Douglas B. Moran

Table of Contents

• Employment History
• Computer Security Activities
• Publications: http://dbmoran.users.sonic.net/dougmoran-com/dmoran/publications.html
• Education
• Professional Societies
• Other Activities

Employment History

Present: retired

April 2004 - 2007 : Independent security consultant.

May 2003 - March 2004 : PacketMotion, Inc : a computer security startup.

Funded January 2004 by ONSET Ventures and Mohr, Davidow Ventures.

September 2001 - May 2003: Independent consultant.

Evaluation of massively distributed multiagent system; Computer security component of IT proposal for developing country; Participant in several potential startups; Other projects, reports and proposals.

May 1999 - August 2001: Recourse Technologies, Inc.

A start-up developing computer security software for Threat Management. Acquired by Symantec in August 2002. Products: ManTrap (a honeypot), ManHunt (Intrusion Detection and DDoS response), and TipOff (forensics, not released).

Title: Vice President, Research and Development

• Early employee (#4), with consequent contributions to early growth of company.
• System architect and lead programmer for the TipOff product. TipOff was based on the approach that I developed under the DERBI project at SRI. System was terminated in response to the recession — had just entered testing.
  Patents:
  1. 6,647,400: System and method for analyzing filesystems to detect intrusions
  2. 6,826,697: System and method for detecting buffer overflow attacks
  3. 6,996,843 System and method for detecting computer intrusions
  4. 7,032,114 System and method for using signatures to detect computer intrusions
  5. 7,065,657 Extensible intrusion detection system
  6. 7,085,936 System and method for using login correlations to detect intrusions
  7. 7,203,962 & 8578490 System and method for using timestamps to detect attacks
• Supported the development of the other products, primarily in requirements, testing and evaluation. Used contacts to acquire sophisticated test data sets that found bugs not exercised by the existing testing.
• Supported the marketing activities for the company and the individual products. Wrote the basic whitepapers for both ManTrap and ManHunt and both of the company's published papers. Assisted Marketing Communications by identifying themes that would appeal to journalists and by translating technical details into appropriate descriptions and analogies. Significant contributor to the company's basic positioning.
• Supported sales by aggressively evangelizing the products to my contacts, many of whom were in the position of "evaluators" or "influencer." with resulting sales.
• Created and championed a plan to greatly expand the market for the ManTrap product by making it practical and useful to deploy more and larger clusters of them. Was pursuing government funding for much of this work.

1983-1999: SRI International (formerly Stanford Research Institute)

Note: At SRI, researchers routinely work on multiple projects, with senior staff having leadership/management roles on their primary projects.

Title: Senior Computer Scientist

Departments:

• 1987-1999: Artificial Intelligence Center: widely regarded as a world class research group in AI
• 1986-1987: Cambridge (England) Computer Science Research Centre: Co-founder of SRI's first non-US research facility (others: Dr. Robert C. Moore, subsequently of Microsoft Research and Dr. Hiyan Alshawi, subsequently of Google Research).
• 1983-1986: Telecommunications Sciences Laboratory

Projects

• Three of these projects are listed in SRI's Timeline of Innovations: Inventing the future for more than 55 years (circa early 2000s): OAA and SLS (as part of "Speech Recognition") in the 1990's (2 of 33 listings), and CCWS (for "Multimedia Electronic Mail System") in the 1980's (1 of 16 listings).
• 1996-1999: Diagnosis, Explanation and Recovery from Break-Ins (DERBI): A host-based intrusion detection system (HIDS) that assumed an out-of-the-box configuration (no special tools or settings). In DARPA IDS Evaluations (1998 and 1999), it used only end-of-day dumps as its data, but its performance was comparable to HIDS that used full real-time auditing data (Sun's BSM). Although it was also applicable to realtime and near-realtime detection, DERBI focused on after-the-fact detection. To overcome the intruder's attempts to camouflage his presence and actions, DERBI used information from a wide range of sources to identify likely times and elements of the intrusion, and then use that information to identify additional elements that could be part of the intrusion.
  • I created the project and obtained funding (DARPA), and then was system architect, lead programmer and project leader. Team of 3-6.
  • Final Report: http://dbmoran.users.sonic.net/dougmoran-com/dmoran/PAPERS/DerbiFinal.pdf
• 1994-1998: Open Agent Architecture™ (OAA). A distributed multi-agent system that focused on rapid assembly of new systems from existing applications. Included a multimodal user interface (speech, natural language, gesture and WIMPS). It was inspired by the experiences of the ShopTalk project (below).

  The focus was facilitating the creation of systems from components that were not intended to work together by providing a significantly higher level of abstraction than that found in objected-oriented methodologies and Object Request Brokers. An SDK simplified "wrapping" existing (legacy) applications to transform them into OAA agents. The UI was implemented with agents for each supported modality, with multiple alternatives for most modalities. Because the UI was implemented with agents, the user appeared to be just another agent to the rest of the application, eliminating the need for the non-UI agents to differentiate between interactions with the user vs. automated agents.

  • Co-founder, subsequently Project Leader/Supervisor for suite of related projects. Team of 3-7 SRI staff, plus 1-4 visitors from sponsors (primarily Japanese and Korean).
  • Focused on management, marketing, sales, and customer relations, winning contracts from a range of clients (government and commercial, US and international).
  • Formulated technical requirements and approaches, but being the only senior staff member, I had to forgo participating in the implementation.
  • Honed the marketing message (presentation and demonstration) and technology to the extent that the OAA became one of SRI's "Top 10" technologies. My ability to quickly customize the presentation to a particular client or audience resulted in it being heavily used to promote SRI in general, including a presentation to a head-of-state.
  • The success of the OAA design and implementation was testified to by its incorporation into a range of other SRI systems.
  • One of featured projects in "Computing Goes Everywhere:: The dream of ‘ubiquitous computing’ has been around for a while. Now it's serious enough that a company like IBM is willing to throw $500 million at it.", by Robert Buderi, Technology Review magazine, January 1, 2001.
  • Videos at http://www.ai.sri.com/~oaa/distrib.html#videos.
  • Patent 6,859,931: Extensible software-based architecture for communication and cooperation within and between communities of distributed agents and distributed objects
  This research became a core technology of the DARPA CALO research program. It was subsequently spun-off into a start-up that was purchased by Apple and became their SIRI intelligent assistant.
• 1985-1992: ShopTalk: An evolving series of research prototypes that demonstrated the effectiveness of multimodal user interfaces. The user interface provide transparent, integrated access to multiple applications, for example, processing a query could involve combining historical data from a database with projected results from a simulator. This project arose from the merger of two related activities: a colleague's established marketing activity and my robust implementation of a prototype containing many of those ideas (as part of the CCWS project (below)).
  • Deputy project leader, focusing on internal activities: lead programmer and researcher. Team of 4-8.
  • Substantial contribution to marketing activities: Created and customized presentations and demonstrations, presenting part or all to many audiences.
• 1987-1994: Spoken Language Systems: The Gemini system was based on the CLE system (below), re-implementing many of the algorithms thereby allowing application of "lessons learned" and design changes to better accommodate integration with existing speech recognizers.
  • Researcher and developer focusing on the integration of speech recognition and natural language understanding technologies. The speech recognizer generated a large weighted set of possible word sequences, but the initial Gemini system expected a single input and produced an ordered (but unweighted) list of results.
• 1986-1987: Core Language Engine (CLE): A highly capable natural language processing system that integrated promising new technologies and approaches while applying the lessons learned from earlier large-scale systems.
  • Researcher and developer, contributing to the development of the overall system, with primary responsibility for the pragmatics component (quantifier scoping).
• 1986-1988: Delphi: course-grained OR-parallelism in logic programs.
• 1983-1986: Command & Control Workstation (CCWS): Design and implement multimedia mail and multimodal conferencing applications. System was installed on an aircraft carrier (USS Carl Vinson) and used during an operational deployment.
  • Project leader (replacing original) for a team of 6-7.
  • Designer and implementer of automated agent in the conferencing system that added graphical information to the conference workspace using spoken language access to databases.
  • Developed a commercial quality GUI toolkit. A software vendor (Quintus Computer Systems, acquired by Avaya 4/2001) explored licensing it for sale, and although it was judged to be technically superior (functionality, maturity, stability), they chose to license one of the alternatives for unspecified "business reasons."
• Computer Facility (1983-1994) (part-time): This activity provided the practical experience that led to the DERBI project and the TipOff product (above).
  • Developed extensive collection of tools to simplify the administration of a rapidly growing computer facility. The initial set of processes and tools was designed for my project's Sun workstations, but they were so successful that other projects arranged to have their computer become part of my cluster, resulting in my becoming manager for all the department's Suns. The Sun cluster scaled from an initial 4 workstations to 60 without an increase in support staff.

1980 - 1983: Oregon State University, Assistant Professor in Dept. of Computer Science.

• Teaching effectiveness: During those 3 years, my primary undergraduate programming course grew from an initial enrollment of 50 to 400, with a substantial wait-list.
• Computer facility: As part of the move of the department to a different building, I supervised construction of computer rooms and upgrade and expansion of the computer equipment.

1974 - 1979: The University of Michigan (Ann Arbor), Department of Computer and Communication Sciences

• Teaching Assistant: Head TA for the second course on programming. Taught recitation sections for that course and others.
• Research Assistant: Transformed an abstract system based on formal logic into a computationally viable system, and in the process unified what had been distinct components.

  Details: I was responsible for the semantic component of a project that produced a computationally viable version of a sophisticated formal linguistic theory. The semantics were based on formal mathematical models, and the smallest non-trivial model for the basic theory had (2^2^523) elements, but only tens of those elements were actually used. I developed a system that allowed the models to be incrementally built and used without introducing inconsistencies. This system was subsequently used a several universities as both a teaching and research tool.

  As part of this work, I recognized that the linguistic phenomena that had been described as a separate topic could be unified with semantics as a side-effect of a process-oriented treatment: the sentence being processed could add information to the knowledge base (the model) and consistency checks on the new information needed to be performed "on the fly."

• President of the Graduate Employees Organization (1976). The GEO represented the 2100 graduate students working as teaching, research and staff assistants. Learned meeting management skills and honed advocacy writing.

Computer Security Activities

My introduction to computer security came as a side-effect of my managing a computer facility. Through the early 1990's, SRI was a high-profile site on the Internet and hence was a frequent target for hackers. Diagnosing and tracking back attacks was labor-intensive, and hence slow. Too often the trail would go cold because of the substantial delays in tracking an attack through even a small number of sites. The DERBI research project resulted from the realization that a large portion of this process could be automated, making diagnosis and trackback more effective (faster and more accurate). I then joined Recourse Technologies to commercialize this approach.

Representative sample of activities in this area:

1. Manual trackback of attacks (most of my activity)
   • Wrote an extensive collection of tools to simplify the administration of the computer cluster. These tools provided notification of inconsistencies, developing problems and other anomalous situations, and, as a side-effect, revealed a variety of probes and attacks (both attempted and successful). My successor stated that the most important lesson I taught him was "Good system administration is good security, and vice versa."
   • Aggressively pursued evidence of hacker activity. We collected evidence of attacks, analyzed it and reported the results. We contacted sites that the attacker was using to launch attacks and passed on our knowledge of the attacker's tools and techniques.

     We decided to not ignore probes and unsuccessful attacks because our group had collaborative relationship with organizations with poor security practices: By taking countermeasures against attackers we would somewhat decrease the probability of those other sites being compromised, which would in turn decrease the risk of one of those sites being used to compromise ours.

   • Established a reputation for quickly detecting hacker activity that had gone unnoticed in other parts of the company. Became lead for company-wide computer security activities.
   • Most notable instance: In August 1993, we detected an early instance of Rootkit. We captured much of the toolkit, including the sniffer. We tracked back the attacks to other compromised sites and worked with them to extend the trackback. We were extremely alarmed to find attempts against hosts that were two of the root name servers. We notified CERT and worked with the FBI. The FBI told us they thought they had identified the culprit, and asked us not to go public while they investigated. I wrote and distributed a sniffer-detector to affected sites and to CERT. Based on my information to New York Times reporter John Markoff, the story Computer Insecurity On the Rise (November 1) about thousands of computers that had been compromised by this attack. Aside: CERT did not release an advisory (CA-1994-01) until February 3, and it contained a sniffer detector similar to the one I had provided to them.
     We received no public credit, although from everything I could determine, we were the first to report this attacker.
2. Interaction with CERTs and law enforcement agencies
   • Reports and follow-up of attacks (above)
   • Comments on requirements and effectiveness
     • Critique of that became part of documentation for the need for CERT (below)
     • Critiques on non-responsiveness of CERT, for example, "security incident" handling -- comments on CERT's policy from Risks Digest, 15, 18 (27 October 1993) (http://catless.ncl.ac.uk/Risks/15.18.html#subj6.1)
3. Expert consultant and witness
   • 1999: Consultant for attorney for corporation (defendant) in suit claiming unwarranted disciplinary action based upon allegation of computer misuse.
   • 1996: Consultant and witness for San Mateo District Attorney. A system administrator fabricated evidence of misconduct by his supervisor, causing him to be fired. Featured in a page 1 story in the October 11, 1997 Washington Post: "Mainframed: Computers Become a Weapon in Office Warfare" (by John Boudreau).
   • 1996: Consultant for San Mateo District Attorney. Provided independent assessment of data being provided by a corporation's system administrators as evidence in a felony case.
   • 1993: Consultant for Santa Clara District Attorney. Defendant pleaded guilty.
   • Consultant for attorney for a student charged by his university with hacking university computers and a corporate network. Charges were dismissed.
4. Reports and other feedback on security problems to vendors.
   • Example: REXD (1987): First report of vulnerability to Sun. Provided a demonstration of its severity that motivated Sun to deactivate this server in subsequent releases.
   • Morris Worm follow-up (1988): Authored summary of pattern of known vulnerabilities being allowed to persist from release to release. Sent as letter by SRI CEO to Sun CEO (McNealy). Was also used by DARPA (Bill Sherlis) as part of the justification for the creation of CERT.
5. Public distribution of patches and scripts for various vulnerabilities and configuration problems. Except for the simplest cases, we worked through an intermediary, such as the vendor or CERT, because we lacked the resources needed for answering questions and the other inevitable follow-up. Most visible examples of these distributions:
   • TFTP CHROOT patch for SunOS (1986): subsequent SunOS release incorporated the CHROOT capability.
   • Anonymous FTP installation script automating extended sequence of steps described in manual. Modified version subsequently distributed by CERT.

Areas of Technical Expertise

• Computer Security, Multi-agent Systems, Artificial Intelligence, Natural Language Processing
• Primary programming languages: C, Prolog
• Primary scripting languages: PERL and various UNIX languages (shells, awk, sed, ...)
• Operating Systems:
  • UNIX & variants:
    • System programmer (non-kernel), system administrator, expert user
    • UNIX: from V7 to BSD 4.x to SunOS 0.7 to SunOS 5.8 (Solaris 8)
    • Linux: from RedHat 5.2
    • Limited usage of other variants
  • Microsoft Windows: advanced user (W95, W98, NT, W2000 Professional)

Education

University of Massachusetts (Amherst),

Fellow, A.P. Sloan Foundation grant for Interdisciplinary Studies in Cognitive Sciences in Dept. of Linguistics and Dept. of Computer and Information Sciences.

The University of Michigan (Ann Arbor),

M.S. and Ph.D. from the Dept. of Computer and Communication Sciences.

Concentration: Artificial Intelligence and Computational Linguistics

Dissertation: Model-Theoretic Pragmatics: Dynamic Models and an Application to Presupposition and Implicature

Massachusetts Institute of Technology,

Bachelor of Science from the Computer Science program in the Dept. of Electrical Engineering (VI-3).

Professional Societies

Former/Retired member of:

• American Association for Artificial Intelligence (AAAI)
• Association for Computing Machinery (ACM)
• IEEE and IEEE Computer Society

Other Activities

1994-2013: Neighborhood Association: Barron Park, Palo Alto (approx 1600 households): various roles, including President, e-mail list manager and co-webmaster

Other formats and additional information: see http://dbmoran.users.sonic.net/dougmoran-com/dmoran/.
A short version of this resume is available, as well as some additional detail.