μProv: Towards Generating a Robust, Scalable and Dynamic Provenance Graph for Attack Investigation over Distributed Microservice Architecture

Published in COMSNETS 2025

Authors: Utkalika Satapathy, Harsh Borse, Sandip Chakraborty

Overview

Investigating attacks using provenance graphs over a distributed microservice architecture

μProv is an application-agnostic framework that captures fine-grained system interactions across microservices using eBPF and constructs dynamic runtime provenance graphs representing the causal relationships between system subjects and objects.

Key Features

  • Custom eBPF-based logging solution: μProv consists of a low-overhead logging solution based on the extended Berkeley Packet Filter (eBPF), designed explicitly for distributed microservice environments.

  • Extracting dynamic provenance graphs: μProv leverages provenance graphs constructed from low-level system events to detect vulnerabilities while effectively illustrating the causal relationships between processes, file accesses, and network activities, providing a holistic view of system behavior.

  • Vulnerability integration in microservices and dataset generation: We integrate real-world attack scenarios with known vulnerabilities into our system to evaluate its effectiveness. We have developed “PicShare”, a PoC microservice web application that enables users to upload, view, and receive picture recommendations.
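To illustrate the kind of causal reasoning such a graph supports, the following added example (not μProv's own code) builds a small provenance graph from constructed process, file and network events and walks it backward in time from a suspicious outbound connection; the event format, service names, PIDs and the 203.0.113.7 address are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample events (not μProv's real log format):
# (timestamp, service, subject, operation, object).
# Subjects are processes ("comm:pid"); objects are files or endpoints.
EVENTS = [
    (1, "gateway",       "nginx:101",  "connect",  "upload-svc:8080"),
    (2, "upload-svc",    "python:202", "recvfrom", "upload-svc:8080"),
    (3, "upload-svc",    "python:202", "write",    "/data/uploads/cat.png"),
    (4, "upload-svc",    "python:202", "exec",     "sh:303"),
    (5, "upload-svc",    "sh:303",     "read",     "/etc/passwd"),
    (6, "upload-svc",    "sh:303",     "connect",  "203.0.113.7:4444"),
    (7, "recommend-svc", "python:404", "read",     "/data/uploads/cat.png"),
]


def build_graph(events):
    """Map each node to its predecessors as (predecessor, timestamp, op).

    Edges follow information flow: read/recvfrom carry the object into the
    subject; write/connect/exec carry the subject into the object.
    """
    preds = defaultdict(list)
    for ts, _service, subject, op, obj in events:
        if op in ("read", "recvfrom"):
            preds[subject].append((obj, ts, op))
        else:
            preds[obj].append((subject, ts, op))
    return preds


def backward_trace(preds, node, before=float("inf")):
    """Return every node that could causally have influenced `node`.

    An edge is followed only if it happened strictly before the edge we
    arrived through, so later, unrelated activity is not pulled in.
    """
    bound = {}  # node -> largest time bound it has already been explored with
    stack = [(node, before)]
    while stack:
        current, limit = stack.pop()
        if bound.get(current, -1) >= limit:
            continue
        bound[current] = limit
        for pred, ts, _op in preds.get(current, []):
            if ts < limit:
                stack.append((pred, ts))
    return {n for n in bound if n != node}


if __name__ == "__main__":
    graph = build_graph(EVENTS)
    for origin in sorted(backward_trace(graph, "203.0.113.7:4444")):
        print("ancestor of suspicious connection:", origin)
```

Starting from the outbound connection, the trace crosses the service boundary back to the gateway request while correctly excluding the uploaded image and the recommendation service, which were only touched after or independently of the shell.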

Contributors

  • Utkalika Satapathy - IIT Kharagpur, India
  • Sandip Chakraborty - IIT Kharagpur, India

Download Paper

Source Code