6th International Workshop on Traffic Measurements for Cybersecurity
(WTMC 2021)

co-located with
42nd IEEE Symposium on Security and Privacy

logo logo_sandp logo_COMSOC

Virtual Workshop
Thursday, May 27, 2021

Current communication networks are increasingly becoming pervasive, complex, and ever-evolving due to factors like enormous growth in the number of network users, continuous appearance of network applications, increasing amount of data transferred, and diversity of user behaviors. Understanding and measuring traffic in such networks is a difficult yet vital task for network management but recently also for cybersecurity purposes. Network traffic measuring and monitoring can, for example, enable the analysis of the spreading of malicious software and its capabilities or can help to understand the nature of various network threats including those that exploit users’ behavior and other user’s sensitive information. On the other hand network traffic investigation can also help to assess the effectiveness of the existing countermeasures or contribute to building new, better ones. Recently, traffic measurements have been utilized in the area of economics of cybersecurity e.g. to assess ISP “badness” or to estimate the revenue of cybercriminals.

The aim of this workshop is to bring together the research accomplishments provided by researchers from academia and the industry. The other goal is to show the latest research results in the field of cybersecurity and understand how traffic measurements can influence it. We encourage prospective authors to submit related distinguished research papers on the subject of both: theoretical approaches and practical case reviews. This workshop presents some of the most relevant ongoing research in cybersecurity seen from the traffic measurements perspective.

The workshop will be accessible to both non-experts interested in learning about this area and experts interested in hearing about new research and approaches.

Topics of interest include but are not limited to:

  • Measurements for network incidents response, investigation, and evidence handling
  • Measurements of cyber attacks (e.g. DDoS, botnet, malware, and phishing campaigns)
  • Measurements for security of web-based applications and services (e.g. social networking)
  • Measurements for network anomalies detection
  • Measurements for economics of cybersecurity and privacy
  • Measurements of security and privacy for the Internet of Things
  • Measurements of Internet censorship
  • Measurement studies describing the impacts of regulations on cybersecurity and users' privacy (e.g. GDPR)
  • Network traffic analysis to discover the nature and evolution of the cybersecurity threats
  • Measurements of cyber-physical systems security
  • Measurements for assessing the effectiveness of the threats detection/prevention methods and countermeasures
  • Novel passive, active and hybrid measurements techniques for cybersecurity purposes
  • Traffic classification and topology discovery tools for monitoring the evolving status of the network from the cybersecurity perspective
  • Correlation of measurements across multiple layers, protocols or networks for cybersecurity purposes
  • Machine learning and data mining for analysis of network traffic measurements for cybersecurity
  • Novel approaches for large-scale measurements for cybersecurity (e.g. crowd-sourcing)
  • Novel visualization approaches to detect network attacks and other threats
  • Analysis of network traffic to provide new insights about network structure and behavior from the security perspective
  • Measurements of network protocol and applications behavior and its impact on cybersecurity and users' privacy
  • Vulnerability notifications
  • Measurements for new cybersecurity settings
  • Ethical issues in measurements for cybersecurity
  • Reappraisal of previous empirical findings


Papers will be accepted based on peer review (3-4 per paper) and should contain original, high-quality work. All papers must be written in English.

Authors are invited to submit regular papers (maximum 6 pages) including references and appendices via EasyChair. Papers must be formatted for US letter (not A4) size paper. The text must be formatted in a two-column layout, with columns no more than 9.5 in. tall and 3.5 in. wide. The text must be in Times font, 10-point or larger, with 11-point or larger line spacing. Authors are encouraged to use the IEEE conference proceedings templates. LaTeX submissions should use IEEEtran.cls version 1.8. Failure to adhere to the page limit and formatting requirements will be grounds for rejection.

Papers describing cybersecurity measurement studies should include an ethical considerations paragraph, and where applicable reach out to their institutional ethics committee or institutional review board. For guidance see the Menlo Report and its companion document.

Authors are encouraged to share developed software implementations, measurement datasets, simulation models, etc. used in articles allowing other researchers to build upon and extend current results. Authors may include a paragraph about reproducible research.

Submission page: https://easychair.org/conferences/?conf=wtmc2021

Submission of a paper implies that should the paper be accepted, at least one of the authors will register and present the paper at the conference.

Papers accepted by the workshop will be published through IEEE Xplore in a volume accompanying the main IEEE S&P conference proceedings. All WTMC workshop authors are also invited to present a poster during the IEEE S&P Symposium. The extended versions of all accepted papers will be considered for publication in a special issue of the Journal of Cyber Security and Mobility (confirmed). The decision will depend on the quality of the paper and the quality of the presentation at WTMC 2021. The final decision will be made by co-chairs after the workshop.


February 1, 2021 (AoE, UTC -12) [Extended]: Paper Submission
March 1, 2021: Notification Date
April 18, 2021: Camera-Ready Paper Deadline (hard)

The workshop registration is now open. Please follow the instructions on the IEEE S&P conference page here.

Registration grants are available to cover the expenses of student attendees to the IEEE S&P Symposium and WTMC. We encourage applications from students from a wide variety of institutions, diverse backgrounds, and first-time attendees. Undergraduate and graduate students will be considered for this award. Applications are due by May 14, 2021. You can find more details about Student Registration Grants here: here.


The 6th WTMC workshop will be held as a virtual workshop.

Time zone: Central European Summer Time (CEST)
15:00-15:05 Opening Remarks
15:05-15:50 Session 1: Measurements for mobile security and privacy (Session Chair: Giovane C. M. Moura, SIDN)
Keynote: Narseo Vallina Rodriguez (IMDEA Networks, Spain). Measuring the Android Supply Chain: Privacy and Security Risks
José Antonio Gómez-Hernández, Pedro García-Teodoro, Juan Antonio Holgado-Terriza, Gabriel Maciá-Fernández, José Camacho-Páez and Margarita Robles-Carrillo. AMon: A Monitoring Multidimensional Feature Android Application to Secure Mobile Environments
15:50-16:00 Break
16:00-16:45 Session 2: Machine learning and intrusion detection (Session Chair: Samaneh Tajalizadehkhoob, ICANN)
Gints Engelen, Vera Rimmer and Wouter Joosen. Troubleshooting an Intrusion Detection Dataset: the CICIDS2017 Case Study
Duc Le, Nur Zincir-Heywood and Malcolm Heywood. Training Regime Influences to Semi-supervised Learning for Insider Threat Detection
Henry Clausen and David Aspinall. Examining Traffic Micro-structures to Improve Model Development
16:45-17:00 Break
17:00-17:45 Session 3: Measurements of DDoS attacks and DNS abuse (Session Chair: Maciej Korczyński, Grenoble Alps University)
Keynote: Johannes Krupp (CISPA, Germany). Using Honeypots to Fight Amplification DDoS
Zhouhan Chen and Juliana Freire. Discovering and Measuring Malicious URL Redirection Campaigns from Fake News Domains
17:45-18:00 Break
18:00-18:05 Best Paper Award
18:05-18:50 Session 4: Network traffic monitoring and analysis for cybersecurity (Session Chair: Carlos Gañán, ICANN)
Tobias Höller, Thomas Raab, Michael Roland and René Mayrhofer. On the Feasibility of Short-lived Dynamic Onion Services
Tommaso Rescio, Thomas Favale, Francesca Soro, Marco Mellia and Idilio Drago. DPI Solutions in Practice: Benchmark and Comparison
Philippe Elbaz-Vincent and Mohamed Traoré. Revisiting the Pervasiveness of Weak Keys in Network Devices
18:50-19:00 Closing Remarks


pv Narseo Vallina Rodriguez, IMDEA Networks (Spain) and ICSI (USA)

Title: Measuring the Android Supply Chain: Privacy and Security Risks


The open-source nature of the Android OS makes it possible for manufacturers to ship custom versions of the OS along with a set of pre-installed apps, often for product differentiation. Yet, the Android supply chain lacks transparency and has facilitated potentially harmful behaviours and backdoored access to sensitive data without user consent or awareness. This talk will describe our ongoing efforts to systematically and empirically characterise the Android supply chain, its stakeholders, and to reveal overlooked privacy intrusive and potentially harmful pre-installed software resulting from the lack of control over device manufacturers.

Short Bio

Narseo obtained his Ph.D. at the University of Cambridge in 2014. His research interests fall in the area of network measurements, with a focus on measuring online privacy and security risks. During his academic career, Narseo has won best paper awards at some of the most prestigious peer-reviewed conferences in networking and security including the 2020 IEEE Symposium on Security and Privacy (S&P), USENIX Security’19, ACM IMC’18, and ACM CoNEXT'14 and he has also received several industry grants including a Google Faculty Research Awards in 2018, a DataTransparency Lab Grant in 2016, and a Qualcomm Innovation Fellowship in 2012. His work in the mobile security and privacy domain has influenced policy changes and security improvements in the Android platform, while his study on the privacy and security risks of pre-installed Android software has received the recognition of several EU Data Protection Agencies as reflected by the AEPD Emilio Aced Award and the CNIL-INRIA Privacy Protection Awards. International media outlets like The Washington Post, The New York Times, The Guardian, or the Financial Times have covered Narseo’s research.

pv Johannes Krupp, CISPA (Germany)

Title: Using Honeypots to Fight Amplification DDoS


Amplification DDoS attacks plague the Internet for a long time. Although quite simple from a technical point of view, these attacks can reach powerful attack bandwidths of several Tbps while also hiding the attacker behind a veil of IP spoofing. This talk will discuss how honeypots can be used to observe these attacks, which trends can be observed from multiple years of datacollection, and how honeypot data can be ultimately used to uncover attacking infrastructures responsible for such attacks.

Short Bio

Johannes Krupp is a researcher at the CISPA Helmholtz Center for Information Security in Saarbrücken, Germany. He joined CISPA as a Ph.D. candidate after receiving a bachelor degree in computer science from Saarland University in 2014. His research on DDoS attacks and attack attribution has been recognized by the academic community with publications at RAID, CCS, and EuroS&P, and was awarded a SRL graduate fellowship.

Maciej Korczyński, Grenoble Alps University, France
Wojciech Mazurczyk, Warsaw University of Technology, Poland
Pedro Casas, AIT, Austria
Nicolas Christin, Carnegie Mellon University, USA
Wouter Joosen, Katholieke Universiteit Leuven, Belgium
Anna Sperotto, University of Twente, Netherlands


Giovane C. M. Moura, SIDN Labs, Netherlands
Luca Caviglione, CNR - IMATI, Italy
Isabelle Chrisment Université de Lorraine, France
Simone Ferlin, Ericsson research, Sweeden
Romain Fontugne, Internet Initiative Japan, Japan
Paweł Foremski, IITiS PAN / Farsight Security Inc, Poland
Jérôme François, Inria Nancy Grand Est, France
Carlos Gañán, ICANN / Delft University of Technology, Netherlands
Mehmet Gunes, Stevens Institute of Technology, USA
Artur Janicki, Warsaw University of Technology, Poland
Christian Keil, DFN-CERT, Germany
Jörg Keller, Fern Universität in Hagen, Germany
Igor Kotenko, SPIIRAS, Russia
Christian Kraetzer, Otto-von-Guericke University Magdeburg, Germany
Jean-Francois Lalande, Centrale Supélec, France
Victor Le Pochat, Katholieke Universiteit Leuven, Belgium
Qasim Lone, Delft University of Technology, Netherlands
Jelena Mirkovic, USC Information Sciences Institute, USA
Vinnie Monaco, Naval Postgraduate School, USA
Moritz Müller, SIDN / University of Twente, Netherlands
Arman Noroozian, University of Amsterdam, Netherlands
Philippe Owezarski, LAAS-CNRS, France
Davy Preuveneers, Katholieke Universiteit Leuven, Belgium
Ramin Sadre, Université catholique de Louvain, Belgium
José Jair Santanna, University of Twente, Netherlands
Oleksii Starov, Palo Alto Networks, USA
Ewa Syta, Yale University, USA
Samaneh Tajalizadehkhoob, ICANN, USA
Hui Tian, National Huaqiao University, China
Guillaume Urvoy-Keller, Université de Nice Sophia-Antipolis, France
Tom van Goethem, Katholieke Universiteit Leuven, Belgium
Roland van Rijswijk-Deij, University of Twente, Netherlands
Thomas Vissers, Cloudflare, USA
Steffen Wendzel, Worms University of Applied Sciences, Germany
Nur Zincir-Heywood, Dalhousie University, Canada





We are grateful to our supporters who will help us make WTMC'21 a great event.

WTMC 2020 at IEEE Euro S&P, Virtual Event
WTMC 2019 at IEEE S&P, San Francisco, California, USA
WTMC 2018 at ACM SIGCOMM Budapest, Hungary
WTMC 2017 at IEEE S&P, San Jose, California, USA
WTMC 2016 at ACM ASIACCS, Xi'an, China

Contact WTMC 2021 chairs using this email address: wtmc2021@easychair.org.