
  • Endoguard: An Embedded Security Framework For Real-Time Threat Detection And Prevention In Web Applications

  • Department of CSE (Cyber Security), Sri Venkateswaraa College of Technology, Sriperumbudur, Tamil Nadu, India

Abstract

The rapid growth of web applications and Software-as-a-Service (SaaS) platforms has increased the need for strong and intelligent cybersecurity solutions. Traditional security systems such as firewalls, intrusion detection systems, and web application firewalls mainly protect network boundaries, but they often fail to detect modern attacks that exploit application logic, user behavior, and compromised identities. Threats such as account takeovers, credential stuffing, insider misuse, and business logic abuse frequently appear as legitimate actions and bypass conventional defenses. To solve this problem, this paper proposes EndoGuard, an open-source embedded security framework designed for real-time threat detection and prevention inside web applications. Unlike perimeter-based security systems, EndoGuard integrates directly into the application layer using lightweight SDKs and continuously monitors user actions and internal system events. It captures contextual information such as user identity, IP address, device details, and action type to identify suspicious patterns and abnormal behavior. The framework uses PHP, PostgreSQL, and the Fat-Free Framework for lightweight and scalable implementation. A rule-based engine evaluates events against predefined and customizable security rules and assigns a dynamic risk score to classify activities as low, medium, or high risk. Based on the risk level, the system can trigger actions such as account suspension, multi-factor authentication, or administrator review. EndoGuard improves application-level protection by shifting cybersecurity from external defense to internal monitoring and behavioral analysis. The system is developer-friendly, efficient, and suitable for modern web applications, fintech systems, and enterprise platforms.

Keywords

EndoGuard, Embedded Security, Application Security, Cybersecurity, Risk Scoring, Behavioral Analysis, Real-Time Monitoring, Threat Detection, SaaS Security, Web Application Security.

Introduction


In today’s digital world, web applications and SaaS platforms are used in banking, e-commerce, healthcare, education, and enterprise systems. These applications process large amounts of sensitive data and critical transactions, making them major targets for cyberattacks. Traditional security solutions such as firewalls, IDS, and WAFs mainly focus on protecting the network perimeter. They are effective against known external attacks like SQL injection and cross-site scripting, but they are weak against identity-based attacks and business logic abuse. Modern attackers often use stolen credentials obtained through phishing or credential stuffing. Since these credentials are valid, traditional systems treat these actions as normal. This creates a serious security gap where attackers can perform fraud, unauthorized transactions, and data theft without detection. To overcome these limitations, embedded security is required. Embedded security integrates protection directly inside the application and continuously monitors user behavior. It models user actions, devices, IP addresses, and historical activity to detect suspicious behavior in real time. EndoGuard is designed based on this concept. It provides application-level security by monitoring internal activities, assigning risk scores, and responding immediately to threats before major damage occurs.

RELATED WORK

Many studies show the limitations of traditional perimeter-based security systems. The OWASP Top 10 highlights broken access control, authentication failures, and insecure design as major risks in modern web applications. Behavioral analytics research explains that monitoring login patterns, device usage, and unusual transactions helps detect advanced threats such as account takeovers and insider attacks. Threat modelling and attack tree approaches show that attackers often exploit business logic rather than technical vulnerabilities. These attacks are difficult to detect using traditional firewalls. Machine learning and anomaly detection systems improve threat detection, but many are complex and expensive to deploy. EndoGuard focuses on a lightweight and practical solution using rule-based detection with future support for intelligent models.

PROPOSED SYSTEM

  1. Existing System

Existing systems mainly rely on authentication, firewalls, and static rule-based detection. Once users are authenticated, their actions are usually trusted without continuous monitoring. This makes systems vulnerable to account hijacking, insider misuse, and logic abuse.

  2. Proposed EndoGuard Framework

EndoGuard is an embedded security framework that works inside the application layer. It monitors user activities such as login attempts, password changes, account updates, and sensitive transactions.

The system follows four major stages:

  1. Event Ingestion
  2. Context Enrichment
  3. Rule Execution
  4. Risk Assessment

Captured events are enriched with contextual data such as IP intelligence, device fingerprinting, and user history. A rule engine then evaluates the event and assigns a dynamic risk score.

  3. Risk Classification
  • Low Risk → Event is logged
  • Medium Risk → Sent for admin review
  • High Risk → Immediate action like MFA or account suspension

This helps reduce false positives and improves response speed.

METHODOLOGY

The system is developed using PHP for backend operations, PostgreSQL for database management, and Fat-Free Framework for lightweight application handling.

Working Process

Figure 1: Workflow Diagram

User Activity → Event Captured by SDK → Context Enrichment → Rule Evaluation → Risk Score Calculation → Low / Medium / High Risk Classification → Security Action Triggered

This workflow explains how every user event moves through the detection pipeline.

  1. User performs an action inside the application
  2. SDK captures the event
  3. Event data is enriched with context
  4. Rule engine processes the event
  5. Risk score is calculated
  6. Security response is triggered
  7. Event is displayed in admin dashboard

The admin dashboard provides audit trails, user timelines, alert queues, and review mechanisms for better monitoring and investigation.
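The capture and enrichment steps of the workflow above, as an added PHP example written for this page (it is not EndoGuard's SDK code): plain functions build an event from request data, resolve the client IP without trusting a forgeable X-Forwarded-For header, derive a device fingerprint, attach the user's history, and append the record to a hash-chained audit trail so that later tampering with stored events is detectable. The trusted-proxy address, the ten-minute failed-login window, the in-memory history structure, and the sample request are all assumptions; inside a Fat-Free route handler `$server` would simply be `$_SERVER`.

```php
<?php
// Added example (not EndoGuard's own code): SDK-side event capture, context
// enrichment and a tamper-evident audit trail. All sample data is constructed.
declare(strict_types=1);

// Assumed: reverse proxies whose X-Forwarded-For header we are willing to trust.
const TRUSTED_PROXIES = ['10.0.0.5'];

/**
 * Resolve the client IP. X-Forwarded-For is client-controllable, so it is
 * honoured only when the direct peer is one of our own proxies; otherwise the
 * socket peer address is used as-is.
 */
function clientIp(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff !== '' && in_array($peer, TRUSTED_PROXIES, true)) {
        // A single trusted proxy appends the real client as the last hop.
        $hops = array_map('trim', explode(',', $xff));
        $candidate = end($hops);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return $peer;
}

/** Stable device fingerprint from request attributes (assumed attribute set). */
function deviceFingerprint(array $server): string
{
    $parts = [
        $server['HTTP_USER_AGENT'] ?? '',
        $server['HTTP_ACCEPT_LANGUAGE'] ?? '',
    ];
    return substr(hash('sha256', implode("\x1f", $parts)), 0, 32);
}

/** Stage 1, event ingestion: the raw event the SDK forwards to the engine. */
function captureEvent(string $userId, string $action, array $server, array $extra = [], ?int $now = null): array
{
    $now ??= time();
    return [
        'user_id'    => $userId,
        'action'     => $action,
        'ip'         => clientIp($server),
        'device_fp'  => deviceFingerprint($server),
        'user_agent' => substr($server['HTTP_USER_AGENT'] ?? '', 0, 512),
        'ts'         => $now,
        'extra'      => $extra,
    ];
}

/** Stage 2, context enrichment: history would come from PostgreSQL; here an in-memory stub. */
function enrich(array $event, array $history): array
{
    $userHist = $history[$event['user_id']] ?? ['devices' => [], 'failed_logins' => []];
    $windowStart = $event['ts'] - 600; // assumed 10-minute window
    $recentFailures = count(array_filter($userHist['failed_logins'], fn($t) => $t >= $windowStart));
    $event['context'] = [
        'known_device'         => in_array($event['device_fp'], $userHist['devices'], true),
        'recent_failed_logins' => $recentFailures,
        'login_hour'           => (int) gmdate('G', $event['ts']),
    ];
    return $event;
}

/** Append to a hash-chained audit trail; each entry commits to its predecessor. */
function appendAudit(array &$trail, array $event): string
{
    $prev = $trail === [] ? str_repeat('0', 64) : end($trail)['hash'];
    $payload = json_encode($event, JSON_THROW_ON_ERROR);
    $hash = hash('sha256', $prev . $payload);
    $trail[] = ['prev' => $prev, 'payload' => $payload, 'hash' => $hash];
    return $hash;
}

/** Recompute the chain; any edited, removed or reordered entry breaks it. */
function verifyAudit(array $trail): bool
{
    $prev = str_repeat('0', 64);
    foreach ($trail as $entry) {
        if ($entry['prev'] !== $prev || hash('sha256', $prev . $entry['payload']) !== $entry['hash']) {
            return false;
        }
        $prev = $entry['hash'];
    }
    return true;
}

// Constructed sample request: a login arriving through the trusted proxy.
$server = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.23',
    'HTTP_USER_AGENT'      => 'Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0',
    'HTTP_ACCEPT_LANGUAGE' => 'en-US,en;q=0.9',
];
$history = ['u42' => ['devices' => [], 'failed_logins' => [1700000000, 1700000100]]];
$event = enrich(captureEvent('u42', 'login', $server, [], 1700000200), $history);
$trail = [];
appendAudit($trail, $event);
$trail[0]['payload'] = str_replace('198.51.100.23', '203.0.113.9', $trail[0]['payload']); // simulated tampering
printf("ip=%s known_device=%s recent_failures=%d audit_ok=%s\n",
    $event['ip'], $event['context']['known_device'] ? 'yes' : 'no',
    $event['context']['recent_failed_logins'], verifyAudit($trail) ? 'yes' : 'no');
```

The two design points worth carrying into a real deployment are the proxy check (an event enriched with an attacker-chosen IP poisons every downstream rule that keys on location or reputation) and the chained audit trail (the dashboard's audit view is only trustworthy if a modified or deleted event can be noticed).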

RESULTS AND DISCUSSION

EndoGuard showed strong performance in detecting suspicious activities and reducing delayed threat response.

Key Outcomes

  • Faster identification of abnormal login behavior
  • Better detection of credential misuse
  • Improved monitoring of insider threats
  • Real-time alert generation for high-risk activities
  • Better transparency through audit trails

The system successfully handled event monitoring with low overhead and improved threat visibility compared to traditional external security systems. The risk scoring mechanism helped administrators focus on important threats instead of reviewing every activity manually.

CONCLUSION

EndoGuard provides a practical solution for modern cybersecurity challenges by embedding security directly into web applications. Traditional perimeter-based security is not enough to handle identity-based attacks, insider misuse, and business logic abuse. By combining real-time monitoring, contextual analysis, behavioral tracking, and dynamic risk scoring, EndoGuard improves application-level security significantly. The system is lightweight, scalable, and easy to integrate into existing platforms. This project shows that embedded security frameworks can offer stronger protection than traditional reactive systems and help organizations build safer and more reliable digital platforms.

FUTURE SCOPE

Future improvements for EndoGuard include:

  • Integration of machine learning for advanced anomaly detection
  • Cloud-native deployment support
  • Distributed security architecture for large-scale systems
  • Mobile application monitoring
  • AI-based predictive threat analysis
  • Advanced fraud detection for fintech platforms

These improvements can make EndoGuard more powerful for enterprise-level security environments.

SYSTEM ARCHITECTURE AND DESIGN

  1. Architecture Overview

Figure 1: System Architecture Diagram

The architecture of EndoGuard is designed to provide embedded security directly inside the application layer rather than depending only on external protection systems. The framework is modular, lightweight, and scalable, making it suitable for web applications, SaaS platforms, fintech systems, and enterprise applications.

The architecture mainly consists of the following components:

  1. User Interaction Layer
  2. Event Collection Layer
  3. Context Enrichment Layer
  4. Rule Engine Layer
  5. Risk Scoring Engine
  6. Response and Action Layer
  7. Monitoring Dashboard
  8. Database Management Layer

When a user performs any activity such as login, password reset, fund transfer, profile update, or privilege change, the SDK captures the event and forwards it to the security engine. The context enrichment layer collects additional information such as IP address, browser details, device fingerprint, geolocation, and previous user behavior history. This helps improve decision-making accuracy. The rule engine evaluates the event using predefined and customizable rules. Based on the result, the risk scoring engine calculates a dynamic risk value and classifies the activity. Finally, the response layer performs actions such as logging, administrator alerting, account suspension, or multi-factor authentication.

Figure 2: EndoGuard System Architecture

  2. Module Description

Module 1: User Authentication Monitoring

This module tracks login attempts, failed logins, password changes, and session activities. It helps detect brute-force attacks, credential stuffing, and account takeovers.

Module 2: Context Enrichment Module

This module gathers supporting information such as IP intelligence, device details, browser fingerprinting, and location tracking. It improves anomaly detection by providing context.

Module 3: Rule-Based Detection Engine

This module applies predefined security rules such as unusual login time, repeated failed attempts, sudden device change, and suspicious transaction behavior.

Module 4: Dynamic Risk Scoring Module

Each event is assigned a numerical score based on severity and abnormality. Higher scores indicate higher security risk.

Module 5: Security Response Module

This module triggers actions based on the risk level. Low-risk activities are logged, medium-risk events are flagged for review, and high-risk activities trigger immediate prevention.
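Modules 3, 4 and 5 above (rule evaluation, dynamic scoring and risk-level response) as one added PHP example; it is written for this page and is not EndoGuard's own engine. The rule weights, the low/medium/high thresholds at 30 and 70, the "normal hours" window, the 10,000 transfer limit and the sample enriched events are assumptions chosen so that the run exercises all three risk levels; the response lists follow the paper's classification (log, admin review, MFA/suspension).

```php
<?php
// Added example (not EndoGuard's own code): rule engine, additive risk scoring
// and risk-level response mapping. Weights, thresholds and events are constructed.
declare(strict_types=1);

const RISK_MEDIUM = 30;   // assumed: score >= 30 is medium risk
const RISK_HIGH   = 70;   // assumed: score >= 70 is high risk

/**
 * Module 3: each rule is a closure over the enriched event returning a weight
 * (0 = not triggered). Closures keep rules customizable per deployment.
 */
function defaultRules(): array
{
    return [
        'repeated_failed_logins' => fn(array $e) =>
            ($e['context']['recent_failed_logins'] ?? 0) >= 5 ? 40 : 0,
        'new_device' => fn(array $e) =>
            empty($e['context']['known_device']) ? 25 : 0,
        'unusual_login_hour' => function (array $e): int {
            // Assumed: the user is normally active 07:00-22:00 UTC.
            $h = $e['context']['login_hour'] ?? 12;
            return ($e['action'] === 'login' && ($h < 7 || $h >= 22)) ? 15 : 0;
        },
        'flagged_ip' => fn(array $e) =>
            !empty($e['context']['ip_flagged']) ? 30 : 0,
        'large_transfer_from_new_device' => fn(array $e) =>
            $e['action'] === 'fund_transfer'
            && ($e['extra']['amount'] ?? 0) >= 10000
            && empty($e['context']['known_device']) ? 35 : 0,
    ];
}

/** Module 4: evaluate every rule; return the triggered rules and the capped total. */
function scoreEvent(array $event, array $rules): array
{
    $hits = [];
    $total = 0;
    foreach ($rules as $name => $rule) {
        $w = $rule($event);
        if ($w > 0) {
            $hits[$name] = $w;
            $total += $w;
        }
    }
    return ['score' => min(100, $total), 'hits' => $hits];
}

function classify(int $score): string
{
    if ($score >= RISK_HIGH) {
        return 'high';
    }
    if ($score >= RISK_MEDIUM) {
        return 'medium';
    }
    return 'low';
}

/** Module 5: map the risk level to the paper's response actions. */
function respond(string $level): array
{
    return match ($level) {
        'low'    => ['log'],
        'medium' => ['log', 'queue_admin_review'],
        'high'   => ['log', 'require_mfa', 'suspend_account', 'alert_admin'],
    };
}

function evaluate(array $event, ?array $rules = null): array
{
    $result = scoreEvent($event, $rules ?? defaultRules());
    $result['level'] = classify($result['score']);
    $result['actions'] = respond($result['level']);
    return $result;
}

// Constructed enriched events (the shape the enrichment stage would produce).
$events = [
    ['action' => 'login', 'user_id' => 'u1', 'extra' => [],
     'context' => ['recent_failed_logins' => 0, 'known_device' => true, 'login_hour' => 10]],
    ['action' => 'login', 'user_id' => 'u2', 'extra' => [],
     'context' => ['recent_failed_logins' => 6, 'known_device' => false, 'login_hour' => 3]],
    ['action' => 'fund_transfer', 'user_id' => 'u3', 'extra' => ['amount' => 25000],
     'context' => ['recent_failed_logins' => 0, 'known_device' => false, 'login_hour' => 14]],
];
foreach ($events as $e) {
    $r = evaluate($e);
    printf("%-14s score=%3d level=%-6s hits=%s actions=%s\n", $e['action'], $r['score'],
        $r['level'], json_encode($r['hits']), implode(',', $r['actions']));
}
```

With these weights the three events land at 0 (low: logged only), 80 (high: MFA and suspension) and 60 (medium: admin review). Two choices matter for false positives: the score is additive, so a single weak signal such as a new device never reaches the high band on its own, and the cap at 100 keeps many minor hits from masquerading as one severe incident on the dashboard.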

Module 6: Admin Dashboard Module

Administrators can monitor events, review alerts, access audit trails, and investigate suspicious users using a centralized interface.

IMPLEMENTATION DETAILS

  1. Software Requirements

  • Operating System: Windows / Linux
  • Frontend: HTML, CSS, JavaScript
  • Backend: PHP
  • Framework: Fat-Free Framework
  • Database: PostgreSQL
  • Server: Apache / XAMPP
  • Browser: Chrome / Edge

  2. Hardware Requirements

  • Processor: Intel i3 or above
  • RAM: Minimum 4 GB
  • Storage: 256 GB or above
  • Internet Connection: Required for deployment and testing

  3. Database Design

Figure 3: Database Design (ER Diagram), showing the tables Users, Login Events, Risk Score Table, Alert Management, Admin Review Queue, and Audit Trail

This ER-style diagram represents the relationship between the core database tables used in EndoGuard. The database stores user information, event logs, risk scores, device history, alerts, and administrator reviews.

Important tables include:

  • Users Table
  • Login Events Table
  • Device Fingerprint Table
  • Risk Score Table
  • Alert Management Table
  • Admin Review Queue

Each event is stored with timestamp, IP address, device details, and action type for future analysis and auditing.

  4. Security Implementation

The system implements:

  • Secure session management
  • Multi-factor authentication triggers
  • Device fingerprint validation
  • IP reputation checking
  • Login anomaly detection
  • Sensitive transaction monitoring
  • Detailed audit trail maintenance

These mechanisms ensure both preventive and detective security.

Figure 2: EndoGuard Deployment Diagram

PERFORMANCE ANALYSIS

Figure 4: Risk Classification Chart

Low Risk → Log Event
Medium Risk → Admin Review
High Risk → MFA / Account Suspension

This diagram explains how the system responds based on calculated risk levels.

Figure 5: Admin Dashboard Monitoring Flow

Alerts Generated → Review Queue → Admin Analysis → Decision → Final Action

This shows how administrators handle suspicious events inside the monitoring dashboard.

  1. Event Processing Performance

The system processes user events in real time with minimal latency. Event capture and risk evaluation happen instantly after user interaction, ensuring immediate threat visibility.

  2. Threat Detection Accuracy

Testing showed improved detection of:

  • Account takeover attempts
  • Credential stuffing attacks
  • Unusual login behavior
  • Insider misuse
  • Business logic abuse

Compared to traditional systems, EndoGuard provided better accuracy because it considered user behavior and context instead of only network traffic.

  3. Risk Scoring Efficiency

The dynamic scoring system reduced unnecessary alerts and helped administrators prioritize serious incidents first. This improved operational efficiency and reduced false positives.

  4. Response Time

High-risk activities triggered immediate responses such as MFA requests and account restrictions. This proactive model reduced the damage window significantly.

  5. Reliability and Scalability

The lightweight architecture allowed stable performance even with increasing event volume. The modular structure supports future cloud deployment and enterprise-scale expansion.

ADVANTAGES OF PROPOSED SYSTEM

  1. Real-time monitoring of user activities
  2. Strong protection against account takeover attacks
  3. Detection of insider threats and privilege misuse
  4. Reduced false positives using contextual analysis
  5. Faster response to suspicious activities
  6. Lightweight and easy integration
  7. Open-source and cost-effective implementation
  8. Improved transparency through audit logs
  9. Better administrator control through dashboard monitoring
  10. Scalable for modern SaaS and enterprise platforms

LIMITATIONS

Although EndoGuard provides strong application-level protection, some limitations still exist:

  1. Current implementation mainly supports small and medium-scale systems
  2. Rule-based detection depends on proper rule design
  3. Full machine learning integration is not yet implemented
  4. Large-scale cloud-native deployment requires future enhancement
  5. Advanced fraud prediction requires larger historical datasets

These limitations can be addressed in future versions.

REFERENCES

  1. OWASP Foundation, “OWASP Top 10: The Ten Most Critical Web Application Security Risks,” 2021.
  2. Ross Anderson, “Security Engineering: A Guide to Building Dependable Distributed Systems,” 2020.
  3. Bruce Schneier, “Attack Trees: Modeling Security Threats,” 2015.
  4. Adam Shostack, “Threat Modeling: Designing for Security,” 2014.
  5. Gary McGraw, “Software Security: Building Security In,” 2006.
  6. Matt Bishop, “Computer Security: Art and Science,” 2018.
  7. A. B. Johnston and A. Gupta, “The Role of Behavioral Analytics in Cybersecurity,” 2019.
  8. E. Alpaydin, “Introduction to Machine Learning for Cybersecurity Applications,” 2020.
  9. S. Garfinkel and G. Spafford, “Web Security, Privacy and Commerce,” 2016.
  10. P. Samarati and S. de Vimercati, “Access Control: Policies, Models, and Mechanisms,” 2001.


Dhanuja V.
Corresponding author

Department of CSE (Cyber Security), Sri Venkateswaraa College of Technology, Sriperumbudur, Tamil Nadu, India

Gopika U.
Co-author

Department of CSE (Cyber Security), Sri Venkateswaraa College of Technology, Sriperumbudur, Tamil Nadu, India

Kuraku Vamsidhar
Co-author

Department of CSE (Cyber Security), Sri Venkateswaraa College of Technology, Sriperumbudur, Tamil Nadu, India

Dhanuja V.*, Gopika U., Kuraku Vamsidhar, Endoguard: An Embedded Security Framework For Real-Time Threat Detection And Prevention In Web Applications, Int. J. Sci. R. Tech., 2026, 3 (5), 264-270. https://doi.org/10.5281/zenodo.20080119
