μProv: Towards Generating a Robust, Scalable and Dynamic Provenance Graph for Attack Investigation over Distributed Microservice Architecture
Published in COMSNETS 2025, 2025
Authors: Utkalika Satapathy, Harsh Borse, Sandip Chakraborty
Overview
Investigating attacks using provenance graphs over a distributed microservice architecture.
μProv is an application-agnostic framework that uses eBPF to capture fine-grained system interactions across microservices and constructs dynamic runtime provenance graphs representing the causal relationships between system subjects (processes) and objects (files, network sockets).
Key Features
Custom eBPF-based logging solution: μProv includes a low-overhead logging component built on the extended Berkeley Packet Filter (eBPF) and designed specifically for distributed microservice environments.
Extracting dynamic provenance graphs: μProv builds provenance graphs from these low-level system events and uses them to investigate attacks and detect the exploitation of vulnerabilities, while illustrating the causal relationships between processes, file accesses, and network activities to give a holistic view of system behavior.
Vulnerability integration in microservices and dataset generation: We integrate real-world attack scenarios with known vulnerabilities into our system to evaluate its effectiveness. We have developed “PicShare”, a PoC microservice web application that enables users to upload, view, and receive picture recommendations.
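As an added illustration of the technique the features above describe (this is example code written for this page, not μProv's implementation or the PicShare application), the block below builds a provenance graph from per-host eBPF-style event records and traces it backward from a suspicious outbound connection to its causal roots, and forward from a tainted file to see which other services consumed it. The event schema, the service names (frontend, upload, recommend) and the events themselves are constructed; a real tracer would attach to syscalls such as execve, clone, read, write, connect and accept and emit comparable records. The tracing is time-aware, so an access that happened after a node passed information onward is not pulled into the attack path, which is what keeps such graphs from exploding into everything the process ever touched.

```python
"""Provenance graph from eBPF-style syscall events with time-aware
backward (root cause) and forward (impact) tracing across services."""
import json
from collections import defaultdict

# Constructed events in the shape a per-host eBPF tracer could emit
# (hypothetical schema, not μProv's own format). svc/pid identify the
# subject; obj is the file, socket endpoint or child process acted on.
SAMPLE_EVENTS = """
{"ts": 1, "svc": "frontend", "pid": 101, "comm": "nginx", "op": "execve", "obj": "/usr/sbin/nginx"}
{"ts": 2, "svc": "frontend", "pid": 101, "comm": "nginx", "op": "connect", "obj": "upload:8080"}
{"ts": 3, "svc": "upload", "pid": 201, "comm": "python3", "op": "accept", "obj": "upload:8080"}
{"ts": 4, "svc": "upload", "pid": 201, "comm": "python3", "op": "write", "obj": "/data/uploads/cat.jpg"}
{"ts": 5, "svc": "upload", "pid": 201, "comm": "python3", "op": "clone", "obj": "pid:202"}
{"ts": 6, "svc": "upload", "pid": 202, "comm": "sh", "op": "execve", "obj": "/bin/sh"}
{"ts": 7, "svc": "upload", "pid": 202, "comm": "sh", "op": "read", "obj": "/etc/passwd"}
{"ts": 8, "svc": "upload", "pid": 202, "comm": "sh", "op": "connect", "obj": "203.0.113.7:4444"}
{"ts": 9, "svc": "recommend", "pid": 301, "comm": "python3", "op": "read", "obj": "/data/uploads/cat.jpg"}
{"ts": 10, "svc": "upload", "pid": 202, "comm": "sh", "op": "read", "obj": "/tmp/after.log"}
"""

# Edge direction follows information flow.
OBJ_TO_SUBJ = {"execve", "read", "accept"}   # object  -> process
SUBJ_TO_OBJ = {"write", "connect"}           # process -> object


def build_graph(raw):
    """Return (preds, succs, labels): preds[dst] = [(src, op, ts)],
    succs[src] = [(dst, op, ts)], labels maps process nodes to comm."""
    preds, succs, labels = defaultdict(list), defaultdict(list), {}

    def add_edge(src, dst, op, ts):
        preds[dst].append((src, op, ts))
        succs[src].append((dst, op, ts))

    for line in raw.strip().splitlines():
        ev = json.loads(line)
        subj = f"{ev['svc']}/pid{ev['pid']}"
        labels[subj] = ev["comm"]
        op, obj, ts = ev["op"], ev["obj"], ev["ts"]
        if op == "clone":                       # parent -> child process
            add_edge(subj, f"{ev['svc']}/pid{obj.split(':')[1]}", op, ts)
        elif op in OBJ_TO_SUBJ:
            add_edge(obj, subj, op, ts)
        elif op in SUBJ_TO_OBJ:
            add_edge(subj, obj, op, ts)
        else:
            raise ValueError(f"unhandled op {op!r}")
    return preds, succs, labels


def backward_trace(preds, sink):
    """Nodes that could have influenced `sink`: follow in-edges whose time
    is no later than the time the current node passed information on."""
    limit, edges, stack = {sink: float("inf")}, set(), [sink]
    while stack:
        node = stack.pop()
        for src, op, ts in preds.get(node, ()):
            if ts > limit[node]:
                continue                        # happened after the outflow
            edges.add((src, op, ts, node))
            if src not in limit or ts > limit[src]:
                limit[src] = ts                 # looser bound: (re)expand
                stack.append(src)
    return set(limit), edges


def forward_trace(succs, source):
    """Nodes that `source` could have affected: follow out-edges whose time
    is no earlier than the time the current node received the taint."""
    since, edges, stack = {source: float("-inf")}, set(), [source]
    while stack:
        node = stack.pop()
        for dst, op, ts in succs.get(node, ()):
            if ts < since[node]:
                continue
            edges.add((node, op, ts, dst))
            if dst not in since or ts < since[dst]:
                since[dst] = ts
                stack.append(dst)
    return set(since), edges


def services_touched(nodes):
    """Services whose processes appear in a set of graph nodes."""
    return sorted({n.split("/")[0] for n in nodes if "/pid" in n})


if __name__ == "__main__":
    preds, succs, labels = build_graph(SAMPLE_EVENTS)
    nodes, edges = backward_trace(preds, "203.0.113.7:4444")
    for src, op, ts, dst in sorted(edges, key=lambda e: e[2]):
        print(f"t={ts:<2} {src:22} -{op}-> {dst}")
    print("services on the attack path:", services_touched(nodes))
```

Running the block prints the causal chain from the nginx process in the frontend service, through the accepted connection in the upload service, to the shell spawned there and its outbound connection, spanning two services; the later read of /tmp/after.log and the recommend service's read of the uploaded image are correctly left out of the backward trace, while the forward trace from the uploaded file shows the recommend service as the only downstream consumer.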
Contributors
- Utkalika Satapathy - IIT Kharagpur, India
- Sandip Chakraborty - IIT Kharagpur, India