Endpoint Detection and Response: Why Use Machine Learning?

Sjarif, Nilam Nur Amir; Chuprat, Suriayati; Mahrin, Mohd Naz’ri; Ahmad, Noor Azurati; Ariffin, A.; Senan, Firham M.; Zamani, Nazri Ahmad; Saupi, Afifah

doi:10.1109/ictc46691.2019.8939836

Cited by 6 publications

(4 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…During attacks, one may notice the involvement of processes like Powershell.exe and gswin32c.exe, which are not typically seen in normal situations but are linked to the execution of malicious scripts. Furthermore, as mentioned in previous studies [21][22][23], in EDR environments, rapid response is crucial, so the log preprocessing steps must be lightweight. Considering this, this paper proposes a lightweight feature extraction technique that focuses on identifying process chains using the Original Log.…”

Section: A Data Description and Data Featuringmentioning

confidence: 99%

Reference-Based AI Decision Support for Cybersecurity

Lee,

Han,

Lee

2023

IEEE Access

View full text Add to dashboard Cite

In the cyber environment, massive amounts of data are generated daily. Artificial Intelligence (AI) technologies can effectively manage this vast data to support efficient operations in the cyber environment. Thanks to active research, AI has advanced significantly in this regard. However, as AI achieves higher performance, it becomes increasingly complex, which results in the low interpretability of AI outputs. This black-box nature of AI technology makes AI chal-lenging to apply in fields like cybersecurity, where the risk of false positives is significant. To address this issue, researchers have been working on eXplainable Artificial Intelligence (XAI) technology, with the intention to enhance the utility of AI by providing interpretations of AI predictions. Most previous research has focused on understanding how models function in terms of feature importance to interpret AI results. However, this approach fails to provide clear interpretations in fields where interpretability is crucial, such as security. Therefore, this paper proposes a framework that offers interpretations of AI results, even in unsupervised environ-ments that are suitable for security scenarios. Additionally, we have improved the logic of cal-culation Reference and have enhanced the function and performance compared with previous research. We provide additional information that supports interpretation, such as P-Values and References, to offer more effective decision support to security analysts and to ultimately reduce false alarms and enhance model performance. Overall, we aim to improve the model's perfor-mance by providing clear interpretations that are suitable for security tasks, thereby contrib-uting to more effective decision-making by security analysts.

show abstract

Section: A Data Description and Data Featuringmentioning

confidence: 99%

Reference-Based AI Decision Support for Cybersecurity

Lee,

Han,

Lee

2023

IEEE Access

View full text Add to dashboard Cite

show abstract

“…However, most commercial threat detection systems are developed on closed platforms, rendering system adaption to each endpoint environment difficult. Consequently, it is expensive and time-consuming to develop and implement endpoint security systems [6]. Furthermore, detecting APT attacks with a single open-source threat detector is difficult because conventional systems can detect only fragmentary attacks based on limited log data.…”

Section: Introductionmentioning

confidence: 99%

“…can be defined as a total of 16 conditions, depending on whether the attacker performsSteps 4,6,7, and 8. Condition 1 is a type that goes through all Steps 4, 6, 7, 8, and Conditions 2, 3, 4, and 5 are patterns in which attackers do not go through only Steps 4, 6, 7, and 8.…”

mentioning

confidence: 99%

An Effective Threat Detection Framework for Advanced Persistent Cyberattacks

Jeon¹,

Lee²,

Lee³

et al. 2023

Computers, Materials &Amp; Continua

View full text Add to dashboard Cite

Recently, with the normalization of non-face-to-face online environments in response to the COVID-19 pandemic, the possibility of cyberattacks through endpoints has increased. Numerous endpoint devices are managed meticulously to prevent cyberattacks and ensure timely responses to potential security threats. In particular, because telecommuting, telemedicine, and teleeducation are implemented in uncontrolled environments, attackers typically target vulnerable endpoints to acquire administrator rights or steal authentication information, and reports of endpoint attacks have been increasing considerably. Advanced persistent threats (APTs) using various novel variant malicious codes are a form of a sophisticated attack. However, conventional commercial antivirus and anti-malware systems that use signature-based attack detection methods cannot satisfactorily respond to such attacks. In this paper, we propose a method that expands the detection coverage in APT attack environments. In this model, an open-source threat detector and log collector are used synergistically to improve threat detection performance. Extending the scope of attack log collection through interworking between highly accessible open-source tools can efficiently increase the detection coverage of tactics and techniques used to deal with APT attacks, as defined by MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). We implemented an attack environment using an APT attack scenario emulator called Carbanak and analyzed the detection coverage of Google Rapid Response (GRR), an open-source threat detection tool, and Graylog, an open-source log collector. The proposed method expanded the detection coverage against MITRE ATT&CK by approximately 11% compared with that conventional methods.

show abstract

“…• HUC Packet Transmitter: A proxy tool used to intercept and redirect Transmission Control Protocol (TCP) connections in order to obfuscate attackers'communications with victim networks. Recently, detection utilizing Endpoint Detection and Response (EDR) * 1 on each computer is becoming more common [2]. As part of EDR, malware detection based on file name or hash is one of the more popular methods [3].…”

Section: Introductionmentioning

confidence: 99%

Detection of Malicious Tools by Monitoring DLL Using Deep Learning

Matsuda

Fujimoto

Mitsunaga

2020

Journal of Information Processing

View full text Add to dashboard Cite

In targeted attacks, various malicious tools are leveraged by attackers. According to the Cybersecurity and Infrastructure Security Agency (CISA), tools such as China Chopper, Mimikatz, PowerShell Empire, and HUC Packet Transmitter are used in targeted attacks. Standard malware detection methods include those based on file names or hashes. However, attackers tend to avoid detection by changing the file name of malicious tools or by rebuilding them. Therefore, detecting malicious tools used in targeted attacks is difficult. We found that the order of Windows built-in DLLs loaded by each malicious tool has unique characteristics. In this study, we propose a detection method of malicious tools by analyzing DLL information using deep learning, considering the DLL and its order of loading by each process. We confirmed that even if the file names are changed or tools are rebuilt, our proposed method could detect the mentioned four tools with high detection rates: with a recall rate of 97.45%, a precision rate of 97.29%, and F value of 97.37% on average. Furthermore, the proposed method can detect malicious tools with more than a 90% detection rate, even if about 10% of loaded DLLs are changed in the future.

show abstract

Endpoint Detection and Response: Why Use Machine Learning?

Cited by 6 publications

References 23 publications

Reference-Based AI Decision Support for Cybersecurity

Reference-Based AI Decision Support for Cybersecurity

An Effective Threat Detection Framework for Advanced Persistent Cyberattacks

Detection of Malicious Tools by Monitoring DLL Using Deep Learning

Contact Info

Product

Resources

About