NetSA group, Carnegie Mellon University, chair
Anukool Lakhina, Boston University
Colleen Shannon, CAIDA
Troy Thompson, PNNL
Arno Wagner, ETH
Bill Yurcik, NCSA