Skip to content

Runtime Analysis of Whole-System Provenance

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Original languageEnglish
Title of host publicationCCS’18: 25th ACM Conference on Computer and Communications Security, October 15–19, 2018, Toronto, ON, Canada
Publisher or commissioning bodyAssociation for Computing Machinery (ACM)
Number of pages16
ISBN (Print)9781450356930
DateAccepted/In press - 23 Jul 2018
DatePublished (current) - 8 Oct 2018
Event25th ACM Conference on Computer and Communications Security - XHotel, Toronto, Canada
Duration: 15 Oct 201819 Oct 2018


Conference25th ACM Conference on Computer and Communications Security
Abbreviated titleCCS 2018
Internet address


Identifying the root cause and impact of a system intrusion remains a foundational challenge in computer security. Digital provenance provides a detailed history of the flow of information within a computing system, connecting suspicious events to their root causes. Although existing provenance-based auditing techniques provide value in forensic analysis, they assume that such analysis takes place only retrospectively. Such post-hoc analysis is insufficient for realtime security applications; moreover, even for forensic tasks, prior provenance collection systems exhibited poor performance and scalability, jeopardizing the timeliness of query responses. We present CamQuery, which provides inline, realtime provenance analysis, making it suitable for implementing security applications. CamQuery is a Linux Security Module that offers support for both userspace and in-kernel execution of analysis applications.We demonstrate the applicability of CamQuery to a variety of runtime security applications including data loss prevention, intrusion detection, and regulatory compliance. In evaluation, we demonstrate that CamQuery reduces the latency of realtime query mechanisms, while imposing minimal overheads on system execution. CamQuery thus enables the further deployment of provenance-based technologies to address central challenges in computer security.

    Research areas

  • Whole-system Provenance, Information Flow Tracking, Graph Processing, Linux Kernel

    Structured keywords

  • Cyber Security


25th ACM Conference on Computer and Communications Security

Abbreviated titleCCS 2018
Duration15 Oct 201819 Oct 2018
Location of eventXHotel
Web address (URL)
Degree of recognitionInternational event

Event: Conference

Download statistics

No data available



  • Full-text PDF (accepted author manuscript)

    Rights statement: This is the author accepted manuscript (AAM). The final published version (version of record) is available online via ACM at . Please refer to any applicable terms of use of the publisher.

    Accepted author manuscript, 1.2 MB, PDF document


View research connections

Related faculties, schools or groups