4th International Workshop on Traffic Measurements for Cybersecurity
(WTMC 2019)

co-located with
40th IEEE Symposium on Security and Privacy

logo logo_sandp logo_COMSOC

San Francisco, California
Thursday, May 23, 2019

Current communication networks are increasingly becoming pervasive, complex, and ever-evolving due to factors like enormous growth in the number of network users, continuous appearance of network applications, increasing amount of data transferred, and diversity of user behaviors. Understanding and measuring traffic in such networks is a difficult yet vital task for network management but recently also for cybersecurity purposes. Network traffic measuring and monitoring can, for example, enable the analysis of the spreading of malicious software and its capabilities or can help to understand the nature of various network threats including those that exploit users’ behavior and other user’s sensitive information. On the other hand network traffic investigation can also help to assess the effectiveness of the existing countermeasures or contribute to building new, better ones. Recently, traffic measurements have been utilized in the area of economics of cybersecurity e.g. to assess ISP “badness” or to estimate the revenue of cyber criminals.

The aim of this workshop is to bring together the research accomplishments provided by the researchers from academia and the industry. The other goal is to show the latest research results in the field of cybersecurity and understand how traffic measurements can influence it. We encourage prospective authors to submit related distinguished research papers on the subject of both: theoretical approaches and practical case reviews. This workshop presents some of the most relevant ongoing research in cybersecurity seen from the traffic measurements perspective.

The workshop will be accessible to both non-experts interested in learning about this area and experts interesting in hearing about new research and approaches.

Topics of interest include, but are not limited to:

  • Measurements for network incidents response, investigation and evidence handling
  • Measurements of cyber attacks (e.g. DDoS, botnet, malware and phishing campaigns)
  • Measurements for security of web-based applications and services (e.g., social networking)
  • Measurements for network anomalies detection
  • Measurements for economics of cybersecurity and privacy
  • Measurements of security and privacy for the Internet of Things
  • Network traffic analysis to discover the nature and evolution of the cybersecurity threats
  • Measurements for assessing the effectiveness of the threats detection/prevention methods and countermeasures
  • Novel passive, active and hybrid measurements techniques for cybersecurity purposes
  • Traffic classification and topology discovery tools for monitoring the evolving status of the network from the cybersecurity perspective
  • Correlation of measurements across multiple layers, protocols or networks for cybersecurity purposes
  • Machine learning and data mining for analysis of network traffic measurements for cybersecurity
  • Novel approaches for large-scale measurements for cybersecurity (e.g. crowd-sourcing)
  • Novel visualization approaches to detect network attacks and other threats
  • Analysis of network traffic to provide new insights about network structure and behavior from the security perspective
  • Measurements of network protocol and applications behavior and its impact on cybersecurity and users' privacy
  • Vulnerability notifications
  • Measurements for new cybersecurity settings
  • Ethical issues in measurements for cybersecurity
  • Reappraisal of previous empirical findings


Papers will be accepted based on peer review (3-4 per paper) and should contain original, high quality work. All papers must be written in English.

Authors are invited to submit regular papers (maximum 6 pages) via EasyChair. Papers must be formatted for US letter (not A4) size paper. The text must be formatted in a two-column layout, with columns no more than 9.5 in. tall and 3.5 in. wide. The text must be in Times font, 10-point or larger, with 11-point or larger line spacing. Authors are encouraged to use the IEEE conference proceedings templates. LaTeX submissions should use IEEEtran.cls version 1.8. Failure to adhere to the page limit and formatting requirements will be grounds for rejection.

Papers describing cybersecurity measurement studies should include an ethical considerations paragraph, and where applicable reach out to their institutional ethics committee or institutional review board. For guidance see the Menlo Report and its companion document.

Authors are encouraged to share developed software implementations, measurement datasets, simulation models, etc. used in articles allowing other researchers to build upon and extend current results. Authors may include a paragraph about reproducible research.

Submission page: https://easychair.org/conferences/?conf=wtmc2019

Submission of a paper implies that should the paper be accepted, at least one of the authors will register and present the paper in the conference.

Papers accepted by the workshop will be published in the Conference Proceedings published by IEEE Computer Society Press. The extended versions of all accepted papers will be considered for publication in a special issue of the Journal of Cyber Security and Mobility (confirmed). The decision will depend on the quality of the paper and quality of the presentation at WTMC 2019. The final decision will be made by co-chairs after the workshop.


January 25, 2019 (AoE, UTC -12, EXTENDED): Regular Paper Submission
February 23, 2019: Notification Date
March 18, 2019: Camera-Ready Paper Deadline

Registration is now open (early registration by April 19, 2019, 11:59pm PDT)!
The 4th WTMC workshop will be held at the Hyatt Regency, San Francisco, California.
7:30-8:30 Breakfast
8:50-9:00 Opening remarks (Maciej Korczyński, Grenoble Institute of Technology, France)
9:00-10:00 Keynote: Alvaro A. Cardenas (University of California Santa Cruz, USA)
Title: Measuring SCADA Networks: Towards an Industrial Security Operations Center
10:15-10:45 Coffee break
10:45-12:30 Session 1: Measurements for DNS Security (Session Chair: Zhaoyan Xu, Palo Alto Networks, USA)
Victor Le Pochat, Tom Van Goethem and Wouter Joosen. A Smörgåsbord of Typos: Exploring International Keyboard Layout Typosquatting
Marcin Skwarek, Maciej Korczyński, Wojciech Mazurczyk and Andrzej Duda. Characterizing Vulnerability of DNS AXFR Transfers with Global-Scale Scanning
Thomas Vissers, Peter Janssen, Wouter Joosen and Lieven Desmet. Assessing the Effectiveness of Domain Blacklisting Against Malicious DNS Registrations
Oliver Farnan, Joss Wright and Alexander Darer. Analysing Censorship Circumvention with VPNs via DNS Cache Snooping
12:30-13:30 Lunch
13:30-14:30 Keynote: Roya Ensafi (University of Michigan, USA)
Title: Making Sense of Censorship
14:30-15:20 Session 2: Measurements for Web Security (Session Chair: Victor Le Pochat, KU Leuven, Belgium)
Vinnie Monaco. Feasibility of a Keystroke Timing Attack on Search Engines with Autocomplete
Oleksii Starov, Yuchen Zhou and Jun Wang. Detecting malicious campaigns in obfuscated JavaScript with scalable behavioral analysis
15:20-15:45 Mid-afternoon Break
15:45-17:30 Session 3: Measurements for Network Security (Session Chair: Vinnie Monaco, Naval Postgraduate School, USA)
Alexander Vetterl, Richard Clayton and Ian Walden. Counting Outdated Honeypots: Legal and Useful
Pedro Casas, Gonzalo Marín, Germán Capdehourat and Maciej Korczyński. MLSEC - Benchmarking Shallow and Deep Machine Learning Models for Network Security
Kelvin Mai, Xi Qin, Neil Ortiz Silva and Alvaro A. Cardenas. IEC-60870-5-104 Network Characterization of a Large-Scale Operational Power Grid
Abhishta Abhishta, Marianne Junger, Reinoud Joosten and Lambert J. M. Nieuwenhuis. Victim Routine Influences the Number of DDoS Attacks: Evidence from Dutch Educational Network
17:30-17:45 Closing Remarks and Distinguished Paper Award

pv Alvaro A. Cardenas, University of California Santa Cruz, USA

Title: Measuring SCADA Networks: Towards an Industrial Security Operations Center


Protecting Industrial Control Systems requires solutions that not disturb existing operations, which is essential for large-scale systems and, especially for legacy systems. In talk we discuss our efforts for collecting SCADA network data, the challenges in getting access to these networks, and the variety of systems and industrial protocols. We then discuss our efforts in profiling the behavior of SCADA systems at different layers of packet inspection. By combining information extraction through network analysis, and semantics-aware network-based monitoring we build and maintain models of different perspectives of the system to help security analysts and operators better understand their systems and identify threats.

Short Bio

Alvaro A. Cardenas is an Associate Professor at the University of California Santa Cruz. He holds M.S. and Ph.D. degrees from the University of Maryland, College Park. Before joining UC Santa Cruz he was a Eugene McDermott Associate Professor at the University of Texas at Dallas. His research interests focus on cyber-physical systems and IoT security and privacy. He is the recipient of the NSF CAREER award, the 2018 faculty excellence in research award from the Erik Johnson School of Engineering and Computer Science, and best paper awards from the IEEE Smart Grid Communications Conference and the U.S. Army Research Conference.

pv Roya Ensafi, University of Michigan, USA

Title: Making Sense of Censorship


Interference with users’ online activities is on the rise, through behaviors that range from censorship and surveillance to content injection, traffic throttling, and violations of net neutrality. Reliably investigating interference requires new frameworks for measuring and interpreting network behavior. Understanding these complex phenomena requires longitudinal studies, observation from multiple vantage points, the ability to reverse engineer network traffic, and even application-specific techniques. In this talk, I will describe my efforts to design and build scalable, statistically robust measurement systems that use novel side channels to remotely infer network- and application-layer content filtering at global (Internet-wide) scale. My lab has deployed these systems in Censored Planet, a service that continuously monitors global Internet censorship and publishes semiweekly datasets about the availability of thousands of sensitive websites across more than 180 countries.

Short Bio

Roya Ensafi is a Research Assistant Professor in Computer Science and Engineering at the University of Michigan, where her research focuses on computer networking, security, and privacy. She designs scalable techniques and systems to protect users’ Internet connections from disruption and surveillance. Roya is best known for her work in the area of Internet censorship, where she pioneered the use of side-channels to remotely measure adversarial manipulation of Internet traffic, including attempts to censor or tamper with users’ online activities. Her work on studying how the Great Firewall of China discovers hidden circumvention servers received an IRTF Applied Networking Research Prize (ANRP) in 2016. She has received the NSF CISE Research Initiation Initiative award and Google Faculty Research Award. Prior to joining Michigan, she was a postdoc at Princeton University’s Center for Information Technology Policy (CITP).

Maciej Korczyński, Grenoble Institute of Technology, France
Wojciech Mazurczyk, Warsaw University of Technology, Poland
Pedro Casas, AIT, Austria
kc Claffy, CAIDA, USA
Aiko Pras, University of Twente, Netherlands
Kensuke Fukuda, National Institute of Informatics, Japan


Hadi Asghari, Delft University of Technology, Netherlands
Elias Bou-Harb, National Cyber Forensics and Traning Alliance and FAU, USA
Giovane C. M. Moura, SIDN Labs, Netherlands
Luca Caviglione, CNR - ISSIA, Italy
Eric Chan-Tin, Loyola University Chicago, USA
Richard Clayton, University of Cambridge, UK
Amogh Dhamdhere, CAIDA/UCSD, USA
Simone Ferlin, Ericsson Research, Sweden
Romain Fontugne, Internet Initiative Japan (IIJ), Japan
Paweł Foremski, Farsight Security and Polish Academy of Sciences, Poland
Oliver Gasser, Technical University of Munich, Germany
Mehmet Gunes, University of Nevada, USA
Carlos H. Gañán, Delft University of Technology, Netherlands
Amir Houmansadr, The University of Texas at Austin, USA
Artur Janicki, Warsaw University of Technology, Poland
Mobin Javed, ICSI, USA/LUMS, Pakistan
Christian Keil, DFN-CERT, Germany
Jörg Keller, Fern Universität in Hagen, Germany
Igor Kotenko, SPIIRAS, Russia
Christian Kraetzer, Otto-von-Guericke University Magdeburg, Germany
Jean-Francois Lalande, CentraleSupélec, France
Matthew Luckie, University of Waikato, New Zealand
Jelena Mirkovic, USC Information Sciences Institute, USA
Vinnie Monaco, Naval Postgraduate School, USA
Tyler Moore, University of Tulsa, USA
Philippe Owezarski, LAAS-CNRS, France
Franck Rousseau, Grenoble Institute of Technology, France
Ramin Sadre, KU Louvain, Belgium
Quirin Scheitle, Technical University of Munich, Germany
Anna Sperotto, University of Twente, Netherlands
Stephen Strowes, RIPE NCC, Netherlands
Ewa Syta, Yale University, USA
Hu Tian, National Huaqiao University, China
Guillaume Urvoy-Keller, Université de Nice Sophia-Antipolis, France
Jeroen van der Ham, National Cyber Security Center, Netherlands
Tom van Goethem, KU Leuven, Belgium
Roland van Rijswijk-Deij, University of Twente and NLnet Labs, Netherlands
Steffen Wendzel, Worms University of Applied Sciences and Fraunhofer FKIE, Germany
Katsunari Yoshioka, Yokohama National University, Japan
Nur Zincir-Heywood, Dalhousie University, Canada

WTMC 2018 at ACM SIGCOMM Budapest, Hungary
WTMC 2017 at IEEE S&P, San Jose, California, USA
WTMC 2016 at ACM ASIACCS, Xi'an, China

Contact WTMC 2019 chairs using this email address: wtmc2019@easychair.org.