μProv: Towards Generating a Robust, Scalable and Dynamic Provenance Graph for Attack Investigation over Distributed Microservice Architecture

Conference: 17th International Conference on COMmunication Systems and NETworks (COMSNETS), Chancery Pavilion Hotel, Residency Road, Bengaluru, India, 2025

Utkalika Satpathy, Harsh Borse, Sandip Chakraborty

Abstract

In recent years, detecting sophisticated attacks in distributed microservice environments has become increasingly challenging, mainly due to containerization, which adds another dimension of complexity to collecting system logs, and to the lack of applications designed with known vulnerabilities for reproducibility and experimentation. This paper presents a framework called µProv for generating robust, scalable, and dynamic provenance graphs to aid attack investigation over distributed microservice architectures. Our approach captures fine-grained, system-level interactions across microservices by leveraging eBPF and constructs dynamic runtime provenance graphs representing the causal relationships between processes, files, and network activities. We integrate real-world attack scenarios with known vulnerabilities into our system to evaluate its effectiveness. Through extensive empirical analysis, we demonstrate that µProv offers improved accuracy, scalability, and granularity compared to traditional logging methods.

Overview

μProv - An application-agnostic framework that captures fine-grained system interactions across microservices by leveraging eBPF and constructs dynamic runtime provenance graphs representing the causal relationships between system subjects and objects.

Key Contributions

  • Custom eBPF-based logging solution: μProv consists of a low-overhead logging solution based on the extended Berkeley Packet Filters (eBPF) designed explicitly for distributed microservice environments.
  • Extracting dynamic provenance graphs: μProv leverages provenance graphs constructed from low-level system events to detect vulnerabilities while effectively illustrating the causal relationships between processes, file accesses, and network activities, providing a holistic view of system behavior.
  • Vulnerability integration in microservices and dataset generation: We integrate real-world attack scenarios with known vulnerabilities into our system to evaluate its effectiveness. We have developed “PicShare”, a PoC microservice web application that enables users to upload, view, and receive picture recommendations.
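As an added illustration (not code from the paper or from μProv itself) of how a provenance graph is assembled from low-level system events and then queried during an investigation: the records below are constructed to resemble what an eBPF tracepoint handler might emit (the field names, container ids, pids and addresses are assumptions), the graph links processes, files and network flows as nodes, and a time-aware backward search recovers the causal chain behind a suspicious file write that spans two containers.

```python
"""Provenance graph from eBPF-style events, with a causal backward trace.
Added example; not μProv's own code.  All events are constructed samples."""
from collections import defaultdict

# Constructed sample events (not captured from a real system).  Each record
# mimics one syscall observed by an eBPF handler: timestamp, container id,
# acting process (pid + comm) and the syscall-specific details.
EVENTS = [
    {"ts": 0, "cid": "web", "pid": 100, "comm": "nginx", "ev": "openat",
     "path": "/etc/nginx/nginx.conf", "flags": "O_RDONLY"},
    {"ts": 1, "cid": "web", "pid": 100, "comm": "nginx", "ev": "accept",
     "src": "10.0.0.9:51000", "dst": "10.0.1.2:80"},
    {"ts": 2, "cid": "web", "pid": 100, "comm": "nginx", "ev": "connect",
     "src": "10.0.1.2:40000", "dst": "10.0.1.3:5000"},
    {"ts": 3, "cid": "api", "pid": 200, "comm": "gunicorn", "ev": "accept",
     "src": "10.0.1.2:40000", "dst": "10.0.1.3:5000"},
    {"ts": 4, "cid": "api", "pid": 200, "comm": "gunicorn", "ev": "execve",
     "child": 201, "path": "/bin/sh"},
    {"ts": 5, "cid": "api", "pid": 201, "comm": "sh", "ev": "openat",
     "path": "/uploads/avatar.png", "flags": "O_WRONLY"},
    # Later activity that must NOT appear as an ancestor of the ts=5 write.
    {"ts": 6, "cid": "api", "pid": 201, "comm": "sh", "ev": "openat",
     "path": "/etc/hostname", "flags": "O_RDONLY"},
    {"ts": 7, "cid": "reco", "pid": 300, "comm": "python", "ev": "openat",
     "path": "/uploads/avatar.png", "flags": "O_RDONLY"},
]


def build_graph(events):
    """Return (edges, labels).  Nodes are tuples: ("proc", cid, pid),
    ("file", cid, path) or ("flow", src, dst).  Edges point in the direction
    of information flow and carry the timestamp of the event that created
    them.  Flow nodes are keyed only by the 5-tuple endpoints, so a connect in
    one container and the matching accept in another share a node; that is
    what stitches per-container graphs into one distributed graph."""
    edges, labels = [], {}
    for e in sorted(events, key=lambda r: r["ts"]):
        p = ("proc", e["cid"], e["pid"])
        labels.setdefault(p, e["comm"])
        if e["ev"] == "execve":
            c = ("proc", e["cid"], e["child"])
            labels[c] = e["path"]
            edges.append((p, c, e["ts"], "execve"))
        elif e["ev"] in ("accept", "connect"):
            f = ("flow", e["src"], e["dst"])
            labels[f] = f"{e['src']}->{e['dst']}"
            if e["ev"] == "accept":
                edges.append((f, p, e["ts"], "accept"))   # data enters proc
            else:
                edges.append((p, f, e["ts"], "connect"))  # data leaves proc
        elif e["ev"] == "openat":
            f = ("file", e["cid"], e["path"])
            labels[f] = e["path"]
            if "O_WRONLY" in e["flags"] or "O_RDWR" in e["flags"]:
                edges.append((p, f, e["ts"], "write"))
            else:
                edges.append((f, p, e["ts"], "read"))
    return edges, labels


def backward_trace(edges, start, at_ts):
    """Causal backward search from `start` as it existed at time `at_ts`.
    An incoming edge is followed only if it happened no later than the time
    at which the current node was reached, so events that post-date the
    incident are excluded even when they touch the same nodes."""
    preds = defaultdict(list)
    for s, d, ts, kind in edges:
        preds[d].append((s, ts, kind))
    admitted = {}              # node -> latest time bound it was expanded with
    stack, out = [(start, at_ts)], []
    while stack:
        node, bound = stack.pop()
        for s, ts, kind in preds[node]:
            if ts <= bound and admitted.get(s, -1) < ts:
                admitted[s] = ts
                out.append((s, kind, node, ts))
                stack.append((s, ts))
    return sorted(out, key=lambda x: x[3])


def render(trace, labels):
    """Human-readable lines of the recovered causal chain, oldest first."""
    return [f"t={ts} {s[1]}:{labels[s]} --{kind}--> {d[1]}:{labels[d]}"
            for s, kind, d, ts in trace]


if __name__ == "__main__":
    g_edges, g_labels = build_graph(EVENTS)
    chain = backward_trace(g_edges, ("file", "api", "/uploads/avatar.png"), 5)
    print("\n".join(render(chain, g_labels)))
```

The query asks what caused the write to `/uploads/avatar.png` in the `api` container at t=5; the trace walks back through the shell spawned by `gunicorn`, across the shared flow node into the `web` container's `nginx`, and on to the external client flow, while the t=6 and t=7 reads are correctly left out.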

Bibtex

@inproceedings{satpathy2025towards,
  title={Towards Generating a Robust, Scalable and Dynamic Provenance Graph for Attack Investigation over Distributed Microservice Architecture},
  author={Satpathy, Utkalika and Borse, Harsh and Chakraborty, Sandip},
  booktitle={2025 17th International Conference on COMmunication Systems and NETworks (COMSNETS)},
  pages={566--574},
  year={2025},
  organization={IEEE}
}

Cite

Satpathy, U., Borse, H., & Chakraborty, S. (2025, January). Towards Generating a Robust, Scalable and Dynamic Provenance Graph for Attack Investigation over Distributed Microservice Architecture. In 2025 17th International Conference on COMmunication Systems and NETworks (COMSNETS) (pp. 566-574). IEEE.
