Runtime Analysis of Whole-System Provenance

Thomas Pasquier, Xueyuan Han, Thomas Moyer, Adam Bates, Olivier Hermant, David Eyers, Jean Bacon, Margo Seltzer

Research output: Chapter in Book/Report/Conference proceedingConference Contribution (Conference Proceeding)

23 Citations (Scopus)
326 Downloads (Pure)


Identifying the root cause and impact of a system intrusion remains a foundational challenge in computer security. Digital provenance provides a detailed history of the flow of information within a computing system, connecting suspicious events to their root causes. Although existing provenance-based auditing techniques provide value in forensic analysis, they assume that such analysis takes place only retrospectively. Such post-hoc analysis is insufficient for realtime security applications; moreover, even for forensic tasks, prior provenance collection systems exhibited poor performance and scalability, jeopardizing the timeliness of query responses. We present CamQuery, which provides inline, realtime provenance analysis, making it suitable for implementing security applications. CamQuery is a Linux Security Module that offers support for both userspace and in-kernel execution of analysis applications.We demonstrate the applicability of CamQuery to a variety of runtime security applications including data loss prevention, intrusion detection, and regulatory compliance. In evaluation, we demonstrate that CamQuery reduces the latency of realtime query mechanisms, while imposing minimal overheads on system execution. CamQuery thus enables the further deployment of provenance-based technologies to address central challenges in computer security.
Original languageEnglish
Title of host publicationCCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
Subtitle of host publicationToronto, Canada (2018)
PublisherAssociation for Computing Machinery (ACM)
Number of pages16
ISBN (Print)9781450356930
Publication statusPublished - 8 Oct 2018
Event25th ACM Conference on Computer and Communications Security - XHotel, Toronto, Canada
Duration: 15 Oct 201819 Oct 2018


Conference25th ACM Conference on Computer and Communications Security
Abbreviated titleCCS 2018
Internet address

Structured keywords

  • Cyber Security


  • Whole-system Provenance
  • Information Flow Tracking
  • Graph Processing
  • Linux Kernel


Dive into the research topics of 'Runtime Analysis of Whole-System Provenance'. Together they form a unique fingerprint.

Cite this