Command-line Risk Classification using Transformer-based Neural Architectures

TL;DR

This paper introduces a transformer-based neural system leveraging large language models for improved command-line risk classification, addressing limitations of rule-based and general-purpose classifiers in detecting dangerous commands in security-critical environments.

Contribution

The paper presents a novel transformer-based approach utilizing transfer learning to enhance command risk classification accuracy and rare command detection in security applications.

Findings

Effective on realistic production command datasets

Improves detection of rare dangerous commands

Can be adapted for other security tasks

Abstract

To protect large-scale computing environments necessary to meet increasing computing demand, cloud providers have implemented security measures to monitor Operations and Maintenance (O&M) activities and therefore prevent data loss and service interruption. Command interception systems are used to intercept, assess, and block dangerous Command-line Interface (CLI) commands before they can cause damage. Traditional solutions for command risk assessment include rule-based systems, which require expert knowledge and constant human revision to account for unseen commands. To overcome these limitations, several end-to-end learning systems have been proposed to classify CLI commands. These systems, however, have several other limitations, including the adoption of general-purpose text classifiers, which may not adapt to the language characteristics of scripting languages such as Bash or PowerShell, and may not recognize dangerous commands in the presence of an unbalanced class distribution. In this paper, we propose a transformer-based command risk classification system, which leverages the generalization power of Large Language Models (LLM) to provide accurate classification and the ability to identify rare dangerous commands effectively, by exploiting the power of transfer learning. We verify the effectiveness of our approach on a realistic dataset of production commands and show how to apply our model for other security-related tasks, such as dangerous command interception and auditing of existing rule-based systems.