
HOLMES: Real-time APT Detection through Correlation of Suspicious Information Flows (1810.01594v2)

Published 3 Oct 2018 in cs.CR

Abstract: In this paper, we present HOLMES, a system that implements a new approach to the detection of Advanced and Persistent Threats (APTs). HOLMES is inspired by several case studies of real-world APTs that highlight some common goals of APT actors. In a nutshell, HOLMES aims to produce a detection signal that indicates the presence of a coordinated set of activities that are part of an APT campaign. One of the main challenges addressed by our approach involves developing a suite of techniques that make the detection signal robust and reliable. At a high-level, the techniques we develop effectively leverage the correlation between suspicious information flows that arise during an attacker campaign. In addition to its detection capability, HOLMES is also able to generate a high-level graph that summarizes the attacker's actions in real-time. This graph can be used by an analyst for an effective cyber response. An evaluation of our approach against some real-world APTs indicates that HOLMES can detect APT campaigns with high precision and low false alarm rate. The compact high-level graphs produced by HOLMES effectively summarize an ongoing attack campaign and can assist real-time cyber-response operations.

Citations (339)

Summary

  • The paper presents HOLMES, which correlates audit logs using high-level scenario graphs and ancestral cover to detect APTs in real time.
  • It integrates diverse data sources like Linux auditd, BSD dtrace, and Windows ETW to map system events to TTPs via the MITRE ATT&CK framework.
  • Extensive evaluation shows HOLMES efficiently summarizes millions of audit records into concise, actionable alerts for improved incident response.

Real-time Detection of APTs Through Information Flow Correlation: Insights from the HOLMES Framework

Advanced Persistent Threats (APTs) represent a sophisticated category of cyberattacks involving stealthy and sustained efforts to infiltrate networks, often with the aim of exfiltrating sensitive information or causing significant damage. The paper "HOLMES: Real-time APT Detection through Correlation of Suspicious Information Flows" introduces an innovative system designed for the real-time detection of APTs by leveraging the correlation of suspicious information flows. This evaluation seeks to provide a technical overview of the methodologies, results, and implications explored within this research.

Technical Approach

HOLMES addresses the challenges inherent in detecting APTs, primarily their ability to elude conventional intrusion detection systems (IDS) through extended persistence and low-visibility tactics. The framework proposes a novel approach using High-level Scenario Graphs (HSGs) and the MITRE ATT&CK framework to map suspicious activities to the Tactics, Techniques, and Procedures (TTPs) associated with APT campaigns. The system processes audit data from host systems (specifically Linux auditd, BSD dtrace, and Windows ETW) and constructs a provenance graph that captures the flow of information between system entities such as processes, files, and network sockets.

The paper discusses the shortcomings of existing Security Information and Event Management (SIEM) systems that often fail to provide accurate correlations and high-level summaries of multifaceted APT activities. HOLMES, in contrast, integrates alert correlation into its design by establishing a high-level scenario graph that distills audit logs and system events into actionable TTP alerts. A crucial technical innovation here is the use of "ancestral cover," a mechanism that differentiates meaningful alert correlations from spurious dependencies, greatly reducing false positive rates.
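The following Python sketch is an added illustration, not code from the paper or the HOLMES implementation: it builds an information-flow (provenance) graph from a constructed audit trail, matches single-event TTPs with simplified rules, and admits a TTP into the scenario graph only when its node is reachable from an earlier stage, which is the prerequisite check that the paper's ancestral-cover weighting refines. The event tuples, taint policy (any `sock:` object is untrusted) and TTP rules are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed audit trail (not from the paper): (subject process, action, object).
EVENTS = [
    ("nginx",   "recv",  "sock:203.0.113.5"),   # payload arrives from an external host
    ("nginx",   "write", "file:/tmp/dropper"),
    ("dropper", "exec",  "file:/tmp/dropper"),  # dropper runs the file nginx wrote
    ("dropper", "read",  "file:/etc/passwd"),
    ("dropper", "send",  "sock:203.0.113.5"),
    ("sshd",    "read",  "file:/etc/passwd"),   # benign: nothing untrusted flows into sshd
]

def build_provenance(events):
    """Information-flow graph: edge a -> b means data held by a can reach b."""
    flows = defaultdict(set)
    for subj, action, obj in events:
        proc = f"proc:{subj}"
        # recv/read/exec: object feeds the process; write/send: process feeds the object
        src, dst = (obj, proc) if action in ("recv", "read", "exec") else (proc, obj)
        flows[src].add(dst)
    return flows

def reachable(flows, sources, target):
    """BFS: does any node in `sources` have a flow path to `target`?"""
    seen, queue = set(sources), deque(sources)
    while queue:
        node = queue.popleft()
        if node == target:
            return True
        for nxt in flows[node] - seen:
            seen.add(nxt)
            queue.append(nxt)
    return False

def match_ttp(subj, action, obj):
    """Illustrative TTP rules keyed on a single event (assumed, not the paper's rule set)."""
    proc, external = f"proc:{subj}", obj.startswith("sock:")
    if action == "recv" and external:                   return ("Initial Compromise", proc)
    if action == "exec":                                return ("Execution", proc)
    if action == "read" and obj == "file:/etc/passwd":  return ("Collection", proc)
    if action == "send" and external:                   return ("Exfiltration", obj)
    return None

def build_hsg(events):
    """Admit a TTP only if its node is reachable from an earlier HSG node (its prerequisite)."""
    flows, hsg = build_provenance(events), []
    for ev in events:
        hit = match_ttp(*ev)
        if hit and (hit[0] == "Initial Compromise"
                    or reachable(flows, [n for _, n in hsg], hit[1])):
            hsg.append(hit)
    return hsg
```

Running `build_hsg(EVENTS)` yields the four correlated stages from nginx to the external socket, while sshd's read of `/etc/passwd` is dropped because no untrusted flow reaches it.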

Evaluation and Results

The system's efficacy is demonstrated through extensive evaluation against a dataset generated from a professional red-team exercise simulating real-world APT attacks. The dataset, which involved typical APT activities such as stealthy reconnaissance, lateral movement, and exfiltration, provided a robust basis for performance benchmarking. HOLMES exhibited high precision and recall, identifying APT campaigns with a minimal false alarm rate across various attack scenarios. The results underscore HOLMES's capability to distinguish benign from malicious activity, capturing attack campaigns with notable clarity and brevity by summarizing millions of audit records into compact scenario graphs.

Implications and Future Directions

HOLMES sets a significant precedent in the field of cyber threat detection by translating high volumes of raw audit data into concise attack narratives. Its output is designed to be comprehensible to cyber analysts, facilitating swift and informed incident response. Moreover, the integration of the MITRE ATT&CK framework connects low-level system events with higher-level tactics, which is critical for recognizing the sophisticated behaviour characteristic of APT operations.

In terms of future developments, the paper suggests the potential for expanding HOLMES to include finer-grained data sources and additional system-level insights, possibly incorporating advanced machine learning techniques to further refine detection capabilities. The modular design of HOLMES also lends itself well to future adaptations that could handle a more diverse range of threat vectors, catering to evolving patterns in cyber threats.

In conclusion, the HOLMES research not only provides a viable solution for detecting complex APTs in real-time but also opens pathways for further advancements in the domain of threat intelligence and automated cyber defense mechanisms. The system sets an important benchmark for future research looking to enhance the precision and agility of cyber threat detection systems.
