Attack Complex Research Articles

Development of algorithms for early detection of cyberattacks on networks using machine learning

Critical infrastructure protection and national security are enhanced by the security and reliability of networks. Various types of information circulate on these networks, ranging in classification from open to closed. The consequences of cyberattacks on these networks can be severe, including reputational damage, financial loss, operational disruption and data leakage. Traditional security methods, such as firewalls and anti-virus software, are becoming less effective against modern and ever-changing cyber threats. As a result, powerful network intrusion detection systems (IDS) have become indispensable for proactive detection and mitigation of cyber attacks. Machine learning has become a viable method for creating adaptive intrusion detection tools that can detect new and complex attack patterns. By learning from huge labelled network traffic datasets, ML models can understand the subtle patterns and differentiating features of normal and abnormal or malicious traffic flows. This allows them to detect possible cyber threats and intrusions that traditional signature-based IDSs cannot detect. Extracting discriminative features and training appropriate classification models from such data is a challenging task. In the presented study, we analyse the effectiveness of ML algorithms for detecting cyberattacks, in particular distributed denial of service (DDoS) attacks, in network traffic data. In the presented study, a network attack detection system is developed using ML and deep learning (DL) models and experimented on the CICIDS2017 dataset. The main objectives of the study are to develop a strategy for extracting valuable information from raw network streams; to study the impact of data preparation on the false positive rate; and to conduct a comparative analysis of ML models for cyberattack detection. The main goal of the study is to provide an understanding of the development of a reliable adaptive network intrusion detection system using ML approaches that increase cybersecurity capabilities and protect against future cyberattacks.

Capsule-based and TCN-based Approaches for Spoofing Detection in Voice Biometry

Nowadays, deep neural networks are in a phase of rapid development. Simultaneously, the field of biometric forgery is also advancing. Systems that can successfully pass face verification systems are emerging and continuously improving deepfake videos and voice messages are created. These developments can have a negative impact on a person’s reputation or cause serious security breaches. This paper proposes an approach for spoofing detection in voice biometrics using the ASVspoof2019 LA dataset The model is trained and validated on subsets representing one type of attack, and evaluated on a subset containing more advanced types of spoofing attacks, demonstrating the model’s ability to generalize to more complex attack scenarios. Two models, capsule-based and TCN-based, are proposed, noted as ResCapsGuard and Res2TCNGuard, respectively. ResCapsGuard achieved an Equal Error Rate (EER) value of 2.27, while Res2TCNGuard reached an EER value of 1.49. Notebooks with our models are available in repositories in github. Due to the fact that a random part is cut out of the audio, the results may vary.

DAF: An Effective Design-for-Testability Authorization Framework Based on Obfuscation Mechanisms for Defending Complex Attacks

DAF: An Effective Design-for-Testability Authorization Framework Based on Obfuscation Mechanisms for Defending Complex Attacks

Missing Data Imputation Based on Causal Inference to Enhance Advanced Persistent Threat Attack Prediction

With the continuous development of network security situations, the types of attacks increase sharply, but can be divided into symmetric attacks and asymmetric attacks. Symmetric attacks such as phishing and DDoS attacks exploit fixed patterns, resulting in system crashes and data breaches that cause losses to businesses. Asymmetric attacks such as Advanced Persistent Threat (APT), a highly sophisticated and organized form of cyber attack, because of its concealment and complexity, realize data theft through long-term latency and pose a greater threat to organization security. In addition, there are challenges in the processing of missing data, especially in the application of symmetric and asymmetric data filling, the former is simple but not flexible, and the latter is complex and more suitable for highly complex attack scenarios. Since asymmetric attack research is particularly important, this paper proposes a method that combines causal discovery with graph autoencoder to solve missing data, classify potentially malicious nodes, and reveal causal relationships. The core is to use graphic autoencoders to learn the underlying causal structure of APT attacks, with a special focus on the complex causal relationships in asymmetric attacks. This causal knowledge is then applied to enhance the robustness of the model by compensating for data gaps. In the final phase, it also reveals causality, predicts and classifies potential APT attack nodes, and provides a comprehensive framework that not only predicts potential threats, but also provides insight into the logical sequence of the attacker’s actions.

Uncovering Multi-step Attacks with Threat Knowledge Graph Reasoning

The rapid advancement of information technologies has significantly intensified the focus on cyberspace security across various sectors. In this evolving landscape, attackers deploy many of techniques- including exploits, weakness identification, and complex multi-step attacks- to gain unauthorized access to systems. Conversely, defenders harness insights from a variety of sources to pinpoint potential threats. Prominent public cybersecurity databases such as the Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK), Common Attack Pattern Enumeration and Classification (CAPEC), Common Vulnerabilities and Exposures (CVE), Common Weakness Enumeration (CWE), and Common Platform Enumeration (CPE) provide extensive data on security entities and their interrelations, playing a pivotal role in enriching the understanding of cybersecurity challenges and assisting in comprehensive defensive analyses. However, the semantic cross-analysis of these databases, crucial for identifying obscure threat patterns, remains underexploited. In this study, we amalgamate data from these disparate sources into a cohesive threat knowledge graph and introduce a novel knowledge representation learning approach, A4CKGE (ATT&CK-CAPEC-CWE-CVE-CPE Knowledge Graph Embedding). This method utilizes advanced structural and textual analytics to predict interactions among security entities such as products, vulnerabilities, weaknesses, and multi-step attack sequences, employing complex attack templates generated through a Large Language Model (LLM). Our extensive experiments demonstrate that this approach significantly outperforms existing state-of-the-art methods in effectively predicting these relationships. The findings validate the efficacy of our threat knowledge graph in unveiling hidden connections, thereby highlighting its potential to strengthen cybersecurity defenses substantially.

Attention-Enhanced Defensive Distillation Network for Channel Estimation in V2X mm-Wave Secure Communication

Millimeter-wave (mm-wave) technology, crucial for future networks and vehicle-to-everything (V2X) communication in intelligent transportation, offers high data rates and bandwidth but is vulnerable to adversarial attacks, like interference and eavesdropping. It is crucial to protect V2X mm-wave communication from cybersecurity attacks, as traditional security measures often fail to counter sophisticated threats and complex attacks. To tackle these difficulties, the current study introduces an attention-enhanced defensive distillation network (AEDDN) to improve robustness and accuracy in V2X mm-wave communication under adversarial attacks. The AEDDN model combines the transformer algorithm with defensive distillation, leveraging the transformer’s attention mechanism to focus on critical channel features and adapt to complex conditions. This helps mitigate adversarial examples by filtering misleading data. Defensive distillation further strengthens the model by smoothing decision boundaries, making it less sensitive to small perturbations. To evaluate and validate the AEDDN model, this study uses a publicly available dataset called 6g-channel-estimation and a proprietary dataset named MMMC, comparing the simulation results with the convolutional neural network (CNN) model. The findings from the experiments indicate that the AEDDN, especially in the complex V2X mm-wave environment, demonstrates enhanced performance.

Cluster partition-fuzzy broad learning-based fast detection and localization framework for false data injection attack in smart distribution networks

The distributed renewable energy generations, as accessible and easily targets for attackers, introduce an extra false data injection attack (FDIA) threat in the smart distribution networks. Scattered attack points and complex attack features hinder the elimination of potential threats. In this context, an FDIA fast detection and pinpoint localization framework is proposed. This framework identifies abnormal signals and attacked nodes from the unique topology structure and status contiguity of smart distribution networks, namely, spatial-temporal correlations of power grids, by using a cluster partition-fuzzy broad learning system (CP-FBLS). Unlike most existing FDIA detection methods, which are dedicated to high accuracy but neglect the urgent need for rapid detection in smart distribution networks, the proposed CP-FBLS framework maintains the fast computational nature of a fuzzy broad learning system (FBLS), while avoiding the accuracy degradation caused by high-dimension of data in large-scale smart distribution networks. Moreover, the multi-layer structure of the proposed framework recognizes the location of FDIA, bridging the research gap of attack localization. To comprehensively evaluate the proposed strategy, datasets containing various FDIA types are constructed. Numerical simulations based on the above datasets in modified IEEE 34-bus and 123-bus distribution systems are implemented. The results of the case studies showed that the proposed method can achieve 98.43 % accuracy with 0.34 ms detection time, realizing rapid detection and localization of various FDIAs with satisfactory accuracy.

Advanced mathematical modeling of mitigating security threats in smart grids through deep ensemble model

A smart grid (SG) is a cutting-edge electrical grid that utilizes digital communication technology and automation to effectively handle electricity consumption, distribution, and generation. It incorporates energy storage systems, smart meters, and renewable energy sources for bidirectional communication and enhanced energy flow between grid modules. Due to their cyberattack vulnerability, SGs need robust safety measures to protect sensitive data, ensure public safety, and maintain a reliable power supply. Robust safety measures, comprising intrusion detection systems (IDSs), are significant to protect against malicious manipulation, unauthorized access, and data breaches in grid operations, confirming the electricity supply chain’s integrity, resilience, and reliability. Deep learning (DL) improves intrusion recognition in SGs by effectually analyzing network data, recognizing complex attack patterns, and adjusting to dynamic threats in real-time, thereby strengthening the reliability and resilience of the grid against cyber-attacks. This study develops a novel Mountain Gazelle Optimization with Deep Ensemble Learning based intrusion detection (MGODEL-ID) technique on SG environment. The MGODEL-ID methodology exploits ensemble learning with metaheuristic approaches to identify intrusions in the SG environment. Primarily, the MGODEL-ID approach utilizes Z-score normalization to convert the input data into a uniform format. Besides, the MGODEL-ID approach employs the MGO model for feature subset selection. Meanwhile, the detection of intrusions is performed by an ensemble of three classifiers such as long short-term memory (LSTM), deep autoencoder (DAE), and extreme learning machine (ELM). Eventually, the dung beetle optimizer (DBO) is utilized to tune the hyperparameter tuning of the classifiers. A widespread simulation outcome is made to demonstrate the improved security outcomes of the MGODEL-ID model. The experimental values implied that the MGODEL-ID model performs better than other models.

Mitigating Complex Cyber Threats: An Integrated Multimodal Deep Learning Framework for Enhanced Security

Abstract: The rapidly evolving landscape of cyber threats poses significant challenges to traditional cybersecurity methods, particularly in detecting and mitigating complex attacks that combine multiple data modalities. This article introduces a novel approach utilizing Multimodal Deep Learning (MDL) to enhance cybersecurity detection and prevention capabilities. By fusing Natural Language Processing (NLP) and computer vision techniques, our proposed MDL framework demonstrates superior performance in analyzing both textual and visual data associated with potential threats. Through a series of experiments and case studies, we show that this integrated approach significantly improves detection accuracy, reduces false positives, and exhibits remarkable adaptability to emerging attack vectors. Our results indicate a 37% increase in threat detection efficiency and a 42% reduction in false positives compared to traditional unimodal methods. Furthermore, we explore the potential applications of this technology in email security, social media monitoring, and advanced malware detection. This article not only contributes to the growing body of knowledge in AI-driven cybersecurity but also provides a roadmap for future developments, including the integration of audio analysis and the application of Explainable AI (XAI) to enhance trust and transparency in MDL-based security systems.

The Effect of Various Exercises on Developing Kinesthetic Awareness and Accuracy in Performing the Stabbing and Compound Attack Movement Skillsby Duelingfor Students

The problem of the research was represented by the lack of interest of many teachers in the use of diversification and change in various exercises, despite the positive role it plays in generalizing the motor program for any fencing skill, even though most of its skills are characterized by difficulty in performing them, which requires providing the largest number of motor programs in order to be The learner has full readiness and preparedness, and the research aims to prepare various exercises to develop sensory perception and accuracy in performing complex attack skills and the stabbing movement. And to identify the effect of various exercises in developing the students’ kinetic awareness and accuracy of combined attack skills and stabbing movements in fencing. Use the researcherthatThe experimental approach with two equal groups. The research sample represented the students of the third stage of the Department of Physical Education and Sports Sciences at the Islamic University for the academic year 2022-2023 AD, and they numbered (50) students. They were selected by a simple random method, and were divided into two groups (experimental and control), and the number of each group was (25). ) student. The experimental group applied the various exercises prepared by the researcherthatAccording to the stages of building the motor program for learning epee skills in fencing, it was included among the educational units approved in colleges of physical education for third-year students, at the rate of one educational unit per week, amounting to (6) educational units. The time of the educational unit was (90/min), and the time of the educational unit was divided into the preparatory section. (15/d), the main section (65/d), and the final section (10/d). The most important conclusions were that there was a significant effect of the various exercises in developing sensory-motor perception and accuracy of performance in learning fencing skills. The most important recommendations are the need to pay attention to various exercises during educational units because they help learners expand their educational awareness and thus reflect on their performance of skills.

AI-based security functions co optimization in the SFC

Dealing with large-scale attack traffic and complex attack scenarios can be challenging for a single attack detection system in the 6G era. The ubiquitous artificial intelligence security services enabled by the AI-based Security Functions (AISF) and Service Function Chain (SFC) become strong candidate to solve this problem. However, supervised learning-based AISF requires a significant amount of manually labeled data and is unable to adapt to changing attack scenarios once it is deployed. To this end, we propose an AISF co-optimization method in the SFC. The goal is to use unlabeled network traffic samples to update the model based on pseudo-labeling and co-training. First, we model the AISF chain composed of AISFs with various detection targets and feature subspaces. We also define its detection capability evaluation metrics and final detection result. Then, we design an AISF co-optimization flow including online detection and online optimization workflows. In online optimization, we design the dynamic threshold of normalized comprehensive confidence to generate pseudo-labels for network traffic samples and combine labeled and pseudo-labeled samples to train the new models of AISFs. These models replace the previous ones and continue to detect and optimize. Experimental results in a prototype system show that compared with a single AISF, the AISF chain has higher detection capabilities that can even detect unknown attacks to a certain extent, and co-optimization can make better use of unlabeled network traffic samples than individual optimization.

GoibhniUWE: A Lightweight and Modular Container-Based Cyber Range

Cyberattacks are rapidly evolving both in terms of techniques and frequency, from low-level attacks through to sophisticated Advanced Persistent Threats (APTs). There is a need to consider how testbed environments such as cyber ranges can be readily deployed to improve the examination of attack characteristics, as well as the assessment of defences. Whilst cyber ranges are not new, they can often be computationally expensive, require an extensive setup and configuration, or may not provide full support for areas such as logging or ongoing learning. In this paper, we propose GoibhniUWE, a container-based cyber range that provides a flexible platform for investigating the full lifecycle of a cyberattack. Adopting a modular approach, users can seamlessly switch out existing, containerised vulnerable services and deploying multiple different services at once, allowing for the creation of complex and realistic deployments. The range is fully instrumented with logging capabilities from a variety of sources including Intrusion Detection Systems (IDSs), service logging, and network traffic captures. To demonstrate the effectiveness of our approach, we deploy the GoibhniUWE range under multiple conditions to simulate various vulnerable environments, reporting on and comparing key metrics such as CPU and memory usage. We simulate complex attacks which span multiple services and networks, with logging at multiple levels, modelling an Advanced Persistent Threat (APT) and their associated Tactics, Techniques, and Procedures (TTPs). We find that even under continuous, active, and targeted deployment, GoibhniUWE averaged a CPU usage of less than 50%, in an environment using four single-core processors, and memory usage of less than 4.5 GB.

An improved intrusion detection method for IIoT using attention mechanisms, BiGRU, and Inception-CNN

In the field of Industrial Internet of Things (IIoT), existing intrusion detection models face challenges in three main areas: low accuracy in detecting attack traffic, feature redundancy when dealing with high-dimensional and complex attack traffic, making it difficult to capture critical information, and a tendency to favor learning common categories while neglecting rare categories when handling imbalanced data. To tackle these challenges, this study introduces an intrusion detection method that combines an attention mechanism, Bidirectional Gated Recurrent Units (BiGRU), and Inception Convolutional Neural Network (Inception-CNN) to enhance the model’s detection rate. Simultaneously, the method employs a mixed sampling strategy for data resampling to address the bias learning issue caused by data imbalance. Additionally, the method employs a hybrid sampling strategy for data resampling to address the bias learning issue caused by data imbalance. It also incorporates denoising techniques to handle potential dataset noise introduced by hybrid sampling. Furthermore, a feature selection method combining Pearson correlation coefficient and Random Forest is applied to eliminate feature redundancy, enhancing the model’s ability to capture crucial information from high-dimensional attack traffic. Experimental validation on internationally recognized datasets (Edge-IIoTset, CIC-IDS2017, and CIC IoT 2023) affirms the reliability of the proposed intrusion detection method. This approach underscores the significance of intrusion detection in the security of Industrial IoT and showcases its potential in addressing pertinent challenges in network security.

Convolutional Neural Networks Based Detection System for Cyber-attacks in Industrial Control Systems

Convolutional Neural Networks (CNNs) have emerged as a powerful tool for various pattern recognition tasks, including the detection of cyber-attacks in Industrial Control Systems (ICS). This paper presents a CNN-based detection system specifically designed to safeguard ICS from sophisticated cyber threats. The proposed system leverages the capability of CNNs to automatically learn and extract high-level features from raw data, enabling it to identify anomalies indicative of cyber-attacks with high accuracy. Utilizing a comprehensive cyber-attack dataset containing 59 different types of attacks, the system is trained to distinguish between normal and malicious traffic effectively. Based on the extensive dataset, this study demonstrates that the CNN-based detection system achieves a detection rate of 98.5% and a false-positive rate of 1.2%, significantly outperforming traditional methods. The high detection rate indicates the system's ability to accurately identify a wide range of attack types, while the low false-positive rate ensures minimal disruption to normal operations due to incorrect alerts. These results underscore the system's robustness and reliability in identifying subtle and complex attack patterns. Moreover, the CNN-based system is designed to adapt to new types of attacks as it continues to learn from updated datasets, making it a scalable and future-proof solution. Implementing this system can significantly enhance the cybersecurity posture of industrial environments by providing real-time monitoring and rapid response capabilities. The CNN-based detection system offers a significant advancement in ICS cybersecurity. Effectively identifying and mitigating cyber-attacks contributes to the resilience and reliability of critical infrastructure. The proposed approach improves security measures and ensures industrial processes' continuous and safe operation, which is vital for economic stability and public safety.

Defending hash tables from algorithmic complexity attacks with resource burning

We consider the problem of defending a hash table against a Byzantine attacker that is trying to degrade the performance of query, insertion and deletion operations. Our defense makes use of resource burning (RB)—the verifiable expenditure of network resources—where the issuer of a request incurs some RB cost. Our algorithm, Depth Charge, charges RB costs for operations based on the depth of the appropriate object in the list that the object hashes to in the table. By appropriately setting the RB costs, our algorithm mitigates the impact of an attacker on the hash table's performance. In particular, in the presence of a significant attack, our algorithm incurs a cost which is asymptotically less that the attacker's cost.

Collaborative intrusion detection using weighted ensemble averaging deep neural network for coordinated attack detection in heterogeneous network

Detecting coordinated attacks in cybersecurity is challenging due to their sophisticated and distributed nature, making traditional Intrusion Detection Systems often ineffective, especially in heterogeneous networks with diverse devices and systems. This research introduces a novel Collaborative Intrusion Detection System (CIDS) using a Weighted Ensemble Averaging Deep Neural Network (WEA-DNN) designed to detect such attacks. The WEA-DNN combines deep learning techniques and ensemble methods to enhance detection capabilities by integrating multiple Deep Neural Network (DNN) models, each trained on different data subsets with varying architectures. Differential Evolution optimizes the model’s contributions by calculating optimal weights, allowing the system to collaboratively analyze network traffic data from diverse sources. Extensive experiments on real-world datasets like CICIDS2017, CSE-CICIDS2018, CICToNIoT, and CICBotIoT show that the CIDS framework achieves an average accuracy of 93.8%, precision of 78.6%, recall of 60.4%, and an F1-score of 62.4%, surpassing traditional ensemble models and matching the performance of local DNN models. This demonstrates the practical benefits of WEA-DNN in improving detection capabilities in real-world heterogeneous network environments, offering superior adaptability and robustness in handling complex attack patterns.

Analysis of Attack Intensity on Autonomous Mobile Robots

Autonomous mobile robots (AMRs) combine a remarkable combination of mobility, adaptability, and an innate capacity for obstacle avoidance. They are exceptionally well-suited for a wide range of applications but usually operate in uncontrolled, non-deterministic environments, so the analysis and classification of security events are very important for their safe operation. In this regard, we considered the influence of different types of attacks on AMR navigation systems to subdivide them into classes and unified the effect of attacks on the system through their level of consequences and impact. Then, we built a model of an attack on a system, taking into account five methods of attack implementation and identified the unified response thresholds valid for any type of parameter, which allows for creating universal correlation rules and simplifies this process, as the trigger threshold is related to the degree of impact that the attack has on the finite subsystem. Also, we developed a methodology for classifying incidents and identifying key components of the system based on ontological models, which makes it possible to predict risks and select the optimal system configuration. The obtained results are important in the context of separating different types of destructive effects based on attack classes. Our study showed that it is sometimes difficult to divide spoofing attacks into classes by assessing only one parameter since the attacker can use a complex attack scenario, mixing the stages of the scenarios. We then showed how adding an attack intensity factor can make classification more flexible. The connections between subsystems and parameters, as well as the attack impact patterns, were determined. Finally, a set of unique rules was developed to classify destructive effects with uniform response thresholds for each parameter. In this case, we can increase the number of parameters as well as the type of parameter value.

Enhancing IoT Security with Activity-Based Attack Modeling and Hybrid Classification Techniques

The proliferation of Internet of Things (IoT) devices in industrial environments (Industrial IoT or IIoT) has brought about significant advancements in automation and data analytics. However, the integration of these devices also introduces new security vulnerabilities, making them prime targets for cyber-attacks. This study aims to enhance the security of IIoT systems by employing an activity-based attack modeling approach coupled with hybrid classification techniques. Our proposed method leverages a hybrid GRU-LSTM model to detect and mitigate security threats in real-time. Activity-based attack modeling involves the analysis of device behavior and the identification of deviations from normal activity patterns. By focusing on the contextual behavior of IIoT devices, we can more accurately detect anomalies indicative of potential security breaches. The hybrid GRU-LSTM model, which combines the strengths of Gated Recurrent Units (GRUs) and Long Short-Term Memory (LSTM) networks, is utilized to process the sequential data generated by IIoT devices. This combination enhances the model's ability to capture both short-term and long-term dependencies in the data, improving the detection accuracy of complex attack patterns. Our experimental results demonstrate that the proposed hybrid GRU-LSTM model achieves an impressive accuracy rate of 98.18% in identifying various types of cyber-attacks on IIoT systems. The implementation of this model at the edge of IIoT networks ensures real-time threat detection and response, minimizing the latency and reducing the dependency on centralized cloud computing resources. In conclusion, this research presents a robust and efficient approach to enhancing IIoT security through the integration of activity-based attack modeling and advanced hybrid classification techniques. The high accuracy of the proposed method highlights its potential for widespread adoption in securing IIoT environments against evolving cyber threats. This work contributes to the growing body of knowledge in IoT security and paves the way for further innovations in protecting industrial systems from cyber-attacks.

An ensemble deep learning-based cyber attack detection system using optimization strategy

Background of the studyCyber attack stories become a routine in which new levels of intention are shown by the cyber attacker through sophisticated attacks on networks. The conventional approaches struggle to detect unknown malware and complex attacks. It does not secure the user's individual information. Hence, deep learning methods are used to effectively predict the attacks. Proposed modelThis paper implements an intelligent cyber security mechanism by employing effective mechanisms. Initially, the significant data for this approach is gathered from the benchmark data sources, and then they are given into the optimal feature chosen. Here, the parameters are optimally chosen with the aid of the Modified Puzzle Optimization Algorithm (MPOA) for the successive outcomes. Moreover, the optimally selected attributes are fed into the Ensemble Serial Cascaded Deep learning with Attention Mechanism (ESCDLAM), which is the integration of the 1 Dimensional Convolutional Neural Networks (1DCNN), Recurrent Neural Network (RNN), and Deep Temporal Convolutional Networks (DTCN). Here, the parameter optimization takes place to improve detection performance. DatasetThe experimentation is conducted through a diverse datasets which includes CICIDS 2017 Friday Noon DDoS 0beefa93–4, NSL-KDD-Dataset, and Kddcup99 for the effective experimental analysis for detecting the cyber attacks. Findings of the resultsThe results outcome of the developed model shows 97 % in terms of accuracy, recall, MCC, and specificity. Also, the precision of the developed model attains a value of 95. ConclusionThe outcomes of the approach are compared with the other pre-existing approaches to show its supremacy.

A method of using modern endpoint detection and response (EDR) systems to protect against complex attacks

The subject of the research in this article is the architecture of Endpoint Detection and Response and the EDR agent as their base parts in terms of mechanisms for detecting and countering complex attacks on information and communication systems (ICS). The aim of the work is to develop of method for improving the efficiency of using Endpoint Detection and Response (EDR) to reduce the risks of compromising ICS information, industrial, and infrastructure objects by effectively redistributing and utilizing the available EDR mechanisms, the cybersecurity team, and other resources available for implementing security measures in an enterprise, institution, or organization. The article addresses the following tasks: reviewing and analyzing existing EDR systems, analyzing the architecture of EDR solutions and EDR agents, the features of their use, the logic behind the construction of methods and mechanisms for detecting threats to the system from malicious actors and malicious code. The task of providing recommendations for the organization of ICS is also separately addressed in terms of the need to protect the entire ICS and its individual elements, as well as in terms of the available resources (the cybersecurity team, their qualifications and level of awareness of the architecture of EDR solutions) and means (available EDR system elements) for organizing protection. The following methods are used: modeling attack mechanisms, modeling attacker behavior. The following results were obtained: general and specific recommendations were formulated for optimizing the operation of EDR systems and ensuring the effective use of EDR system elements in the information and communication networks of enterprises, organizations, and institutions of various types and orientations depending on the available resources and the information requiring protection. Conclusions: The identified recommendations for the application of EDR mechanisms for protecting information systems and networks allow optimizing the costs of creating a protection infrastructure and implementing security measures, taking into account the characteristics of the available tools and the training and awareness of the cybersecurity team both in terms of response time to threats and the complexity and cost of performing protection tasks.