August 2018 – Present

Lecturer/Assistant Professor

University of Bristol

Member of the Cyber Security Group.
December 2017 – August 2018

Research Associate

University of Cambridge

Member of the Digital Technology Group and Fellow at St Edmund’s College.
July 2016 – November 2017

Postdoctoral Fellow

Harvard University

January 2013 – June 2016

Research Assistant

University of Cambridge

September 2008 – August 2011

Software Engineer


R&D Team member.
September 2006 – August 2008

Electronic Engineer


R&D Team member.

Selected Publications

Identifying the root cause and impact of a system intrusion remains a foundational challenge in computer security. Digital provenance provides a detailed history of the flow of information within a computing system, connecting suspicious events to their root causes. Although existing provenance-based auditing techniques provide value in forensic analysis, they assume that such analysis takes place only retrospectively. Such post-hoc analysis is insufficient for realtime security applications; moreover, even for forensic tasks, prior provenance collection systems exhibited poor performance and scalability, jeopardizing the timeliness of query responses.

We present CamQuery, which provides inline, realtime provenance analysis, making it suitable for implementing security applications. CamQuery is a Linux Security Module that offers support for both userspace and in-kernel execution of analysis applications. We demonstrate the applicability of CamQuery to a variety of runtime security applications including data loss prevention, intrusion detection, and regulatory compliance. In evaluation, we demonstrate that CamQuery reduces the latency of realtime query mechanisms, while imposing minimal overheads on system execution. CamQuery thus enables the further deployment of provenance-based technologies to address central challenges in computer security.
In CCS ‘18, 2018

Data provenance describes how data came to be in its present form. It includes data sources and the transformations that have been applied to them. Data provenance has many uses, from forensics and security to aiding the reproducibility of scientific experiments. We present CamFlow, a whole-system provenance capture mechanism that integrates easily into a PaaS offering. While there have been several prior whole-system provenance systems that captured a comprehensive, systemic and ubiquitous record of a system’s behavior, none have been widely adopted. They either A) impose too much overhead, B) are designed for long-outdated kernel releases and are hard to port to current systems, C) generate too much data, or D) are designed for a single system. CamFlow addresses these shortcoming by: 1) leveraging the latest kernel design advances to achieve efficiency; 2) using a self-contained, easily maintainable implementation relying on a Linux Security Module, NetFilter, and other existing kernel facilities; 3) providing a mechanism to tailor the captured provenance data to the needs of the application; and 4) making it easy to integrate provenance across distributed systems. The provenance we capture is streamed and consumed by tenant-built auditor applications. We illustrate the usability of our implementation by describing three such applications: demonstrating compliance with data regulations; performing fault/intrusion detection; and implementing data loss prevention. We also show how CamFlow can be leveraged to capture meaningful provenance without modifying existing applications.
In SoCC ‘17, 2017

In the last few decades, data-driven methods have come to dominate many fields of scientific inquiry. Open data and open-source software have enabled the rapid implementation of novel methods to manage and analyze the growing flood of data. However, it has become apparent that many scientific fields exhibit distressingly low rates of reproducibility. Although there are many dimensions to this issue, we believe that there is a lack of formalism used when describing end-to-end published results, from the data source to the analysis to the final published results. Even when authors do their best to make their research and data accessible, this lack of formalism reduces the clarity and efficiency of reporting, which contributes to issues of reproducibility. Data provenance aids both reproducibility through systematic and formal records of the relationships among data sources, processes, datasets, publications and researchers.
In SciData, 2017

We present FRAPpuccino (or FRAP), a provenance-based fault detection mechanism for Platform as a Service (PaaS) users, who run many instances of an application on a large cluster of machines. FRAP models, records, and analyzes the behavior of an application and its impact on the system as a directed acyclic provenance graph. It assumes that most instances behave normally and uses their behavior to construct a model of legitimate behavior. Given a model of legitimate behavior, FRAP uses a dynamic sliding window algorithm to compare a new instance’s execution to that of the model. Any instance that does not conform to the model is identified as an anomaly. We present the FRAP prototype and experimental results showing that it can accurately detect application anomalies.
In HotCloud, 2017

Recent Publications

More Publications

. Runtime Analysis of Whole-System Provenance. In CCS ‘18, 2018.

PDF Code Project DOI

. Provenance-based Intrusion Detection: Opportunities and Challenges. In Workshop on the Theory and Practice of Provenance, 2018.

PDF Project

. Sharing and Preserving Computational Analyses for Posterity with encapsulator. In Computing in Science & Engineering, 2018.

PDF Code Project DOI

. Data provenance to audit compliance with privacy policy in the Internet of Things. In Personal and Ubiquitous Computing, 2018.

PDF Project DOI

. Practical Whole-System Provenance Capture. In SoCC ‘17, 2017.

PDF Code Project DOI

. If these data could talk. In SciData, 2017.

PDF Project DOI

. FRAPpuccino: Fault-detection through Runtime Analysis of Provenance. In HotCloud, 2017.

PDF Project

. PHP2Uni: Building Unikernels using Scripting Language Transpilation. In IC2E, 2017.


. Big Ideas paper:Policy-driven middleware for a legally-compliant Internet of Things. In Middleware, 2016.

PDF Project DOI

. Data-Centric Access Control for Cloud Computing. In SACMAT, 2016.

PDF Project DOI

Recent & Upcoming Talks

More Talks

Building a provenance-based intrusion detection system
Jan 22, 2019 15:00
Towards a provenance-based intrusion detection system
Dec 5, 2018 12:30
Runtime Analysis of Whole-System Provenance
Oct 18, 2018 11:30
Provenance-based Intrusion Detection: Opportunities and Challenges
Jul 11, 2018 12:00
Building a provenance capture mechanism
Jun 6, 2018 15:00


A practical implementation of Linux Provenance Capture.

Capture and analyze provenance to improve data science.

The Microsoft Cloud Computing Research Centre (MCCRC) is a virtual research centre in which technology lawyers and computer scientists collaborate to conduct cutting-edge research on challenges in cloud computing at the intersection of technology and regulation.

End-to-end application security in the cloud explores the use of Information Flow Control to achieve greater security in cloud computing.


I am the Unit Director for the following courses at the University of Bristol:

  • COMSM1500: Systems Security


  • thomas.pasquier@bristol.ac.uk
  • Office 3.26, Department of Computer Science, Merchant Venturers Building, 75 Woodland Road, Bristol BS8 1UB, UK
  • email for appointment