Anomaly detection in endpoint security: Leveraging baseline deviation techniques for enhanced protection
Keywords:
machine learning, dynamic data updating, multivariate analysis, temporal contextual models, event correlation analysis, risk-based ranking systems
Abstract
The aim of the study was to develop approaches for utilising deviations from a baseline to identify anomalies in endpoint protection, with the goal of enhancing threat detection efficiency. The work involved an analysis of anomaly detection in endpoint protection and the development of baseline deviation approaches to improve security. The research results included the creation of baseline programs for analysing network traffic using Z-scores, as well as for identifying correlated events based on timestamps and values, which enabled the detection of anomalous activities. Process schemas for classifying anomalous events and responding to them using machine learning (ML) methods were demonstrated. Furthermore, approaches such as dynamic baseline updating, multivariate deviation analysis, temporal contextual models, integration with event correlation analysis, and risk-based deviation ranking systems were developed. Dynamic baseline updating allowed for real-time adaptation to system behaviour changes, multivariate analysis revealed complex relationships between parameters, and temporal contextual models accounted for cyclical patterns and trends in the data. In addition, integration with event correlation analysis uncovered interdependencies between different types of activity, while risk-based deviation ranking systems prioritised detected anomalies, enabling faster responses to the most critical threats. The results also included an analysis of the advantages, limitations, and application examples of each approach, covering areas such as virtual private networks, supervisory control and data acquisition (SCADA) systems, and Internet of Things (IoT) devices. The findings confirm that the proposed approaches reduce false positives, improve anomaly detection accuracy, and enhance the resilience of cybersecurity systems.
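As an added illustration (not code from the paper), the following Python script combines three of the ideas named in the abstract: Z-score deviation from a per-endpoint baseline, dynamic updating of that baseline with an exponentially weighted mean and variance, and risk-based ranking of the resulting anomalies. The traffic stream, endpoint names and asset weights are constructed for the example.

```python
"""Z-score deviation from a dynamically updated baseline, with risk-based
ranking, over a constructed stream of per-endpoint bytes-per-minute counters."""
from math import sqrt

# Constructed sample stream (endpoint, minute, bytes_out); not data from the paper.
STREAM = [(e, m, v) for m, row in enumerate(zip(
    [1000, 1050, 950, 1020, 980, 1010, 990, 1015, 1100],   # ws-01: clear burst at minute 8
    [5000, 5200, 4800, 5100, 4900, 5040, 4960, 5060, 5300]  # srv-02: modest burst at minute 8
)) for e, v in zip(("ws-01", "srv-02"), row)]
# Hypothetical asset criticality weights used by the risk-based ranking.
ASSET_WEIGHT = {"ws-01": 1.0, "srv-02": 5.0}

class DynamicBaseline:
    """Per-endpoint exponentially weighted mean/variance (alpha = update rate).
    The first `warmup` samples are learned but not scored."""
    def __init__(self, alpha=0.1, warmup=5, threshold=3.0):
        self.alpha, self.warmup, self.threshold = alpha, warmup, threshold
        self.state = {}  # endpoint -> [mean, variance, samples_seen]

    def score(self, endpoint, value):
        """Return the z-score of value against the endpoint's current baseline."""
        mean, var, n = self.state.get(endpoint, [float(value), 0.0, 0])
        z = 0.0
        if n >= self.warmup:
            std = sqrt(var)
            z = (value - mean) / std if std > 0 else (0.0 if value == mean else float("inf"))
        # Dynamic update: fold the sample in unless it is itself anomalous,
        # so a burst cannot pull the baseline towards itself.
        if abs(z) <= self.threshold:
            delta = value - mean
            mean += self.alpha * delta
            var = (1 - self.alpha) * (var + self.alpha * delta * delta)
        self.state[endpoint] = [mean, var, n + 1]
        return z

def detect_and_rank(stream, weights, threshold=3.0):
    """Score every sample, keep those beyond the threshold, and rank them by
    risk = |z| * asset weight so critical hosts surface first."""
    baseline = DynamicBaseline(threshold=threshold)
    anomalies = []
    for endpoint, minute, value in stream:
        z = baseline.score(endpoint, value)
        if abs(z) > threshold:
            anomalies.append({"endpoint": endpoint, "minute": minute, "value": value,
                              "z": round(z, 2), "risk": round(abs(z) * weights.get(endpoint, 1.0), 2)})
    return sorted(anomalies, key=lambda a: a["risk"], reverse=True)

if __name__ == "__main__":
    for a in detect_and_rank(STREAM, ASSET_WEIGHT):
        print(a)
```

Note that the workstation burst has the larger raw Z-score, yet the server burst ranks first once asset weight is applied; the warm-up samples are never scored, which is why the constructed stream starts with five quiet minutes per endpoint.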
Published
2026-03-13
How to Cite
Asgarov, K. (2026). Anomaly detection in endpoint security: Leveraging baseline deviation techniques for enhanced protection. Statistics, Optimization & Information Computing, 15(4), 2996-3013. https://doi.org/10.19139/soic-2310-5070-3128
Section
Research Articles
Authors who publish with this journal agree to the following terms:
- Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
- Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).