μProv: an application-agnostic framework that leverages eBPF to capture fine-grained system interactions across microservices and constructs dynamic runtime provenance graphs representing the causal relationships between system subjects and objects.
Key Features
- Custom eBPF-based logging solution: μProv consists of a low-overhead logging solution based on the extended Berkeley Packet Filter (eBPF), designed explicitly for distributed microservice environments.
- Extracting dynamic provenance graphs: μProv leverages provenance graphs constructed from low-level system events to detect vulnerabilities while effectively illustrating the causal relationships between processes, file accesses, and network activities, providing a holistic view of system behavior.
- Vulnerability integration in microservices and dataset generation: We integrate real-world attack scenarios with known vulnerabilities into our system to evaluate its effectiveness. We have developed “PicShare”, a PoC microservice web application that enables users to upload, view, and receive picture recommendations.
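To make the provenance-graph feature concrete, the following added example (not μProv's own code) builds a data-flow graph from system events and walks it backward from a file to its causes across services. The event layout, service names, PIDs, paths and flow strings are constructed assumptions, not μProv's log schema.

```python
from collections import defaultdict

# Constructed sample events; this record layout is an assumption, not μProv's log schema.
EVENTS = [
    {"ts": 1, "svc": "gateway", "pid": 100, "op": "accept", "flow": "10.0.0.9:5555->10.0.0.2:80"},
    {"ts": 2, "svc": "gateway", "pid": 100, "op": "connect", "flow": "10.0.0.2:4000->10.0.0.3:8080"},
    {"ts": 3, "svc": "upload", "pid": 200, "op": "accept", "flow": "10.0.0.2:4000->10.0.0.3:8080"},
    {"ts": 4, "svc": "upload", "pid": 200, "op": "write", "path": "/data/img/a.png"},
    {"ts": 5, "svc": "upload", "pid": 200, "op": "fork", "child": 201},
    {"ts": 6, "svc": "upload", "pid": 201, "op": "read", "path": "/data/img/a.png"},
    {"ts": 7, "svc": "upload", "pid": 201, "op": "write", "path": "/tmp/out"},
    {"ts": 8, "svc": "recommend", "pid": 300, "op": "read", "path": "/models/m.bin"},
    {"ts": 9, "svc": "upload", "pid": 200, "op": "read", "path": "/etc/conf"},
]

def build_graph(events):
    """Return reverse adjacency: node -> [(source_node, ts)]; edges follow data flow."""
    rev = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        proc = ("proc", e["svc"], e["pid"])
        op = e["op"]
        if op in ("read", "write"):
            obj = ("file", e["svc"], e["path"])  # files are scoped per service
        elif op in ("accept", "connect"):
            obj = ("flow", e["flow"])  # shared flow node stitches two services together
        elif op == "fork":
            obj = ("proc", e["svc"], e["child"])
        else:
            continue
        src, dst = (proc, obj) if op in ("write", "connect", "fork") else (obj, proc)
        rev[dst].append((src, e["ts"]))
    return rev

def backward_trace(rev, target, until=float("inf")):
    """Ancestors of target, honoring time order (a cause must precede its effect)."""
    seen, stack = {}, [(target, until)]
    while stack:
        node, bound = stack.pop()
        if seen.get(node, -1) >= bound:  # already explored with an equal or later bound
            continue
        seen[node] = bound
        for src, ts in rev.get(node, []):
            if ts <= bound:
                stack.append((src, ts))
    return set(seen) - {target}

if __name__ == "__main__":
    for n in sorted(backward_trace(build_graph(EVENTS), ("file", "upload", "/tmp/out")), key=str):
        print(n)
```

The trace from `/tmp/out` reaches the gateway's inbound connection through the shared flow node, while the later read of `/etc/conf` and the unrelated `recommend` service are excluded.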
Utkalika Satapathy
IIT Kharagpur, India
Sandip Chakraborty
IIT Kharagpur, India
Publications
- Utkalika Satapathy, Harsh Borse, Sandip Chakraborty: “Disprotrack: Distributed provenance tracking over serverless applications”, COMSNETS 2025