HOLMES: Real-Time APT Detection through Correlation of Suspicious Information Flows

Milajerdi, Sadegh M.; Gjomemo, Rigel; Eshete, Birhanu; Sekar, R.; Venkatakrishnan, V.

doi:10.1109/sp.2019.00026

Cited by 250 publications

(177 citation statements)

References 34 publications

Supporting

Mentioning

161

Contrasting

Unclassified

Order By: Relevance

“…Static models cannot capture dynamic behavior of long-running systems [53], while dynamic modeling during runtime risks poisoning from the attackers [83]. L4 : Provenance graphs are stored and analyzed only in memory, sacrificing long-term scalability [83], [87].…”

Section: Summary and Problem Statementmentioning

confidence: 99%

“…However, it does not mean that UNICORN forgets informative execution history; rather, UNICORN uses information flow dependencies in the graph to keep up-to-date important, relevant context information. Attackers can slowly penetrate the victim system in an APT, hoping that a time-based IDS eventually forgets this initial attack, but they cannot break the information flow dependencies that are essential to the success of the attack [87]. 3 Periodically, computes a fixed-size graph sketch.…”

Section: Designmentioning

confidence: 99%

“…The experiment simulated an enterprise setup [87] including security-critical services such as a web server, an SSH server, an Email server, and an SMB server (for shared file access). The red team carried out various nation-state and common threats through the use of, e.g., a Firefox backdoor, a Nginx backdoor, and phishing emails.…”

Section: B Darpa Tc Datasetsmentioning

confidence: 99%

“…More recent work [15], [19], [83], [87] suggests that data provenance might be a better data source for APT detection. Data provenance represents system execution as a directed acyclic graph (DAG) that describes information flow between system subjects (e.g., processes) and objects (e.g., files and sockets).…”

Section: Introductionmentioning

confidence: 99%

“…However, practical computational constraints limit the scope of the contextual analysis that is feasible. Thus, current systems suffer from some combination of the following three problems: 1) static models cannot capture long term system behavior, 2) the lowand-slow APT approach can gradually poison dynamic models, and 3) approaches that require in-memory computation [83], [87] scale poorly in the presence of long-running attacks [87].…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats

Han¹,

Pasquier²,

Bates³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

137

111

View full text Add to dashboard Cite

Advanced Persistent Threats (APTs) are difficult to detect due to their "low-and-slow" attack patterns and frequent use of zero-day exploits. We present UNICORN, an anomalybased APT detector that effectively leverages data provenance analysis. From modeling to detection, UNICORN tailors its design specifically for the unique characteristics of APTs. Through extensive yet time-efficient graph analysis, UNICORN explores provenance graphs that provide rich contextual and historical information to identify stealthy anomalous activities without predefined attack signatures. Using a graph sketching technique, it summarizes long-running system execution with space efficiency to combat slow-acting attacks that take place over a long time span. UNICORN further improves its detection capability using a novel modeling approach to understand long-term behavior as the system evolves. Our evaluation shows that UNICORN outperforms an existing state-of-the-art APT detection system and detects reallife APT scenarios with high accuracy.

show abstract

Section: Summary and Problem Statementmentioning

confidence: 99%

Section: Designmentioning

confidence: 99%

Section: B Darpa Tc Datasetsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats

Han¹,

Pasquier²,

Bates³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

137

111

View full text Add to dashboard Cite

show abstract

Fuzzy inference based feature selection and optimized deep learning for Advanced Persistent Threat attack detection

Kumar,

Noliya,

Makani

2023

Adaptive Control & Signal

View full text Add to dashboard Cite

SummaryOne of the attacks that have rapidly happen is Advanced Persistent Threat (APT). APT attacks contain different sophisticated approaches and methods of attacking targets for stealing confidential as well as sensitive information. This research introduced novel and effective APT attack detection techniques, namely Smart Flower Cosine Algorithm‐driven Deep Convolutional Neural Network (SFCA‐DeepCNN). Here, the APT attack detection is done by the DeepCNN, wherein the weight of DeepCNN is updated by the proposed SFCA. The SFCA is modeled by unifying the Smart Flower Optimization Algorithm (SFOA) and Sine Cosine Algorithm (SCA). Additionally, the pre‐processing process is done by Quantile normalization, and the features are chosen based on the fuzzy‐based distance measures. Moreover, data augmentation is done to increase the size of data by performing the oversampling that avoids the overfitting problems. Furthermore, the proposed optimized deep learning scheme detects the accurate APT detection outcome. The performance improvement of the proposed method for testing accuracy is 9.417%, 10.47%, 4.232%, and 3.068% higher than the existing methods, such as, Deep Learning, Support Vector Machine (SVM), Bidirectional Long Short‐Term Memory (Bi‐LSTM), and Hidden Markov Model (HMM).

show abstract

Cyber situation perception for Internet of Things systems based on zero‐day attack activities recognition within advanced persistent threat

Cheng

Zhang

et al. 2020

Concurrency and Computation

View full text Add to dashboard Cite

With the development of the Internet of Things (IoT) technology, various attacks and threats have emerged. The advanced persistent threat (APT) refers to a class of advanced multiple-steps attacks among diverse attack activities, which brings severe threats to the IoT systems ascribe to its pertinence, concealment, and permeability.However, the existing technologies and methods fail to timely recognize the APT attack activities (especially the zero-day exploits) in a comprehensive scope. To address this problem, we propose a novel method of cyber situation perception for IoT systems, which based on zero-day attack activity recognition within APT (CSPAPTM). Moreover, we also design an edge computing framework for applying CSPAPTM to the typical IoT systems. Specifically, we first provide a cyber situation perception ontology construction module for describing the APT attack activities. Then, a malicious C&C DNS mining method (MCCDRM) is proposed to control the APT malicious activity correlation analysis trigger, which can effectively decrease the computing overhead. Finally, we propose a zero-day attack activity recognition method within APT (ZDAARA), which acts on system call instances to recognize the malicious activities, which cannot be detected by IDS. A relatively mature access control mechanism PO-SAAC is also applied to our method. Through the coalescent of these methods, CSPAPTM can accomplish the cyber situation perception effectively by the zero-day attack activities recognition in the IoT systems. The exhaustive experimental results demonstrate that the two kernel modules, that is, MCCDRM and ZDAARA in our CSPAPTM, can achieve both higher F 1 score and acceptable false positive rate.

show abstract

HOLMES: Real-Time APT Detection through Correlation of Suspicious Information Flows

Cited by 250 publications

References 34 publications

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats

Fuzzy inference based feature selection and optimized deep learning for Advanced Persistent Threat attack detection

Cyber situation perception for Internet of Things systems based on zero‐day attack activities recognition within advanced persistent threat

Contact Info

Product

Resources

About