
Posts by Angela Horneman

Best Practices in Network Traffic Analysis: Three Perspectives

• Blog
Angela Horneman

This post is also authored by Tim Shimeall and Timur Snoke. In July of this year, a major overseas shipping company had its U.S. operations disrupted by a ransomware attack, one of the latest attacks to disrupt the daily operation of a major, multi-national organization. Computer networks are complex, often tightly coupled systems; operators of such systems need to maintain awareness of the system status or disruptions will occur. In today's operational climate, threats and...

How to Think Like an Analyst

• Blog
Angela Horneman

When I was pursuing my master's degree in information security, two of the required classes were in cognitive psychology and human factors: one class about how we think and learn and one about how we interact with our world. Students were often less interested in these courses and preferred to focus their studies on more technical topics. I personally found them to be two of the most beneficial. In the years since I took those...

Choosing the History for a Profile in Simple Network Flow Anomaly Detection

• Blog
Angela Horneman

One of my responsibilities on the Situational Awareness Analysis team is to create analytics for various purposes. For the past few weeks, I've been working on some anomaly detection analytics for hunting in the network flow traffic of common network services. I decided to start with a very simple approach using mean and standard deviation for a historical period to create a profile that I could compare against current volumes. To do this, I planned...

YAF App Label Signature Context with Analysis Pipeline

• Blog
Angela Horneman

In my last post, I presented how to create a YAF application label signature rule that corresponds to a text-based Snort-type rule. In this post, I discuss methods for using Analysis Pipeline to provide context to those signatures. The context for signatures can take many forms. Some context can be derived from the individual flows that match the signatures. This information is easy to obtain from either SiLK or another traffic analysis tool--just look at...

Making YAF App Labels from Text-Based Snort Rules

• Blog
Angela Horneman

Ever want to use a Snort-like rule with SiLK or Analysis Pipeline to find text within packets? Timur Snoke and I were recently discussing how we could do this and realized that while neither SiLK nor Analysis Pipeline themselves do packet inspection, YAF can be used to create an application label that can be used in analyses in both SiLK and Pipeline (field 29, application). This post outlines the steps required and provides an example....

Baseline Network Flow Examples

• Blog
Angela Horneman

Hi. This is Angela Horneman of the SEI's Situational Awareness team. I've generated service specific network flows to use as baseline examples for network analysis and am sharing them since others may find them helpful. We have been looking at implementing Network Profiling in Analysis Pipeline to automatically generate lists of active servers and to alert when new IPs start acting as servers. As part of this initiative, we started looking at alternatives to using...

Smart Collection and Storage Method for Network Traffic Data

• Blog
Angela Horneman

Hi, this is Angela Horneman from the CERT Situational Awareness Analysis team. Recently, Nathan Dell and I were asked to explore ways to improve network traffic data storage by determining what data to store to meet organizational needs. Our research, brainstorming, and discussions led us to create a methodology to help organizations determine what types of traffic to collect and what parts of the collected traffic to keep....


Other publications by Angela Horneman are available in the SEI Digital Library.