{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,18]],"date-time":"2026-03-18T14:19:49Z","timestamp":1773843589953,"version":"3.50.1"},"reference-count":82,"publisher":"SAGE Publications","issue":"4","license":[{"start":{"date-parts":[[2021,4,27]],"date-time":"2021-04-27T00:00:00Z","timestamp":1619481600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/journals.sagepub.com\/page\/policies\/text-and-data-mining-license"}],"content-domain":{"domain":["journals.sagepub.com"],"crossmark-restriction":true},"short-container-title":["Journal of Computer Security"],"published-print":{"date-parts":[[2021,6,18]]},"abstract":"<jats:p> Data provenance collects comprehensive information about the events and operations in a computer system at both application and kernel levels. It provides a detailed and accurate history of transactions that help delineate the data flow scenario across the whole system. Data provenance helps achieve system resilience by uncovering several malicious attack traces after a system compromise that are leveraged by the analyzer to understand the attack behavior and discover the level of damage. Existing literature demonstrates a number of research efforts on information capture, management, and analysis of data provenance. In recent years, provenance in IoT devices attracts several research efforts because of the proliferation of commodity IoT devices. In this survey paper, we present a comparative study of the state-of-the-art approaches to provenance by classifying them based on frameworks, deployed techniques, and subjects of interest. We also discuss the emergence and scope of data provenance in IoT network. Finally, we present the urgency in several directions that data provenance needs to pursue, including data management and analysis. 
<\/jats:p>","DOI":"10.3233\/jcs-200108","type":"journal-article","created":{"date-parts":[[2021,4,27]],"date-time":"2021-04-27T19:57:48Z","timestamp":1619553468000},"page":"423-446","update-policy":"https:\/\/doi.org\/10.1177\/sage-journals-update-policy","source":"Crossref","is-referenced-by-count":11,"title":["A comprehensive survey on data provenance: State-of-the-art approaches and their deployments for IoT security enforcement"],"prefix":"10.1177","volume":"29","author":[{"given":"Md Morshed","family":"Alam","sequence":"first","affiliation":[{"name":"Department of Software and Information Systems, University of North Carolina at Charlotte, NC, USA."}]},{"given":"Weichao","family":"Wang","sequence":"additional","affiliation":[{"name":"Department of Software and Information Systems, University of North Carolina at Charlotte, NC, USA."}]}],"member":"179","published-online":{"date-parts":[[2021,4,27]]},"reference":[{"key":"ref001","unstructured":"A Framework for Harmonizing Forensic Science Practices and Digital\/Multimedia Evidence, The Organization of Scientific Area Committees for Forensic, Accessed 2020-11-17."},{"key":"ref002","doi-asserted-by":"crossref","unstructured":"H.\u00a0Akhundov, E.\u00a0Sluis, S.\u00a0Hamdioui and M.\u00a0Taouil, Public-Key Based Authentication Architecture for IoT Devices Using PUF, 2019, pp.\u00a0353\u2013371.","DOI":"10.5121\/csit.2019.91328"},{"key":"ref003","doi-asserted-by":"publisher","DOI":"10.1109\/SmartWorld.2018.00175"},{"key":"ref004","unstructured":"E.\u00a0Aliaj, I.D.O.\u00a0Nunes and G.\u00a0Tsudik, GAROTA: Generalized Active Root-Of-Trust Architecture, 2021."},{"key":"ref005","unstructured":"G.\u00a0Alonso, D.\u00a0Agrawal, A.\u00a0Abbadi and C.\u00a0Mohan, Functionality and Limitations of Current Workflow Management Systems, 1997, 
unpublished."},{"key":"ref006","doi-asserted-by":"publisher","DOI":"10.1109\/ICC.2019.8761945"},{"key":"ref007","unstructured":"J.P.\u00a0Anderson, Computer Security Technology Planning Study, Technical Report, ESD-TR-73-51, U.S. Air Force Electronic Systems Division, 1972. https:\/\/csrc.nist.gov\/csrc\/media\/publications\/conference-paper\/1998\/10\/08\/proceedings-of-the-21st-nissc-1998\/documents\/early-cs-papers\/ande72a.pdf."},{"key":"ref008","unstructured":"L.\u00a0Babun, A.K.\u00a0Sikder, A.\u00a0Acar and A.S.\u00a0Uluagac, IoTDots: A Digital Forensics Framework for Smart Environments, 2018, CoRR, abs\/1809.00745. http:\/\/arxiv.org\/abs\/1809.00745."},{"key":"ref009","unstructured":"A.\u00a0Bates, D.J.\u00a0Tian, K.R.B.\u00a0Butler and T.\u00a0Moyer, Trustworthy whole-system provenance for the Linux kernel, in: 24th USENIX Security Symposium (USENIX Security 15), USENIX Association, Washington, DC, 2015, pp.\u00a0319\u2013334, ISBN 978-1-931971-232, https:\/\/www.usenix.org\/conference\/usenixsecurity15\/technical-sessions\/presentation\/bates."},{"key":"ref010","unstructured":"A.M.\u00a0Bates, K.R.B.\u00a0Butler, A.\u00a0Dobra, B.\u00a0Reaves, P.T.\u00a0Cable, T.\u00a0Moyer and N.\u00a0Schear, Retrofitting Applications with Provenance-Based Security Monitoring, 2016, CoRR, abs\/1609.00266. http:\/\/arxiv.org\/abs\/1609.00266."},{"key":"ref011","unstructured":"K.\u00a0Belhajjame, R.\u00a0B\u2019Far, J.\u00a0Cheney, S.\u00a0Coppens, S.\u00a0Cresswell, Y.\u00a0Gil, P.\u00a0Groth, G.\u00a0Klyne, T.\u00a0Lebo, J.\u00a0McCusker, S.\u00a0Miles, J.\u00a0Myers, S.\u00a0Sahoo and C.\u00a0Tilmes, Prov-DM: The Provenance Data Model, 2013. Accessed: 2018-04-30."},{"key":"ref012","unstructured":"K.\u00a0Belhajjame, J.\u00a0Cheney, D.\u00a0Corsar, D.\u00a0Garijo, S.\u00a0Soiland-Reyes, S.\u00a0Zednik and J.\u00a0Zhao, PROV-O: The PROV Ontology, 2013. 
Accessed: 2019-06-12."},{"key":"ref013","unstructured":"A.H.\u00a0Bell-Thomas, Trusted Reference Monitors for Linux using Intel SGX Enclaves, 2020, p.\u00a081."},{"key":"ref014","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354254"},{"key":"ref015","doi-asserted-by":"publisher","DOI":"10.1145\/1057977.1057978"},{"key":"ref016","doi-asserted-by":"publisher","DOI":"10.1007\/11890850_18"},{"key":"ref017","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-44503-X_20"},{"key":"ref018","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2017.08.002"},{"key":"ref019","doi-asserted-by":"publisher","DOI":"10.1145\/3333501"},{"key":"ref020","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23326"},{"key":"ref021","unstructured":"Z.Y.\u00a0Celik, P.\u00a0McDaniel and G.\u00a0Tan, Soteria: Automated IoT Safety and Security Analysis, in: USENIX Annual Technical Conference, 2018."},{"key":"ref022","doi-asserted-by":"publisher","DOI":"10.1049\/iet-sen.2018.5291"},{"key":"ref023","unstructured":"N.\u00a0Dejon, C.\u00a0Gaber and G.\u00a0Grimaud, Perspectives on security kernels for IoT, in: RESSI (Rendez-Vous de la Recherche et de l\u2019Enseignement de la S\u00e9curit\u00e9 des Syst\u00e8mes d\u2019Information), 2020."},{"key":"ref024","unstructured":"M.\u00a0Desnoyers, Using the Linux Kernel Tracepoints, Accessed: 2019-01-21."},{"key":"ref025","doi-asserted-by":"publisher","DOI":"10.1145\/586110.586141"},{"key":"ref026","doi-asserted-by":"publisher","DOI":"10.5121\/ijwmn.2019.11304"},{"key":"ref027","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.44"},{"key":"ref028","doi-asserted-by":"crossref","unstructured":"A.\u00a0Gehani and D.\u00a0Tariq, SPADE: Support for provenance auditing in distributed environments, in: Proceedings of the 13th International Middleware Conference, Middleware \u201912, Springer-Verlag New York, Inc., New York, NY, USA, 2012, pp.\u00a0101\u2013120, ISBN 978-3-642-35169-3, 
http:\/\/dl.acm.org\/citation.cfm?id=2442626.2442634.","DOI":"10.1007\/978-3-642-35170-9_6"},{"key":"ref029","unstructured":"GNU Bison, Accessed: 2019-04-11."},{"key":"ref030","doi-asserted-by":"publisher","DOI":"10.1109\/ICDCSW.2005.62"},{"key":"ref031","doi-asserted-by":"crossref","unstructured":"H.\u00a0Hamadeh and A.\u00a0Tyagi, Privacy preserving data provenance model based on PUF for secure Internet of Things, in: 2019 IEEE International Symposium on Smart Electronic Systems (iSES) (Formerly iNiS), 2019, pp.\u00a0189\u2013194.","DOI":"10.1109\/iSES47678.2019.00050"},{"key":"ref032","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00041"},{"key":"ref033","doi-asserted-by":"crossref","unstructured":"W.U.\u00a0Hassan, M.\u00a0Lemay, N.\u00a0Aguse, A.\u00a0Bates and T.\u00a0Moyer, Towards scalable cluster auditing through grammatical inference over provenance graphs, in: Network and Distributed System Security Symposium (NDSS), 2018.","DOI":"10.14722\/ndss.2018.23141"},{"key":"ref034","doi-asserted-by":"publisher","DOI":"10.1007\/s00778-017-0486-1"},{"key":"ref035","doi-asserted-by":"publisher","DOI":"10.1145\/1266840.1266854"},{"key":"ref036","doi-asserted-by":"publisher","DOI":"10.1109\/32.588521"},{"key":"ref037","unstructured":"A.\u00a0Hutton, T.\u00a0Zanussi, K.\u00a0Yaghmour, R.W.\u00a0Wisniewski, R.\u00a0Moore and M.\u00a0Dagenais, relayfs: An efficient unified approach for transmitting data from kernel to user space, in: Proceedings of the Linux Symposium, Ottawa, Ontario, Canada, 2003, https:\/\/www.kernel.org\/doc\/ols\/2003\/ols2003-pages-494-506.pdf."},{"key":"ref038","unstructured":"T.D.\u00a0Huynh, M.O.\u00a0Jewell, A.S.\u00a0Keshavarz, D.T.\u00a0Michaelides, H.\u00a0Yang and L.\u00a0Moreau, The PROV-JSON Serialization, 2013. Accessed: 2019-01-05."},{"key":"ref039","doi-asserted-by":"crossref","unstructured":"IFTTT, Every thing works better together. 
Accessed: 2020-08-21.","DOI":"10.1038\/s41576-020-0238-8"},{"key":"ref040","unstructured":"Internet of Things, Privacy and Security in a Connected World, Federal Trade Commission, Accessed: 2020-11-17."},{"key":"ref041","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4419-5906-5_646"},{"key":"ref042","doi-asserted-by":"publisher","DOI":"10.1145\/3282278.3282281"},{"key":"ref043","doi-asserted-by":"crossref","unstructured":"U.\u00a0Javaid, M.N.\u00a0Aman and B.\u00a0Sikdar, Defining trust in IoT environments via distributed remote attestation using blockchain, in: International Symposium on Theory, Algorithmic Foundations, and Protocol Design for Mobile Networks and Mobile Computing, 2020, pp.\u00a0321\u2013326.","DOI":"10.1145\/3397166.3412801"},{"key":"ref044","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2017.23051"},{"key":"ref045","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516731"},{"key":"ref046","unstructured":"K.H.\u00a0Lee, X.\u00a0Zhang and D.\u00a0Xu, High accuracy attack provenance via binary-based execution partition, in: 20th Annual Network and Distributed System Security Symposium, NDSS 2013, San Diego, California, USA, February 24\u201327, 2013, 2013. 
https:\/\/www.ndss-symposium.org\/ndss2013\/high-accuracy-attack-provenance-binary-based-execution-partition."},{"key":"ref047","unstructured":"S.\u00a0Ma, J.\u00a0Zhai, F.\u00a0Wang, K.H.\u00a0Lee, X.\u00a0Zhang and D.\u00a0Xu, MPI: Multiple perspective attack investigation with semantic aware execution partitioning, in: 26th USENIX Security Symposium (USENIX Security 17), USENIX Association, Vancouver, BC, 2017, pp.\u00a01111\u20131128, ISBN 978-1-931971-40-9, https:\/\/www.usenix.org\/conference\/usenixsecurity17\/technical-sessions\/presentation\/ma."},{"key":"ref048","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23350"},{"key":"ref049","doi-asserted-by":"crossref","unstructured":"T.\u00a0Matsumoto, M.\u00a0Ikeda, M.\u00a0Nagata and Y.\u00a0Uemura, Secure Cryptographic Unit as Root-of-Trust for IoT Era, IEICE Transactions on Electronics Advpub 2021.","DOI":"10.1587\/transele.2020CDI0001"},{"key":"ref050","unstructured":"P.\u00a0McDaniel, K.\u00a0Butler, S.\u00a0McLaughlin, R.\u00a0Sion, E.\u00a0Zadok and M.\u00a0Winslett, Towards a secure and efficient system for end-to-end provenance, in: Proceedings of the 2Nd Conference on Theory and Practice of Provenance, TAPP\u201910, USENIX Association, Berkeley, CA, USA, 2010, p.\u00a02, http:\/\/dl.acm.org\/citation.cfm?id=1855795.1855797."},{"key":"ref051","unstructured":"S.\u00a0Miles, P.T.\u00a0Groth, M.D.O.\u00a0Branco and L.\u00a0Moreau, The requirements of recording and using provenance in e-Science experiments, 2005."},{"key":"ref052","doi-asserted-by":"crossref","unstructured":"M.S.\u00a0Mispan and B.\u00a0Halak, Physical unclonable function: A hardware fingerprinting solution, in: Authentication of Embedded Devices, B.\u00a0Halak, ed. Springer, Cham, 2021.","DOI":"10.1007\/978-3-030-60769-2_2"},{"key":"ref053","unstructured":"L.\u00a0Moreau, PROV-XML: The PROV XML Schema, 2013. 
Accessed: 2019-06-12."},{"key":"ref054","unstructured":"K.K.\u00a0Muniswamy-Reddy, U.\u00a0Braun, D.A.\u00a0Holland, P.\u00a0Macko, D.\u00a0Maclean, D.\u00a0Margo, M.\u00a0Seltzer and R.\u00a0Smogor, Layering in provenance systems, in: Proceedings of the 2009 Conference on USENIX Annual Technical Conference, USENIX\u201909, USENIX Association, Berkeley, CA, USA, 2009, p.\u00a010, http:\/\/dl.acm.org\/citation.cfm?id=1855807.1855817."},{"key":"ref055","unstructured":"K.K.\u00a0Muniswamy-Reddy, D.A.\u00a0Holland, U.\u00a0Braun and M.\u00a0Seltzer, Provenance-aware storage systems, in: Proceedings of the Annual Conference on USENIX \u201906 Annual Technical Conference, ATEC \u201906, USENIX Association, Berkeley, CA, USA, 2006, p.\u00a04, http:\/\/dl.acm.org\/citation.cfm?id=1267359.1267363."},{"key":"ref056","doi-asserted-by":"crossref","unstructured":"L.\u00a0Negka, G.\u00a0Gketsios, N.A.\u00a0Anagnostopoulos, G.\u00a0Spathoulas, A.\u00a0Kakarountas and S.\u00a0Katzenbeisser, Employing blockchain and physical unclonable functions for counterfeit IoT devices detection, in: Proceedings of the International Conference on Omni-Layer Intelligent Systems, 2019.","DOI":"10.1145\/3312614.3312650"},{"key":"ref057","unstructured":"Netfilter Architecture, Accessed: 2019-02-20."},{"key":"ref058","doi-asserted-by":"crossref","unstructured":"D.T.\u00a0Nguyen, C.\u00a0Song, Z.\u00a0Qian and S.V.\u00a0Krishnamurthy, IotSan: Fortifying the safety of IoT systems dang, in: Proceedings of the 14th International Conference on Emerging Networking EXperiments and Technologies, 2018, pp.\u00a0387\u2013400. 
ISBN 9781939133144.","DOI":"10.1145\/3281411.3281440"},{"key":"ref059","doi-asserted-by":"publisher","DOI":"10.1145\/3127479.3129249"},{"key":"ref060","doi-asserted-by":"crossref","unstructured":"T.\u00a0Pasquier, X.\u00a0Han, T.\u00a0Moyer, A.\u00a0Bates, O.\u00a0Hermant, D.\u00a0Eyers, J.\u00a0Bacon and M.\u00a0Seltzer, Runtime Analysis of Whole-System Provenance, Computer and Communications Security (CCS) (2018), http:\/\/arxiv.org\/abs\/1808.06049.","DOI":"10.1145\/3243734.3243776"},{"key":"ref061","doi-asserted-by":"publisher","DOI":"10.1007\/s00779-017-1067-4"},{"key":"ref062","doi-asserted-by":"publisher","DOI":"10.1145\/2991079.2991122"},{"key":"ref063","doi-asserted-by":"publisher","DOI":"10.1109\/MIC.2017.17"},{"key":"ref064","doi-asserted-by":"publisher","DOI":"10.1145\/2420950.2420989"},{"key":"ref065","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.14"},{"key":"ref066","unstructured":"R.\u00a0Sailer, X.\u00a0Zhang, T.\u00a0Jaeger and L.\u00a0van Doorn, Design and implementation of a TCG-based integrity measurement architecture, in: SSYM\u201904: Proceedings of the 13th Conference on USENIX Security Symposium, Vol.\u00a013, USENIX Association, Berkeley, CA, USA, 2004, p.\u00a016, http:\/\/dl.acm.org\/citation.cfm?id=1251375.1251391."},{"key":"ref067","doi-asserted-by":"crossref","unstructured":"Y.\u00a0Simmhan, B.\u00a0Plale and D.\u00a0Gannon, A Survey of Data Provenance Techniques, 2005.","DOI":"10.1145\/1084805.1084812"},{"key":"ref068","doi-asserted-by":"publisher","DOI":"10.1145\/1084805.1084812"},{"key":"ref069","unstructured":"R.\u00a0Spillane, R.\u00a0Sears, C.\u00a0Yalamanchili, S.\u00a0Gaikwad, M.\u00a0Chinni and E.\u00a0Zadok, Story book: An efficient extensible provenance framework, in: First Workshop on Theory and Practice of Provenance, TAPP\u201909, USENIX Association, Berkeley, CA, USA, 2009, pp.\u00a011:1\u201311:10, 
http:\/\/dl.acm.org\/citation.cfm?id=1525932.1525943."},{"key":"ref070","doi-asserted-by":"publisher","DOI":"10.1109\/MNET.2018.1700469"},{"key":"ref071","doi-asserted-by":"publisher","DOI":"10.1109\/MNET.2018.1700469"},{"key":"ref072","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243763"},{"key":"ref073","unstructured":"The LLVM Compiler Infrastructure, Accessed: 2019-04-25."},{"key":"ref074","doi-asserted-by":"publisher","DOI":"10.1109\/MCOM.2018.1701047"},{"key":"ref075","doi-asserted-by":"publisher","DOI":"10.1109\/BigData.2015.7364047"},{"key":"ref076","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23282"},{"key":"ref077","doi-asserted-by":"publisher","DOI":"10.1109\/FITS.2003.1264934"},{"key":"ref078","doi-asserted-by":"crossref","unstructured":"L.\u00a0Xu, L.\u00a0Chen, Z.\u00a0Gao, H.\u00a0Kim and T.S.W.\u00a0Shi, FPGA based blockchain system for industrial IoT, in: IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom), 2020.","DOI":"10.1109\/TrustCom50675.2020.00118"},{"key":"ref079","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978378"},{"key":"ref080","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2017.06.003"},{"key":"ref081","doi-asserted-by":"crossref","unstructured":"W.\u00a0Zhang, Y.\u00a0Meng, Y.\u00a0Liu, X.\u00a0Zhang, Y.\u00a0Zhang and H.\u00a0Zhu, HoMonit: Monitoring smart home apps from encrypted traffic, in: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, 2018.","DOI":"10.1145\/3243734.3243820"},{"key":"ref082","unstructured":"X.\u00a0Zhang, A.\u00a0Edwards and T.\u00a0Jaeger, Using CQUAL for static analysis of authorization hook placement, in: Proceedings of the 11th USENIX Security Symposium, USENIX Association, Berkeley, CA, USA, 2002, pp.\u00a033\u201348, ISBN 1-931971-00-5, http:\/\/dl.acm.org\/citation.cfm?id=647253.720279."}],"container-title":["Journal of Computer 
Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-200108","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/full-xml\/10.3233\/JCS-200108","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-200108","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,3,11]],"date-time":"2025-03-11T06:52:04Z","timestamp":1741675924000},"score":1,"resource":{"primary":{"URL":"https:\/\/journals.sagepub.com\/doi\/10.3233\/JCS-200108"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,4,27]]},"references-count":82,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2021,6,18]]}},"alternative-id":["10.3233\/JCS-200108"],"URL":"https:\/\/doi.org\/10.3233\/jcs-200108","relation":{},"ISSN":["0926-227X","1875-8924"],"issn-type":[{"value":"0926-227X","type":"print"},{"value":"1875-8924","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,4,27]]}}}