Expressiveness benchmarking for system-level provenance

Sheung chi Chan, Ashish Gehani, James Cheney, Ripduman Sohan, Hassaan Irshad

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract / Description of output

Provenance is increasingly being used as a foundation for security analysis and forensics. System-level provenance can help us trace activities at the level of libraries or system calls, which offers great potential for detecting subtle malicious activities that can otherwise go undetected. However, analysing the raw provenance trace is challenging, due to scale and to differences in data representation among system-level provenance recorders: for example, common queries to identify malicious patterns need to be formulated in different ways on different systems. As a first step toward understanding the similarities and differences among approaches, this paper proposes an expressiveness benchmark consisting of tests intended to capture the provenance of individual system calls. We present work in progress on the benchmark examples for Linux and discuss how they are handled by two different provenance collection tools, SPADE and OPUS.
Original language: English
Title of host publication: 2017 Workshop on Theory and Practice of Provenance (TaPP 2017)
Number of pages: 6
Publication status: Published - 23 Jun 2017
Event: 9th USENIX Workshop on the Theory and Practice of Provenance 2017 - Seattle, United States
Duration: 22 Jun 2017 - 23 Jun 2017


Conference: 9th USENIX Workshop on the Theory and Practice of Provenance 2017
Abbreviated title: TaPP 2017
Country/Territory: United States