International Workshop on Traffic Measurements for Cybersecurity
(WTMC 2016)


Xi'an, China
May 30, 2016

Today's societies are becoming more and more dependent on open networks such as the Internet, where commercial activities, business transactions and government services are realized. This has led to the fast development of new cyber threats and numerous information security issues which are exploited by cyber criminals. The inability to provide trusted secure services in contemporary computer network technologies has a tremendous socio-economic impact on global enterprises as well as individuals. Current communication networks are increasingly becoming pervasive, complex, and ever-evolving due to factors like enormous growth in the number of network users, continuous appearance of network applications, increasing amount of data transferred, and diversity of user behaviors. Understanding and measuring traffic in such networks is a difficult yet vital task for network management and, more recently, for cybersecurity purposes. Network traffic measuring and monitoring can, for example, enable the analysis of the spreading of malicious software and its capabilities or can help to understand the nature of various network threats including those that exploit users' behavior and other users' sensitive information. On the other hand, network traffic investigation can also help to assess the effectiveness of the existing countermeasures or contribute to building new, better ones. Recently, traffic measurements have been utilized in the area of economics of cybersecurity, e.g., to assess ISP "badness" or to estimate the revenue of cyber criminals.

The aim of this workshop is to bring together the research accomplishments provided by researchers from academia and industry. The other goal is to show the latest research results in the field of cybersecurity and understand how traffic measurements can influence it. We encourage prospective authors to submit related distinguished research papers on both theoretical approaches and practical case reviews. This workshop presents some of the most relevant ongoing research in cybersecurity seen from the traffic measurements perspective.

The workshop will be accessible to both non-experts interested in learning about this area and experts interested in hearing about new research and approaches.

Topics of interest include, but are not limited to:

  • Measurements for network incidents response, investigation and evidence handling
  • Measurements for network anomalies detection
  • Measurements for economics of cybersecurity
  • Network traffic analysis to discover the nature and evolution of the cybersecurity threats
  • Measurements for assessing the effectiveness of the threats detection/prevention methods and countermeasures
  • Novel passive, active and hybrid measurements techniques for cybersecurity purposes
  • Traffic classification and topology discovery tools for monitoring the evolving status of the network from the cybersecurity perspective
  • Correlation of measurements across multiple layers, protocols or networks for cybersecurity purposes
  • Novel visualization approaches to detect network attacks and other threats
  • Analysis of network traffic to provide new insights about network structure and behavior from the security perspective
  • Measurements of network protocol and applications behavior and its impact on cybersecurity and users' privacy
  • Measurements related to network security and privacy


Papers will be accepted based on peer review (3 per paper) and should contain original, high quality work. All papers must be written in English.

Authors are invited to submit their papers via Easychair. Submitted papers must not substantially overlap papers that have been published or that are simultaneously submitted to a journal or a conference with proceedings. All submissions should be appropriately anonymized (i.e., papers should not contain author names or affiliations, or obvious citations). Submissions must be in double-column ACM SIG Proceedings format, and should not exceed 12 pages. Position papers and short papers of 5 pages describing the work in progress are also welcome. Only PDF files will be accepted.

Submission page:

Submission of a paper implies that, should the paper be accepted, at least one of the authors will register and present the paper at the conference.

Accepted papers will be published by ACM Press as conference proceedings and in the ACM Digital Library. Extended versions of selected papers accepted for WTMC will be published in a special issue of the EURASIP Journal on Information Security. The decision will depend on the quality of the paper and quality of the presentation at WTMC. The final decision will be made by co-chairs after the workshop.


February 8, 2016 (EXTENDED): Regular Paper Submission
March 1, 2016: Notification Date
March 15, 2016: Camera-Ready Paper Deadline

The WTMC workshop will be held at Room 3 of the conference venue.
14:00-14:10 Opening remarks
14:10-15:00 Keynote: It's Time for An Internet-wide Recommitment to Measurement. And Here's How We Should Do It. Paul Vixie (Farsight Security)
15:00-15:15 Coffee break
15:15-16:30 Session 1: Measurements of Security, Attacks, and Fraud. Chair: Maciej Korczyński (Delft University of Technology)
15:15-15:40 An Efficient Method for Detecting Obfuscated Suspicious JavaScript Based on Text Pattern Analysis. Jiawei Su, Katsunari Yoshioka, Junji Shikata, and Tsutomu Matsumoto
15:40-16:05 Characterizing Roles and Spatio-Temporal Relations of C&C Servers in Large-Scale Networks. Romain Fontugne, Johan Mazel, and Kensuke Fukuda
16:05-16:30 FNFD: A Fast Scheme to Detect and Verify Non-Technical Loss Fraud in Smart Grid. Wenlin Han and Yang Xiao
16:30-16:45 Coffee break
16:45-18:00 Session 2: Algorithms. Chair: Romain Fontugne (Internet Initiative Japan)
16:45-17:10 A High Performance IPv6 Flow Table Lookup Algorithm Based on Hash. Huan Guo, Zhengmin Li, Qingyun Liu, Jia Li, and Li Guo
17:10-17:35 Fast and Accurate Identification of Active Recursive Domain Name Servers in high-speed Network. Xiaomei Liu, Yong Sun, Caiyun Huang, Xueqiang Zou, and Zhi-Guang Qin
17:35-18:00 Image Processing Pipeline Model Integrating Steganographic Algorithms for Mobile Cameras. Prabhat Dahal, Dongming Peng, and Hamid Sharif
18:00-18:10 End and wrap up

Paul Vixie (CEO of Farsight Security, USA)


There has never been a greater need for comprehensive Internet metrics than now. Even basic security-critical facts about the Internet, such as “How many systems are botted?” or “What networks still don’t do Source Address Validation?” remain murky and poorly quantified. Likewise, traffic characterization and summary inter-AS flow data typically remain closely-held proprietary information, rather than routinely-shared basic operational data. Without trustworthy Internet measurements of this sort, we’re “driving blind” and will routinely make suboptimal choices about critical technical policies, including issues as fundamental as network neutrality. System and network measurements were once an integral part of Internet practice, something that was hardly surprising given the Internet’s roots in the university community. Scientists naturally make observations, record data, and analyze that data to document phenomena and advance the state-of-the-art. More recently, however, a variety of factors have created an online environment that’s hostile to legitimate academic Internet measurement and monitoring efforts. Major drivers contribute to that public hostility, including overly aggressive marketing analytics and domestic pervasive monitoring by the intelligence community. It all feels like eavesdropping to the public, even though important real differences exist and reforms have taken place. Bottom line, the public is having none of any of it.


Short Bio

Dr. Paul Vixie is the CEO of Farsight Security. He previously served as President, Chairman and Founder of Internet Systems Consortium (ISC), as President of MAPS, PAIX and MIBH, as CTO of Abovenet/MFN, and on the boards of several for-profit and non-profit companies. He served on the ARIN Board of Trustees from 2005 to 2013, as ARIN Chairman in 2008 and 2009, and was a founding member of ICANN Root Server System Advisory Committee (RSSAC) and ICANN Security and Stability Advisory Committee (SSAC). He operated the ISC's F-Root name server for many years, and is a member of Cogent's C-Root team. He is a sysadmin for Op-Sec-Trust. Vixie has been contributing to Internet protocols and UNIX systems as a protocol designer and software architect since 1980. He wrote Cron (for BSD and Linux), and is considered the primary author and technical architect of BIND 4.9 and BIND 8, and he hired many of the people who wrote BIND 9. He has authored or coauthored a dozen or so RFCs, mostly on DNS and related topics, and of Sendmail: Theory and Practice (Digital Press, 1994). His technical contributions include DNS Response Rate Limiting (RRL), DNS Response Policy Zones (RPZ), and Network Telemetry Capture (NCAP). He earned his Ph.D. from Keio University for work related to DNS and DNSSEC, and was named to the Internet Hall of Fame in 2014.

Maciej Korczyński, Delft University of Technology, The Netherlands
Wojciech Mazurczyk, Warsaw University of Technology, Poland
Katsunari Yoshioka, Yokohama National University, Japan
Michel van Eeten, Delft University of Technology, The Netherlands
William Robertson, Northeastern University, USA


Benedict Addis, Shadowserver, UK
Pedro Casas, Austrian Institute of Technology, Austria
Luca Caviglione, CNR ISSIA, Italy
Eric Chan-Tin, Oklahoma State University, USA
Michal Choras, University of Technology and Life Sciences, Poland
Frederic Cuppens, TELECOM Bretagne, France
Andrzej Duda, Grenoble Institute of Technology, France
Romain Fontugne, Internet Initiative Japan (IIJ), Japan
Kensuke Fukuda, National Institute of Informatics, Japan
Carlos H. Gañán, Delft University of Technology, Netherlands
Zeno Geradts, Netherlands Forensic Institute, Netherlands
Amir Houmansadr, University of Massachusetts Amherst, USA
Artur Janicki, Warsaw University of Technology, Poland
Bartosz Jasiul, Military Communication Institute, Poland
Igor Kotenko, SPIIRAS, Russia
Zbigniew Kotulski, Warsaw University of Technology, Poland
Christian Kraetzer, Otto-von-Guericke University of Magdeburg, Germany
Jean-Francois Lalande, Inria, Univ. Rennes 1, INSA Centre Val de Loire, Univ. Orleans, France
Giovane C. M. Moura, SIDN, Netherlands
Tyler Moore, University of Tulsa, USA
Bou-Harb, National Cyber Forensics and Training Alliance (NCFTA) & Concordia University, Canada
Philippe Owezarski, LAAS-CNRS, France
Giancarlo Pellegrino, Saarland University, Germany
Pedro Prospero-Sanchez, Science and Technology University of Sao Paulo, Brazil
Christian Rossow, Saarland University, Germany
Hui Tian, National Huaqiao University, China
Johnson Thomas, Oklahoma State University, USA
Guillaume Urvoy-Keller, Université Nice Sophia Antipolis, France
Zachary Weinberg, Carnegie Mellon University, USA
George Weir, University of Strathclyde, UK
Steffen Wendzel, Fraunhofer FKIE, Germany




Contact WTMC 2016 chairs using this email address: