Enabling Large-Scale Network Flow Analysis
Today, network analysts in the DoD and federal agencies use the SEI CERT Division's network situational awareness technologies to characterize network threats, assess the impact of security events, and identify vulnerable network infrastructures.
In the early 1990s, the CERT Division developed Argus, one of the first software-based network flow analysis tools, to support incident response activity. In 2000, the Automated Incident Reporting to CERT (AirCERT) initiative released data conversion, sharing, and analysis tools (including the Analysis Console for Incident Data, ACID) and supported the development of Internet Engineering Task Force (IETF) standards that established a data format for exchanging information on computer security incidents among response teams around the world.
The Einstein program, mandatory for all federal civilian agencies, integrates several distinct data collection and analysis systems and uses tool sets for network traffic analysis developed by the CERT Division. Through the years, the SEI's CERT Division has developed and released open source tools such as
- the System for Internet-Level Knowledge (SiLK) tool suite, which enables the DoD to conduct security analysis that is not driven by known-bad signatures
- Yet Another Flowmeter (YAF), which leverages additional data sources, including Domain Name System (DNS) records, Secure Sockets Layer (SSL) certificates, and application banners, stored in the IP Flow Information Export (IPFIX) standard format
YAF, SiLK, and associated tools have been widely adopted. Telecommunication providers, government defense contractors, and many other high-tech companies use this technology to help protect their own networks and the networks of their clients.