Hi-Fi: Collecting high-fidelity whole-system provenance

Devin J. Pohly, Stephen McLaughlin, Patrick McDaniel, Kevin Butler

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

125 Scopus citations


Data provenance - a record of the origin and evolution of data in a system - is a useful tool for forensic analysis. However, existing provenance collection mechanisms fail to achieve sufficient breadth or fidelity to provide a holistic view of a system's operation over time. We present Hi-Fi, a kernel-level provenance system which leverages the Linux Security Modules framework to collect high-fidelity whole-system provenance. We demonstrate that Hi-Fi is able to record a variety of malicious behavior within a compromised system. In addition, our benchmarks show the collection overhead from Hi-Fi to be less than 1% for most system calls and 3% in a representative workload, while simultaneously generating a system measurement that fully reflects system evolution. In this way, we show that we can collect broad, high-fidelity provenance data which is capable of supporting detailed forensic analysis.

Original language: English (US)
Title of host publication: Proceedings - 28th Annual Computer Security Applications Conference, ACSAC 2012
Number of pages: 10
State: Published - 2012
Event: 28th Annual Computer Security Applications Conference, ACSAC 2012 - Orlando, FL, United States
Duration: Dec 3 2012 - Dec 7 2012

Publication series

Name: ACM International Conference Proceeding Series


Other: 28th Annual Computer Security Applications Conference, ACSAC 2012
Country/Territory: United States
City: Orlando, FL

All Science Journal Classification (ASJC) codes

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications

