The Center for Education and Research in Information Assurance and Security (CERIAS)

Practical Automatic Determination of Causal Relationships in Software Execution Traces




Sundararaman Jeyaraman

Tech report number

CERIAS TR 2011-24




From the system investigator who needs to analyze an intrusion (“how did the intruder break in?”), to the forensic expert who needs to investigate digital crimes (“did the suspect commit the crime?”), security experts frequently have to answer questions about the cause-effect relationships between the various events that occur in a computer system. The implications of using causality determination techniques with a low accuracy vary from slowing down incident response to undermining the evidence unearthed by forensic experts. This dissertation presents research done in two areas: (1) We present an empirical study evaluating the accuracy and performance overhead of existing causality determination techniques. Our study shows that existing causality determination techniques are either accurate or efficient, but seldom both. (2) We propose a novel approach to causality determination based on coarse-grained observation of control-flow of program execution. Our evaluation shows that our approach is both practical in terms of low runtime overhead and accurate in terms of low false positives and false negatives.




2011-12-1
