DEFENDCLI: {Command-Line} Driven Attack Provenance Examination

TL;DR

DEFENDCLI introduces a command-line level attack detection system using provenance graphs, significantly enhancing precision and reliability in identifying complex threats compared to existing solutions.

Contribution

This paper presents DEFENDCLI, a novel system that leverages multi-level command-line activity analysis for improved attack detection in EDR systems, addressing key limitations of current methods.

Findings

Improves detection precision by approximately 1.6x on DARPA datasets.

Detects previously unknown attack instances missed by other solutions.

Achieves a 2.3x improvement in precision over state-of-the-art methods.

Abstract

Endpoint Detection and Response (EDR) solutions embrace the method of attack provenance graph to discover unknown threats through system event correlation. However, this method still faces some unsolved problems in the fields of interoperability, reliability, flexibility, and practicability to deliver actionable results. Our research highlights the limitations of current solutions in detecting obfuscation, correlating attacks, identifying low-frequency events, and ensuring robust context awareness in relation to command-line activities. To address these challenges, we introduce DEFENDCLI, an innovative system leveraging provenance graphs that, for the first time, delves into command-line-level detection. By offering finer detection granularity, it addresses a gap in modern EDR systems that has been overlooked in previous research. Our solution improves the precision of the information representation by evaluating differentiation across three levels: unusual system process calls, suspicious command-line executions, and infrequent external network connections. This multi-level approach enables EDR systems to be more reliable in complex and dynamic environments. Our evaluation demonstrates that DEFENDCLI improves precision by approximately 1.6x compared to the state-of-the-art methods on the DARPA Engagement Series attack datasets. Extensive real-time industrial testing across various attack scenarios further validates its practical effectiveness. The results indicate that DEFENDCLI not only detects previously unknown attack instances, which are missed by other modern commercial solutions, but also achieves a 2.3x improvement in precision over the state-of-the-art research work.