TY - GEN
T1 - Hi-Fi
T2 - 28th Annual Computer Security Applications Conference, ACSAC 2012
AU - Pohly, Devin J.
AU - McLaughlin, Stephen
AU - McDaniel, Patrick
AU - Butler, Kevin
N1 - Copyright:
Copyright 2013 Elsevier B.V., All rights reserved.
PY - 2012
Y1 - 2012
AB - Data provenance - a record of the origin and evolution of data in a system - is a useful tool for forensic analysis. However, existing provenance collection mechanisms fail to achieve sufficient breadth or fidelity to provide a holistic view of a system's operation over time. We present Hi-Fi, a kernel-level provenance system which leverages the Linux Security Modules framework to collect high-fidelity whole-system provenance. We demonstrate that Hi-Fi is able to record a variety of malicious behavior within a compromised system. In addition, our benchmarks show the collection overhead from Hi-Fi to be less than 1% for most system calls and 3% in a representative workload, while simultaneously generating a system measurement that fully reflects system evolution. In this way, we show that we can collect broad, high-fidelity provenance data which is capable of supporting detailed forensic analysis.
UR - http://www.scopus.com/inward/record.url?scp=84872101443&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84872101443&partnerID=8YFLogxK
U2 - 10.1145/2420950.2420989
DO - 10.1145/2420950.2420989
M3 - Conference contribution
AN - SCOPUS:84872101443
SN - 9781450313124
T3 - ACM International Conference Proceeding Series
SP - 259
EP - 268
BT - Proceedings - 28th Annual Computer Security Applications Conference, ACSAC 2012
Y2 - 3 December 2012 through 7 December 2012
ER -