As command-line interfaces remain an integral part of high-computation environments, the risk of exploitation through stealthy, complex command-line abuse continues to grow. Conventional security solutions often struggle with these command-line-based anomalies because of their context-specific nature and the lack of labeled data, especially when detecting rare, malicious patterns amidst legitimate, high-volume activity. This gap has left organizations vulnerable to sophisticated threats such as Living-off-the-Land (LOL) attacks, where standard detection tools frequently miss or misclassify anomalous command-line behavior. We introduce the Scalable Command-Line Anomaly Detection Engine (SCADE), which addresses these challenges with a dual-layered detection framework that combines global statistical analysis with local, context-specific anomaly detection, using a novel ensemble of statistical models, such as BM25 and Log Entropy, adapted for command-line data. The framework also features a dynamic thresholding mechanism for adaptive anomaly detection, ensuring high precision and recall even in environments with extremely high Signal-to-Noise Ratios (SNRs). Initial experimental results demonstrate the effectiveness of the framework, achieving above 98% SNR in identifying unusual command-line behavior while minimizing false positives. In this paper, we present SCADE's core architecture, including its metadata-enriched approach to anomaly detection and the design choices behind its scalability for enterprise-level deployment. We argue that SCADE represents a significant advancement in command-line anomaly detection, offering a robust, adaptive framework for security analysts and researchers seeking to enhance detection accuracy in high-computation environments.
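As an added illustration, not code from the paper (whose scoring details this abstract does not give), the Python below shows how the two statistical models the abstract names, BM25 and Log Entropy, can be turned into per-token rarity weights over a batch of command lines and combined with a median/MAD dynamic threshold. The corpus is constructed (the flagged line uses a made-up tool name), and the ensemble (product of the two weights, averaged per token), the robust-sigma constant and k = 3 are all my assumptions.

```python
import math
from collections import Counter
from statistics import median

# Constructed telemetry: repetitive admin activity plus one line whose tokens never recur (not real data or a real tool).
COMMANDS = [
    "ls -la /var/log", "ls -la /var/log", "ls -la /home/deploy",
    "grep -i error /var/log/syslog", "grep -i warn /var/log/syslog",
    "tail -f /var/log/syslog", "tail -n 100 /var/log/syslog",
    "systemctl status nginx", "systemctl restart nginx",
    "systemctl status sshd", "systemctl restart sshd",
    "oddtool --quiet --fetch /tmp/.zz9/blob",
]

def tokenize(cmd):
    return cmd.lower().split()

def bm25_idf(docs):
    """BM25 inverse document frequency: tokens seen in few lines score high."""
    n = len(docs)
    df = Counter(t for d in docs for t in set(d))
    return {t: math.log((n - c + 0.5) / (c + 0.5) + 1.0) for t, c in df.items()}

def log_entropy_weights(docs):
    """Log-entropy global weight in [0, 1]: 1 when a token is confined to one
    line, near 0 when its occurrences are spread evenly across the corpus."""
    gf = Counter(t for d in docs for t in d)
    g = {}
    for t, total in gf.items():
        ent = sum((c / total) * math.log2(c / total)
                  for d in docs if (c := d.count(t)))
        g[t] = 1.0 + ent / math.log2(max(len(docs), 2))
    return g

def score(doc, idf, g):
    """Ensemble rarity score: per-token mean of BM25 idf scaled by entropy weight."""
    return sum(idf[t] * g[t] for t in doc) / len(doc) if doc else 0.0

def dynamic_threshold(scores, k=3.0):
    """Median + k robust sigmas (1.4826 * MAD), recomputed for every batch."""
    med = median(scores)
    mad = median(abs(s - med) for s in scores) or 1e-9
    return med + k * 1.4826 * mad

def detect(commands, k=3.0):
    # Flag lines whose rarity score clears the batch-specific threshold.
    docs = [tokenize(c) for c in commands]
    idf, g = bm25_idf(docs), log_entropy_weights(docs)
    scores = [score(d, idf, g) for d in docs]
    thr = dynamic_threshold(scores, k)
    return [c for c, s in zip(commands, scores) if s > thr]
```

Because the threshold is derived from each batch's own score distribution, the same code adapts to a noisier corpus without retuning; only the lines that are rare relative to their peers are flagged.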