Research
My research confronts issues of security, privacy, and transparency in a broad range of computer systems and applications.
Some recent research themes:
Understanding SOC Phenomena
Modern Security Operation Centers (SOCs) deploy dozens of products so that analysts can monitor
the organization from different perspectives for evidence of attack.
Why, then, is news of another massive incident or breach a weekly occurrence?
This failure is the result of a constellation of
limitations in cybersecurity software that ultimately outsources the hardest work to the cognitive
capabilities of human analysts.
Recognizing SOCs as complex sociotechnical systems, my recent work has attempted to directly measure SOC phenomena with the eventual goal of designing and validating effective interventions.
Recent Papers:
- Muhammad Adil Inam, Jonathan Oliver, Raghav Batta, and Adam Bates.
Carbon Filter: Scalable, Efficient, and Secure Alert Triage for Endpoint Detection & Response.
28th International Symposium on Research in Attacks, Intrusions and Defenses. Gold Coast, Australia. October 19, 2025.
- Apurva Virkud, Muhammad Adil Inam, Andy Riddle, Jason Liu, Gang Wang, and Adam Bates.
How does Endpoint Detection use the MITRE ATT&CK Framework?
33rd USENIX Security Symposium (Security'24). Philadelphia, PA, USA. August 14, 2024.
Detecting and Investigating Intrusions
Our research also seeks to empower SOC analysts by improving the ways in which we audit computers,
allowing them to understand and react to attacks before serious damage is inflicted.
My earliest and ongoing contributions to this
space attempt to directly address the shortcomings of security products through provenance analysis.
Data Provenance is a transformation that can be performed on a time-series of
log events to surface causal interdependencies.
For endpoint events comprised of tuples,
processes and objects become vertices in a graph while operations become directed edges that
indicate the flow of information.
The graph can then be used to produce causal explanations
of inter-process workflows, such as identifying the root causes of an event. This straightforward
procedure is nonetheless revolutionary when applied to security operations, as today’s products
examine processes, endpoints, and users in isolation without consideration for their interrelationships.
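The transformation described above, as an added example (not code from any of the papers listed here). It assumes each event is a `(time, process, operation, object)` tuple with the operation names shown; the sample events are constructed. The backward trace follows only flows that occurred at or before the event that depends on them.

```python
from collections import defaultdict

# Constructed sample events (not from a real log): (time, process, operation, object).
EVENTS = [
    (1, "sshd", "recv", "socket:203.0.113.7:22"),
    (2, "sshd", "fork", "bash"),
    (3, "bash", "read", "/etc/passwd"),
    (4, "cron", "fork", "backup.sh"),
    (5, "backup.sh", "read", "/var/db/app.sqlite"),
    (6, "bash", "write", "/tmp/out.tgz"),
    (7, "bash", "fork", "curl"),
    (8, "curl", "read", "/tmp/out.tgz"),
    (9, "curl", "send", "socket:198.51.100.9:443"),
    (10, "backup.sh", "write", "/tmp/out.tgz"),  # after curl's read: not causal
]

# Assumed operation names for which information flows from the object into the process.
INBOUND = {"read", "recv"}

def build_graph(events):
    """Return {vertex: [(source, time, op), ...]}, the incoming edges of each vertex."""
    incoming = defaultdict(list)
    for ts, proc, op, obj in events:
        src, dst = (obj, proc) if op in INBOUND else (proc, obj)
        incoming[dst].append((src, ts, op))
    return incoming

def backtrace(incoming, vertex, at_time):
    """Walk edges backward from (vertex, at_time), keeping only earlier flows.

    Returns (ancestry, roots): ancestry is a set of (src, op, dst, time) edges,
    roots are vertices reached at a time when nothing had yet flowed into them.
    """
    ancestry, roots, seen = set(), set(), set()
    stack = [(vertex, at_time)]
    while stack:
        state = stack.pop()
        if state in seen:
            continue
        seen.add(state)
        v, bound = state
        preds = [(s, t, op) for s, t, op in incoming.get(v, []) if t <= bound]
        if not preds:
            roots.add(v)
        for s, t, op in preds:
            ancestry.add((s, op, v, t))
            stack.append((s, t))
    return ancestry, roots
```

Tracing back from `socket:198.51.100.9:443` at time 9 ties the outbound transfer to the inbound SSH connection, while the unrelated `cron` activity, including its later write to the same file, stays out of the explanation.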
Recent Papers:
- Jason Liu, Adil Inam, Akul Goyal, Andy Riddle, Kim Westfall, and Adam Bates. What We Talk About When We Talk About Logs: Understanding the Effects of Dataset Quality on Endpoint Threat Detection Research. 46th IEEE Symposium on Security and Privacy (S&P'25). San Francisco, CA, USA. May 12, 2025.
- Akul Goyal, Gang Wang, and Adam Bates. R-CAID: Embedding Root Cause Analysis within Provenance-based Intrusion Detection. 45th IEEE Symposium on Security and Privacy (S&P'24). San Francisco, CA, USA. May 20, 2024.
- Akul Goyal, Xueyuan Han, Gang Wang, and Adam Bates. Sometimes, You Aren't What You Do: Mimicry Attacks against Provenance Graph Host Intrusion Detection Systems. 30th ISOC Network and Distributed System Security Symposium (NDSS'23). San Diego, CA, USA. February 27, 2023.
- Muhammad Adil Inam, Yinfang Chen, Akul Goyal, Jason Liu, Jaron Mink, Noor Michael, Sneha Gaur, Adam Bates, and Wajih Ul Hassan. SoK: History is a Vast Early Warning System: Auditing the Provenance of System Intrusions. 44th IEEE Symposium on Security and Privacy (S&P'23). San Francisco, CA, USA. May 22, 2023.
Consumer Device Security
Spanning smart phones and the Internet of Things, consumer-oriented computing devices are diverse and pervasive.
While these technologies create unprecedented opportunity for innovation,
they also expose novel attack surfaces that must be better understood in order to provide adequate protection to end users.
Our work in this space is twofold:
first, to reason about the security challenges created by consumer devices,
but also to identify ways in which these technologies can be leveraged to address the broader goals of computer security.
Recent Papers:
- Wajih Ul Hassan, Saad Hussain, and Adam Bates. Analysis of Privacy Protections in Fitness Tracking Social Networks -or- You can run, but can you hide? USENIX Security Symposium, August 2018.
- Deepak Kumar, Riccardo Paccagnella, Paul Murley, Eric Hennenfent, Joshua Mason, Adam Bates, and Michael Bailey. Skill Squatting Attacks on Amazon Alexa. USENIX Security Symposium, August 2018.
- Qi Wang, Wajih Ul Hassan, Adam Bates, and Carl Gunter. Fear and Logging in the Internet of Things. ISOC Network and Distributed System Security Symposium (NDSS), February 2018.
Network & Communications Security
An increasing proportion of the global economy is dependent on the security of network communications and infrastructures. Unfortunately, these security properties are violated with alarming frequency due to implementation errors or developer confusion, or because systems are used in unanticipated ways. This research seeks to better understand this breakdown between theory and practice, and identify ways to restore correct functionality in vulnerable networked systems.
Recent Papers:
- Pubali Datta, Isaac Polinsky, Muhammad Adil Inam, Adam Bates, and Will Enck. ALASTOR: Reconstructing the Provenance of Serverless Intrusions. USENIX Security Symposium. August 2022.
- Benjamin E. Ujcich, Samuel Jero, Richard Skowyra, Adam Bates, William H. Sanders, and Hamed Okhravi. Causal Analysis for Software-Defined Networking Attacks. USENIX Security Symposium. August 2021.
- Arnav Sankaran, Pubali Datta, and Adam Bates. Workflow Integration Alleviates Identity and Access Management in Serverless Computing. Annual Computer Security Applications Conference (ACSAC). December 2020.
- Pubali Datta, Prabuddha Kumar, Tristan Morris, Michael Grace, Amir Rahmati, and Adam Bates. Valve: Securing Function Workflows on Serverless Computing Platforms. The Web Conference (WWW). April 2020.
- Benjamin E. Ujcich, Samuel Jero, Anne Edmundson, Qi Wang, Richard Skowyra, James Landry, William H. Sanders, Cristina Nita-Rotaru, and Hamed Okhravi. Cross-App Poisoning in Software-Defined Networking. ACM Conference on Computer and Communications Security (CCS), October 2018.