Can Data Provenance Put an End to the Data Breach?
In a provenance-aware system, mechanisms gather and report metadata that describes the history of each data object being processed, allowing us to understand how objects came to exist in their present state. Excitingly, we can also use provenance to trace the actions of system intruders, enabling smarter and faster incident response. In this talk, I will describe our efforts to manage and analyze attack provenance in today’s massive distributed environments. First, I will explain how grammar induction techniques can be applied to provenance graphs in order to eliminate redundancy in distributed logs and correlate events across a network. Next, I will share our recent results on combatting the problem of intrusion detection “alert fatigue” through a provenance-based triage technique. I will conclude by discussing some of the opportunities and challenges that are guiding our continued work in this space. By addressing key security and performance issues, this work is paving the way for the further proliferation of secure provenance capabilities.