Expressiveness Benchmarking for System-Level Provenance


Sheung Chi Chan, University of Edinburgh; Ashish Gehani, SRI International; James Cheney, University of Edinburgh; Ripduman Sohan, University of Cambridge; Hassaan Irshad, SRI International


Provenance is increasingly being used as a foundation for security analysis and forensics. System-level provenance can help us trace activities at the level of libraries or system calls, which offers great potential for detecting subtle malicious activities that can otherwise go undetected. However, analysing the raw provenance trace is challenging, due to scale and to differences in data representation among system-level provenance recorders: for example, common queries to identify malicious patterns need to be formulated in different ways on different systems. As a first step toward understanding the similarities and differences among approaches, this paper proposes an expressiveness benchmark consisting of tests intended to capture the provenance of individual system calls. We present work in progress on the benchmark examples for Linux and discuss how they are handled by two different provenance collection tools, SPADE and OPUS.

@inproceedings {204247,
author = {Sheung Chi Chan and Ashish Gehani and James Cheney and Ripduman Sohan and Hassaan Irshad},
title = {Expressiveness Benchmarking for {System-Level} Provenance},
booktitle = {9th USENIX Workshop on the Theory and Practice of Provenance (TaPP 2017)},
year = {2017},
address = {Seattle, WA},
url = {},
publisher = {USENIX Association},
month = jun
}