HOLMES: Real-time APT Detection through Correlation of Suspicious Information Flows

TL;DR

HOLMES is a real-time system that detects APT campaigns by correlating suspicious information flows and generates attack graphs to assist analysts, demonstrating high precision and low false alarms in real-world scenarios.

Contribution

HOLMES introduces a novel correlation-based approach for real-time APT detection and attack graph generation, improving detection robustness and response effectiveness.

Findings

High detection precision with low false alarms

Effective real-time attack graph summarization

Successful detection of real-world APT campaigns

Abstract

In this paper, we present HOLMES, a system that implements a new approach to the detection of Advanced and Persistent Threats (APTs). HOLMES is inspired by several case studies of real-world APTs that highlight some common goals of APT actors. In a nutshell, HOLMES aims to produce a detection signal that indicates the presence of a coordinated set of activities that are part of an APT campaign. One of the main challenges addressed by our approach involves developing a suite of techniques that make the detection signal robust and reliable. At a high-level, the techniques we develop effectively leverage the correlation between suspicious information flows that arise during an attacker campaign. In addition to its detection capability, HOLMES is also able to generate a high-level graph that summarizes the attacker's actions in real-time. This graph can be used by an analyst for an effective cyber response. An evaluation of our approach against some real-world APTs indicates that HOLMES can detect APT campaigns with high precision and low false alarm rate. The compact high-level graphs produced by HOLMES effectively summarizes an ongoing attack campaign and can assist real-time cyber-response operations.