Runtime Analysis of Whole-System Provenance

Abstract : Identifying the root cause and impact of a system intrusion remains a foundational challenge in computer security. Digital provenance provides a detailed history of the flow of information within a computing system, connecting suspicious events to their root causes. Although existing provenance-based auditing techniques provide value in forensic analysis, they assume that such analysis takes place only retrospectively. Such post-hoc analysis is insufficient for realtime security applications; moreover, even for forensic tasks, prior provenance collection systems exhibited poor performance and scalability, jeopardizing the timeliness of query responses. We present CamQuery, which provides inline, realtime provenance analysis, making it suitable for implementing security applications. CamQuery is a Linux Security Module that offers support for both userspace and in-kernel execution of analysis applications. We demonstrate the applicability of CamQuery to a variety of runtime security applications including data loss prevention, intrusion detection, and regulatory compliance. In evaluation, we demonstrate that CamQuery reduces the latency of realtime query mechanisms, while imposing minimal overheads on system execution. CamQuery thus enables the further deployment of provenance-based technologies to address central challenges in computer security. Preprint: the final version of this paper will appear in the proceedings of the 25th ACM Conference on Computer and Communications Security in October 2018 (https://www.sigsac.org/ccs/CCS2018/).
Type de document :
Communication dans un congrès
Liste complète des métadonnées

https://hal-mines-paristech.archives-ouvertes.fr/hal-01859773
Contributeur : Claire Medrala <>
Soumis le : mercredi 22 août 2018 - 15:36:41
Dernière modification le : mercredi 21 août 2019 - 10:22:04

Identifiants

  • HAL Id : hal-01859773, version 1

Citation

Thomas Pasquier, Xueyuan Han, Thomas Moyer, Adam Bates, Olivier Hermant, et al.. Runtime Analysis of Whole-System Provenance. The 25th ACM Conference on Computer and Communications Security, Oct 2018, Toronto, Canada. pp.1601-1616. ⟨hal-01859773⟩

Partager

Métriques

Consultations de la notice

132