Can Graph-Based Microservice Performance Detection Be Used for Microservice Intrusion Detection?

Microservice systems expose rich telemetry streams, including metrics, logs, and distributed traces. Existing performance anomaly detection methods increasingly model these systems as graphs, where nodes represent services and edges represent runtime dependencies. This paper asks whether graph-based microservice performance detection can also serve as a foundation for microservice intrusion detection. We deploy a Docker Compose based synthetic e-commerce microservice benchmark, run 50 controlled trials across five attack types under normal workloads, and collect metrics, logs, and distributed traces. Each request trace is converted into a request-level invocation graph with multi-modal node features derived from timestamped logs and per-service performance metrics. As a first baseline, we train a two-layer graph convolutional network for 6-way classification over 21,438 request graphs. The model achieves 96.2% test accuracy with a macro F1 of 0.955 under a graph-level random split. We then conduct modality ablation, trial-level split evaluation, non-graph baseline comparison, runtime analysis, t-SNE visualization, confusion-matrix analysis, and error-case inspection. The stricter trial-level results show that trace structure alone is insufficient, logs and metrics improve detection, and strong flattened baselines currently outperform the shallow graph model on the engineered feature set.