HOLMES Architecture

HOLMES: Real-time APT Detection through Correlation of Suspicious Information Flows


In this paper, we present a new approach for the detection of Advanced and Persistent Threats (APTs). Our approach is inspired by several case studies of real-world APTs that highlight some common goals of APT actors. In a nutshell, our approach aims to produce a detection signal that indicates the presence of a coordinated set of activities that are part of an APT campaign. One of the main challenges addressed by our approach involves developing a suite of techniques that make the detection signal robust and reliable. At a high-level, the techniques we develop effectively leverage the correlation between suspicious information flows that arise during an attacker campaign. In addition to its detection capability, our system (called HOLMES) is also able to generate a high-level graph that summarizes the attacker’s actions in real-time. This graph can be used by an analyst for an effective cyber response. In addition to operating as a detection system by itself, the system can be co-deployed with other IDS systems to improve cyber detection and response within the enterprise. An evaluation of our approach against some real-world APTs indicates that our system can detect APT campaigns with high precision and low false alarm rate, and the compact high-level graphs produced by our system is an effective summary of an attack campaign that is useful for planning real-time cyber-response operations.

Proceedings of the 40th IEEE Symposium on Security and Privacy (S&P)