
DOI: 10.1145/2420950.2420989 (research article, ACSAC conference proceedings)

Hi-Fi: collecting high-fidelity whole-system provenance

Published: 03 December 2012

Abstract

Data provenance---a record of the origin and evolution of data in a system---is a useful tool for forensic analysis. However, existing provenance collection mechanisms fail to achieve sufficient breadth or fidelity to provide a holistic view of a system's operation over time. We present Hi-Fi, a kernel-level provenance system which leverages the Linux Security Modules framework to collect high-fidelity whole-system provenance. We demonstrate that Hi-Fi is able to record a variety of malicious behavior within a compromised system. In addition, our benchmarks show the collection overhead from Hi-Fi to be less than 1% for most system calls and 3% in a representative workload, while simultaneously generating a system measurement that fully reflects system evolution. In this way, we show that we can collect broad, high-fidelity provenance data which is capable of supporting detailed forensic analysis.
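As an added illustration of what a whole-system provenance record supports, the following Python (written for this page, not code from the Hi-Fi paper) replays a constructed stream of LSM-style hook events into a provenance graph and answers the two questions a forensic analyst asks of such data: where did this process come from, and what did this network connection end up touching. The hook names, the record layout, the sample events and the per-write artifact versioning are all assumptions of the example, not Hi-Fi's record format.

```python
"""Whole-system provenance graph built from an LSM-style hook event stream.

Added example for this page; it is not code from the Hi-Fi paper. The event
records below are constructed to resemble what kernel hooks on exec, fork,
file read/write and socket send/recv would emit. Field names, the per-write
artifact versioning and the graph layout are assumptions of this example, not
Hi-Fi's record format.
"""
from collections import defaultdict

# Constructed event stream: (sequence number, hook, pid, target).
# A single kernel can hand the collector a total order of events, which is what
# the sequence number stands in for here. The story: sshd (pid 100) forks a
# session (pid 200) that receives a dropper over a socket, writes it to /tmp,
# runs it (pid 300); the dropper reads /etc/passwd, exfiltrates over the same
# socket and trojans /usr/bin/ls, which a later user process (pid 400) executes.
# pid 50 ran the clean ls before any of this happened.
EVENTS = [
    (1,  "exec",  50,  "/usr/bin/ls"),
    (2,  "exec",  100, "/usr/sbin/sshd"),
    (3,  "fork",  100, 200),
    (4,  "recv",  200, "tcp:203.0.113.5:4444"),
    (5,  "write", 200, "/tmp/.x"),
    (6,  "fork",  200, 300),
    (7,  "exec",  300, "/tmp/.x"),
    (8,  "read",  300, "/etc/passwd"),
    (9,  "send",  300, "tcp:203.0.113.5:4444"),
    (10, "write", 300, "/usr/bin/ls"),
    (11, "exec",  400, "/usr/bin/ls"),
]


class ProvGraph:
    """Directed graph of processes and artifact versions.

    edges[node] is the set of nodes that node depends on: "used" for a process
    consuming an artifact, "wasGeneratedBy" for an artifact written by a
    process, "wasTriggeredBy" for a forked child (Open Provenance Model terms).
    """

    def __init__(self):
        self.edges = defaultdict(set)
        self.version = defaultdict(int)  # path -> number of writes seen so far

    def artifact(self, path):
        return f"{path}@v{self.version[path]}"

    def record(self, seq, hook, pid, target):
        proc = f"pid:{pid}"
        if hook in ("exec", "read", "recv"):
            # The process consumed whatever version exists right now.
            self.edges[proc].add(self.artifact(target))
        elif hook in ("write", "send"):
            # Each write produces a fresh version so that earlier readers are
            # not retroactively linked to this writer, a false dependency
            # (and a cycle) that a versionless graph would report.
            self.version[target] += 1
            self.edges[self.artifact(target)].add(proc)
        elif hook == "fork":
            self.edges[f"pid:{target}"].add(proc)
        else:
            raise ValueError(f"unknown hook {hook!r} at seq {seq}")

    @staticmethod
    def _reach(start, adj):
        seen, stack = set(), [start]
        while stack:
            for nxt in adj.get(stack.pop(), ()):
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        return seen

    def ancestors(self, node):
        """Backward trace: everything that could have influenced node."""
        return self._reach(node, self.edges)

    def descendants(self, node):
        """Forward trace: everything node could have influenced."""
        rev = defaultdict(set)
        for child, parents in self.edges.items():
            for parent in parents:
                rev[parent].add(child)
        return self._reach(node, rev)


def build(events):
    """Replay hook events in sequence order into a ProvGraph."""
    g = ProvGraph()
    for seq, hook, pid, target in sorted(events):
        g.record(seq, hook, pid, target)
    return g


if __name__ == "__main__":
    g = build(EVENTS)
    print("ancestry of pid 400:", sorted(g.ancestors("pid:400")))
    print("ancestry of pid 50: ", sorted(g.ancestors("pid:50")))
    print("tainted by the C2 socket:",
          sorted(g.descendants("tcp:203.0.113.5:4444@v0")))
```

The backward trace from pid 400 reaches the trojaned ls, the dropper, the sshd session and the socket it read from, while pid 50, which ran ls before the overwrite, is linked only to the clean version; without per-write versioning the same query would wrongly implicate pid 50. In a real kernel collector the sequence number must be assigned in the kernel, since records handed to user space can be reordered or dropped under load, and the collector itself sits inside the trusted computing base: a compromised kernel can lie to it.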



Published In

ACSAC '12: Proceedings of the 28th Annual Computer Security Applications Conference
December 2012, 464 pages
ISBN: 9781450313124
DOI: 10.1145/2420950
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsor: ACSA (Applied Computing Security Association)

Publisher: Association for Computing Machinery, New York, NY, United States


Author Tags

  1. data provenance
  2. forensics
  3. malware
  4. reference monitor

Qualifiers

  • Research-article

Conference

ACSAC '12: Annual Computer Security Applications Conference
December 3 - 7, 2012, Orlando, Florida, USA
Sponsor: ACSA

Acceptance Rates

ACSAC '12 Paper Acceptance Rate 44 of 231 submissions, 19%;
Overall Acceptance Rate 104 of 497 submissions, 21%

Article Metrics

  • Downloads (Last 12 months)40
  • Downloads (Last 6 weeks)8
Reflects downloads up to 26 Nov 2024

Cited By
  • (2024) Log refusion: adversarial attacks against the integrity of application logs and defense methods. SCIENTIA SINICA Informationis 54(9):2157. DOI: 10.1360/SSI-2024-0042. Published 10 Sep 2024.
  • (2024) Prov2vec: Learning Provenance Graph Representation for Anomaly Detection in Computer Systems. Proceedings of the 19th International Conference on Availability, Reliability and Security, pages 1-14. DOI: 10.1145/3664476.3664494. Published 30 Jul 2024.
  • (2024) A benchmark suite and performance analysis of user-space provenance collectors. Proceedings of the 2nd ACM Conference on Reproducibility and Replicability, pages 85-95. DOI: 10.1145/3641525.3663627. Published 18 Jun 2024.
  • (2024) The Last Mile of Attack Investigation: Audit Log Analysis Toward Software Vulnerability Location. IEEE Transactions on Information Forensics and Security 19:9566-9581. DOI: 10.1109/TIFS.2024.3459616. Published 2024.
  • (2024) eAudit: A Fast, Scalable and Deployable Audit Data Collection System. 2024 IEEE Symposium on Security and Privacy (SP), pages 3571-3589. DOI: 10.1109/SP54263.2024.00087. Published 19 May 2024.
  • (2024) Kairos: Practical Intrusion Detection and Investigation using Whole-system Provenance. 2024 IEEE Symposium on Security and Privacy (SP), pages 3533-3551. DOI: 10.1109/SP54263.2024.00005. Published 19 May 2024.
  • (2024) Differential Analysis for System Provenance. 2024 IEEE 40th International Conference on Data Engineering (ICDE), pages 5649-5653. DOI: 10.1109/ICDE60146.2024.00455. Published 13 May 2024.
  • (2024) A dynamic provenance graph-based detector for advanced persistent threats. Expert Systems with Applications, article 125877. DOI: 10.1016/j.eswa.2024.125877. Published Nov 2024.
  • (2024) RAMA: a risk assessment solution for healthcare organizations. International Journal of Information Security 23(3):1821-1838. DOI: 10.1007/s10207-024-00820-4. Published 1 Mar 2024.
  • (2023) The case for learned provenance graph storage systems. Proceedings of the 32nd USENIX Conference on Security Symposium, pages 3277-3294. DOI: 10.5555/3620237.3620421. Published 9 Aug 2023.
