A Survey on Advanced Persistent Threats: Techniques, Solutions, Challenges, and Research Opportunities

Adel Alshamrani, Sowmya Myneni, Ankur Chowdhary, Dijiang Huang

Research output: Contribution to journal › Article


Abstract

Threats that have primarily targeted nation states and their associated entities have expanded their target zone to include the private and corporate sectors. This class of threats, well known as advanced persistent threats (APTs), is one that every nation and well-established organization fears and wants to protect itself against. While nation-sponsored APT attacks will always be marked by their sophistication, the APT attacks that have become prominent in corporate sectors are no less challenging for the organizations they target. The rate at which attack tools and techniques are evolving is making existing security measures inadequate. As defenders strive to secure every endpoint and every link within their networks, attackers are finding new ways to penetrate their target systems. With each day bringing new forms of malware, with new signatures and behavior close to normal, a single threat detection system will not suffice. Because an APT takes time and patience to carry out, solutions that adapt to the changing behavior of the APT attacker(s) are required. Several works have been published on detecting an APT attack at one or two of its stages, but very limited research exists on detecting an APT as a whole, from reconnaissance to cleanup, because such a solution demands complex correlation and fine-grained behavior analysis of users and systems within and across networks. Through this survey paper, we intend to bring together the methods and techniques that can be used to detect the different stages of APT attacks, the learning methods that need to be applied, and where to apply them to make a threat detection framework smart and undecipherable to adapting APT attackers. We also present different case studies of APT attacks, different monitoring methods, and mitigation methods to be employed for fine-grained control of the security of a networked system. We conclude this paper with the different challenges in defending against APTs and opportunities for further research, ending with a note on what we learned while writing this paper.

Original language: English (US)
Article number: 8606252
Pages (from-to): 1851-1877
Number of pages: 27
Journal: IEEE Communications Surveys and Tutorials
Volume: 21
Issue number: 2
DOI: 10.1109/COMST.2019.2891891
State: Published - Apr 1 2019

Keywords

  • Advanced persistent threat
  • APT
  • intrusion detection
  • targeted attacks

ASJC Scopus subject areas

  • Electrical and Electronic Engineering

Cite this

A Survey on Advanced Persistent Threats: Techniques, Solutions, Challenges, and Research Opportunities. / Alshamrani, Adel; Myneni, Sowmya; Chowdhary, Ankur; Huang, Dijiang.

In: IEEE Communications Surveys and Tutorials, Vol. 21, No. 2, 8606252, 01.04.2019, p. 1851-1877.

@article{a5bd05c8a7da4aaa8730b13ffa354213,
title = "A Survey on Advanced Persistent Threats: Techniques, Solutions, Challenges, and Research Opportunities",
keywords = "Advanced persistent threat, APT, intrusion detection, targeted attacks",
author = "Adel Alshamrani and Sowmya Myneni and Ankur Chowdhary and Dijiang Huang",
year = "2019",
month = "4",
day = "1",
doi = "10.1109/COMST.2019.2891891",
language = "English (US)",
volume = "21",
pages = "1851--1877",
journal = "IEEE Communications Surveys and Tutorials",
issn = "1553-877X",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
number = "2",
}

TY - JOUR

T1 - A Survey on Advanced Persistent Threats

T2 - Techniques, Solutions, Challenges, and Research Opportunities

AU - Alshamrani, Adel

AU - Myneni, Sowmya

AU - Chowdhary, Ankur

AU - Huang, Dijiang

PY - 2019/4/1

Y1 - 2019/4/1

KW - Advanced persistent threat

KW - APT

KW - intrusion detection

KW - targeted attacks

UR - http://www.scopus.com/inward/record.url?scp=85066988265&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85066988265&partnerID=8YFLogxK

U2 - 10.1109/COMST.2019.2891891

DO - 10.1109/COMST.2019.2891891

M3 - Article

AN - SCOPUS:85066988265

VL - 21

SP - 1851

EP - 1877

JO - IEEE Communications Surveys and Tutorials

JF - IEEE Communications Surveys and Tutorials

SN - 1553-877X

IS - 2

M1 - 8606252

ER -