Runtime Analysis of Whole-System Provenance

Thomas Pasquier; Xueyuan Han; Thomas Moyer; Adam Bates; Olivier Hermant; David Eyers; Jean Bacon; Margo Seltzer

doi:10.1145/3243734.3243776

Runtime Analysis of Whole-System Provenance

Thomas Pasquier, Xueyuan Han, Thomas Moyer, Adam Bates, Olivier Hermant, David Eyers, Jean Bacon, Margo Seltzer

Department of Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference Contribution (Conference Proceeding)

64 Citations (Scopus)

524 Downloads (Pure)

Abstract

Identifying the root cause and impact of a system intrusion remains a foundational challenge in computer security. Digital provenance provides a detailed history of the flow of information within a computing system, connecting suspicious events to their root causes. Although existing provenance-based auditing techniques provide value in forensic analysis, they assume that such analysis takes place only retrospectively. Such post-hoc analysis is insufficient for realtime security applications; moreover, even for forensic tasks, prior provenance collection systems exhibited poor performance and scalability, jeopardizing the timeliness of query responses. We present CamQuery, which provides inline, realtime provenance analysis, making it suitable for implementing security applications. CamQuery is a Linux Security Module that offers support for both userspace and in-kernel execution of analysis applications.We demonstrate the applicability of CamQuery to a variety of runtime security applications including data loss prevention, intrusion detection, and regulatory compliance. In evaluation, we demonstrate that CamQuery reduces the latency of realtime query mechanisms, while imposing minimal overheads on system execution. CamQuery thus enables the further deployment of provenance-based technologies to address central challenges in computer security.

Original language	English
Title of host publication	CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
Subtitle of host publication	Toronto, Canada (2018)
Publisher	Association for Computing Machinery (ACM)
Pages	1601-1616
Number of pages	16
ISBN (Print)	9781450356930
DOIs	https://doi.org/10.1145/3243734.3243776
Publication status	Published - 8 Oct 2018
Event	25th ACM Conference on Computer and Communications Security - XHotel, Toronto, Canada Duration: 15 Oct 2018 → 19 Oct 2018 https://www.sigsac.org/ccs/CCS2018/

Conference

Conference	25th ACM Conference on Computer and Communications Security
Abbreviated title	CCS 2018
Country/Territory	Canada
City	Toronto
Period	15/10/18 → 19/10/18
Internet address	https://www.sigsac.org/ccs/CCS2018/

Research Groups and Themes

Cyber Security

Keywords

Whole-system Provenance
Information Flow Tracking
Graph Processing
Linux Kernel

Access to Document

10.1145/3243734.3243776

Full-text PDF (accepted author manuscript)
This is the author accepted manuscript (AAM). The final published version (version of record) is available online via ACM at https://dl.acm.org/citation.cfm?doid=3243734.3243776 . Please refer to any applicable terms of use of the publisher.
Accepted author manuscript, 1.2 MB

Handle.net

Persistent link

Cite this

@inproceedings{d8ce031bfa854242afc0c14dae25d477,

title = "Runtime Analysis of Whole-System Provenance",

abstract = "Identifying the root cause and impact of a system intrusion remains a foundational challenge in computer security. Digital provenance provides a detailed history of the flow of information within a computing system, connecting suspicious events to their root causes. Although existing provenance-based auditing techniques provide value in forensic analysis, they assume that such analysis takes place only retrospectively. Such post-hoc analysis is insufficient for realtime security applications; moreover, even for forensic tasks, prior provenance collection systems exhibited poor performance and scalability, jeopardizing the timeliness of query responses. We present CamQuery, which provides inline, realtime provenance analysis, making it suitable for implementing security applications. CamQuery is a Linux Security Module that offers support for both userspace and in-kernel execution of analysis applications.We demonstrate the applicability of CamQuery to a variety of runtime security applications including data loss prevention, intrusion detection, and regulatory compliance. In evaluation, we demonstrate that CamQuery reduces the latency of realtime query mechanisms, while imposing minimal overheads on system execution. CamQuery thus enables the further deployment of provenance-based technologies to address central challenges in computer security.",

keywords = "Whole-system Provenance, Information Flow Tracking, Graph Processing, Linux Kernel",

author = "Thomas Pasquier and Xueyuan Han and Thomas Moyer and Adam Bates and Olivier Hermant and David Eyers and Jean Bacon and Margo Seltzer",

year = "2018",

month = oct,

day = "8",

doi = "10.1145/3243734.3243776",

language = "English",

isbn = "9781450356930",

pages = "1601--1616",

booktitle = "CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery (ACM)",

address = "United States",

note = "25th ACM Conference on Computer and Communications Security, CCS 2018 ; Conference date: 15-10-2018 Through 19-10-2018",

url = "https://www.sigsac.org/ccs/CCS2018/",

}

Pasquier, T, Han, X, Moyer, T, Bates, A, Hermant, O, Eyers, D, Bacon, J & Seltzer, M 2018, Runtime Analysis of Whole-System Provenance. in CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security: Toronto, Canada (2018). Association for Computing Machinery (ACM), pp. 1601-1616, 25th ACM Conference on Computer and Communications Security, Toronto, Canada, 15/10/18. https://doi.org/10.1145/3243734.3243776

Runtime Analysis of Whole-System Provenance. / Pasquier, Thomas; Han, Xueyuan; Moyer, Thomas et al.
CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security: Toronto, Canada (2018). Association for Computing Machinery (ACM), 2018. p. 1601-1616.

Research output: Chapter in Book/Report/Conference proceeding › Conference Contribution (Conference Proceeding)

TY - GEN

T1 - Runtime Analysis of Whole-System Provenance

AU - Pasquier, Thomas

AU - Han, Xueyuan

AU - Moyer, Thomas

AU - Bates, Adam

AU - Hermant, Olivier

AU - Eyers, David

AU - Bacon, Jean

AU - Seltzer, Margo

PY - 2018/10/8

Y1 - 2018/10/8

N2 - Identifying the root cause and impact of a system intrusion remains a foundational challenge in computer security. Digital provenance provides a detailed history of the flow of information within a computing system, connecting suspicious events to their root causes. Although existing provenance-based auditing techniques provide value in forensic analysis, they assume that such analysis takes place only retrospectively. Such post-hoc analysis is insufficient for realtime security applications; moreover, even for forensic tasks, prior provenance collection systems exhibited poor performance and scalability, jeopardizing the timeliness of query responses. We present CamQuery, which provides inline, realtime provenance analysis, making it suitable for implementing security applications. CamQuery is a Linux Security Module that offers support for both userspace and in-kernel execution of analysis applications.We demonstrate the applicability of CamQuery to a variety of runtime security applications including data loss prevention, intrusion detection, and regulatory compliance. In evaluation, we demonstrate that CamQuery reduces the latency of realtime query mechanisms, while imposing minimal overheads on system execution. CamQuery thus enables the further deployment of provenance-based technologies to address central challenges in computer security.

AB - Identifying the root cause and impact of a system intrusion remains a foundational challenge in computer security. Digital provenance provides a detailed history of the flow of information within a computing system, connecting suspicious events to their root causes. Although existing provenance-based auditing techniques provide value in forensic analysis, they assume that such analysis takes place only retrospectively. Such post-hoc analysis is insufficient for realtime security applications; moreover, even for forensic tasks, prior provenance collection systems exhibited poor performance and scalability, jeopardizing the timeliness of query responses. We present CamQuery, which provides inline, realtime provenance analysis, making it suitable for implementing security applications. CamQuery is a Linux Security Module that offers support for both userspace and in-kernel execution of analysis applications.We demonstrate the applicability of CamQuery to a variety of runtime security applications including data loss prevention, intrusion detection, and regulatory compliance. In evaluation, we demonstrate that CamQuery reduces the latency of realtime query mechanisms, while imposing minimal overheads on system execution. CamQuery thus enables the further deployment of provenance-based technologies to address central challenges in computer security.

KW - Whole-system Provenance

KW - Information Flow Tracking

KW - Graph Processing

KW - Linux Kernel

U2 - 10.1145/3243734.3243776

DO - 10.1145/3243734.3243776

M3 - Conference Contribution (Conference Proceeding)

SN - 9781450356930

SP - 1601

EP - 1616

BT - CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

PB - Association for Computing Machinery (ACM)

T2 - 25th ACM Conference on Computer and Communications Security

Y2 - 15 October 2018 through 19 October 2018

ER -

Runtime Analysis of Whole-System Provenance

Abstract

Conference

Research Groups and Themes

Keywords

Access to Document

Handle.net

Fingerprint

Cite this