Cloud　attack　provenance　is　a　well-established　industrial　practice　for　assuring　transparency　and　accountability　for　a　service　provider　to　tenants.　However,　the　multi-tenancy　and　self-service　nature　coupled　with　the　sheer　size　of　a　cloud　implies　many　unique　challenges　to　cloud　forensics.　Although　Virtual　Machine　Introspection　(VMI)　is　a　powerful　tool　for　attack　provenance　due　to　the　privilege　isolation,　the　stealthiness　of　state-of-the-art　attacks　and　the　lack　of　precise　information　make　existing　attack　provenance　solutions　difficult　to　fulfill　real-time　forensics　when　tracking　enormous　suspicious　behaviors.　To　this　end,　we　propose　an　instruction-level　tracing　framework　for　inspecting　the　presence　of　attacks　by　dynamically　tracking　shared　processor　hardware　event　patterns　and　analyzing　the　attack　traces.　To　overcome　the　challenges　of　real-time　detection　and　provenance,　we　advocate　Last　Branch　Record　(LBR)　profiling,　to　extract　the　suspicious　execution　flows.　With　the　hardware　assistance　and　software-based　virtualization　introspection,　we　show　that　the　framework　can　provide　an　effective　response　to　threats　in　different　cases,　thereby　enabling　a　quick　attack　provenance　with　high　fidelity.　The　evaluation　shows　that　our　prototype　introduces　negligible　performance　penalties.　©　2005-2012　IEEE.