Taming the costs of trustworthy provenance through policy reduction

Adam Bates, Dave Jing Tian, Grant Hernandez, Thomas Moyer, Kevin R.B. Butler, Trent Ray Jaeger

Research output: Contribution to journal › Article

2 Citations (Scopus)

Abstract

Provenance is an increasingly important tool for understanding and even actively preventing system intrusion, but the excessive storage burden imposed by automatic provenance collection threatens to undermine its value in practice. This situation is made worse by the fact that the majority of this metadata is unlikely to be of interest to an administrator, instead describing system noise or other background activities that are not germane to the forensic investigation. To date, storing data provenance in perpetuity was a necessary concession in even the most advanced provenance tracking systems in order to ensure the completeness of the provenance record for future analyses. In this work, we overcome this obstacle by proposing a policy-based approach to provenance filtering, leveraging the confinement properties provided by Mandatory Access Control (MAC) systems in order to identify and isolate subdomains of system activity for which to collect provenance. We introduce the notion of minimal completeness for provenance graphs, and design and implement a system that provides this property by exclusively collecting provenance for the trusted computing base of a target application. In evaluation, we discover that, while the efficacy of our approach is domain dependent, storage costs can be reduced by as much as 89% in critical scenarios such as provenance tracking in cloud computing data centers. To the best of our knowledge, this is the first policy-based provenance monitor to appear in the literature.

Original language: English (US)
Article number: 3062180
Journal: ACM Transactions on Internet Technology
Volume: 17
Issue number: 4
DOI: 10.1145/3062180
State: Published - Sep 1 2017

Fingerprint

Cloud computing
Metadata
Access control
Control systems
Costs
Trusted computing

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications

Cite this

Bates, Adam; Tian, Dave Jing; Hernandez, Grant; Moyer, Thomas; Butler, Kevin R.B.; Jaeger, Trent Ray. / Taming the costs of trustworthy provenance through policy reduction. In: ACM Transactions on Internet Technology. 2017; Vol. 17, No. 4.
@article{b10b8431b5e34643a06a4f0ad5da77a1,
title = "Taming the costs of trustworthy provenance through policy reduction",
abstract = "Provenance is an increasingly important tool for understanding and even actively preventing system intrusion, but the excessive storage burden imposed by automatic provenance collection threatens to undermine its value in practice. This situation is made worse by the fact that the majority of this metadata is unlikely to be of interest to an administrator, instead describing system noise or other background activities that are not germane to the forensic investigation. To date, storing data provenance in perpetuity was a necessary concession in even the most advanced provenance tracking systems in order to ensure the completeness of the provenance record for future analyses. In this work, we overcome this obstacle by proposing a policy-based approach to provenance filtering, leveraging the confinement properties provided by Mandatory Access Control (MAC) systems in order to identify and isolate subdomains of system activity for which to collect provenance. We introduce the notion of minimal completeness for provenance graphs, and design and implement a system that provides this property by exclusively collecting provenance for the trusted computing base of a target application. In evaluation, we discover that, while the efficacy of our approach is domain dependent, storage costs can be reduced by as much as 89{\%} in critical scenarios such as provenance tracking in cloud computing data centers. To the best of our knowledge, this is the first policy-based provenance monitor to appear in the literature.",
author = "Adam Bates and Tian, {Dave Jing} and Grant Hernandez and Thomas Moyer and Butler, {Kevin R.B.} and Jaeger, {Trent Ray}",
year = "2017",
month = "9",
day = "1",
doi = "10.1145/3062180",
language = "English (US)",
volume = "17",
journal = "ACM Transactions on Internet Technology",
issn = "1533-5399",
publisher = "Association for Computing Machinery (ACM)",
number = "4",
}
