Hi-Fi: Collecting high-fidelity whole-system provenance

Devin J. Pohly, Stephen McLaughlin, Patrick McDaniel, Kevin Butler

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

136 Scopus citations

Abstract

Data provenance - a record of the origin and evolution of data in a system - is a useful tool for forensic analysis. However, existing provenance collection mechanisms fail to achieve sufficient breadth or fidelity to provide a holistic view of a system's operation over time. We present Hi-Fi, a kernel-level provenance system which leverages the Linux Security Modules framework to collect high-fidelity whole-system provenance. We demonstrate that Hi-Fi is able to record a variety of malicious behavior within a compromised system. In addition, our benchmarks show the collection overhead from Hi-Fi to be less than 1% for most system calls and 3% in a representative workload, while simultaneously generating a system measurement that fully reflects system evolution. In this way, we show that we can collect broad, high-fidelity provenance data which is capable of supporting detailed forensic analysis.

Original language: English (US)
Title of host publication: Proceedings - 28th Annual Computer Security Applications Conference, ACSAC 2012
Pages: 259-268
Number of pages: 10
State: Published - 2012
Event: 28th Annual Computer Security Applications Conference, ACSAC 2012 - Orlando, FL, United States
Duration: Dec 3 2012 - Dec 7 2012

Publication series

Name: ACM International Conference Proceeding Series

Other

Other: 28th Annual Computer Security Applications Conference, ACSAC 2012
Country/Territory: United States
City: Orlando, FL
Period: 12/3/12 - 12/7/12

All Science Journal Classification (ASJC) codes

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications
