This work addresses the vulnerability of causal analysis in untrusted cloud environments, where endpoint audit results are susceptible to tampering, hindering accurate attack attribution. To this end, the authors propose vCause, the first system that introduces a verifiable mechanism for causal analysis by integrating graph accumulators with verifiable provenance graphs. This approach enables integrity verification of nodes of interest and their causally related components, overcoming the limitations of traditional logging schemes while maintaining both security and efficiency. Experimental evaluation demonstrates that vCause incurs minimal computational overhead—less than 1% at the client and only 3.36% in the cloud—while effectively supporting verifiable causal analysis.

In cloud-based endpoint auditing, security administrators often rely on the cloud to perform causality analysis over log-derived versioned provenance graphs to investigate suspicious attack behaviors. However, the cloud may be distrusted or compromised by attackers, potentially manipulating the final causality analysis results. Consequently, administrators may not accurately understand attack behaviors and fail to implement effective countermeasures. This risk underscores the need for a defense scheme to ensure the integrity of causality analysis. While existing tamper-evident logging schemes and trusted execution environments show promise for this task, they are not specifically designed to support causality analysis and thus face inherent security and efficiency limitations. This paper presents vCause, an efficient and verifiable causality analysis system for cloud-based endpoint auditing. vCause integrates two authenticated data structures: a graph accumulator and a verifiable provenance graph. The data structures enable validation of two critical steps in causality analysis: (i) querying a point-of-interest node on a versioned provenance graph, and (ii) identifying its causally related components. Formal security analysis and experimental evaluation show that vCause can achieve secure and verifiable causality analysis with only <1% computational overhead on endpoints and 3.36% on the cloud.