US 12,474,939 B2
Sound and clear provenance tracking for microservice deployments
Vinod Yegneswaran, Foster City, CA (US); Ashish Gehani, Atherton, CA (US); Hassaan Irshad, Union City, CA (US); Xutong Chen, Evanston, IL (US); and Yan Chen, Northfield, IL (US)
Assigned to SRI International, Menlo Park, CA (US)
Filed by SRI International, Menlo Park, CA (US); and Northwestern University, Evanston, IL (US)
Filed on Oct. 19, 2021, as Appl. No. 17/505,018.
Claims priority of provisional application 63/256,143, filed on Oct. 15, 2021.
Claims priority of provisional application 63/094,159, filed on Oct. 20, 2020.
Prior Publication US 2022/0121461 A1, Apr. 21, 2022
Int. Cl. G06F 9/455 (2018.01); G06F 11/30 (2006.01); G06F 11/34 (2006.01)
CPC G06F 9/455 (2013.01) [G06F 11/302 (2013.01); G06F 11/3495 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A method for providing namespace-aware provenance tracking in a containerized environment, comprising:
monitoring, by one or more custom kernel hooks, event audit records from an operating system (OS) kernel in response to determining that specific required namespace related information was not captured in the event audit records;
augmenting, by the one or more custom kernel hooks, the event audit records from the OS kernel with one or more additional namespace aware audit records that include namespace information determined by the one or more custom kernel hooks and related to a container in the containerized environment associated with the event audit records, wherein the namespace information related to the container includes namespace IDs;
processing, by an audit reporter, at least the additional namespace aware audit records to interpret the namespace IDs contained within the namespace aware audit records;
creating, by the audit reporter, a namespace-aware provenance graph that is namespace and container aware based on the namespace aware audit records; and
handling, by a machine learning system, security policy violations using the namespace-aware provenance graph.
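The audit-reporter half of the claimed method (steps three and four), as an added example that is not taken from the patent and is not SRI's or Northwestern's code. It assumes a hypothetical NS_INFO record type standing in for the namespace-aware record the custom kernel hook would emit, correlated with the kernel's SYSCALL and PATH records through the serial in msg=audit(<secs>:<serial>), which is how auditd already ties the records of one event together. The log lines, pids and namespace inode numbers are constructed. The example builds the graph twice, once keyed on pid and path alone and once keyed on (pid namespace, pid) and (mount namespace, path), to show the soundness gap the claim is closing: three different /etc/passwd files in three mount namespaces collapse into one artifact without namespace IDs, which manufactures a data flow from one container's writer to another container's reader. The machine-learning step of the claim is out of scope here.

```python
"""Namespace-aware provenance graph from Linux audit records.

Added illustration for the claim above, not SRI's or Northwestern's code.
Standard auditd facts used: the type=... msg=audit(<secs>:<serial>): line
format, and that all records of one event share a serial.  Constructed for
this example: the NS_INFO record type (stand-in for the claim's hook-added
record), the sample lines, pids and namespace inode numbers.
"""
import re
from collections import defaultdict

SYS_OPENAT = 257             # x86_64 syscall number for openat(2)
O_WRONLY, O_RDWR = 0x1, 0x2  # access-mode bits of the openat flags argument
HOST_PID_NS = "4026531836"   # constructed: the host's pid namespace in the sample

# Constructed stream: two containers and the host each open "/etc/passwd".
# Container A (pid 2001) truncates and writes its copy; container B (pid 3001)
# and the host sshd (pid 900) read theirs.  Three different files, one path.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1634670000.100:101): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1234 a2=241 a3=1b6 ppid=2000 pid=2001 uid=0 comm="sh" exe="/bin/busybox"
type=PATH msg=audit(1634670000.100:101): item=0 name="/etc/passwd" inode=1234 dev=00:31 mode=0100644
type=NS_INFO msg=audit(1634670000.100:101): pid=2001 pid_ns=4026532102 mnt_ns=4026532101 net_ns=4026532103
type=SYSCALL msg=audit(1634670000.200:102): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd5678 a2=0 a3=0 ppid=3000 pid=3001 uid=0 comm="cat" exe="/bin/busybox"
type=PATH msg=audit(1634670000.200:102): item=0 name="/etc/passwd" inode=5678 dev=00:35 mode=0100644
type=NS_INFO msg=audit(1634670000.200:102): pid=3001 pid_ns=4026532202 mnt_ns=4026532201 net_ns=4026532203
type=SYSCALL msg=audit(1634670000.300:103): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd9abc a2=0 a3=0 ppid=1 pid=900 uid=0 comm="sshd" exe="/usr/sbin/sshd"
type=PATH msg=audit(1634670000.300:103): item=0 name="/etc/passwd" inode=9999 dev=08:01 mode=0100644
type=NS_INFO msg=audit(1634670000.300:103): pid=900 pid_ns=4026531836 mnt_ns=4026531840 net_ns=4026531992
"""

LINE_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Split one auditd line into (record_type, serial, {field: value})."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, _ts, serial, body = m.groups()
    return rtype, int(serial), {k: v.strip('"') for k, v in KV_RE.findall(body)}


def group_events(log_text):
    """Collect records by serial: serial -> {record_type: [fields, ...]}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        if line.strip():
            rtype, serial, fields = parse_audit_line(line)
            events[serial][rtype].append(fields)
    return events


def build_graph(log_text, namespace_aware):
    """Return OPM-style edges (src, dst, label) for successful openat calls.

    namespace_aware=False keys processes by pid and files by path (all a
    reporter can do without NS_INFO).  namespace_aware=True keys processes by
    (pid_ns, pid), files by (mnt_ns, path), and attaches each non-host process
    to a container node named after its pid namespace.
    """
    edges = set()
    for _serial, recs in sorted(group_events(log_text).items()):
        sc = recs["SYSCALL"][0]
        if int(sc["syscall"]) != SYS_OPENAT or sc.get("success") != "yes":
            continue
        pid, path = int(sc["pid"]), recs["PATH"][0]["name"]
        if namespace_aware:
            ns = recs["NS_INFO"][0]
            proc, artifact = ("process", ns["pid_ns"], pid), ("file", ns["mnt_ns"], path)
            if ns["pid_ns"] != HOST_PID_NS:
                edges.add((proc, ("container", ns["pid_ns"]), "WasControlledBy"))
        else:
            proc, artifact = ("process", pid), ("file", path)
        if int(sc["a2"], 16) & (O_WRONLY | O_RDWR):  # a2 is the flags argument
            edges.add((artifact, proc, "WasGeneratedBy"))
        else:
            edges.add((proc, artifact, "Used"))
    return edges


def nodes_of_kind(edges, kind):
    """All distinct nodes whose first tuple element is `kind`."""
    return {n for e in edges for n in e[:2] if n[0] == kind}


def flows_via_shared_files(edges):
    """(writer_pid, reader_pid) pairs the graph claims are linked through one file."""
    writers, readers = defaultdict(set), defaultdict(set)
    for src, dst, label in edges:
        if label == "WasGeneratedBy":
            writers[src].add(dst[-1])
        elif label == "Used":
            readers[dst].add(src[-1])
    return {(w, r) for f in writers for w in writers[f] for r in readers[f] if w != r}


if __name__ == "__main__":
    for aware in (False, True):
        g = build_graph(SAMPLE_AUDIT_LOG, namespace_aware=aware)
        print("namespace_aware=%s: %d file nodes, %d container nodes, cross-flows %s"
              % (aware, len(nodes_of_kind(g, "file")), len(nodes_of_kind(g, "container")),
                 sorted(flows_via_shared_files(g))))
```

Without the namespace record the graph reports that container B and the host read a file container A wrote, a false dependency that a downstream detector would act on; with namespace IDs in the node keys the three opens touch three artifacts and the spurious flow disappears. Keying on the mount namespace rather than on dev/inode is deliberate: inode numbers are reused across overlay and tmpfs mounts and are not visible in every record, whereas the namespace ID is exactly what the hook supplies. A real reporter would extend the same keying to network addresses (net_ns) and IPC keys (ipc_ns), which collide across containers for the same reason.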