Data-Driven Incident Response: Enhancing Detection and Containment Through Adversarial Reasoning and Malware Behavior Analytics


Authors : Loveth A. Odozor; Olutoye Samuel Ransome-Kuti; Qozeem Odeniran; Anthony Obulor Olisa; Seth Nti Berko; Jehoshaphat T. Abaya

Volume/Issue : Volume 10 - 2025, Issue 9 - September


Google Scholar : https://tinyurl.com/yk692t9s

Scribd : https://tinyurl.com/msba7bh6

DOI : https://doi.org/10.38124/ijisrt/25sep154


Abstract : In today's rapidly evolving threat landscape, traditional incident response mechanisms no longer suffice: attackers can linger in networks undetected, causing more damage over time, so improved methods of incident response are needed. To achieve speed and effectiveness in incident response, a new approach is taking shape. It is data-driven, adaptive, and grounded in real-time insight. Organizations are increasingly adopting data-driven incident response strategies that integrate adversarial reasoning and malware behavior analytics into the incident response lifecycle, particularly during detection and containment, which can significantly enhance threat mitigation capabilities. By using adversarial reasoning to anticipate attacker behavior and malware behavior analytics to spot patterns in execution, security teams can close the gap between detection and containment. This paper examines how these two components work together to enhance incident response. It also examines the technologies behind them, real-world examples, and the challenges teams face when putting these methods into practice, as well as how organizations can modernize their incident response lifecycle using a data-driven approach in which the automatic flow of data from EDR (Endpoint Detection and Response), SIEM (Security Information and Event Management), and threat intelligence feeds powers real-time decision-making. The goal is simple: move faster, think smarter, and respond before attackers can do lasting harm.

Keywords : EDR (Endpoint Detection and Response), SIEM (Security Information and Event Management), Data-Driven, Adversarial, Behavior, Detection.
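The following is an added example, not code from the paper or its authors, showing in miniature the detection-to-containment loop the abstract describes: constructed EDR-style process telemetry is scored by hypothetical behavior-analytics rules tagged with MITRE ATT&CK technique IDs, enriched with a constructed threat-intelligence IOC set, and then passed through a hypothetical attacker playbook (the adversarial-reasoning step) that predicts the most likely next technique and drives the containment decision. Every rule, weight, IOC, transition confidence and sample event is assumed for illustration; none of it comes from the paper.

```python
import json
from collections import defaultdict

# Constructed EDR-style process telemetry in JSON-lines form (not real data).
# ws-042: phishing attachment -> Office spawns encoded PowerShell -> beacon -> LSASS dump.
# ws-017: a lone encoded PowerShell launch with no other signals.
SAMPLE_EVENTS = """\
{"host":"ws-042","ts":1,"proc":"outlook.exe","parent":"explorer.exe","cmd":"outlook.exe","sha256":"a1"}
{"host":"ws-042","ts":2,"proc":"winword.exe","parent":"outlook.exe","cmd":"winword.exe /q invoice.docm","sha256":"b2"}
{"host":"ws-042","ts":3,"proc":"powershell.exe","parent":"winword.exe","cmd":"powershell -nop -w hidden -enc SQBFAFgA","sha256":"c3","dst":"cdn-updates.example"}
{"host":"ws-042","ts":4,"proc":"rundll32.exe","parent":"powershell.exe","cmd":"rundll32 comsvcs.dll MiniDump 624 l.dmp full","sha256":"d4"}
{"host":"ws-017","ts":5,"proc":"chrome.exe","parent":"explorer.exe","cmd":"chrome.exe","sha256":"e5"}
{"host":"ws-017","ts":6,"proc":"powershell.exe","parent":"explorer.exe","cmd":"powershell -enc UwB0AGEAcgB0","sha256":"f6"}
"""

# Constructed threat-intelligence feed (hypothetical IOCs).
THREAT_INTEL = {"sha256": {"9f9f"}, "domains": {"cdn-updates.example"}}

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# Hypothetical attacker playbook used for adversarial reasoning:
# observed technique -> (most likely next technique, confidence).
NEXT_STEP = {
    "T1204.002": ("T1059.001", 0.7),  # malicious file -> scripting interpreter
    "T1059.001": ("T1071", 0.6),      # script -> C2 over application-layer protocol
    "T1071": ("T1003.001", 0.5),      # beacon -> credential dumping
    "T1003.001": ("T1021", 0.8),      # credentials -> lateral movement via remote services
}


def behavior_rules(ev):
    """Hypothetical behavior-analytics rules; each hit is (ATT&CK technique ID, weight)."""
    hits = []
    cmd = ev.get("cmd", "").lower()
    proc, parent = ev.get("proc", "").lower(), ev.get("parent", "").lower()
    if parent in OFFICE and proc in SHELLS:
        hits.append(("T1204.002", 3))  # User Execution: Malicious File
    if proc == "powershell.exe" and "-enc" in cmd:
        hits.append(("T1059.001", 2))  # Command and Scripting Interpreter: PowerShell
    if "lsass" in cmd or ("comsvcs" in cmd and "minidump" in cmd):
        hits.append(("T1003.001", 5))  # OS Credential Dumping: LSASS Memory
    if ev.get("dst") in THREAT_INTEL["domains"] or ev.get("sha256") in THREAT_INTEL["sha256"]:
        hits.append(("T1071", 4))      # threat-intel IOC match: Application Layer Protocol (C2)
    return hits


def containment(score, predicted_next, confidence):
    """Containment decision: isolate before the predicted lateral-movement step, not after it."""
    if score >= 15 or (predicted_next == "T1021" and confidence >= 0.7):
        return "isolate_host"
    if score >= 8:
        return "kill_process_tree"
    return "monitor" if score > 0 else "none"


def analyze(jsonl):
    """Score each host's observed technique chain and decide a containment action."""
    per_host = defaultdict(list)
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for tech, weight in behavior_rules(ev):
            per_host[ev["host"]].append((ev["ts"], tech, weight))
    verdicts = {}
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])  # stable sort keeps rule order within one event
        chain = [tech for _, tech, _ in hits]
        score = sum(weight for _, _, weight in hits)
        # Chain bonus: consecutive observed techniques that follow the playbook are
        # stronger evidence of one campaign than the same hits seen in isolation.
        for a, b in zip(chain, chain[1:]):
            if NEXT_STEP.get(a, (None, 0.0))[0] == b:
                score += 2
        predicted, conf = NEXT_STEP.get(chain[-1], (None, 0.0))
        verdicts[host] = {
            "score": score,
            "chain": chain,
            "predicted_next": predicted,
            "confidence": conf,
            "action": containment(score, predicted, conf),
        }
    return verdicts


if __name__ == "__main__":
    for host, verdict in analyze(SAMPLE_EVENTS).items():
        print(host, json.dumps(verdict))
```

Run as-is to print one verdict per host. The point to take away is that ws-042 is isolated on the strength of the predicted lateral-movement step, before any remote-services activity has been observed, while the lone encoded PowerShell launch on ws-017 is only monitored. A real deployment would read the events from the EDR/SIEM pipeline and the IOC set from the intelligence feed instead of the inline constants, and would tune each rule's weight against its measured false-positive rate.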

