Operators of networks and distributed systems often need to answer a diagnostic or forensic question: some part of the system is found in an unexpected state, and the operators must decide whether that state is legitimate or a symptom of a clandestine attack. In such cases it would be useful to ask the system for an 'explanation' of the observed state. When no attacker is present, emerging network provenance techniques can produce such an explanation by constructing the chain of events (derivations and messages) that links the observed state back to its root causes. However, an attacker can cause the nodes under its control to forge or suppress provenance information and thereby produce a plausible but incorrect explanation, so the operators may fail to notice the attack at all.
This research develops secure network provenance techniques that can provide useful explanations even when the system is under attack by a powerful adversary. The project (i) substantially extends and generalizes the concept of network provenance by adding capabilities needed in a forensic setting; (ii) develops techniques for securely storing provenance without any trusted components; (iii) designs methods for efficiently querying secure provenance; (iv) introduces methods for protecting the confidentiality of provenance; and (v) evaluates these techniques in the context of concrete applications.
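The following is an added illustration of the threat described above and of the cross-checking idea behind aim (ii); it is not code from the project or from the abstract. It assumes a deliberately simplified model: each node keeps an append-only, hash-chained log of the tuples it derived, sent and received; an explanation is obtained by walking derivation inputs and crossing into the sender's log at every received tuple; and the explanation is accepted only if every cross-node step is corroborated by the sender's own log. The route/advertisement tuples, rule names and node names are constructed sample data.

```python
import hashlib
import json

GENESIS = "0" * 64


def entry_hash(e):
    """Content hash of one log entry (JSON with sorted keys for determinism)."""
    return hashlib.sha256(json.dumps(e, sort_keys=True).encode()).hexdigest()


class NodeLog:
    """Append-only, hash-chained provenance log kept by a single node.
    Assumption: chain heads are published to peers, so a node that later
    rewrites an earlier entry can be caught by anyone holding an older head."""

    def __init__(self, node):
        self.node, self.entries = node, []

    def append(self, kind, tup, **fields):
        prev = entry_hash(self.entries[-1]) if self.entries else GENESIS
        e = dict(kind=kind, tuple=tup, prev=prev, **fields)
        self.entries.append(e)
        return e

    def find(self, kind, tup):
        return next((e for e in self.entries
                     if e["kind"] == kind and e["tuple"] == tup), None)

    def chain_ok(self):
        """True if every entry's prev field matches the hash of its predecessor."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev:
                return False
            prev = entry_hash(e)
        return True


def build_logs(b_is_malicious):
    """Constructed three-node scenario: C hosts prefix X, B relays it to A.
    If B is malicious it also forges a receipt from C for a prefix Y that C
    never announced, so B's own log yields a plausible explanation for the hijack."""
    A, B, C = NodeLog("A"), NodeLog("B"), NodeLog("C")
    C.append("base", "dest(X)")
    C.append("derive", "adv(X,from=C)", rule="adv :- dest", inputs=["dest(X)"])
    C.append("send", "adv(X,from=C)", to="B")
    B.append("base", "link(B,C)")
    B.append("recv", "adv(X,from=C)", src="C")
    B.append("derive", "route(X,next=C)", rule="route :- adv, link",
             inputs=["adv(X,from=C)", "link(B,C)"])
    B.append("derive", "adv(X,from=B)", rule="adv :- route", inputs=["route(X,next=C)"])
    B.append("send", "adv(X,from=B)", to="A")
    A.append("recv", "adv(X,from=B)", src="B")
    A.append("derive", "route(X,next=B)", rule="route :- adv", inputs=["adv(X,from=B)"])
    if b_is_malicious:
        B.append("recv", "adv(Y,from=C)", src="C")  # forged: C never sent this
        B.append("derive", "route(Y,next=C)", rule="route :- adv, link",
                 inputs=["adv(Y,from=C)", "link(B,C)"])
        B.append("derive", "adv(Y,from=B)", rule="adv :- route", inputs=["route(Y,next=C)"])
        B.append("send", "adv(Y,from=B)", to="A")
        A.append("recv", "adv(Y,from=B)", src="B")
        A.append("derive", "route(Y,next=B)", rule="route :- adv", inputs=["adv(Y,from=B)"])
    return {"A": A, "B": B, "C": C}


def explain(logs, node, tup):
    """Follow provenance from an observed tuple back to base facts, crossing
    into the claimed sender's log at every received tuple."""
    log = logs[node]
    e = log.find("derive", tup) or log.find("recv", tup) or log.find("base", tup)
    out = {"node": node, "tuple": tup, "kind": e["kind"] if e else "missing", "children": []}
    if e and e["kind"] == "derive":
        out["rule"] = e["rule"]
        out["children"] = [explain(logs, node, i) for i in e["inputs"]]
    elif e and e["kind"] == "recv":
        out["src"] = e["src"]
        out["children"] = [explain(logs, e["src"], tup)]
    return out


def verify(logs, expl):
    """Corroborate an explanation without trusting any single node: every
    received tuple must appear as a matching send in the sender's own log,
    and every log's hash chain must be intact. Returns a list of violations."""
    bad = [f"{n}: hash chain broken" for n, l in logs.items() if not l.chain_ok()]

    def walk(x):
        if x["kind"] == "recv":
            s = logs[x["src"]].find("send", x["tuple"])
            if s is None or s["to"] != x["node"]:
                bad.append(f"{x['node']} claims {x['tuple']} from {x['src']}, "
                           f"but {x['src']} never sent it")
        elif x["kind"] == "missing":
            bad.append(f"{x['node']} has no record of {x['tuple']}")
        for c in x["children"]:
            walk(c)

    walk(expl)
    return bad


if __name__ == "__main__":
    logs = build_logs(b_is_malicious=True)
    for v in verify(logs, explain(logs, "A", "route(Y,next=B)")):
        print("violation:", v)
```

Queried on B's log alone, the hijacked route(Y,next=B) has a complete-looking derivation; it is only the cross-check against C's log that exposes the forged receipt, which is why the abstract stresses that the provenance store must not rely on any node being trusted. Tampering with an already-appended entry (say, rewriting B's first entry after the fact) breaks the chain check in the same way.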
The project's theme of provenance and forensics is integrated with Penn's new undergraduate program in Market and Social Systems Engineering. The resulting techniques will provide forensic support for a wide variety of distributed applications, including emerging cloud applications on which critical infrastructure may soon be based.