For Eric Pauley PhDx’25, Outstanding Graduate Student Research Award is just the beginning

It’s a manifestation of the opportunities that have been available to me with Wisconsin and CDIS,” says Pauley. “Since moving here, I’ve just been inspired.”

By Rachel Robey

Recently, Eric Pauley PhDx’25 received the Department of Computer Sciences’ 2024 Graduate Student Research Award. Presented annually, the award distinguishes a student whose research contributions stand out in both quality and impact. Advised by Patrick McDaniel, Pauley researches cloud security by identifying new vantage points from which to measure—and protect against—the most sophisticated attacks occurring on public clouds.

Eric Pauley PhDx’25

“Receiving the Graduate Student Research Award makes me feel really fortunate to work with my advisor,” says Pauley, who moved with McDaniel from Penn State to UW–Madison in 2022. “He always promises that if you stay the course and trust his judgment, it’ll pay off.”

“Eric is one of the most innovative and insightful students I’ve ever worked with,” says McDaniel, who’s worked with Pauley for eight years. “His work here at the University of Wisconsin will have a lasting impact on the field of cybersecurity. His dissertation in particular has redefined the way the technical community identifies and characterizes adversaries on the internet.” 

A pervasive security risk on public clouds

Pauley’s research focuses on public clouds: shared hosting environments run by just a handful of massive companies (like Amazon, Google, IBM, Oracle, and so on). Clouds, which offer computing services for the cost of rent, have “altered the fundamental structure of the Internet” over the past 10–15 years, says Pauley. Widely used across the globe, the cloud is where the likes of banks, hospitals, hedge funds, and universities all store their data. 

Before clouds, security experts ran their own servers in data centers—these were called “honeypots”—and measured incoming attacks to gain intelligence. With research collaborators, Pauley built “a new kind of honeypot” that’s deployed on the Amazon Web Services (AWS) cloud and indistinguishable from real cloud customers. They called it DScope: a cloud-native internet telescope. 

DScope is operated by the Security and Privacy Research Group (MadS&P) and funded by grants from the National Science Foundation (NSF). It’s how Pauley, McDaniel, and close collaborator Paul Barford (“A pioneer in the field of Internet measurement and an absolute privilege to work with on this!” says Pauley) were able to diagnose the real problem: a mismanagement of configuration on public clouds causing businesses to send information to the wrong place.

According to Pauley, between 10 and 15% of the top 1,000 organizations “have some known vulnerability in this space.” The implications of this are staggering: data related to high stakes mergers and acquisitions may leak from a major financial institution, while a healthcare organization unknowingly sends HIPAA-protected information to random cloud users. 

Both are real examples from Pauley’s research.

“We can’t just fix this problem generally, so it’s an ongoing effort to increase awareness and advocate to cloud providers to improve best practices so organizations don’t fall into these traps,” he says. To do so, Pauley—already an entrepreneur through Sendtric, a company he co-founded and recently sold—co-founded DScope Security with McDaniel and Barford as a way to offer real-time intelligence and support to companies that need it.

Providing solutions through entrepreneurship 

Because the problem is an issue of configuration, cloud providers can only do so much, even as Pauley provides data and direct feedback on his findings. As DScope Security, which offers “cloud-based threat intelligence services,” he can step in almost like a technician, offering real security to companies at risk of this incredibly pervasive vulnerability.

Unfortunately, the vulnerability is widely abused, too: due to the rise of automation, it’s cheap for adversaries to cast these extremely broad nets of attack. Predictably, larger organizations storing more “valuable” information may receive targeted attacks, too. 

As part of a pilot study DScope is conducting with the University of Wisconsin, the team provides sometimes weekly feedback to keep the University more secure. “And that’s not to say that UW does a bad job with security—in fact, the University does a really good job,” Pauley explains. “It’s just that as organizations increase in size and include ever more diverse sets of people managing infrastructure, these vulnerabilities will inevitably appear.”

But with DScope, Pauley’s team is able to detect whenever a user makes a mistake—and then correct it before the attackers are able to exploit it. 

“It’s a manifestation of the opportunities that have been available to me with Wisconsin and CDIS,” says Pauley. “Since moving here, I’ve just been inspired.”

Congratulations again to Pauley on receiving this well-deserved honor, and to all the collaborators involved!