HOLMES: Real-time APT Detection through Correlation of Suspicious Information Flows
This addresses the challenge of real-time APT detection for cybersecurity analysts, though it appears incremental as it builds on existing case studies and correlation techniques.
The authors tackled the problem of detecting Advanced and Persistent Threats (APTs) by developing HOLMES, a system that correlates suspicious information flows to produce a real-time detection signal and high-level attack graphs, achieving high precision and low false alarm rates in evaluations against real-world APTs.
In this paper, we present HOLMES, a system that implements a new approach to the detection of Advanced and Persistent Threats (APTs). HOLMES is inspired by several case studies of real-world APTs that highlight some common goals of APT actors. In a nutshell, HOLMES aims to produce a detection signal that indicates the presence of a coordinated set of activities that are part of an APT campaign. One of the main challenges addressed by our approach involves developing a suite of techniques that make the detection signal robust and reliable. At a high-level, the techniques we develop effectively leverage the correlation between suspicious information flows that arise during an attacker campaign. In addition to its detection capability, HOLMES is also able to generate a high-level graph that summarizes the attacker's actions in real-time. This graph can be used by an analyst for an effective cyber response. An evaluation of our approach against some real-world APTs indicates that HOLMES can detect APT campaigns with high precision and low false alarm rate. The compact high-level graphs produced by HOLMES effectively summarizes an ongoing attack campaign and can assist real-time cyber-response operations.