Integrity Checking and Abnormality Detection of Provenance Records

Authors: 

Sheung Chi Chan, University of Edinburgh; Ashish Gehani and Hassaan Irshad, SRI International; James Cheney, University of Edinburgh and The Alan Turing Institute

Abstract: 

Data provenance is a kind of meta-data recording inputs, entities and processes. It provides historical records and origin information of the data. Because of the rich information provided, provenance is increasingly being used as a foundation for security analysis and forensic auditing. For example, system-level provenance can help us trace activities at the level of libraries or system calls, which offers great potential for detecting subtle malicious activities that can otherwise go undetected. However, most of these security-related applications of provenance data require completeness and correctness of the provenance collection process. This cannot be guaranteed in some cases because some provenance recording modules collect information from unreliable sources. We present work in progress on provenance graph integrity checking and abnormal component detection using ProvMark, the provenance expressiveness benchmarking tool. We also discuss possible applications of the ProvMark tool to aid the quality checking of provenance data.

BibTeX
@inproceedings {255012,
author = {Sheung Chi Chan and Ashish Gehani and Hassaan Irshad and James Cheney},
title = {Integrity Checking and Abnormality Detection of Provenance Records},
booktitle = {12th International Workshop on Theory and Practice of Provenance (TaPP 2020)},
year = {2020},
url = {https://www.usenix.org/conference/tapp2020/presentation/chan},
publisher = {{USENIX} Association},
month = jun,
}