Publications

KAIROS: Practical Intrusion Detection and Investigation using Whole-system Provenance
Provenance graphs are structured audit logs that describe the history of a system’s execution. Recent studies have explored a …
Z Cheng, Q Lv, J Liang, Y Wang, D Sun, T Pasquier, X Han
PDF Cite
KAIROS: Practical Intrusion Detection and Investigation using Whole-system Provenance
Kairos: Practical Intrusion Detection and Investigation using Whole-system Provenance (Supplementary Material)
This document is a companion contain materials supplementary to our paper published in the 43rd IEEE Symposium on Security and Privacy …
Z Cheng, Q Lv, J Liang, Y Wang, D Sun, T Pasquier, X Han
PDF Cite
Kairos: Practical Intrusion Detection and Investigation using Whole-system Provenance (Supplementary Material)
Unleashing Unprivileged eBPF Potential with Dynamic Sandboxing
For safety reasons, unprivileged users today have only limited ways to customize the kernel through the extended Berkeley Packet Filter …
SY Lim, X Han, T Pasquier
PDF Cite DOI
Unleashing Unprivileged eBPF Potential with Dynamic Sandboxing
A large-scale study on research code quality and execution
This article presents a study on the quality and execution of research code from publicly-available replication datasets at the Harvard …
A Trisovic, M K Lau, T Pasquier, M Crosas
PDF Cite DOI
A large-scale study on research code quality and execution
Secure Namespaced Kernel Audit for Containers
Despite the wide usage of container-based cloud computing, container auditing for security analysis relies mostly on built-in host …
SY Lim, B Stelea, X Han, T Pasquier
PDF Cite
Secure Namespaced Kernel Audit for Containers
SIGL: Securing Software Installations Through Deep Graph Learning
Many users implicitly assume that software can only be exploited after it is installed. However, recent supply-chain attacks …
X Han, X Yu, T Pasquier, D Li, J Rhee, J Mickens, M Seltzer, C Haifeng
PDF Cite
SIGL: Securing Software Installations Through Deep Graph Learning
Accelerating the Configuration Tuning of Big Data Analytics with Similarity-aware Multitask Bayesian Optimization
One of the key challenges for data analytics deployment is configuration tuning. The existing approaches for configuration tuning are …
A Fekry, L Carata, T Pasquier, A Rice
PDF Cite Slides
Accelerating the Configuration Tuning of Big Data Analytics with Similarity-aware Multitask Bayesian Optimization
Xanthus: Push-button Orchestration of Host Provenance Data Collection
Host-based anomaly detectors generate alarms by inspecting audit logs for suspicious behavior. Unfortunately, evaluating these anomaly …
X Han, J Mickens, A Gehani, M Seltzer, T Pasquier
PDF Cite
Xanthus: Push-button Orchestration of Host Provenance Data Collection
To Tune or Not to Tune? In Search of Optimal Configurations for Data Analytics
This experimental study presents a number of issues that pose a challenge for practical configuration tuning and its deployment in data …
A Fekry, L Carata, T Pasquier, A Rice, A Hopper
PDF Cite
To Tune or Not to Tune? In Search of Optimal Configurations for Data Analytics
UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats
Advanced Persistent Threats (APTs) are difficult to detect due to their low-and-slow attack patterns and frequent use of zero-day …
X Han, T Pasquier, A Bates, J Mickens, M Seltzer
PDF Cite
UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats
Rclean: A Tool for Writing Cleaner, More Transparent Code
The growth of programming in the sciences has been explosive in the last decade. This has facilitated the rapid advancement of science …
M K Lau, T Pasquier, M Seltzer
PDF Cite DOI
Rclean: A Tool for Writing Cleaner, More Transparent Code
Facilitating plausible deniability for cloud providers regarding tenants' activities using trusted execution
A cloud provider that can technically determine tenants’ operations may be compelled to disclose such activities by law …
D O'Keeffe, A Vranaki, T Pasquier, D Eyers
PDF Cite
Demonstrating the Practicality of Unikernels to Build a Serverless Platform at the Edge
The rise of IoT has led to large volumes of personal data being produced at the network’s edge. Most IoT applications process data in …
C Mistry, B Stelea, V Kumar, T Pasquier
PDF Cite Code DOI
ProvMark: A Provenance Expressiveness Benchmarking System
System level provenance is of widespread interest for applications such as security enforcement and information protection. However, …
S C Chan, J Cheney, P Bhatotia, A Gehani, H Irshad, T Pasquier, L Carata, M Seltzer
PDF Cite
ProvMark: A Provenance Expressiveness Benchmarking System
From Here to Provtopia
Valuable, sensitive, and regulated data flow freely through distributed governing the collection, use, and management of such data? We …
T Pasquier, D Eyers, M Seltzer
PDF Cite
Towards Seamless Configuration Tuning of Big Data Analytics
The execution of distributed data processing workloads (such as those running on top of Hadoop or Spark) in cloud environments presents …
A Fekry, L Carata, T Pasquier, Andrew Rice, Andy Hopper
PDF Cite DOI
Viewpoint | Personal Data and the Internet of Things: It is time to care about digital provenance
The Internet of Things promises a connected environment reacting to and addressing our every need, but based on the assumption that all …
T Pasquier, D Eyers, J Bacon
PDF Cite DOI
Runtime Analysis of Whole-System Provenance
Identifying the root cause and impact of a system intrusion remains a foundational challenge in computer security. Digital provenance …
T Pasquier, X Han, T Moyer, A Bates, O Hermant, D Eyers, J Bacon, M Seltzer
PDF Cite Code DOI
Runtime Analysis of Whole-System Provenance
Provenance-based Intrusion Detection: Opportunities and Challenges
Intrusion detection is an arms race; attackers evade intrusion detection systems by developing new attack vectors to sidestep known …
X Han, T Pasquier, M Seltzer
PDF Cite
Sharing and Preserving Computational Analyses for Posterity with encapsulator
Open data and open-source software may be part of the solution to science’s “reproducibility crisis”, but they are insufficient to …
T Pasquier, M K Lau, X Han, E Fong, B Lerner, E Boose, M Crosas, A Ellison, M Seltzer
PDF Cite Code DOI
Data provenance to audit compliance with privacy policy in the Internet of Things
Managing privacy in the IoT presents a significant challenge. We make the case that information obtained by auditing the flows of data …
T Pasquier, J Singh, J Powles, D Eyers, M Seltzer, J Bacon
PDF Cite DOI
Practical Whole-System Provenance Capture
Data provenance describes how data came to be in its present form. It includes data sources and the transformations that have been …
T Pasquier, X Han, M Goldstein, T Moyer, D Eyers, M Seltzer, J Bacon
PDF Cite Code DOI
Practical Whole-System Provenance Capture
If these data could talk
In the last few decades, data-driven methods have come to dominate many fields of scientific inquiry. Open data and open-source …
T Pasquier, M K Lau, A Trisovic, E Boose, B Couturier, M Crosas, A Ellisson, V Gibson, C Jones, M Seltzer
PDF Cite DOI
If these data could talk
FRAPpuccino: Fault-detection through Runtime Analysis of Provenance
We present FRAPpuccino (or FRAP), a provenance-based fault detection mechanism for Platform as a Service (PaaS) users, who run many …
X Han, T Pasquier, T Ranjan, M Goldstein, M Seltzer
PDF Cite
FRAPpuccino: Fault-detection through Runtime Analysis of Provenance
PHP2Uni: Building Unikernels using Scripting Language Transpilation
Unikernels are a rapidly emerging technology in the world of cloud computing. Unikernels build on research on library operating systems …
T Pasquier, D Eyers, J Bacon
PDF Cite DOI
Big Ideas paper: Policy-driven middleware for a legally-compliant Internet of Things
Internet of Things (IoT) applications, systems and services are subject to law. We argue that for the IoT to develop lawfully, there …
J Singh, T Pasquier, J Bacon, J Powles, R Diaconu, D Eyers
PDF Cite DOI
Data-Centric Access Control for Cloud Computing
The usual approach to security for cloud-hosted applications is strong separation. However, it is often the case that the same data is …
T Pasquier, J Bacon, J Singh, D Eyers
PDF Cite DOI
Twenty security considerations for cloud-supported Internet of Things
To realize the broad vision of pervasive computing, underpinned by the “Internet of Things” (IoT), it is essential to break down …
J Singh, T Pasquier, J Bacon, H Ko, D Eyers
PDF Cite DOI
Information Flow Audit for Transparency and Compliance in the Handling of Personal Data
The adoption of cloud computing is increasing and its use is becoming widespread in many sectors. As the proportion of services …
T Pasquier, D Eyers
PDF Cite DOI
Information Flow Audit for PaaS clouds
With the rapid increase in uptake of cloud services, issues of data management are becoming increasingly prominent. There is a clear, …
T Pasquier, J Singh, J Bacon, D Eyers
PDF Cite DOI
Clouds of Things Need Information Flow Control with Hardware Roots of Trust
There is a clear, outstanding need for new security mechanisms that allow data to be managed and controlled within the cloud-enabled …
T Pasquier, J Singh, J Bacon
PDF Cite DOI
CamFlow: Managed Data-Sharing for Cloud Services
A model of cloud services is emerging whereby a few trusted providers manage the underlying hardware and communications whereas many …
T Pasquier, J Singh, D Eyers, J Bacon
PDF Cite DOI
Data Flow Management and Compliance in Cloud Computing
As cloud computing becomes an increasingly dominant means of providing computing resources, the legal and regulatory issues associated …
J Singh, J Powles, T Pasquier, J Bacon
PDF Cite DOI
Managing Big Data with Information Flow Control
Concern about data leakage is holding back more widespread adoption of cloud computing by companies and public institutions alike. To …
T Pasquier, J Singh, J Bacon, O Hermant
PDF Cite DOI
Securing Tags to Control Information Flows within the Internet of Things
To realise the full potential of the Internet of Things (loT), loT architectures are moving towards open and dynamic interoperability, …
J Singh, T Pasquier, J Bacon
PDF Cite DOI
Integrating Middleware with Information Flow Control
Security is an ongoing challenge in cloud computing. Currently, cloud consumers have few mechanisms for managing their data within the …
T Pasquier, J Singh, J Bacon, D Eyers
PDF Cite DOI
Information Flow Control for Strong Protection with Flexible Sharing in PaaS
The need to share data across applications is becoming increasingly evident. Current cloud isolation mechanisms focus solely on …
T Pasquier, J Singh, J Bacon
PDF Cite DOI
Expressing and Enforcing Location Requirements in the Cloud using Information Flow Control
The adoption of cloud computing is increasing and its use is becoming widespread in many sectors. As cloud service provision increases, …
T Pasquier, J Powles
PDF Cite DOI
FlowK: Information Flow Control for the Cloud
Security concerns are widely seen as an obstacle to the adoption of cloud computing solutions and although a wealth of law and …
T Pasquier, J Bacon, D Eyers
PDF Cite DOI
Regional clouds: technical considerations
The emergence and rapid uptake of cloud computing services raise a number of legal challenges. Recently, there have been calls for …
J Singh, J Bacon, J Crowcroft, A Madhavapeddy, T Pasquier, W Kuan Hon, C Millard
PDF Cite
FlowR: Aspect Oriented Programming for Information Flow Control in Ruby
This paper reports on our experience with providing Information Flow Control (IFC) as a library. Our aim was to support the use of an …
T Pasquier, J Bacon, B Shand
PDF Cite DOI
Information Flow Control for Secure Cloud Computing
Security concerns are widely seen as an obstacle to the adoption of cloud computing solutions. Information Flow Control (IFC) is a well …
J Bacon, D Eyers, T Pasquier, J Singh, I Papagiannis, P Pietzuch
PDF Cite DOI