I am a Program Director of systems security research in the Computer Science Laboratory at SRI International, and have been a Principal Investigator for many research projects sponsored by DARPA, DoD, NSF, NSA, and others. Currently, I am a Principal Investigator in a multi-organization NSF research project, entitled "Logic and Data Flow Extraction for Live and Informed Malware Execution." I am also the Principal Investigator of a large ARO-sponsored research program entitled Cyber-TA, which is developing new techniques to gather and analyze large-scale malware threat intelligence across the Internet. I have been an active researcher, publishing and conducting technology development in botnet and intrusion detection, alarm correlation, malware analysis, active networks, and wireless security. Previously, I was a manager in the Trusted Computer Systems Department of the Aerospace Corporation, where I was also an experienced trusted product evaluator for NSA (which includes security testing, risk assessment, and penetration testing of systems and networks). I've participated on numerous program committees and editorial boards, and on multiple commercial company technical advisory boards. I hold six U.S. patents, and have been awarded Best Paper honors in 1995, 1999, and 2008.
San Francisco Chronicle (10/08/2007)
Microsoft Certified Professional Magazine (09/2007)
ComputerWorld (09/28/2007)
Windows IT Professional Magazine (09/2007)
MSNBC (04/10/2008)
Information Security Magazine (3/202)
KTVU Channel 2 News (10/08/2007)
ZDNet (07/23/2008)
SecurityFocus (07/2008)
Silicon.com (07/2008)
Ars Technica (07/2008)
TechTarget (07/2008)
Security Focus [quoted] (04/2008)
Malware Threat Center - http://mtc.sri.com
Compendium Honeynet - http://www.cyber-ta.org/Honeynet
Highly Predictive Blacklists - http://www.cyber-ta.org/releases/HPB
BotHunter (detection software) - http://www.cyber-ta.org/BotHunter
Eureka Malware Analysis Service - http://eureka.cyber-ta.org
[pdf] P.A. Porras and R.A. Kemmerer, "Penetration State Transition Analysis - A Rule-Based Intrusion Detection Approach," in Proceedings of the Eighth Annual Computer Security Applications Conference, San Antonio, TX, pg. 220-229, November 1992.
[pdf] P.A. Porras, K. Ilgun, and R.A. Kemmerer, "State Transition Analysis: A Rule-Based Intrusion Detection Approach," in IEEE Transactions on Software Engineering, IEEE Press, New York, pg. 181-199, March 1995.
[pdf] P.A. Porras and P.G. Neumann, "EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances," in Proceedings National Information Systems Security Conference, NSA/NIST, Baltimore, MD, October 1997.
[pdf] P.A. Porras and A. Valdes, "Live Traffic Analysis of TCP/IP Gateways," in Proceedings of the Network and Distributed System Security Symposium (NDSS), Internet Society, San Diego, CA, March 11-13, 1998.
[pdf] U. Lindqvist, P.A. Porras, and M. Tyson, "Designing IDLE: The Intrusion Detection Library Enterprise," in Proceedings of the International Symposium on Recent Advances in Intrusion Detection (RAID), Louvain-la-Neuve, Belgium, September 14-16, 1998.
[pdf] P.G. Neumann and P.A. Porras, (Best Paper Award), "Experience with EMERALD to Date," in Proceedings of the 1st Usenix Workshop on Intrusion Detection and Network Monitoring, Santa Clara, CA, April 11-12, 1999.
[pdf] U. Lindqvist and P.A. Porras, "Detecting Computer and Network Misuse Through the Production-Based Expert System Toolset (P-BEST)", in Proceedings 1999 IEEE Symposium on Security and Privacy, Oakland, CA, May 9-12, 1999.
[pdf] U. Lindqvist and P. A. Porras, "eXpert-BSM: A Host-Based Intrusion Detection Solution for Sun Solaris," in Proceedings of the ACM Computer Security Applications Conference (ACSAC), New Orleans LA, November, 2001.
[pdf] P.A. Porras and R.A. Kemmerer, "Covert Flow Trees: A Technique for Identifying and Analyzing Covert Storage Channels," in Proceedings 1991 Symposium on Research in Security and Privacy, Oakland, CA, IEEE, New York, pg. 34-50, May 20-22, 1991.
[pdf] P.A. Porras and R.A. Kemmerer, "Covert Flow Trees: A Visual Approach to Covert Channel Analysis," in IEEE Transactions on Software Engineering, IEEE, New York, November 1991.
[pdf] O. Sibert, P.A. Porras, and R. Lindell, (Best Paper Award), "The Intel 80x86 Processor Architecture: Pitfalls for Secure Systems," in Proceedings 1995 Symposium on Research in Security and Privacy, Oakland, CA, IEEE Press, New York, May 8-10, 1995.
[pdf] O. Sibert, P.A. Porras, and R. Lindell, "An Analysis of the Intel 80x86 Security Architecture and Implementations," in IEEE Transactions on Software Engineering, IEEE Press, New York, Vol. 22, Issue 5, May 1996.
Network Management and Alarm Correlation
[pdf] L. Ricciulli and P.A. Porras, "ANCORS: An Adaptable Network Control and Reporting System," in Proceedings of the 1999 Conference on Integrated Network Management, Boston, February 1999.
[pdf] Livio Ricciulli, Phillip A. Porras, Patrick Lincoln, Pankaj Kakkar, Steven Dawson, "An Adaptable Network COntrol and Reporting System (ANCORS)," in Proceedings of the DARPA Active Networks Conference and Exposition, 2002.
[pdf] Phillip A. Porras, Martin W. Fong, Alfonso Valdes, "A Mission-Impact-Based Approach to INFOSEC Alarm Correlation," in Proceedings of the International Symposium on Recent Advances in Intrusion Detection, October 2002.
[pdf] Linda Briesemeister, Patrick Lincoln, and Phillip Porras, "Epidemic Profiles and Defense of Scale-free Networks," in Proceedings of the 2003 ACM Workshop on Rapid Malcode (WORM), ACM Press, October 2003.
[pdf] Linda Briesemeister and Phillip Porras "Microscopic Simulation of a Group Defense Strategy," in Proceedings of Workshop on Principles of Advanced and Distributed Simulation (PADS), Monterey CA, June 2005.
Privacy-Preserving Collaborative Systems
[pdf] P.D. Lincoln, P.A. Porras, V. Shmatikov, "Privacy-Preserving Sharing and Correlation of Security Alerts," in Proceedings of the USENIX Security Symposium, San Diego CA, August 2004.
[pdf] P.A. Porras and V. Shmatikov, "Large-Scale Collection and Sanitization of Network Security Data: Risks and Challenges," in Proceedings of the New Security Paradigms Workshop, Dagstuhl, Germany, September 2006.
[pdf] P.A. Porras, "Privacy-Enabled Global Threat Monitoring," IEEE Security and Privacy Magazine, Vol. 4, Issue 6, IEEE Press, November 2006.
[pdf] R. Sharykin and P.A. Porras, "Applying Formal Evaluation to Worm Defense Design," in Proceedings of the 26th International Performance Computing and Communications Conference, New Orleans LA, March 2007.
[pdf] P.A. Porras, L. Briesemeister, K. Skinner, K. Levitt, J. Rowe and A. Ting, "A Hybrid Quarantine Defense," in Proceedings of the ACM Workshop on Rapid Malcode (WORM 2004), October 29, 2004, George Mason University, Fairfax, Virginia, USA.
[pdf] L. Briesemeister and P.A. Porras, "Automatically Deducing Propagation Sequences that Circumvent a Collaborative Worm Defense," in Proceedings of Workshop on New Generations of Malware: Models, Analysis, and Counter Measures (Malware), April 2006.
[pdf] L. Briesemeister and P.A. Porras, "Formally Specifying Design Goals of Worm Defense Strategies," in Proceedings of the DETER Community Workshop on Cyber Security Experimentation and Testing, June 2006.
[pdf] L. Briesemeister, P.A. Porras, and A. Tiwari. Model Checking of Worm Quarantine and Counter-Quarantine under a Group Defense. Technical Report SRI-CSL-05-03, SRI International, Computer Science Laboratory, October 2005.
[pdf] J. Zhang, P. Porras, J. Ullrich, "A New Service for Increasing the Effectiveness of Network Address Blacklists," in Proceedings of the USENIX Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI'07), San Jose, CA, June 2007.
[pdf] J. Zhang and P. Porras, "Gaussian Process Learning for Cyber-Attack Early Warning," in Proceedings of SIAM International Conference on Data Mining (SDM), San Francisco CA, May 2008.
[pdf] J. Zhang and P. Porras and J. Ullrich, (Best Paper Award), "Highly Predictive Blacklisting," in Proceedings of USENIX Security Conference, San Jose CA, August 2008.
[pdf] R. Bajcsy, T. Benzel, M. Bishop, B. Braden, C.E. Brodley, S. Fahmy, S. Floyd, W. Hardaker, A. Joseph, G. Kesidis, K.N. Levitt, B. Lindell, P. Liu, D. Miller, R. Mundy, C. Neuman, R. Ostrenga, V. Paxson, P.A. Porras, C. Rosenberg, J.D. Tygar, S. Sastry, D.F. Sterne, S.F. Wu, "Cyber Defense Technology Networking and Evaluation," Communications of the ACM 47(3): 58-61 (2004).
[pdf] G. Gu, P.A. Porras, V. Yegneswaran, M. Fong, W. Lee., "BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation," in Proceedings of the 16th USENIX Security Symposium (Security'07), Boston, MA, August 2007.
[pdf] G. Gu, Z. Chen, P.A. Porras, W. Lee, "Misleading and Defeating Importance-Scanning Malware Propagation," in Proceedings of the 3rd International Conference on Security and Privacy in Communication Networks (SecureComm 2007), Nice, France, September 2007.
[pdf] P.A. Porras, H. Saidi, V. Yegneswaran, "A Multi-perspective Analysis of the Storm (Peacomm) Worm," SRI Technical Report, November 2007 [approx. 10K downloads to date. http://www.cyber-ta.org/pubs/StormWorm/].
[pdf] M. Sharif, V. Yegneswaran, H. Saidi, P.A. Porras, and W. Lee, "Eureka: A Framework for Enabling Static Malware Analysis," in Proceedings of the 13th European Symposium on Research in Computer Security, Malaga, Spain, October 2008.
[pdf] D. Nilsson, P.A. Porras, and E. Jonsson, "How to Secure Bluetooth-based Pico Networks," in Proceedings of the 26th International Conference on Computer Safety, Reliability, and Security (SAFECOMP 2007), Nuremberg, Germany, September 2007.
[pdf] P.A. Porras, Differentiating Features for the 2005 Enterprise WLAN Security Market. SRI Technical Report, March 2005.
[pdf] P.A. Porras, Security Features and Architectural Enhancements for Enterprise-Class WLAN Infrastructure Products. SRI Technical Report, March 2005.
[pdf] P.A. Porras, An Analysis of 802.11 Wireless Intrusion Detection - Capabilities, Limitations, and Current Directions. SRI Technical Report, January 2004.
National Computer Security Center, Final Evaluation Report of Gemini Computers Incorporated: Gemini Trusted Network Processor Release 1.01. Linthicum, MD, June 1995, NCSC-FER-94/34. (A1 Evaluation)
National Computer Security Center, Final Evaluation Report of Amdahl Corporation: UTS/MLS Release 2.1.5+. Linthicum, MD, May 1994, CSC-EPL-94/001. (B1 Evaluation)
National Computer Security Center, Final Evaluation Report of Tandem Computers Incorporated: Guardian 90 with Safeguard. Linthicum, MD, March 1994, CSC-EPL-93/001, No.07-94. (C2 Evaluation)
PRIORITIZING BAYES NETWORK ALERTS; Al Valdes, Martin Fong, and Phillip Porras. US Patent No. 7,379,993, 27 May 2008
APPLICATION-LAYER ANOMALY AND MISUSE DETECTION; Phillip Porras, Magnus Almgren, Ulf Lindqvist, and Steven Dawson. US Patent No. 7,143,444, 28 November 2006
NETWORK SURVEILLANCE; Phillip A. Porras and Alfonso Valdes. US Patent Application No. 6,711,615, March 23, 2004
NETWORK SURVEILLANCE; Phillip A. Porras and Alfonso Valdes. US Patent Application No. 6,708,212, March 16, 2004
NETWORK-BASED ALERT MANAGEMENT; Phillip A. Porras and Martin Fong. US Patent Application No. 6,704,874, March 9, 2004
HIERARCHICAL EVENT MONITORING AND ANALYSIS; Phillip A. Porras and Alfonso Valdes. US Patent Application No. 6,484,203, March 19, 2004
NETWORK SURVEILLANCE; Phillip A. Porras and Alfonso Valdes. US Patent Application No. 6,321,338, November 20, 2001
http://www.csl.sri.com/users/porras/
