Abstract

With the unprecedented need for remote working and virtual retail, there has been a worldwide surge in the adoption of cloud and edge computing. On the other hand, the significant reliance on virtual services has rendered the underlying virtualized environments supporting those services an attractive target for cyber criminals. There exist provenance-based solutions for identifying the root causes of security incidents and threat prevention by tracing the relationships between events at lower abstraction levels (e.g., system calls of an operating system). However, the sheer scale of virtualized environments means that such solutions would generate impractically large and complex provenance graphs for human analysts to interpret, especially in the context of virtualized environments with tens of thousands of users and inter-connected resources. Moreover, most intended user actions (e.g., creating a virtual function) generate a large number of events at lower abstraction levels, while it is typically challenging to associate those triggered operations to the intended actions of users, which further hinders understanding the provenance graphs. Finally, most works rely on human analysts to interpret provenance graphs into human-readable forensic reports. Therefore, the main focus of this thesis is to facilitate the investigation and prevention of security incidents through practical provenance-based solutions in virtualized environments such as clouds and network functions virtualization (NFV). First, we propose a cloud management-level provenance model to facilitate forensic investigations by capturing the dependencies between cloud management operations, instead of low-level system calls. Based on this model, we design a framework to construct management-level provenance graphs and prune operations that are irrelevant to detected security incidents. Second, we propose an approach preventing security incidents in clouds based on the management-level provenance graph. Third, we propose the first multi-level provenance system for NFV built for capturing the relationship between management operations across different levels of the NFV stack, and increasing the interpretability of the logged information by leveraging the inherent cross-level dependencies. Fourth, we propose a solution to bridge the gap between human understanding of natural languages and data provenance by automatically generating forensic reports explaining the root cause of security incidents based on the provenance graphs.