Endpoint Security Agent: A Comprehensive Approach to Real-time System Monitoring and Threat Detection
Srihari R, Ayesha Taranum, Karthik, Mohammed Usman Hussain

TL;DR
This paper introduces a modular, real-time endpoint security agent that uses native Windows tools and machine learning to monitor system activities, detect threats accurately, and support standardized threat classification and forensic analysis.
Contribution
It presents a novel, extensible security system combining native monitoring, machine learning detection, and MITRE ATT&CK mapping for improved endpoint threat detection.
Findings
High detection accuracy with minimal false positives.
Effective mapping to MITRE ATT&CK framework.
Promising preliminary evaluation results.
Abstract
As cyber threats continue to evolve in complexity and frequency, robust endpoint protection is essential for organizational security. This paper presents "Endpoint Security Agent: A Comprehensive Approach to Real-time System Monitoring and Threat Detection", a modular, real-time security solution for Windows endpoints. The agent leverages native tools like WMI and ETW for low-level monitoring of system activities such as process execution, registry modifications, and network behaviour. A machine learning-based detection engine, trained on labelled datasets of benign and malicious activity, enables accurate threat identification with minimal false positives. Detection techniques are mapped to the MITRE ATT&CK framework for standardized threat classification. Designed for extensibility, the system includes a centralized interface for alerting and forensic analysis. Preliminary evaluation…
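As an added illustration of the native-tool monitoring layer the abstract describes (this is example code, not the paper's own agent): a PowerShell sketch that subscribes to WMI process-start and Run-key change events, tags each alert with a MITRE ATT&CK technique ID, and appends it as JSON lines for a central interface to collect. The log path, the interpreter list and the source labels are assumptions; it needs an elevated session.

```powershell
# Added example, not the paper's code. Run in an elevated PowerShell session.
# Assumed log location (the paper does not specify one).
$LogPath = Join-Path $env:ProgramData 'EndpointAgent\alerts.jsonl'
New-Item -ItemType Directory -Force -Path (Split-Path $LogPath) | Out-Null

# Global so the event-action script blocks can call it.
function global:Write-Alert {
    param([string]$LogPath, [string]$Source, [string]$Technique, [hashtable]$Detail)
    $record = [ordered]@{
        time      = (Get-Date).ToString('o')
        host      = $env:COMPUTERNAME
        source    = $Source
        technique = $Technique    # MITRE ATT&CK technique ID, or 'none'
        detail    = $Detail
    }
    $record | ConvertTo-Json -Compress -Depth 4 | Add-Content -Path $LogPath
}

# 1) Process execution: Win32_ProcessStartTrace fires for every new process.
Register-CimIndicationEvent -ClassName Win32_ProcessStartTrace `
    -SourceIdentifier 'AgentProcStart' -MessageData $LogPath -Action {
    $e = $Event.SourceEventArgs.NewEvent
    # Script/shell interpreters map to T1059 (Command and Scripting Interpreter);
    # the list is an assumed starting point, not the paper's feature set.
    $tech = 'none'
    if ($e.ProcessName -match '^(powershell|pwsh|cmd|wscript|cscript|mshta)\.exe$') { $tech = 'T1059' }
    Write-Alert -LogPath $Event.MessageData -Source 'WMI:ProcessStartTrace' -Technique $tech -Detail @{
        name = $e.ProcessName; pid = $e.ProcessID; ppid = $e.ParentProcessID
    }
} | Out-Null

# 2) Registry modification: watch the HKLM Run key (persistence, T1547.001).
# WQL needs backslashes doubled; single quotes keep them literal in PowerShell.
$runKey = 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'
$query  = "SELECT * FROM RegistryKeyChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND KeyPath='$runKey'"
Register-CimIndicationEvent -Namespace 'root\default' -Query $query `
    -SourceIdentifier 'AgentRunKey' -MessageData $LogPath -Action {
    $e = $Event.SourceEventArgs.NewEvent
    Write-Alert -LogPath $Event.MessageData -Source 'WMI:RegistryKeyChangeEvent' `
        -Technique 'T1547.001' -Detail @{ hive = $e.Hive; key = $e.KeyPath }
} | Out-Null

Write-Host "Monitoring started; alerts append to $LogPath."
Write-Host "Stop with: Unregister-Event -SourceIdentifier Agent*"
```

The ETW side of the paper's design (for example network telemetry) is not covered here; the same alert record shape can be reused for it.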
Taxonomy
Topics
Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Security and Verification in Computing
