Provenance-Aware Declarative Secure Networks

In recent years, network accountability and forensic analysis have become increasingly important as a means of performing network diagnostics, identifying malicious nodes, enforcing trust management policies, and imposing diverse billing over the Internet. This has led to a series of efforts to provide better network support for accountability, and efficient mechanisms to trace packets and information flows through the Internet. In this paper, we make the following contributions. First, we show that network accountability and forensic analysis can be posed generally as data provenance computations and queries over distributed streams. In particular, one can utilize provenance-aware declarative networks with appropriate security extensions to provide a flexible declarative framework for specifying, analyzing and auditing networks. Second, we propose a taxonomy of data provenance along multiple axes, and show that they map naturally to different use cases in networks. Third, we suggest techniques to efficiently compute and store network provenance, and provide an initial performance evaluation on the P2 declarative networking system with modifications to support provenance and authenticated communication.
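As an added illustration of the first contribution (not code from the paper or from the P2 system), the following evaluates the classic two-rule declarative-routing program, path(S,D) :- link(S,D) and path(S,D) :- link(S,Z), path(Z,D), while attaching why-provenance to every derived tuple, so that accountability questions such as "which links does this path depend on?" become lookups over stored provenance rather than re-traces. The link facts are a constructed sample topology, and the rule evaluator and query functions are this example's own.

```python
from itertools import product

# Constructed sample topology (assumption): a small overlay network.
LINKS = {("a", "b"), ("b", "c"), ("c", "d"), ("a", "c")}

def derive_paths(links):
    """Fixpoint evaluation of the two path rules, returning
    {(src, dst): set of frozenset(base links)}, i.e. why-provenance:
    each frozenset is one alternative derivation of the tuple."""
    prov = {}
    # Rule 1: every link is a path whose provenance is the link itself.
    for l in links:
        prov.setdefault(l, set()).add(frozenset([l]))
    changed = True
    while changed:
        changed = False
        # Rule 2: join link(S,Z) with path(Z,D); the new derivation is the
        # union of the link fact and the derivation of path(Z,D).
        for (s, z), (z2, d) in product(links, list(prov)):
            if z != z2 or s == d:      # no join, or a path back to itself
                continue
            for p in list(prov[(z2, d)]):
                if (s, z) in p:        # never reuse a link within one derivation
                    continue
                new = p | {(s, z)}
                if new not in prov.setdefault((s, d), set()):
                    prov[(s, d)].add(new)
                    changed = True
    return prov

def links_supporting(prov, src, dst):
    """Forensic query: every base link that appears in any derivation."""
    return set().union(*prov.get((src, dst), set()))

def depends_on_link(prov, src, dst, link):
    """Accountability query: does every derivation of the path use `link`?
    True means removing or distrusting that link invalidates the path."""
    derivs = prov.get((src, dst), set())
    return bool(derivs) and all(link in d for d in derivs)
```

For the sample topology, path(a,d) has two derivations; it depends on link (c,d) unconditionally but not on (a,b), because the derivation through (a,c) avoids it.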
