Operators of distributed systems often find themselves needing to answer a diagnostic or forensic question. Some part of the system is found to be in an unexpected state; for example, a suspicious routing table entry is discovered, or a proxy cache is found to contain an unusually large number of advertisements. The operators must determine the causes of this state before they can decide on an appropriate response. On the one hand, there may be an innocent explanation: the routing table entry could be the result of a miscon­figuration, and the cache entries could have appeared due to a workload change. On the other hand, the unexpected state may be the symptom of an ongoing attack: the routing table entry could be the result of route hijacking, and the cache entries could be a side-effect of a malware infection. In this situation, it would be helpful to be able to ask the system to "explain" its own state, e.g., by describing a chain of events that link the state to its root causes, such as external inputs.

As long as the system is working correctly, emerging network provenance techniques can construct such explanations. However, if some of the nodes are faulty or have been compromised by an adversary, the situation is complicated by the fact that the adversary can cause the nodes under his control to lie, suppress information, tamper with existing data, or report nonexistent events. This can cause the provenance system to turn from an advantage into a liability: its answers may cause operators to stop investigating an ongoing attack because everything looks fine.

The goal of this project is to provide secure network provenance, that is, the ability to correctly explain system states even when (and especially when) the system is faulty or under attack. Towards this goal, we are substantially extending and generalizing the concept of network provenance by adding capabilities needed in a forensic setting, we are developing techniques for securely storing prove­nance without trusted components, and we are designing methods for efficiently querying secure provenance. We are evaluating our techniques in the context of concrete applications, such as Hadoop MapReduce or BGP interdomain routing.

• Distributed Time-Aware Provenance
  Wenchao Zhou, Suyog Mapara, Yiqing Ren, Yang Li, Andreas Haeberlen, Zachary Ives, Boon Thau Loo, and Micah Sherr
  To appear at: 39th International Conference on Very Large Data Bases (VLDB '13), Riva del Garda, Italy, August 2013.
  [PDF] [BibTex]
  
  
• Private and Verifiable Interdomain Routing Decisions
  Mingchen Zhao, Wenchao Zhou, Alexander J. T. Gurney, Andreas Haeberlen, Micah Sherr, and Boon Thau Loo
  SIGCOMM 2012, Helsinki, Finland, August 2012
  [PDF] [BibTex] [Technical report]
  
  
• Privacy-Aware Message Exchanges for Geographically Routed Human Movement
  Adam J. Aviv, Micah Sherr, Matt Blaze, and Jonathan M. Smith
  To appear at: 17th European Symposium on Research in Computer Security (ESORICS), Pisa, Italy, September 2012
  [BibTex]
  
  
• $100,000 Prize Jackpot. Call Now! Identifying the Pertinent Features of SMS Spam
  Henry Tan, Nazli Goharian, and Micah Sherr
  Poster, to be presented at: ACM Conference on Research and Development in Information Retrieval (SIGIR), Portland, OR, August 2012
  [BibTex]
  
  
• Querying Provenance for Ranking and Recommending
  Zachary G. Ives, Andreas Haeberlen, Tao Feng, and Wolfgang Gatterbauer
  4th USENIX Workshop on the Theory and Practice of Provenance (TaPP'12), Boston, MA, June 2012
  [PDF] [BibTex]
  
  
• Accountable Wiretapping -or- I Know They Can Hear You Now
  Adam Bates, Kevin Butler, Micah Sherr, Clay Shields, Patrick Traynor, and Dan Wallach
  19th Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, February 2012
  [PDF] [BibTex]
  
  
• Exploring the Potential Benefits of Expanded Rate Limiting in Tor: Slow and Steady Wins the Race With Tortoise
  Brad Moore, Chris Wacek, and Micah Sherr
  Annual Computer Security Applications Conference (ACSAC), Orlando, FL, December 2011
  [PDF] [BibTex]
  
  
• Having your Cake and Eating it too: Routing Security with Privacy Protections
  Alexander J. T. Gurney, Andreas Haeberlen, Wenchao Zhou, Micah Sherr, and Boon Thau Loo
  10th ACM Workshop on Hot Topics in Networks (HotNets-X), Cambridge, MA, November 2011.
  [PDF] [BibTex]
  
  
• Secure Network Provenance
  Wenchao Zhou, Qiong Fei, Arjun Narayan, Andreas Haeberlen, Boon Thau Loo, and Micah Sherr
  23rd ACM Symposium on Operating Systems Principles (SOSP '11), Cascais, Portugal, October 2011.
  [PDF] [BibTex] [Technical report]
  
  
• TAP: Time-aware Provenance for Distributed Systems
  Wenchao Zhou, Ling Ding, Andreas Haeberlen, Zachary Ives, and Boon Thau Loo
  3rd USENIX Workshop on the Theory and Practice of Provenance (TaPP '11), Heraklion, Greece, June 2011.
  [PDF] [BibTex]
  
  
• NetTrails: A Declarative Platform for Maintaining and Querying Provenance in Distributed Systems
  Wenchao Zhou, Qiong Fei, Shengzhi Sun, Tao Tao, Andreas Haeberlen, Zachary Ives, Boon Thau Loo, and Micah Sherr
  Demo. ACM SIGMOD International Conference on Management of Data (SIGMOD '11 demo), Athens, Greece, June 2011.
  [PDF] [BibTex]
  
  
• Tracking Adversarial Behavior in Distributed Systems with Secure Network Provenance
  Wenchao Zhou, Andreas Haeberlen, Boon Thau Loo, and Micah Sherr.
  Technical Report MS-CIS-10-28, University of Pennsylvania, August 2010.
  [PDF] [BibTex]
  
  

Faculty:
Andreas Haeberlen
Boon Thau Loo
Micah Sherr
Zachary G. Ives

Students and postdocs:
Wenchao Zhou
Mingchen Zhao
Arjun Narayan
Alexander Gurney
W. Brad Moore
Qiong Fei

Alumni:
Wenchao Zhou (now faculty at Georgetown)

This work is funded by the National Science Foundation under the Trustworthy Computing program (grant number CNS-1065130).