Title
RecProv: Towards Provenance-Aware User Space Record and Replay.
Abstract
Deterministic record and replay systems have been widely used in software debugging, failure diagnosis, and intrusion detection. In order to detect an Advanced Persistent Threat (APT), online execution needs to be recorded with acceptable runtime overhead; investigators can then analyze the replayed execution with heavy dynamic instrumentation. While most record and replay systems rely on kernel modules or OS virtualization, those running in user space are favoured for being lighter weight and more portable, without any of the changes needed for OS/kernel virtualization. On the other hand, higher-level provenance data provides dynamic analysis with system causalities and hugely increases its efficiency. Considering both benefits, we propose a provenance-aware user space record and replay system, called RecProv. RecProv is designed to provide high provenance fidelity; specifically, it versions files from the recorded trace logs and protects the integrity of provenance data through real-time trace isolation. The collected provenance provides the high-level system dependencies that help pinpoint suspicious activities to which further analysis can be applied. We show that RecProv is able to output accurate provenance in both a visualized graph and the W3C standardized PROV-JSON format.
Year: 2016
DOI: 10.1007/978-3-319-40593-3_1
Venue: IPAW
Keywords: Provenance capturing, Record and replay, User space, PROV
Field: Virtualization, Kernel (linear algebra), Advanced persistent threat, Fidelity, Computer science, User space, Replay system, Intrusion detection system, Operating system, Database, Software versioning
DocType: Conference
Volume: 9672
ISSN: 0302-9743
Citations: 3
PageRank: 0.38
References: 21
Authors: 3
Authors (Name, Order, Citations and PageRank as extracted; the citation and PageRank figures are fused in the source and are left as-is):
Yang Ji, order 1, citations/PageRank 12727.38
Sangho Lee, order 2, citations/PageRank 14417.97
Wenke Lee, order 3, citations/PageRank 9351628.83