Real-time APT Detection through Correlation of Suspicious Information Flows

Background:


Advanced Persistent Threats (APTs) represent a critical cybersecurity challenge, characterized by their multi-stage nature, extended duration, and stealthy operations across numerous hosts within an enterprise network. These sophisticated attacks, often carried out by skilled adversaries, are difficult for conventional anti-malware and intrusion detection systems to identify, as they typically involve a series of low-level, seemingly innocuous events that, when combined, reveal a coordinated campaign. A primary difficulty lies in efficiently generating meaningful alerts from vast volumes of low-level host logs and network traffic without producing excessive noise, which can overwhelm security analysts. Furthermore, correlating these disparate alerts—originating from various activities and across different systems over time—into a reliable signal indicative of an ongoing APT campaign remains a substantial hurdle for existing approaches. Finally, even when potential indicators are present, effectively communicating a high-level, intuitive summary of the attack scenario to human analysts in real-time, enabling them to quickly grasp the scope and magnitude for effective response, is a persistent challenge.

Technology Overview:


Researchers at Stony Brook University and University of Illinois have developed HOLMES, a system designed for real-time detection of Advanced Persistent Threat (APT) campaigns, processing host logs and IPS alerts from an enterprise. It generates alerts from low-level event traces, focusing on significant attacker steps while minimizing noise. These alerts are then correlated by leveraging suspicious information flows across multiple attacker activities and by correlating tactics, techniques, and procedures used across APT stages, to produce a reliable signal indicating an ongoing APT campaign. Concurrently, HOLMES generates a high-level graph that summarizes the attacker's actions and the overall attack scenario in real-time, providing an intuitive overview for cyber-analysts to facilitate effective response.
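The overview describes three steps: turning low-level host events into information flows, tagging the flows that originate from untrusted sources, and correlating the stages they touch into a high-level scenario graph. The following is an added toy illustration of that pipeline written for this page; it is not code from the HOLMES project, and the event format, the stage rules, the sensitive paths, the external address range and the alert threshold are all constructed assumptions.

```python
"""Added example (not HOLMES code): taint propagation over an information-flow
graph built from constructed host events, hypothetical APT-stage rules, and a
high-level scenario graph whose size is the correlation score."""
from collections import defaultdict, deque

EXTERNAL_PREFIX = "ip:203.0.113."        # assumption: this range is untrusted (TEST-NET-3)
SENSITIVE_FILES = {"file:/etc/shadow", "file:/home/alice/secrets.txt"}   # assumption
PERSISTENCE_PATHS = ("file:/etc/cron.d/", "file:/home/alice/.bashrc")    # assumption
ALERT_THRESHOLD = 3   # assumption: this many correlated stages raises a campaign alert

# Constructed events: (seq, host, process, action, object). Actions are a toy
# subset of what a host audit log records.
ATTACK_EVENTS = [
    (1, "ws1", "firefox", "connect", "ip:203.0.113.5"),
    (2, "ws1", "firefox", "write", "file:/tmp/dropper"),
    (3, "ws1", "dropper", "exec", "file:/tmp/dropper"),
    (4, "ws1", "dropper", "write", "file:/etc/cron.d/update"),
    (5, "ws1", "dropper", "read", "file:/home/alice/secrets.txt"),
    (6, "ws1", "dropper", "connect", "ip:203.0.113.9"),
]
BENIGN_EVENTS = [   # a download that is never executed, plus normal internal work
    (1, "ws2", "firefox", "connect", "ip:203.0.113.5"),
    (2, "ws2", "firefox", "write", "file:/home/alice/Downloads/report.pdf"),
    (3, "ws2", "editor", "read", "file:/home/alice/secrets.txt"),
    (4, "ws2", "editor", "connect", "ip:10.0.0.7"),
]

def build_flows(events):
    """Map each event to directed information-flow edges (src, dst, seq, action)."""
    flows = []
    for seq, host, proc_name, action, obj in events:
        proc = f"proc:{host}/{proc_name}"
        if action in ("read", "exec"):        # data moves file -> process
            flows.append((obj, proc, seq, action))
        elif action == "write":               # process -> file
            flows.append((proc, obj, seq, action))
        elif action == "connect":             # a socket is both source and sink
            flows.append((obj, proc, seq, action))
            flows.append((proc, obj, seq, action))
    return flows

def propagate(flows, sources):
    """Time-respecting reachability from `sources`: node v becomes tainted at
    seq s when an edge u->v at s leaves a node u tainted no later than s.
    Returns {node: (first_seq, action_that_tainted_it)}."""
    out = defaultdict(list)
    for src, dst, seq, action in flows:
        out[src].append((dst, seq, action))
    reached = {s: (0, "source") for s in sources}
    queue = deque(sources)
    while queue:
        u = queue.popleft()
        for v, seq, action in out[u]:
            if seq >= reached[u][0] and (v not in reached or seq < reached[v][0]):
                reached[v] = (seq, action)     # earlier arrival found: revisit v
                queue.append(v)
    return reached

def tainted(node, seq, taint):
    """True if `node` was tainted at or before `seq`."""
    return node in taint and seq >= taint[node][0]

def match_stages(flows, untrusted, sensitive):
    """Hypothetical per-stage rules evaluated on tainted flows; each hit is
    (stage, seq, entity). A lone hit is noise; correlation decides."""
    hits = []
    for src, dst, seq, action in flows:
        if action == "connect" and src.startswith(EXTERNAL_PREFIX) and tainted(dst, seq, untrusted):
            hits.append(("initial_compromise", seq, dst))
        if action == "exec" and tainted(src, seq, untrusted):          # untrusted file executed
            hits.append(("execution", seq, dst))
        if action == "write" and tainted(src, seq, untrusted) and dst.startswith(PERSISTENCE_PATHS):
            hits.append(("persistence", seq, dst))
        if action == "read" and src in SENSITIVE_FILES and tainted(dst, seq, untrusted):
            hits.append(("collection", seq, dst))
        if (action == "connect" and dst.startswith(EXTERNAL_PREFIX)
                and tainted(src, seq, untrusted) and tainted(src, seq, sensitive)):
            hits.append(("exfiltration", seq, dst))              # secret data reaches outside
    return hits

def correlate(hits):
    """Keep the first hit per stage, order stages by time and chain them:
    the chain is the high-level scenario graph shown to an analyst."""
    first = {}
    for stage, seq, entity in sorted(hits, key=lambda h: h[1]):
        first.setdefault(stage, (seq, entity))
    stages = sorted(first.items(), key=lambda kv: kv[1][0])
    edges = [(a[0], b[0]) for a, b in zip(stages, stages[1:])]
    return {"stages": stages, "edges": edges, "score": len(stages),
            "alert": len(stages) >= ALERT_THRESHOLD}

def analyze(events):
    flows = build_flows(events)
    sources = {n for f in flows for n in f[:2] if n.startswith(EXTERNAL_PREFIX)}
    untrusted = propagate(flows, sources)            # flows from the outside in
    sensitive = propagate(flows, SENSITIVE_FILES)    # flows from secrets outward
    return correlate(match_stages(flows, untrusted, sensitive))

if __name__ == "__main__":
    for name, events in (("attack", ATTACK_EVENTS), ("benign", BENIGN_EVENTS)):
        r = analyze(events)
        print(name, "score", r["score"], "alert", r["alert"], [s for s, _ in r["stages"]])
```

The benign workstation produces only the single `initial_compromise` hit that every browser download also produces, so it stays below the threshold; the attack host chains five stages along one tainted flow, which is what lets a cheap per-stage rule stay noisy while the correlated signal stays reliable.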


Anthony Brown, https://stock.adobe.com/uk/images/209686850, stock.adobe.com

Advantages:

  • Real-time detection and high-level attack visualization
  • Efficient correlation of suspicious information flows
  • Low false alarm rates
  • Integration with existing intrusion detection systems

Applications:

  • Enterprise APT Detection Software
  • Managed Security Service Provider (MSSP) Offerings
  • Cyber Incident Response and Forensics Support
  • Specialized Government and Critical Infrastructure Security Solutions

Intellectual Property Summary:


Provisional Application Filed

Stage of Development:


System Available

Licensing Status:


Available

Licensing Potential:


Development partner - Commercial partner - Licensing


Patent Information: