HOLMES: Real-Time APT Detection through Correlation of Suspicious Information Flows

In this paper, we present HOLMES, a system that implements a new approach to the detection of Advanced and Persistent Threats (APTs). HOLMES is inspired by several case studies of real-world APTs that highlight some common goals of APT actors. In a nutshell, HOLMES aims to produce a detection signal that indicates the presence of a coordinated set of activities that are part of an APT campaign. One of the main challenges addressed by our approach involves developing a suite of techniques that make the detection signal robust and reliable. At a high-level, the techniques we develop effectively leverage the correlation between suspicious information flows that arise during an attacker campaign. In addition to…

• NS
  National Science Foundation

  Awards: 1514472, 1069311, CNS-1319137, CNS-1514472, DGE-1069311, 1319137
• UD
  U.S. Department of Defense
• DA
  Defense Advanced Research Projects Agency

  Awards: N6600118C4035, FA8650-15-C-7561, FA8650-15-C
• OO
  Office of Naval Research

  Awards: N00014-17-1, N00014-15-1-2378, N00014-17-1-2891, N00014
• AF
  Air Force Office of Scientific Research