🤖 AI Summary
Existing endpoint detection and response (EDR) systems suffer from poor interoperability and insufficient robustness against obfuscated commands, low-frequency malicious behaviors, and command-line contextual ambiguity when performing event correlation via attack provenance graphs. To address these limitations, this paper proposes the first command-line-granular attack provenance framework, constructing fine-grained provenance graphs that integrate system call analysis, command-line behavioral modeling, and network connection frequency detection to enable multi-level dynamic correlation. We introduce a novel three-tiered differential evaluation mechanism, significantly enhancing detection accuracy and adaptability in complex, heterogeneous environments. Evaluated on the DARPA TC dataset, our approach achieves a 1.6× improvement in precision over state-of-the-art baselines; in industrial deployments, it outperforms mainstream EDR solutions by 2.3×. Moreover, it successfully identifies multiple previously undetected zero-day attacks missed by existing commercial EDR systems.
📝 Abstract
Endpoint Detection and Response (EDR) solutions adopt attack provenance graphs to discover unknown threats through system event correlation. However, this method still faces unsolved problems in interoperability, reliability, flexibility, and practicability when it comes to delivering actionable results. Our research highlights the limitations of current solutions in detecting obfuscation, correlating attacks, identifying low-frequency events, and ensuring robust context awareness with respect to command-line activity. To address these challenges, we introduce DEFENDCLI, an innovative system leveraging provenance graphs that, for the first time, performs detection at the command-line level. By offering finer detection granularity, it addresses a gap in modern EDR systems that previous research has overlooked. Our solution improves the precision of the information representation by evaluating differentiation across three levels: unusual system process calls, suspicious command-line executions, and infrequent external network connections. This multi-level approach makes EDR systems more reliable in complex and dynamic environments. Our evaluation demonstrates that DEFENDCLI improves precision by approximately 1.6x compared to state-of-the-art methods on the DARPA Engagement Series attack datasets. Extensive real-time industrial testing across various attack scenarios further validates its practical effectiveness. The results indicate that DEFENDCLI not only detects previously unknown attack instances that other modern commercial solutions miss, but also achieves a 2.3x improvement in precision over the state-of-the-art research work.
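To make the three-level idea concrete, the following is an added illustration and not DEFENDCLI's code or algorithm: it builds a tiny provenance graph from a constructed event stream, scores each process on how rare its parent-to-child lineage is, how rare its command-line template is (plus a flat bonus when a long base64-looking token appears), and how infrequent its external destinations are, then adds the three levels so a chain that is unusual at more than one level ranks first. The event records, the rarity measure (self-information in bits), the obfuscation bonus, and the use of documentation address ranges as stand-ins for public IPs are all assumptions made here.

```python
"""Three-level rarity scoring over a tiny provenance graph.

Added example; NOT DefendCLI's implementation. It only sketches the idea of
combining (1) process-call lineage rarity, (2) command-line rarity and
obfuscation hints, and (3) external-connection infrequency into one score.
"""
import ipaddress
import math
import re
from collections import Counter, defaultdict

# Constructed sample event stream (not from the paper or the DARPA datasets).
# "exec" records carry the process tree and command line; "net" records are
# outbound connections made by an already-seen pid.
EVENTS = (
    [{"kind": "exec", "pid": 100, "ppid": 1, "image": "cron", "cmdline": "cron -f"}]
    + [{"kind": "exec", "pid": 110 + i, "ppid": 100, "image": "sh",
        "cmdline": "sh -c /usr/local/bin/backup.sh"} for i in range(5)]
    + [{"kind": "net", "pid": 110 + i, "dst": "10.0.0.5:22"} for i in range(5)]
    + [{"kind": "exec", "pid": 200, "ppid": 1, "image": "nginx",
        "cmdline": "nginx -g daemon off;"}]
    + [{"kind": "exec", "pid": 210 + i, "ppid": 200, "image": "nginx",
        "cmdline": "nginx -g daemon off;"} for i in range(4)]
    + [{"kind": "net", "pid": 210 + (i % 4), "dst": "203.0.113.10:443"} for i in range(8)]
    # The chain a defender wants ranked first: a shell spawned by a web-server
    # worker, carrying a long base64-looking token (constructed, meaningless),
    # followed by a single connection to a destination seen nowhere else.
    + [{"kind": "exec", "pid": 300, "ppid": 210, "image": "sh",
        "cmdline": "sh -c Y29uc3RydWN0ZWQtc2FtcGxlLXRva2Vu"}]
    + [{"kind": "net", "pid": 300, "dst": "198.51.100.7:8443"}]
)

# Assumed obfuscation hint: a bare token of 20+ base64 characters.
BASE64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")

# RFC 1918 and loopback count as internal; everything else (including the
# documentation ranges used in the sample) is treated as external here.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def rarity(count, total):
    """Self-information in bits: rare observations score high, common ones near 0."""
    return -math.log2(count / total)


def is_external(dst):
    ip = ipaddress.ip_address(dst.rsplit(":", 1)[0])
    return not any(ip in net for net in INTERNAL)


def cmd_template(cmdline):
    """Collapse a command line to image + flags so counts ignore argument values."""
    toks = cmdline.split()
    return (toks[0],) + tuple(t for t in toks[1:] if t.startswith("-"))


def build_graph(events):
    """Index exec records by pid and group net records per pid."""
    procs = {e["pid"]: e for e in events if e["kind"] == "exec"}
    conns = defaultdict(list)
    for e in events:
        if e["kind"] == "net":
            conns[e["pid"]].append(e["dst"])
    return procs, conns


def score_processes(events):
    """Return per-pid scores for the three levels and their sum."""
    procs, conns = build_graph(events)
    parent_of = lambda p: procs[p["ppid"]]["image"] if p["ppid"] in procs else "init"
    # Level 1: parent->child image pairs (process-call lineage).
    lineage = Counter((parent_of(p), p["image"]) for p in procs.values())
    # Level 2: command-line templates across all processes.
    templates = Counter(cmd_template(p["cmdline"]) for p in procs.values())
    # Level 3: external destinations across all connections.
    ext = Counter(d for ds in conns.values() for d in ds if is_external(d))
    n_procs, n_ext = len(procs), sum(ext.values())
    results = {}
    for pid, p in procs.items():
        l1 = rarity(lineage[(parent_of(p), p["image"])], n_procs)
        l2 = rarity(templates[cmd_template(p["cmdline"])], n_procs)
        if any(BASE64_TOKEN.match(t) for t in p["cmdline"].split()):
            l2 += 2.0  # assumed flat bonus for an obfuscation hint
        l3 = max((rarity(ext[d], n_ext) for d in conns.get(pid, [])
                  if is_external(d)), default=0.0)
        results[pid] = {"lineage": round(l1, 2), "cmdline": round(l2, 2),
                        "network": round(l3, 2), "total": round(l1 + l2 + l3, 2)}
    return results


def rank(events, top=3):
    """Highest-scoring pids first."""
    scores = score_processes(events)
    return sorted(scores.items(), key=lambda kv: kv[1]["total"], reverse=True)[:top]


if __name__ == "__main__":
    for pid, s in rank(EVENTS):
        print(pid, s)
```

Running it ranks pid 300 first because it is rare on all three levels, while the one-off cron daemon scores high on lineage and command line alone and nothing on network. That is the caveat worth keeping in mind with any rarity-based scheme: a singleton benign service looks unusual on a single level, so the value of the approach lies in requiring agreement across levels rather than in any one of them.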