Introduction and welcome by Ramin (0900-0905)

===

Corinna Schmitt (UZH) presentation on TinyIPFIX, a measurement protocol for constrained devices.

- Pascal Thubert (Cisco): remark that monitoring is getting more and more restrictive in terms of how many bytes you can transfer through channels in sensor networks.
- Jochen Kügel (IsarNet): what is the difference between IPFIX and TinyIPFIX in terms of energy consumption? Unfortunately nothing has been measured yet. Perhaps an idea of these numbers can be found in the paper.
- Jochen Kügel (IsarNet): will there be any dynamic adaptation of what is measured in the scenario where sensors are deployed? Answer: it depends on what you are interested in measuring. For that you can change the metering periodicity; the template is automatically built depending on what you want to measure. Sending intervals are fixed at this moment.
- Jürgen Schönwälder (Jacobs U. Bremen): how does it compare to CoAP? There are no numbers to build a comparison, but it is believed to scale similarly.

===

Viktor Pus (CESNET) presentation on L7 monitoring at 100 Gbps, using hardware-accelerated monitoring and offloading flow processing from software to hardware.

- Liang Xia (Huawei): there are other projects that have L7 monitoring that can scale to 100 Gbps, some of them focusing on L7 threat detection? Answer: this is not detection, just parsing of packet information, metering and exporting. Detection should be done at the collector side. There are no comparison numbers against other devices that monitor at up to 100 Gbps.
- Liang Xia (Huawei): How do you differentiate which parts of the packet to send to software or to hardware? Answer: the basis is L3-L4 measurement, NetFlow-style. If there is anything of interest in L7, the monitoring is enriched with such additional information and exported via IPFIX. The software application is responsible for identifying whether there is additional information of interest and whether to offload to hardware processing.

===

Jeferson Campos Nobre (UFRGS) presentation on interactive monitoring of OpenFlow-based SDNs.

- Ricardo de O. Schmidt (U. Twente): Does the system read any sort of counters or use timeouts defined by the switch? This might not be a problem because the management system is based on the controller implementation and not really dependent on the OpenFlow switch/router.

===

Ramin: makes a remark that the workshop, differently from previous years, is more open to flow-level measurements with different technologies and paradigms, such as SDN/OpenFlow. Any feedback from the community? No objections.

===

Abdelkader Lahmadi (INRIA) announcement on the changes and updates of draft-irtf-nmrg-location-ipfix-04.txt; asks for feedback from the NMRG community.

===

Christian Dietz (UniBW) presentation on botnet detection using flow-level data.

- Liang Xia (Huawei): the DOTS WG in the security area mainly focuses on detecting and mitigating DDoS. The presented work is related to the group's topic and could also be used there, perhaps even as an Internet-Draft.
- Liang Xia (Huawei): what is the meaning of multi-layer in this solution? The concept of using normalized behaviors and filters makes it multi-layer.
- Ricardo de O. Schmidt (U. Twente): Same remark as made before, about the currently unreliable implementations of OpenFlow for the scenario of SDN botnet detection using flow-level measurements.
- Liang Xia (Huawei): complementing the remark from Ricardo, beware of the support of old versions of NetFlow or similar tools across different vendors. Perhaps the authors should consider proposing an extension of the current IPFIX standard to address the problem.

===

Viktor Pus (CESNET) presentation on using big data approaches for flow data storage and retrieval.

- Liang Xia (Huawei): What is the security project mentioned in the presentation? Answer: building a big database for data analysis towards security. It is a platform to define specific applications.
- Ramin Sadre (UCL): What are the implementations? Answer: nfdump storage format on individual nodes, orchestrated to work in a cluster environment.
- Ramin Sadre (UCL): NFSen adaptation? No answer at the moment.
- Luuk Hendriks (U. Twente): Are there any considerations towards fbitdump? Answer: not at the moment. There are no numbers comparing the performance of nfdump and fbitdump at this moment. This was not part of the main concern of the research problem.
- Abdelkader Lahmadi (INRIA): Why is the aggregation for ElasticSearch so slow? Answer: there is no clear understanding of why the aggregation is so slow, but perhaps sorting has a big share in this problem.
- Yu Kaneko (Toshiba): asks about the availability of data from this work. The speaker suggests discussing this further privately after the session.

===

Luuk Hendriks (U. Twente) presentation on characterizing IPv6 security by means of measurements.

- Liang Xia (Huawei): What are the key differences between v4 and v6 in relation to security that motivate your research? Answer: there is a big overlap between both versions. The problem is the new characteristics/features introduced by IPv6 that are/can be abused towards attacks such as DoS. Among the things we are interested in: does the source of attacks differ from v4-based attacks?
- Liang Xia (Huawei): Perhaps you could focus on the functional differences between v4 and v6 and then go towards the security aspect. Answer: there are already many works from this angle.
- Carlos Garcia Cordero (TU Darmstadt): How will you characterize the attack? Have you considered using open datasets available for your research? Do you need payload information? Answer: although payload is useful, it is not strictly necessary. Datasets can be used, but first we are focusing on polishing and finalizing the flow-based characterization approach. Concerning the characterization process, at the moment we capture all v6 traffic at a university gateway, using Bro to make a first-level analysis and create some flow-level characterization.

===

Cristian Hammerschmidt (U. Luxembourg) presentation on fingerprinting and classification of network users using automata models.

- Carlos Garcia Cordero (TU Darmstadt): can provide help with labeled datasets. The idea is to gather normal data/flows and inject previously captured botnet traffic.

===

Carlos Garcia Cordero (TU Darmstadt) presentation on flow-based distributed anomaly detection.

- Liang Xia (Huawei): What about storing data centrally? Answer: it is stored locally, and models are not as accurate as if they were based on centralized data.
- Ramin Sadre (UCL): Is the novelty to do it distributed? Answer: yes, it is. The data is located in many different points.

===

Catalin Meirosu (Ericsson Research) presentation on draft-unify-nfvrg-devops.

- Ricardo de O. Schmidt (U. Twente): What is the level of flow aggregation at telecom operators? Answer: It is mostly defined by the equipment the operators have.

===

Summary: This was a very nice workshop, with presentations covering a broad range of topics on the use of flow-level data: from hardware acceleration, to IPv6, to storage, to security, and to new paradigms using OpenFlow in SDN. Attendance was also very good: 32 people attended the NMRG workshop, providing interesting discussions and feedback to the presenters.