Shaofei Li (Peking University), Jiandong Jin (Peking University), Hanlin Jiang (Peking University), Yi Huang (Peking University), Yifei Bao (Jilin University), Yuhan Meng (Peking University), Fengwei Hong (Peking University), Zheng Huang (Peking University), Peng Jiang (Southeast University), Ding Li (Peking University)

Endpoint Detection and Response (EDR) systems play a crucial role in modern cybersecurity by monitoring and responding to Advanced Persistent Threats (APT) on endpoints. Provenance analysis has emerged as a powerful technique for enhancing EDR capabilities by providing detailed insights into system activities and enabling advanced threat detection. However, enterprises still face significant challenges in effectively processing and analyzing provenance data for real-time threat detection and response. In this paper, we present SYSARMOR, a practice of integrating provenance analysis into EDR systems designed to address these challenges through a novel microservices architecture. SYSARMOR integrates efficient provenance data collection, real-time streaming processing, and asynchronous detection engine that combines Falco rule-based detection with provenance graph-based anomaly detection, NODLINK and KNOWHOW, to provide end-to-end online threat detection. To help security analysts investigate alerts, SYSARMOR offers a management front end that manages alerts and visualizes provenance graphs. We deploy SYSARMOR in a real-world enterprise environment and evaluate its performance and effectiveness. Our results demonstrate that SYSARMOR can detect real-world APT attacks effectively while maintaining high throughput and low latency. SYSARMOR is also scalable and can be easily deployed in multiple endpoints.

View More Papers

SAGA: A Security Architecture for Governing AI Agentic Systems

Georgios Syros (Northeastern University), Anshuman Suri (Northeastern University), Jacob Ginesin (Northeastern University), Cristina Nita-Rotaru (Northeastern University), Alina Oprea (Northeastern University)

Read More

“These cameras are just like the Eye of Sauron”:...

Shijing He (King’s College London), Yaxiong Lei (University of St Andrews), Xiao Zhan (Universitat Politecnica de Valencia), Ruba Abu-Salma (King’s College London), Jose Such (INGENIO (CSIC-UPV))

Read More

The Dark Side of Flexibility: Detecting Risky Permission Chaining...

Xunqi Liu (State Key Laboratory of Integrated Services Networks, School of Cyber Engineering, Xidian University), Nanzi Yang (University of Minnesota), Chang Li (State Key Laboratory of Integrated Services Networks, School of Cyber Engineering, Xidian University), Jinku Li (State Key Laboratory of Integrated Services Networks, School of Cyber Engineering, Xidian University), Jianfeng Ma (State Key Laboratory…

Read More