TY - GEN
T1 - Transparent web service auditing via network provenance functions
AU - Bates, Adam
AU - Ul Hassan, Wajih
AU - Butler, Kevin
AU - Dobra, Alin
AU - Reaves, Bradley
AU - Cable, Patrick
AU - Moyer, Thomas
AU - Schear, Nabil
N1 - The Lincoln Laboratory portion of this work was sponsored by the Assistant Secretary of Defense for Research & Engineering under Air Force Contract #FA8721-05-C-0002. Opinions, interpretations, conclusions and recommendations are those of the author and are not necessarily endorsed by the United States Government.
We would like to thank Mugdha Kumar for her assistance with the extension of Linux Provenance Modules. This work is supported in part by the US National Science Foundation under grant numbers CNS-1540216 and CNS-1540217.
PY - 2017
Y1 - 2017
N2 - Detecting and explaining the nature of attacks in distributed web services is often difficult – determining the nature of suspicious activity requires following the trail of an attacker through a chain of heterogeneous software components including load balancers, proxies, worker nodes, and storage services. Unfortunately, existing forensic solutions cannot provide the necessary context to link events across complex workflows, particularly in instances where application layer semantics (e.g., SQL queries, RPCs) are needed to understand the attack. In this work, we present a transparent provenance-based approach for auditing web services through the introduction of Network Provenance Functions (NPFs). NPFs are a distributed architecture for capturing detailed data provenance for web service components, leveraging the key insight that mediation of an application’s protocols can be used to infer its activities without requiring invasive instrumentation or developer cooperation. We design and implement NPF with consideration for the complexity of modern cloud-based web services, and evaluate our architecture against a variety of applications including DVDStore, RUBiS, and WikiBench to show that our system imposes as little as 9.3% average end-to-end overhead on connections for realistic workloads. Finally, we consider several scenarios in which our system can be used to concisely explain attacks. NPF thus enables the hassle-free deployment of semantically rich provenance-based auditing for complex application workflows in the Cloud.
AB - Detecting and explaining the nature of attacks in distributed web services is often difficult – determining the nature of suspicious activity requires following the trail of an attacker through a chain of heterogeneous software components including load balancers, proxies, worker nodes, and storage services. Unfortunately, existing forensic solutions cannot provide the necessary context to link events across complex workflows, particularly in instances where application layer semantics (e.g., SQL queries, RPCs) are needed to understand the attack. In this work, we present a transparent provenance-based approach for auditing web services through the introduction of Network Provenance Functions (NPFs). NPFs are a distributed architecture for capturing detailed data provenance for web service components, leveraging the key insight that mediation of an application’s protocols can be used to infer its activities without requiring invasive instrumentation or developer cooperation. We design and implement NPF with consideration for the complexity of modern cloud-based web services, and evaluate our architecture against a variety of applications including DVDStore, RUBiS, and WikiBench to show that our system imposes as little as 9.3% average end-to-end overhead on connections for realistic workloads. Finally, we consider several scenarios in which our system can be used to concisely explain attacks. NPF thus enables the hassle-free deployment of semantically rich provenance-based auditing for complex application workflows in the Cloud.
KW - Audit
KW - Data provenance
KW - Security
UR - http://www.scopus.com/inward/record.url?scp=85051565623&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85051565623&partnerID=8YFLogxK
U2 - 10.1145/3038912.3052640
DO - 10.1145/3038912.3052640
M3 - Conference contribution
AN - SCOPUS:85051565623
SN - 9781450349130
T3 - 26th International World Wide Web Conference, WWW 2017
SP - 887
EP - 895
BT - 26th International World Wide Web Conference, WWW 2017
PB - International World Wide Web Conferences Steering Committee
T2 - 26th International World Wide Web Conference, WWW 2017
Y2 - 3 April 2017 through 7 April 2017
ER -