Real-time APT Detection through Correlation of Suspicious Information Flows

Background


Advanced Persistent Threats (APTs) are a critical cybersecurity challenge, characterized by their multi-stage nature, extended duration, and stealthy operation across many hosts within an enterprise network. These attacks, often carried out by skilled adversaries, are difficult for conventional anti-malware and intrusion detection systems to identify, because they consist of a series of low-level, individually innocuous events that reveal a coordinated campaign only when combined. A primary difficulty lies in efficiently generating meaningful alerts from vast volumes of low-level host logs and network traffic without producing excessive noise that overwhelms security analysts. A second difficulty is correlating these disparate alerts, originating from different activities and different systems over time, into a reliable signal that an APT campaign is in progress; existing approaches handle this poorly. Finally, even when indicators are present, communicating a high-level, intuitive summary of the attack scenario to human analysts in real time, so that they can quickly grasp its scope and magnitude and respond effectively, remains a persistent challenge.

Technology


Researchers at Stony Brook University and the University of Illinois have developed HOLMES, a system for real-time detection of Advanced Persistent Threat (APT) campaigns that processes host logs and IPS alerts from an enterprise. It generates alerts from low-level event traces, focusing on significant attacker steps while minimizing noise. These alerts are then correlated along suspicious information flows that connect multiple attacker activities, and by matching the tactics, techniques, and procedures (TTPs) observed to the stages of an APT, to produce a reliable signal that a campaign is under way. Concurrently, HOLMES builds a high-level graph that summarizes the attacker's actions and the overall attack scenario in real time, giving cyber-analysts an intuitive overview that supports effective response.
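The following sketch is an added illustration of the idea in the paragraph above; it is not HOLMES's own code or ruleset. Low-level audit events are matched against TTP rules assigned to APT stages, a match is raised as an alert only when an information flow connects it to an earlier-stage match (so an isolated match is dropped as noise), and the correlated matches form the high-level scenario graph. The trace, entity labels, stage names, TTP rules and the flow-direction model are constructed assumptions.

```python
from collections import defaultdict, deque
# Constructed audit trace (subject process, operation, object); assumed format, not real HOLMES input.
TRACE = [
    ("proc:browser", "read", "sock:203.0.113.5"),     # browser receives data from an untrusted host
    ("proc:browser", "write", "file:/tmp/drop.bin"),  # drops a payload to disk
    ("proc:drop", "exec", "file:/tmp/drop.bin"),      # dropped file is executed
    ("proc:drop", "write", "file:/etc/sudoers"),      # tampers with a sensitive file
    ("proc:drop", "write", "sock:203.0.113.5"),       # sends data back out
    ("proc:shell", "exec", "file:/bin/ls"),           # benign exec with no untrusted ancestry
]
UNTRUSTED = {"sock:203.0.113.5"}      # assumed: endpoints outside the enterprise
SENSITIVE = {"file:/etc/sudoers"}     # assumed: files whose modification is security-relevant
# Assumed stage names and TTP rules: (stage index, TTP name, predicate over one event).
STAGES = ["initial_compromise", "establish_foothold", "privilege_escalation", "exfiltration"]
TTPS = [
    (0, "untrusted_read", lambda s, op, o: op == "read" and o in UNTRUSTED),
    (1, "exec_dropped_file", lambda s, op, o: op == "exec"),
    (2, "sensitive_write", lambda s, op, o: op == "write" and o in SENSITIVE),
    (3, "send_to_untrusted", lambda s, op, o: op == "write" and o in UNTRUSTED),
]

def ancestors(node, flows):
    """Every entity that information flowed into `node` from, transitively, plus node itself."""
    seen, todo = {node}, deque([node])
    while todo:
        for pred in flows.get(todo.popleft(), set()) - seen:
            seen.add(pred)
            todo.append(pred)
    return seen

def detect(trace):
    """Replay the trace; return (correlated alerts, scenario-graph edges between TTP matches)."""
    flows = defaultdict(set)   # entity -> entities it received information from
    tags = defaultdict(set)    # entity -> {(stage, ttp)} already matched on it
    alerts, edges = [], []
    for subj, op, obj in trace:
        src, dst = (obj, subj) if op in ("read", "exec") else (subj, obj)  # read/exec: object -> process
        flows[dst].add(src)                                                # write: process -> object
        for stage, name, matches in TTPS:
            if not matches(subj, op, obj):
                continue
            # Prerequisite: an earlier-stage TTP on something the subject got information from.
            prereqs = {t for n in ancestors(subj, flows) for t in tags[n] if t[0] < stage}
            if stage > 0 and not prereqs:
                continue           # matched in isolation: suppressed as noise
            tags[subj].add((stage, name))
            alerts.append((STAGES[stage], name, subj))
            if prereqs:            # link the new node to its most advanced prerequisite(s)
                best = max(t[0] for t in prereqs)
                edges += [(t[1], name) for t in prereqs if t[0] == best]
    return alerts, sorted(set(edges))
```

Running `detect(TRACE)` yields four alerts that walk through all four stages and three scenario-graph edges, while the benign `proc:shell` exec matches a TTP rule but is never raised.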

Advantages

  • Real-time detection and high-level attack visualization
  • Efficient correlation of suspicious information flows
  • Low false alarm rates
  • Integration with existing intrusion detection systems

Application

  • Enterprise APT Detection Software
  • Managed Security Service Provider (MSSP) Offerings
  • Cyber Incident Response and Forensics Support
  • Specialized Government and Critical Infrastructure Security Solutions

Patent Status


Provisional Application Filed

Stage Of Development


System Available

Licensing Potential


Development partner - Commercial partner - Licensing

Licensing Status


Available

Additional Info


Patent Information:
Case ID: R050-9059
For Information, Contact:
James Martino
Licensing Specialist
State University of New York at Stony Brook
james.martino@stonybrook.edu
Inventors:
R. Sekar
V.N. Venkatakrishnan
Rigel Gjomemo
Birhanu Eshete
Sadegh Momeni
Keywords: