Runtime Analysis of Whole-System Provenance

Thomas Pasquier, Xueyuan Han, Thomas Moyer, Adam Bates, Olivier Hermant, David Eyers, Jean Bacon, Margo Seltzer

Research output: Chapter in Book/Report/Conference proceedingConference Contribution (Conference Proceeding)

12 Citations (Scopus)
268 Downloads (Pure)

Abstract

Identifying the root cause and impact of a system intrusion remains a foundational challenge in computer security. Digital provenance provides a detailed history of the flow of information within a computing system, connecting suspicious events to their root causes. Although existing provenance-based auditing techniques provide value in forensic analysis, they assume that such analysis takes place only retrospectively. Such post-hoc analysis is insufficient for realtime security applications; moreover, even for forensic tasks, prior provenance collection systems exhibited poor performance and scalability, jeopardizing the timeliness of query responses. We present CamQuery, which provides inline, realtime provenance analysis, making it suitable for implementing security applications. CamQuery is a Linux Security Module that offers support for both userspace and in-kernel execution of analysis applications.We demonstrate the applicability of CamQuery to a variety of runtime security applications including data loss prevention, intrusion detection, and regulatory compliance. In evaluation, we demonstrate that CamQuery reduces the latency of realtime query mechanisms, while imposing minimal overheads on system execution. CamQuery thus enables the further deployment of provenance-based technologies to address central challenges in computer security.
Original languageEnglish
Title of host publicationCCS’18: 25th ACM Conference on Computer and Communications Security, October 15–19, 2018, Toronto, ON, Canada
PublisherAssociation for Computing Machinery (ACM)
Pages1601-1616
Number of pages16
ISBN (Print)9781450356930
DOIs
Publication statusPublished - 8 Oct 2018
Event25th ACM Conference on Computer and Communications Security - XHotel, Toronto, Canada
Duration: 15 Oct 201819 Oct 2018
https://www.sigsac.org/ccs/CCS2018/

Conference

Conference25th ACM Conference on Computer and Communications Security
Abbreviated titleCCS 2018
CountryCanada
CityToronto
Period15/10/1819/10/18
Internet address

Structured keywords

  • Cyber Security

Keywords

  • Whole-system Provenance
  • Information Flow Tracking
  • Graph Processing
  • Linux Kernel

Fingerprint Dive into the research topics of 'Runtime Analysis of Whole-System Provenance'. Together they form a unique fingerprint.

Cite this