research-article

A machine learning-enhanced endpoint detection and response framework for fast and proactive defense against advanced cyber attacks

Published: 05 July 2024

Abstract

The risk of intelligent cyber-attacks is increasing as the number of endpoint devices surges and non-face-to-face services expand. As the damage caused by advanced persistent threats (APTs), a class of advanced cyber-attack, grows, companies are researching endpoint detection and response (EDR) and endpoint protection platforms. However, because conventional open-source EDR tools rely on the administrator's preset rules, detecting or responding to APT attacks that use new patterns or variant malware requires substantial effort. In this study, fast detection and proactive response (FDPR) is proposed. FDPR complements the limitations of any single existing EDR tool by combining Google Rapid Response (GRR), an open-source detection-centric tool, with OSSEC (Open Source HIDS SECurity), an open-source, response-centric host-based intrusion detection system. In the experiment, the attack detection performance of FDPR was 97.6%, which is 3.55 times and 1.2 times that of the conventional ruleset-based intrusion detection system (R-IDS) and the conventional deep learning-based intrusion detection system (DL-IDS), respectively. In addition, compared to R-IDS, the passive response level improved by 5.76 times and the active response by 11.53%, demonstrating the superiority of the FDPR model.



Published In

Soft Computing - A Fusion of Foundations, Methodologies and Applications, Volume 28, Issue 13-14, July 2024, 942 pages

Publisher

Springer-Verlag, Berlin, Heidelberg

Publication History

Accepted: 26 January 2024

Author Tags

1. Advanced persistent threat
2. Endpoint detection and response
3. Machine learning
4. Attack detection
5. Attack response
