Shaofei Li (Peking University), Jiandong Jin (Peking University), Hanlin Jiang (Peking University), Yi Huang (Peking University), Yifei Bao (Jilin University), Yuhan Meng (Peking University), Fengwei Hong (Peking University), Zheng Huang (Peking University), Peng Jiang (Southeast University), Ding Li (Peking University)
Endpoint Detection and Response (EDR) systems play a crucial role in modern cybersecurity by monitoring and responding to Advanced Persistent Threats (APTs) on endpoints. Provenance analysis has emerged as a powerful technique for enhancing EDR capabilities: it provides detailed insight into system activities and enables advanced threat detection. However, enterprises still face significant challenges in processing and analyzing provenance data effectively for real-time threat detection and response. In this paper, we present SYSARMOR, a practical integration of provenance analysis into EDR systems that addresses these challenges through a novel microservices architecture. SYSARMOR combines efficient provenance data collection, real-time streaming processing, and an asynchronous detection engine that pairs Falco rule-based detection with two provenance graph-based anomaly detectors, NODLINK and KNOWHOW, to provide end-to-end online threat detection. To help security analysts investigate alerts, SYSARMOR offers a management front end that manages alerts and visualizes provenance graphs. We deploy SYSARMOR in a real-world enterprise environment and evaluate its performance and effectiveness. Our results demonstrate that SYSARMOR detects real-world APT attacks effectively while maintaining high throughput and low latency. SYSARMOR is also scalable and can be easily deployed across multiple endpoints.