Rob King

Describes how event correlation is critical for building an accurate picture of an organization's security posture. Discusses the challenges of building accurate and efficient engines, and provides a brief survey of the state of the art. Introduces the Giles production system compiler and describes how it may be used to build powerful embedded event correlation engines.

Describes the Giles event correlation engine compiler. The compiler creates embedded event correlation engines and production systems by creating database schemas implementing these engines. This article introduces the compiler, its uses, and some details of its implementation and performance.

Provided an overview of a novel web application framework that I designed. The framework was based around the creation of a parsing framework running entirely in-browser that defined a declarative and functional programming language that was a superset of XHTML. The framework functions by the evaluation of expressions which, as side effects, render pages and respond to user input.

The framework involved the creation of a complete parsing framework, compiler, and virtual machine, as well… Show more

Provided an overview of a novel web application framework that I designed. The framework was based around the creation of a parsing framework running entirely in-browser that defined a declarative and functional programming language that was a superset of XHTML. The framework functions by the evaluation of expressions which, as side effects, render pages and respond to user input.

The framework involved the creation of a complete parsing framework, compiler, and virtual machine, as well as the creation of a complete programming language. Show less

Described the implementation of the SCREAM technique I developed at TippingPoint, which in addition to being interesting from an information security standpoint also offered a real-world example of an unusual use of Erlang.

Presented by special invitation several times, including to the United States Army (other agencies attending), the IEEE Joint Communications and Signal Processing Texas Chapter, and the University of Texas at Austin IEEE Student Chapter. This talk described mechanisms for static analysis and transformation of regular expressions to match the original input when that input has been encoded using various schemes. These techniques allowed the development of low-level traffic analysis and… Show more

Presented by special invitation several times, including to the United States Army (other agencies attending), the IEEE Joint Communications and Signal Processing Texas Chapter, and the University of Texas at Austin IEEE Student Chapter. This talk described mechanisms for static analysis and transformation of regular expressions to match the original input when that input has been encoded using various schemes. These techniques allowed the development of low-level traffic analysis and data-mining signatures that could work on encoded data without first decoding it, for use in environments where decoding is impossible or expensive. Show less

Served as co-editor for four years for one of the largest information security newsletters in the industry, read by over 250,000 subscribers weekly.

Served as contributor and co-editor for several of the yearly editions of the SANS Top-20 state-of-the-industry publications.

A joint presentation with Rohit Dhamankar, this is a two-day class presented four times at Black Hat USA and once at SANS Network Security, detailing how to perform live network traffic analysis, protocol decoding, and penetration testing to detect attacks and vulnerabilities, and then how to develop signatures for various network intrusion prevention systems to prevent these attacks.

Presented at both Black Hat USA and ShmooCon, this talk describes research into detecting what clear-text protocol is encrypted, using still visible attributes like packet size and inter-packet delay.