Securing endpoints is challenging because threats and attacks keep evolving. As endpoint logging systems have matured, provenance-graph representations have made it possible to write sophisticated behavior rules. Rule-based detection, however, does not scale with the pace at which new attacks appear, which motivated ML models that learn directly from endpoint logs. Two open challenges remain: i) the malicious patterns of malware are spread across long sequences of events, and ii) ML classification results are not interpretable. To address these issues, we develop and present EagleEye, a novel system that i) represents behavior events with rich features drawn from provenance graphs, including command-line embeddings, ii) extracts long sequences of events and learns event embeddings, and iii) trains a lightweight Transformer model to classify behavior sequences as malicious or benign. We evaluate EagleEye against state-of-the-art baselines on two datasets: a new real-world dataset collected from a corporate environment, and the public DARPA dataset. On the DARPA dataset, at a false-positive rate of 1%, EagleEye detects about 89% of all malicious behavior, outperforming two state-of-the-art solutions by an absolute margin of 38.5%. Furthermore, we show that the Transformer's attention mechanism can be used to highlight the most suspicious events in a long sequence, thereby providing an interpretation of malware alerts.
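The headline result above is a detection rate measured at a fixed false-positive rate (TPR at 1% FPR). The abstract does not describe how that operating point is chosen, so the following is an added example, not EagleEye's code: it shows the standard way to derive the score threshold from benign-sequence scores and then measure the detection rate on malicious-sequence scores. Higher score means more suspicious; all scores below are constructed for illustration.

```python
"""Detection rate at a fixed false-positive rate (TPR at a given FPR).

Added example, not part of the EagleEye paper. A classifier assigns each
behavior sequence a suspicion score; we pick the threshold from benign
scores so that at most `max_fpr` of them are flagged, then measure how
many malicious sequences exceed it. Flagging is "score > threshold"
(strict), so tied benign scores can never push the FPR above the budget.
"""


def threshold_at_fpr(benign_scores, max_fpr):
    """Return the threshold t such that the fraction of benign sequences
    with score > t is at most max_fpr (the FPR budget)."""
    if not benign_scores:
        raise ValueError("need at least one benign score")
    s = sorted(benign_scores)
    n = len(s)
    allowed = int(max_fpr * n)  # how many benign sequences we may flag
    if allowed >= n:
        return float("-inf")  # budget permits flagging everything
    # Flagging only scores strictly above the (n - allowed)-th smallest
    # benign score flags at most `allowed` benign sequences, even with ties.
    return s[n - allowed - 1]


def false_positive_rate(benign_scores, threshold):
    """Fraction of benign sequences flagged at this threshold."""
    return sum(1 for x in benign_scores if x > threshold) / len(benign_scores)


def detection_rate(malicious_scores, threshold):
    """Fraction of malicious sequences flagged at this threshold (TPR)."""
    return sum(1 for x in malicious_scores if x > threshold) / len(malicious_scores)


def evaluate(benign_scores, malicious_scores, max_fpr=0.01):
    """Operating point at the requested FPR budget: threshold, realised FPR, TPR."""
    t = threshold_at_fpr(benign_scores, max_fpr)
    return {
        "threshold": t,
        "fpr": false_positive_rate(benign_scores, t),
        "tpr": detection_rate(malicious_scores, t),
    }


# Constructed sample scores (not from any dataset): 200 benign sequences
# spread evenly over [0, 1), and 20 malicious sequences, 16 of which
# score above everything benign.
BENIGN = [i / 200 for i in range(200)]
MALICIOUS = [0.30, 0.60, 0.80, 0.98] + [0.99] * 16

if __name__ == "__main__":
    result = evaluate(BENIGN, MALICIOUS, max_fpr=0.01)
    print(f"threshold={result['threshold']:.3f} "
          f"FPR={result['fpr']:.3f} TPR={result['tpr']:.3f}")
```

Note that the realised FPR can land below the budget when several benign sequences tie at the threshold; reporting the realised FPR alongside the TPR, as the block does, avoids overstating the operating point.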