
Network Situational Awareness

Created December 2017

Organizations that seek to secure their networks must first monitor and analyze their network data to understand normal activity and detect abnormal activity. Armed with this understanding, they can reduce their attack surface and protect their data and computing environment. CERT researchers help you understand what’s happening on your organization's networks, effectively monitor and analyze your traffic, and learn how to best protect your data and information assets.

The Challenges of Protecting Networks

How do you know when your networks are under attack? Do you know when and how to respond? One of the biggest challenges you face in protecting your organization’s networks is recognizing when they’re compromised.

Organizations learn about their network activity by baselining typical patterns of behavior over a period of time to recognize trends and differentiate normal from abnormal activity. However, many organizations don’t know how to form such a baseline, so they attempt to understand their network activity without knowing its normal state.

Protecting your organization’s data and networks goes beyond baselining typical activity. You also must establish a monitoring capability that shows you in real time what’s happening on your networks. However, this monitoring results in mountains of data that you must then analyze to identify trends, and flag and block malicious activity without compromising legitimate network activity. Even if you are using tools to filter the data, without priorities and procedures in place, analyzing the data from these tools can be daunting and resource intensive.
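The two paragraphs above describe the core loop of network situational awareness: build a baseline of normal per-host behavior from a training window, then score new traffic against it so that only deviations reach an analyst. The following Python script is an added illustration of that loop written for this page; it is not CERT/SEI code and not part of SiLK, YAF, or the Analysis Pipeline. It assumes a pipe-delimited text layout like the one SiLK's rwcut prints (the column order shown in the comment is an assumption), and every flow record, threshold, and host address in it is constructed for the example.

```python
"""Baseline-and-deviate detection over flow records (added example, not CERT/SEI code).

Parses rwcut-style pipe-delimited rows, builds a per-source-host baseline of
daily outbound bytes and of (protocol, dPort) services seen during a training
window, then scores a later day's flows against it. All data is constructed.
"""
import statistics
from collections import defaultdict

# Constructed training window (assumed rwcut column order, not real traffic):
# sIP|dIP|sPort|dPort|protocol|packets|bytes|sTime
BASELINE_FLOWS = """\
sIP|dIP|sPort|dPort|protocol|packets|bytes|sTime
10.1.1.5|192.0.2.10|51000|443|6|400|50000|2017/11/01T09:00:00
10.1.1.7|192.0.2.10|52000|443|6|160|20000|2017/11/01T09:05:00
10.1.1.5|192.0.2.10|51002|443|6|390|48500|2017/11/02T09:00:00
10.1.1.7|192.0.2.10|52001|443|6|170|21000|2017/11/02T09:05:00
10.1.1.5|192.0.2.10|51004|443|6|410|51000|2017/11/03T09:00:00
10.1.1.7|192.0.2.10|52002|443|6|155|19500|2017/11/03T09:05:00
10.1.1.5|192.0.2.10|51006|443|6|395|49000|2017/11/04T09:00:00
10.1.1.7|192.0.2.10|52003|443|6|165|20500|2017/11/04T09:05:00
10.1.1.5|192.0.2.10|51008|443|6|405|50500|2017/11/05T09:00:00
10.1.1.7|192.0.2.10|52004|443|6|160|20000|2017/11/05T09:05:00
"""

# Constructed day under review: 10.1.1.5 jumps in volume and contacts a port it
# never used before, 10.1.1.7 behaves as usual, 10.1.1.9 has no baseline at all.
NEW_FLOWS = """\
10.1.1.5|192.0.2.10|51010|443|6|400|51000|2017/11/06T09:00:00
10.1.1.5|198.51.100.9|51011|4444|6|5000|600000|2017/11/06T03:12:00
10.1.1.7|192.0.2.10|52005|443|6|170|21000|2017/11/06T09:05:00
10.1.1.9|192.0.2.10|53000|443|6|100|12000|2017/11/06T10:00:00
"""


def parse_flows(text):
    """Turn rwcut-style rows into dicts; header and blank rows are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("sIP"):
            continue
        f = [c.strip() for c in line.split("|")]
        if len(f) != 8:
            raise ValueError(f"unexpected column count: {line!r}")
        records.append({"sip": f[0], "dip": f[1], "sport": int(f[2]),
                        "dport": int(f[3]), "proto": int(f[4]),
                        "packets": int(f[5]), "bytes": int(f[6]),
                        "day": f[7].split("T", 1)[0]})
    return records


def build_baseline(records):
    """Per source host: mean/stdev of daily outbound bytes plus services used."""
    daily = defaultdict(lambda: defaultdict(int))   # sip -> day -> bytes
    services = defaultdict(set)                      # sip -> {(proto, dport)}
    for r in records:
        daily[r["sip"]][r["day"]] += r["bytes"]
        services[r["sip"]].add((r["proto"], r["dport"]))
    baseline = {}
    for sip, per_day in daily.items():
        vals = list(per_day.values())
        baseline[sip] = {"days": len(vals), "mean": statistics.fmean(vals),
                         "stdev": statistics.stdev(vals) if len(vals) > 1 else 0.0,
                         "services": services[sip]}
    return baseline


def evaluate_day(records, baseline, z_max=3.0, min_days=5, min_stdev=1000.0):
    """Score one day's flows. Returns (sip, kind, detail) findings.

    Hosts with no or too little training data are reported, not silently
    scored; the stdev floor stops a very flat window from turning ordinary
    jitter into an enormous z-score (threshold values are assumptions)."""
    findings, daily, flagged = [], defaultdict(int), set()
    for r in records:
        daily[r["sip"]] += r["bytes"]
        b = baseline.get(r["sip"])
        svc = (r["proto"], r["dport"])
        if b and svc not in b["services"] and (r["sip"], svc) not in flagged:
            flagged.add((r["sip"], svc))
            findings.append((r["sip"], "new_service",
                             f"proto {svc[0]} dPort {svc[1]} to {r['dip']} unseen in baseline"))
    for sip, total in daily.items():
        b = baseline.get(sip)
        if b is None:
            findings.append((sip, "no_baseline", f"{total} bytes from untrained host"))
        elif b["days"] < min_days:
            findings.append((sip, "insufficient_baseline", f"only {b['days']} training days"))
        else:
            z = (total - b["mean"]) / max(b["stdev"], min_stdev)
            if z > z_max:
                findings.append((sip, "volume", f"{total} bytes, z={z:.1f}, mean {b['mean']:.0f}"))
    return findings


def run():
    """Build the baseline from the training window and score the new day."""
    return evaluate_day(parse_flows(NEW_FLOWS), build_baseline(parse_flows(BASELINE_FLOWS)))


if __name__ == "__main__":
    for sip, kind, detail in run():
        print(f"{sip:10} {kind:22} {detail}")
```

Running the script reports three findings: a never-before-seen service and a volume spike for 10.1.1.5, and a host (10.1.1.9) for which no baseline exists. The third case is the one that matters most for the "without knowing its normal state" problem the text describes: an analyst should treat an unbaselined host as a gap in coverage rather than as either normal or malicious.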

The Solution: Layering Tools and Techniques for a Complete Approach to Security

Gone are the days when a good firewall is your best and only defense. Protecting your networks requires a multifaceted and multilayered approach to security that includes defining cybersecurity strategies, developing and enforcing security policies, establishing sound protections for data and assets—internally, at the network border, in the cloud, and on mobile devices—and baselining and monitoring network activity.

CERT researchers help you understand how to design your network and monitor your infrastructure so you can see the widest range of activity, recognize your normal network traffic patterns, and know when and how to respond when anomalies are detected. Our research also helps you understand how to monitor the systems and issues most important to your organization’s operations and recognize trends in normal and abnormal network activity so you can act quickly in the face of an attack.

Our researchers developed and maintain a suite of open source tools that help you monitor large-scale networks using network flow data. Researchers explore and develop analysis techniques that enable you to use the output of these tools efficiently and effectively. Our researchers also provide frameworks and models that help you understand and mitigate the threats your network may face, and best practices that guide you in architecting, engineering, and monitoring your own network to improve its security.

The CERT Division also sponsors the annual FloCon conference where those with common security concerns gather to discuss cutting-edge techniques. Applying what you learn at FloCon helps you analyze and visualize large data sets so that you can protect and defend your networked systems.

Beginning with FloCon 2018, the conference has expanded to focus on analytics of any large-scale data set—not just network flow data. If you are interested in data-driven security, you can participate in this conference and discuss these issues, including innovative ways to use big data to address security problems.

Software and Tools

Analysis Pipeline

June 2018

The Analysis Pipeline supports inspection of flow records as they are created.



YAF

November 2017

YAF, Yet Another Flowmeter, processes packet data from pcap(3) dumpfiles and exports the flows to IPFIX Collecting Processes or an IPFIX-based file format.


CERT super_mediator

October 2017

CERT super_mediator is an IPFIX mediator for use with the yaf and SiLK tools.



SiLK

June 2017

SiLK (the System for Internet-Level Knowledge) is a collection of traffic analysis tools used to facilitate security analysis of large networks.


Looking Forward

The expert researchers in the CERT Division continue to investigate cutting-edge data analysis techniques and network collection capabilities that you can use to protect your organization and keep pace with the threat environment.