Endpoint Detection and Response (EDR) solutions adopt attack provenance graphs to discover unknown threats by correlating system events. However, this method still faces unsolved problems of interoperability, reliability, flexibility, and practicability when it comes to delivering actionable results. Our research highlights the limitations of current solutions in detecting obfuscation, correlating attacks, identifying low-frequency events, and maintaining robust context awareness for command-line activity. To address these challenges, we introduce DEFENDCLI, a provenance-graph-based system that, for the first time, performs detection at the command-line level. By offering finer detection granularity, it addresses a gap in modern EDR systems that previous research has overlooked. Our solution improves the precision of the information representation by evaluating differentiation across three levels: unusual system process calls, suspicious command-line executions, and infrequent external network connections. This multi-level approach makes EDR systems more reliable in complex and dynamic environments. Our evaluation shows that DEFENDCLI improves precision by approximately 1.6x over state-of-the-art methods on the DARPA Engagement Series attack datasets. Extensive real-time industrial testing across various attack scenarios further validates its practical effectiveness. The results indicate that DEFENDCLI not only detects previously unknown attack instances that other modern commercial solutions miss, but also achieves a 2.3x improvement in precision over the state-of-the-art research work.
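To make the three-level idea concrete, here is an added toy illustration that is not DEFENDCLI's code and not derived from the paper: it scores each audit event for rarity at the process-call, command-line and network-connection levels against a benign baseline, sums the levels, and reconstructs the parent chain of any event that crosses a threshold. The Laplace-smoothed negative-log-frequency scoring, the command-line template normalisation, the threshold of 4.0 and all event records are assumptions constructed for the example; the abstract does not specify how DEFENDCLI scores or correlates events.

```python
import math
import re
import shlex
from collections import Counter

# Constructed benign baseline events (parent, child, cmdline, dst); not real telemetry.
BASELINE = [
    ("explorer", "cmd", "cmd /c dir C:\\Users\\a", None),
    ("explorer", "cmd", "cmd /c dir C:\\Users\\b", None),
    ("explorer", "outlook", "outlook", "mail.example.test:443"),
    ("explorer", "outlook", "outlook", "mail.example.test:443"),
    ("explorer", "chrome", "chrome --profile 1", "www.example.test:443"),
    ("explorer", "chrome", "chrome --profile 2", "www.example.test:443"),
    ("services", "svchost", "svchost -k netsvcs", "update.example.test:443"),
    ("services", "svchost", "svchost -k netsvcs", "update.example.test:443"),
]

# Constructed events under analysis: one benign variant, one rare parent with a
# common command line, and one event that is rare at all three levels.
OBSERVED = [
    ("explorer", "chrome", "chrome --profile 3", "www.example.test:443"),
    ("winword", "cmd", "cmd /c dir C:\\Users\\x", None),
    ("cmd", "powershell", "powershell -c Get-Process", "203.0.113.7:8443"),
]

ALERT_THRESHOLD = 4.0  # assumed cut-off on the summed three-level score


def normalize_cmdline(cmdline):
    """Reduce a command line to a template: lower-case, strip quotes, and
    abstract paths and numbers so that trivial variants share one key."""
    out = []
    for tok in shlex.split(cmdline, posix=False):  # keep Windows backslashes
        tok = tok.strip("\"'").lower()
        if "\\" in tok or ("/" in tok and not tok.startswith("/")):
            tok = "<path>"          # file path argument
        elif re.fullmatch(r"\d+", tok):
            tok = "<num>"           # numeric argument
        out.append(tok)
    return " ".join(out)


class RarityModel:
    """Frequency baselines for the three levels the abstract names."""

    def __init__(self, baseline):
        self.proc = Counter((p, c) for p, c, _, _ in baseline)
        self.cmd = Counter(normalize_cmdline(cl) for _, _, cl, _ in baseline)
        self.net = Counter((c, d) for _, c, _, d in baseline if d)

    @staticmethod
    def _rarity(counter, key):
        # Laplace-smoothed negative log frequency; unseen keys score highest.
        total = sum(counter.values())
        return -math.log((counter.get(key, 0) + 1) / (total + 1))

    def score(self, event):
        parent, child, cmdline, dst = event
        levels = {
            "process_call": self._rarity(self.proc, (parent, child)),
            "command_line": self._rarity(self.cmd, normalize_cmdline(cmdline)),
            "network": self._rarity(self.net, (child, dst)) if dst else 0.0,
        }
        levels["total"] = sum(levels.values())
        return levels


def provenance_chain(events, proc):
    """Walk child -> parent edges from the observed events back to the root."""
    parents = {c: p for p, c, _, _ in events}
    chain = [proc]
    while chain[-1] in parents and parents[chain[-1]] not in chain:
        chain.append(parents[chain[-1]])
    return chain


def detect(model, events, threshold=ALERT_THRESHOLD):
    """Return alerts for events whose summed three-level rarity crosses the threshold."""
    alerts = []
    for ev in events:
        s = model.score(ev)
        if s["total"] >= threshold:
            alerts.append({"event": ev, "scores": s,
                           "chain": provenance_chain(events, ev[1])})
    return alerts


if __name__ == "__main__":
    model = RarityModel(BASELINE)
    for ev in OBSERVED:
        print(ev[1], {k: round(v, 2) for k, v in model.score(ev).items()})
    for alert in detect(model, OBSERVED):
        print("ALERT", alert["event"][1], "chain:", " <- ".join(alert["chain"]))
```

Run as a script, it prints the per-level scores for the three observed events and raises one alert. The point the summed score makes is the one the abstract argues for: a single rare level (an unusual parent launching a routine command line, or a new browser profile) stays below the threshold, while an event that is rare at the process, command-line and network levels at once crosses it, and the reconstructed chain gives the analyst the context needed to judge the alert.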