2019 IEEE Symposium on Security and Privacy (SP) 2019
DOI: 10.1109/sp.2019.00026
|View full text |Cite
|
Sign up to set email alerts
|

HOLMES: Real-Time APT Detection through Correlation of Suspicious Information Flows

Abstract: In this paper, we present HOLMES, a system that implements a new approach to the detection of Advanced and Persistent Threats (APTs). HOLMES is inspired by several case studies of real-world APTs that highlight some common goals of APT actors. In a nutshell, HOLMES aims to produce a detection signal that indicates the presence of a coordinated set of activities that are part of an APT campaign. One of the main challenges addressed by our approach involves developing a suite of techniques that make the detectio… Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
2
1
1
1

Citation Types

0
161
0
1

Year Published

2019
2019
2023
2023

Publication Types

Select...
3
2
1

Relationship

1
5

Authors

Journals

citations
Cited by 274 publications
(177 citation statements)
references
References 34 publications
0
161
0
1
Order By: Relevance
“…Static models cannot capture dynamic behavior of long-running systems [53], while dynamic modeling during runtime risks poisoning from the attackers [83]. L4 : Provenance graphs are stored and analyzed only in memory, sacrificing long-term scalability [83], [87].…”
Section: Summary and Problem Statementmentioning
confidence: 99%
See 4 more Smart Citations
“…Static models cannot capture dynamic behavior of long-running systems [53], while dynamic modeling during runtime risks poisoning from the attackers [83]. L4 : Provenance graphs are stored and analyzed only in memory, sacrificing long-term scalability [83], [87].…”
Section: Summary and Problem Statementmentioning
confidence: 99%
“…However, it does not mean that UNICORN forgets informative execution history; rather, UNICORN uses information flow dependencies in the graph to keep up-to-date important, relevant context information. Attackers can slowly penetrate the victim system in an APT, hoping that a time-based IDS eventually forgets this initial attack, but they cannot break the information flow dependencies that are essential to the success of the attack [87]. 3 Periodically, computes a fixed-size graph sketch.…”
Section: Designmentioning
confidence: 99%
See 3 more Smart Citations