μProv: Towards Generating a Robust, Scalable and Dynamic Provenance Graph for Attack Investigation over Distributed Microservice Architecture

Published in COMSNETS 2025

In recent years, detecting sophisticated attacks in distributed microservice environments has become increasingly challenging, for two main reasons: containerization adds another layer of complexity to collecting system logs, and there is a lack of applications with known vulnerabilities that can be used for reproducible experimentation. This paper presents μProv, a framework for generating robust, scalable, and dynamic provenance graphs to aid attack investigation over distributed microservice architectures. Our approach uses eBPF to capture fine-grained, system-level interactions across microservices and constructs dynamic runtime provenance graphs that represent the causal relationships between processes, files, and network activities. We integrate real-world attack scenarios with known vulnerabilities into our system to evaluate its effectiveness. Through extensive empirical analysis, we demonstrate that μProv offers improved accuracy, scalability, and granularity compared to traditional logging methods.

Authors: Utkalika Satapathy, Harsh Borse, Sandip Chakraborty
