ProvChain: A Blockchain-based Data Provenance Architecture in Cloud Environment (paper translation plus a few notes)

Abstract

Cloud data provenance is metadata that records the history of the creation and operations performed on a cloud data object. Secure data provenance is crucial for data accountability, forensics and privacy. (Gloss: "forensics" is rendered here as evidence collection; the dictionary also gives "debate practice, the art of debating".)
In this paper, we propose a decentralized and trusted cloud data provenance architecture using blockchain technology. Blockchain-based data provenance can provide tamper-proof records, enable the transparency of data accountability in the cloud, and help to enhance the privacy and availability of the provenance data. (Gloss: "tamper-proof", i.e. proof against interference.)
We make use of the cloud storage scenario and choose the cloud file as the data unit for detecting user operations in order to collect provenance data. We design and implement ProvChain, an architecture to collect and verify cloud data provenance, by embedding the provenance data into blockchain transactions.
ProvChain operates mainly in three phases: (1) provenance data collection, (2) provenance data storage, and (3) provenance data validation.
Results from the performance evaluation demonstrate that ProvChain provides security features including tamper-proof provenance, user privacy and reliability, with low overhead for cloud storage applications. (Gloss: "overhead" here means cost or expense.)
Keywords: Data provenance, Blockchain, Cloud Computing, Privacy, Reliability, Blockchain Cloud.

I. INTRODUCTION

Cloud computing is widely adopted in commercial and military environments to support data storage, on-demand computing and dynamic provisioning. Cloud computing environments are distributed and heterogeneous, with a diversity of software and hardware components provided by different vendors, possibly introducing risks of vulnerabilities and incompatibility. The security assurance of intra-cloud and inter-cloud data management and transfer arises as a key issue. Cloud auditing can only be effective if all operations on the data can be tracked reliably. Provenance is a process that determines the history of a data product, starting from its original sources [1]. Assured provenance data can help detect access violations within the cloud computing infrastructure. However, developing assured data provenance remains a critical issue for cloud storage applications. Besides, provenance data may contain sensitive information about the original data and the data owners. Hence, there is a need not only to secure the cloud data but also to ensure the integrity and trustworthiness of the provenance data. State-of-the-art cloud-based provenance services are vulnerable to accidental corruption or malicious forgery of provenance data [2].
Blockchain technology has attracted interest because it offers a shared, distributed and fault-tolerant database in which every participant in the network shares the ability to nullify adversaries by harnessing the computational capabilities of the honest nodes, and in which the information exchanged is resilient to manipulation. A blockchain network is a distributed public ledger where every transaction is witnessed and verified by network nodes. Blockchain’s decentralized architecture can be leveraged to develop an assured data provenance capability for cloud computing environments. In a decentralized architecture, every node participates in the network to provide services, thereby providing better efficiency. Availability is also ensured because of blockchain’s distributed characteristics. Since a centralized authority is frequently used in cloud services, there is a need to safeguard personal data while maintaining privacy. With a blockchain-based cloud data provenance service, all data operations are transparently and permanently recorded. Thus, trust between users and cloud service providers can easily be established. Furthermore, maintaining provenance can assist in improving the trust of cloud users toward cyber-threat information sharing [3] [4] to enable proactive cyber defense at a reduced security investment [5] [6].

In this paper, we present ProvChain, a blockchain-based data provenance architecture that provides assurance of data operations in a cloud storage application while enhancing privacy and availability at the same time. ProvChain records the operation history as provenance data, which is hashed into Merkle tree nodes [7]. A list of hashes of provenance data constitutes a Merkle tree, and the tree’s root node is anchored to a blockchain transaction. A list of blockchain transactions is used to form a block, and the block needs to be confirmed by a set of nodes in order to be included in the blockchain. An attempt to modify a provenance data record requires an adversary to locate the transaction and the block. Blockchain’s underlying cryptographic theory allows a block record to be modified only if the adversary can present a longer chain of blocks than the rest of the miners’ blockchain, which is quite difficult to achieve. By leveraging the global-scale computing power of the blockchain network, blockchain-based data provenance can provide integrity and trustworthiness. In our architecture, we keep the hashed identity of users in order to protect their privacy from the rest of the nodes in the blockchain network. The rest of the paper is organized as follows. Section II provides an overview of state-of-the-art data provenance efforts and blockchain technology. Section III describes the design of ProvChain, our blockchain-based data provenance architecture. The detailed implementation is given in Section IV. The performance evaluation of ProvChain is presented in Section V. Finally, we conclude in Section VI.
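The collection, Merkle-tree anchoring and validation flow described in the abstract's three phases and in the paragraph above, as an added example that is not part of the paper or of ProvChain's own code. It assumes a salted SHA-256 digest for the hashed user identity (`pseudonymize_user`, with a constructed `IDENTITY_SALT` kept off-chain), duplication of the last node on odd Merkle levels so that every node has a sibling, and a toy in-memory hash chain (`SimulatedLedger`) standing in for the blockchain transaction and block; `SAMPLE_OPERATIONS` is a constructed set of cloud file operations.

```python
import hashlib
import json
from typing import Dict, List, Tuple

# Constructed sample operations (file id, user id, operation, timestamp), in the
# form a cloud-storage hook might report them. Not real ProvChain records.
SAMPLE_OPERATIONS = [
    ("file-001", "alice", "upload", "2017-01-10T09:00:00Z"),
    ("file-001", "bob", "read", "2017-01-10T09:05:00Z"),
    ("file-001", "alice", "modify", "2017-01-10T09:30:00Z"),
    ("file-002", "carol", "upload", "2017-01-10T10:00:00Z"),
    ("file-002", "alice", "share", "2017-01-10T10:15:00Z"),
]
# Assumption: a per-provider salt kept off-chain, so other blockchain nodes cannot
# recover user names from the hashed identities by hashing a short list of guesses.
IDENTITY_SALT = "provider-secret-salt"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pseudonymize_user(user_id: str, salt: str = IDENTITY_SALT) -> str:
    """Hashed identity: the rest of the network sees this digest, not the user name."""
    return sha256_hex(f"{salt}:{user_id}".encode())


def build_record(file_id: str, user_id: str, operation: str, timestamp: str) -> Dict[str, str]:
    return {"file": file_id, "user": pseudonymize_user(user_id), "op": operation, "ts": timestamp}


def record_hash(record: Dict[str, str]) -> str:
    """Canonical JSON (sorted keys, no whitespace) so equal records always hash equally."""
    return sha256_hex(json.dumps(record, sort_keys=True, separators=(",", ":")).encode())


def _pad(level: List[str]) -> List[str]:
    # Duplicate the last node of an odd level so every node has a sibling.
    return level + [level[-1]] if len(level) % 2 == 1 else level


def merkle_tree(leaves: List[str]) -> List[List[str]]:
    """All tree levels, leaves first and the single root node last."""
    if not leaves:
        raise ValueError("a Merkle tree needs at least one leaf")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = _pad(levels[-1])
        levels.append([sha256_hex((cur[i] + cur[i + 1]).encode()) for i in range(0, len(cur), 2)])
    return levels


def merkle_proof(levels: List[List[str]], index: int) -> List[Tuple[str, str]]:
    """Sibling hashes from the leaf up to the root, each tagged with the side it sits on."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        proof.append((_pad(level)[sibling], "left" if sibling < index else "right"))
        index //= 2
    return proof


def verify_proof(leaf_hash: str, proof: List[Tuple[str, str]], root: str) -> bool:
    h = leaf_hash
    for sibling, side in proof:
        h = sha256_hex(((sibling + h) if side == "left" else (h + sibling)).encode())
    return h == root


class SimulatedLedger:
    """Stand-in for the blockchain (assumption): an append-only hash chain whose
    transactions carry Merkle roots. A real deployment anchors the root in a
    transaction that the network's nodes confirm into a block."""

    def __init__(self) -> None:
        self.blocks: List[Dict[str, str]] = []

    def anchor(self, root: str) -> int:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        self.blocks.append({"prev": prev, "root": root, "hash": sha256_hex((prev + root).encode())})
        return len(self.blocks) - 1  # height at which this provenance batch was anchored

    def root_at(self, height: int) -> str:
        return self.blocks[height]["root"]


def validate(record: Dict[str, str], proof: List[Tuple[str, str]], ledger: SimulatedLedger, height: int) -> bool:
    """Phase 3: recompute the leaf hash and check it against the anchored root."""
    return verify_proof(record_hash(record), proof, ledger.root_at(height))


def demo() -> Tuple[bool, bool]:
    records = [build_record(*op) for op in SAMPLE_OPERATIONS]  # phase 1: collect
    levels = merkle_tree([record_hash(r) for r in records])    # phase 2: hash into a Merkle tree
    ledger = SimulatedLedger()
    height = ledger.anchor(levels[-1][0])                       # anchor the root in a transaction
    proof = merkle_proof(levels, 2)                             # phase 3: validate record 2
    genuine_ok = validate(records[2], proof, ledger, height)
    tampered = dict(records[2], op="read")  # an altered copy: "modify" rewritten as "read"
    tampered_ok = validate(tampered, proof, ledger, height)
    return genuine_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Running `demo()` validates a genuine record against the anchored root and then shows that a copy whose operation field was altered no longer verifies, which is the tamper-evidence the paper relies on: changing any record changes its leaf hash, so the root stored in the block no longer matches. Only the digest of the user identity reaches the ledger, so other nodes cannot read user names from the provenance data; the off-chain salt is what keeps them from recovering short user names by hashing guesses.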

II. BACKGROUND AND RELATED WORK

A. Data provenance
Data provenance is very critical for cloud computing system administrators to debug break-ins to the system or network. Cloud computing environments are typically characterized by data transfers between diverse system and network components. These data exchanges could take place within a data center or across federated data centers. The data does not usually follow the same path, due to multiple copies of the data and the diversity of paths taken to ensure resilience. This design adds a degree of difficulty for administrators to accurately identify the origin of an attack, what software and/or hardware components caused the attack, and the impacts of the attack. Security violations need to be identified at a fine granularity, and provenance can assist. Current state-of-the-art provenance systems in the cloud support the above tasks through logging and auditing technologies. These technologies are not effective in cloud computing systems, which are complex in nature, because of several layers of interoperating software and hardware components spread across geographical and organizational boundaries. Identifying the origin, cause and impact of security violations in cloud infrastructures requires collecting forensic evidence and logs from diverse and disparate sources, which is an insurmountable task. At the same time, logs only provide a sequential history of actions related to every application. Provenance data provides the history of the origins of all changes to a data object, the list of components that have either forwarded or processed the object and the users who have viewed and/or modified the object, and it has enhanced requirements for assurance.
