Paper Accepted at IEEE Security & Privacy 2019

SISL paper “HOLMES: Real-time APT Detection through Correlation of Suspicious Information Flows” has been accepted at the IEEE Security & Privacy Conference in San Francisco, CA May 20-22 2019.

CITATION

S. Momeni Milajerdi, R. Gjomemo, B. Eshete, R. Sekar and V. Venkatakrishnan, “HOLMES: Real-Time APT Detection through Correlation of Suspicious Information Flows,” 2019, 2019 IEEE Symposium on Security and Privacy (SP), San Fransisco, CA, US, pp. 430-445.

ABSTRACT

In this paper, we present HOLMES, a system that implements a new approach to the detection of Advanced and Persistent Threats (APTs). HOLMES is inspired by several case studies of real-world APTs that highlight some common goals of APT actors. In a nutshell, HOLMES aims to produce a detection signal that indicates the presence of a coordinated set of activities that are part of an APT campaign. One of the main challenges addressed by our approach involves developing a suite of techniques that make the detection signal robust and reliable. At a high-level, the techniques we develop effectively leverage the correlation between suspicious information flows that arise during an attacker campaign. In addition to its detection capability, HOLMES is also able to generate a high-level graph that summarizes the attacker’s actions in real-time. This graph can be used by an analyst for an effective cyber response. An evaluation of our approach against some real-world APTs indicates that HOLMES can detect APT campaigns with high precision and low false alarm rate. The compact high-level graphs produced by HOLMES effectively summarizes an ongoing attack campaign and can assist real-time cyber-response operations.

DETAILS & FULL PAPER