Secure Network Provenance
Overview
Operators of distributed systems often find themselves needing to answer a
diagnostic or forensic question. Some part of the system is found to be in
an unexpected state; for example, a suspicious routing table entry is
discovered, or a proxy cache is found to contain an unusually large number of
advertisements. The operators must determine the causes of this state before
they can decide on an appropriate response. On the one hand, there may be an
innocent explanation: the routing table entry could be the result of a misconfiguration,
and the cache entries could have appeared due to a workload change. On the
other hand, the unexpected state may be the symptom of an ongoing attack: the
routing table entry could be the result of route hijacking, and the cache
entries could be a side-effect of a malware infection. In this situation, it
would be helpful to be able to ask the system to "explain"
its own state, e.g., by describing a chain of events that link the state
to its root causes, such as external inputs.
As long as the system is working correctly, emerging network provenance
techniques can construct such explanations. However, if some of the nodes are
faulty or have been compromised by an adversary, the situation is complicated
by the fact that the adversary can cause the nodes under his control to lie,
suppress information, tamper with existing data, or report nonexistent events.
This can cause the provenance system to turn from an advantage into a liability:
its answers may cause operators to stop investigating an ongoing attack
because everything looks fine.
The goal of this project is to provide secure network provenance, that is,
the ability to correctly explain system states even when (and especially when)
the system is faulty or under attack. Towards this goal, we are substantially
extending and generalizing the concept of network provenance by adding capabilities
needed in a forensic setting, we are developing techniques for securely storing
provenance without trusted components, and we are designing methods for
efficiently querying secure provenance. We are evaluating our techniques
in the context of concrete applications, such as Hadoop MapReduce or BGP
interdomain routing.
Publications
- Private and Verifiable Interdomain Routing Decisions
Mingchen Zhao, Wenchao Zhou, Alexander J. T. Gurney, Andreas Haeberlen, Micah Sherr,
and Boon Thau Loo
To appear at: SIGCOMM 2012, Helsinki,
Finland, August 2012
[BibTex]
- Having your Cake and Eating it too: Routing Security with Privacy Protections
Alexander J. T. Gurney, Andreas Haeberlen, Wenchao Zhou, Micah Sherr, and Boon Thau Loo
10th ACM Workshop on Hot Topics in Networks
(HotNets-X), Cambridge, MA, November 2011.
[PDF] [BibTex]
- Secure Network Provenance
Wenchao Zhou, Qiong Fei, Arjun Narayan, Andreas Haeberlen, Boon Thau
Loo, and Micah Sherr
23rd ACM Symposium on Operating Systems Principles
(SOSP '11), Cascais, Portugal, October 2011.
[PDF] [BibTex] [Technical report]
- TAP: Time-aware Provenance for Distributed Systems
Wenchao Zhou, Ling Ding, Andreas Haeberlen, Zachary Ives, and Boon Thau Loo
3rd USENIX Workshop on the Theory and Practice of Provenance (TaPP '11), Heraklion, Greece, June 2011.
[PDF] [BibTex]
- NetTrails: A Declarative Platform for Maintaining and Querying Provenance in Distributed Systems
Wenchao Zhou, Qiong Fei, Shengzhi Sun, Tao Tao, Andreas Haeberlen, Zachary Ives, Boon Thau Loo, and Micah Sherr
Demo. ACM SIGMOD International Conference on Management of Data (SIGMOD '11 demo), Athens, Greece, June 2011.
[PDF] [BibTex]
- Tracking Adversarial Behavior in Distributed Systems with Secure Network Provenance
Wenchao Zhou, Andreas Haeberlen, Boon Thau Loo, and Micah Sherr.
Technical Report MS-CIS-10-28, University of Pennsylvania, August 2010.
[PDF] [BibTex]
Contributors
Faculty:
Andreas Haeberlen
Boon Thau Loo
Micah Sherr
Zachary G. Ives
Students and postdocs:
Wenchao Zhou
Arjun Narayan
Qiong Fei
Alexander Gurney
Funding
This work is funded by the National Science Foundation
under the Trustworthy
Computing program (grant number CNS-1065130).