Mike Fisk
Los Alamos National Laboratory | LANL · Cyber Futures Lab

Computer Science

About

37
Publications
4,750
Reads
1,156
Citations

Publications (37)
Conference Paper
In this paper we present FileMap, an open-source, alternative map-reduce-based computing system that we have developed and utilized over the last 5 years. This system features several significant design decisions and performance aspects that are not found in prevalent map-reduce systems such as Hadoop [16]. The prevailing design goal is to have a s...
Article
We introduce a computationally scalable method for detecting small anomalous areas in a large, time-dependent computer network, motivated by the challenge of identifying intruders operating inside enterprise-sized computer networks. Time-series of communications between computers are used to detect anomalies, and are modeled using Markov models tha...
Article
Traditional software and security patch update delivery mechanisms rely on a client/server approach where clients pull updates from servers regularly. This approach, however, suffers a high window of vulnerability (WOV) for clients and the risk of a single point of failure. Overlay-based information dissemination schemes overcome these problems, bu...
Article
Automated network defense is a necessity for dealing with the rapid pace of modern cyber attacks. To combat this threat, we have created a real-time flow-based change detection system to automate network defense. We have developed the Exponential Moving Average Anomaly Detector (EMAAD) to detect changes on our network. EMAAD uses a specialized asymmetr...
Article
Cyber security is emerging as a data-rich analytical domain that challenges both traditional analytical computing capabilities as well as HPC architectures. Cyber data sets are based on observation rather than simulation and that implies, like other observational domains, data sets that are large (multiple-terabytes/day is small-scale), and continu...
Conference Paper
Full-text available
Information providers on networks such as the global information grid need to share sensitive information while still protecting that information from misuse. We show how common information-sharing mechanisms encourage and allow high-bandwidth, hard-to-detect information exfiltration by malicious insiders, and by adversaries in the field. By levera...
Article
Full-text available
This paper presents a family of bitmap algorithms that address the problem of counting the number of distinct header patterns (flows) seen on a high-speed link. Such counting can be used to detect DoS attacks and port scans and to solve measurement problems. Counting is especially hard when processing must be done within a packet arrival time (8 ns...
Conference Paper
Full-text available
Our analytics task is to identify, characterize, and visualize anomalous subsets of as large of a collection of network connection data as possible. We use a combination of HPC resources, advanced algorithms, and visualization techniques. To effectively and efficiently identify the salient portions of the data, we rely on a multistage workflow that...
Article
Full-text available
In this paper we present our system for efficiently executing queries on network data streams. Our high-level query language resembles a database query language but allows the user to easily add new data types and analysis functions. This expressability is a superset of previous packet classification, filtering and content-based forwarding exp...
Article
Full-text available
The performance of signature-based network intrusion detection tools is dominated by the string matching of packets against many signatures. In this paper we study how the popular intrusion detection system Snort can be best optimized to utilize different string matching algorithms. We analyze the performance of Snort's current string matching alg...
Article
This paper presents a family of bitmap algorithms that address the problem of counting the number of distinct header patterns (flows) seen on a high speed link. Such counting can be used to detect DoS attacks and port scans, and to solve measurement problems. Counting is especially hard when processing must be done within a packet arrival time (8 n...
Article
Full-text available
In this paper we present our immersive network monitoring system that is used for real-time and retrospective analysis of network traffic. Our 3-D representations are designed from the perspective of monitoring traffic at an administrative boundary between the Internet and an internal network. In our virtual environment, a physical boundary and def...
Article
The state of the art in general purpose software systems for large-scale traffic measurement has not progressed much past the venerable libpcap. In this paper we describe a new data analysis system that provides a scalable, flexible system for composing ad-hoc analyses of highspeed, streaming data. This agility allows researchers, network security...
Conference Paper
Full-text available
Active wardens have been an area of postulation in the community for nearly two decades, but to date there have been no published implementations that can be used to stop steganography as it transits networks. In this paper we examine the techniques and challenges of a high-bandwidth, unattended, real-time, active warden in the context of a network...
Article
Internet links operate at high speeds, and past trends predict that these speeds will continue to increase rapidly. Routers and Intrusion Detection Systems that operate at up to OC-768 speeds (40 Gigabits/second) are currently being developed. In this paper we address a basic function common to several security and measurement applications running...
Conference Paper
Full-text available
With the advent of computational grids, networking performance over the wide-area network (WAN) has become a critical component in the grid infrastructure. Unfortunately, many high-performance grid applications only use a small fraction of the available bandwidth because operating systems and their associated protocol stacks are still tuned for yes...
Conference Paper
With the advent of computational grids, networking performance over the wide-area network (WAN) has become a critical component in the grid infrastructure. Unfortunately, many high-performance grid applications only use a small fraction of their available bandwidth because operating systems and their associated protocol stacks are still tuned for y...
Article
Full-text available
It is widely accepted that computer systems could be designed much more securely than they currently are, so why is it that quality does not seem to be improving? In this paper we will argue that security is being held back not by technical problems, but by social acceptance of network insecurity. We argue that only legal and economic systems such...
Article
Full-text available
With the advent of computational grids, networking performance over the wide-area network (WAN) has become a critical component in the grid infrastructure. Unfortunately, many high-performance grid applications only use a small fraction of their available bandwidth because operating systems and their associated protocol stacks are still tuned for y...
Article
Full-text available
Virtual supercomputing (i.e., high-performance grid computing) is poised to revolutionize the way we think about and use computing. However, the security of the links interconnecting the nodes within such an environment will be its Achilles heel, particularly when secure communication is required to tunnel through heterogeneous domains. In this...
Article
Full-text available
It is becoming increasingly common for network devices to handle packets based on the contents of packet payloads. Example applications include intrusion detection, firewalls, web proxies, and layer seven switches. This paper analyzes the problem of intrusion detection and its reliance on fast string matching in packets. We show that the problem ca...
Article
Full-text available
With the widespread arrival of bandwidth-intensive applications such as bulk-data transfer, multi-media web streaming and computational grids for high-performance computing, networking performance over the wide-area network has become a critical component in the infrastructure. Tragically, operating systems are still tuned for yesterday's WAN speed...
Article
Full-text available
The original design of TCP failed to support reasonable performance over networks with large bandwidths and high round-trip times. Subsequent work on TCP has enabled the use of larger flow-control windows, yet the use of these options is still relatively rare, because manual tuning has been required. Other work has developed means for avoiding this...
Chapter
As computer networks, specifically the Internet, become more and more integral to business and society, the performance and availability of services on the Internet become more critical. It is now a common need to provide a reliable network service to millions of Internet users and customers. The performance of these services is commonly a key fact...
Conference Paper
The areas of machine configuration and software package installation and maintenance have been frequent areas of work in recent years. This paper describes a hybrid system developed to address both problems and more. The resulting system is designed to reduce the complexity of the administration of a large network of computers down to that of the a...
Article
Full-text available
One of the design principles of the Internet is that the network is made more flexible, and therefore useful, by placing functionality in end applications rather than in network infrastructure. Network gateways that violate this principle are considered harmful. This paper demonstrates that such upper-level gateways exist because of realm-speci...
Article
We use network packet captures and flow data extensively for forensic analysis of traffic involving detected anomalies, detected signatures, and suspicious traffic identified through other means. Doing so requires a low-latency query interface that allows analysts to explore forensic data quickly and interactively with easy drilldown to additional cont...
Article
Application- and transport-layer gateways are considered harmful to the Internet since they hinder the operation of existing and new end-to-end protocols. A survey of such upper-level gateways shows that they exist because of realm-specific performance, security, and protocol needs of certain portions of the Internet. Expecting this realm-specific...


Projects (5)
Project
Application of machine learning to detecting and classifying malware
Project
Statistical and computational methods for identifying anomalous behavior in large dynamic multigraphs