TY - JOUR
T1 - A Survey on Advanced Persistent Threats
T2 - Techniques, Solutions, Challenges, and Research Opportunities
AU - Alshamrani, Adel
AU - Myneni, Sowmya
AU - Chowdhary, Ankur
AU - Huang, Dijiang
N1 - Funding Information:
Manuscript received March 28, 2018; revised October 25, 2018; accepted December 8, 2018. Date of publication January 9, 2019; date of current version May 31, 2019. This work was supported in part by the Naval Research Laboratory under Grant N00173-15-G017, in part by the National Science Foundation, U.S., under Grant DGE-1723440, Grant OAC-1642031, and Grant SaTC-1528099, and in part by the National Science Foundation, China, under Grant 61628201 and Grant 61571375. The work of D. Huang was supported in part by NSF, in part by ONR, in part by ARO, in part by NATO, and in part by the Consortium of Embedded System. (Adel Alshamrani and Sowmya Myneni contributed equally to this work.) (Corresponding author: Adel Alshamrani.) A. Alshamrani is with the Department of Cybersecurity, College of Computer Science and Engineering, University of Jeddah, Jeddah 23218, Saudi Arabia, and also with the School of Computing, Informatics, and Decision Systems Engineering, Arizona State University, Tempe, AZ 85281 USA (e-mail: asalshamrani@uj.edu.sa).
Publisher Copyright:
© 1998-2012 IEEE.
PY - 2019/4/1
Y1 - 2019/4/1
N2 - Threats that have primarily targeted nation states and their associated entities have expanded their target zone to include the private and corporate sectors. This class of threats, well known as advanced persistent threats (APTs), is one that every nation and well-established organization fears and wants to protect itself against. While nation-sponsored APT attacks will always be marked by their sophistication, the APT attacks that have become prominent in the corporate sector are no less challenging for the organizations affected. The rate at which attack tools and techniques evolve is making existing security measures inadequate. As defenders strive to secure every endpoint and every link within their networks, attackers keep finding new ways to penetrate their target systems. With each day bringing new forms of malware, with new signatures and behavior that is close to normal, a single threat detection system does not suffice. While performing an APT requires time and patience, solutions that adapt to the changing behavior of APT attackers are required. Several works have been published on detecting an APT attack at one or two of its stages, but very limited research exists on detecting an APT as a whole, from reconnaissance to cleanup, because such a solution demands complex correlation and fine-grained behavior analysis of users and systems within and across networks. Through this survey paper, we intend to bring together the methods and techniques that could be used to detect the different stages of APT attacks, the learning methods that need to be applied, and where to apply them to make a threat detection framework smart and undecipherable to adaptive APT attackers. We also present different case studies of APT attacks, different monitoring methods, and mitigation methods to be employed for fine-grained control of the security of a networked system.
We conclude this paper with different challenges in defending against APTs and opportunities for further research, ending with a note on what we learned while writing this paper.
AB - Threats that have primarily targeted nation states and their associated entities have expanded their target zone to include the private and corporate sectors. This class of threats, well known as advanced persistent threats (APTs), is one that every nation and well-established organization fears and wants to protect itself against. While nation-sponsored APT attacks will always be marked by their sophistication, the APT attacks that have become prominent in the corporate sector are no less challenging for the organizations affected. The rate at which attack tools and techniques evolve is making existing security measures inadequate. As defenders strive to secure every endpoint and every link within their networks, attackers keep finding new ways to penetrate their target systems. With each day bringing new forms of malware, with new signatures and behavior that is close to normal, a single threat detection system does not suffice. While performing an APT requires time and patience, solutions that adapt to the changing behavior of APT attackers are required. Several works have been published on detecting an APT attack at one or two of its stages, but very limited research exists on detecting an APT as a whole, from reconnaissance to cleanup, because such a solution demands complex correlation and fine-grained behavior analysis of users and systems within and across networks. Through this survey paper, we intend to bring together the methods and techniques that could be used to detect the different stages of APT attacks, the learning methods that need to be applied, and where to apply them to make a threat detection framework smart and undecipherable to adaptive APT attackers. We also present different case studies of APT attacks, different monitoring methods, and mitigation methods to be employed for fine-grained control of the security of a networked system.
We conclude this paper with different challenges in defending against APTs and opportunities for further research, ending with a note on what we learned while writing this paper.
KW - APT
KW - Advanced persistent threat
KW - intrusion detection
KW - targeted attacks
UR - http://www.scopus.com/inward/record.url?scp=85066988265&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85066988265&partnerID=8YFLogxK
U2 - 10.1109/COMST.2019.2891891
DO - 10.1109/COMST.2019.2891891
M3 - Article
AN - SCOPUS:85066988265
SN - 1553-877X
VL - 21
SP - 1851
EP - 1877
JO - IEEE Communications Surveys and Tutorials
JF - IEEE Communications Surveys and Tutorials
IS - 2
M1 - 8606252
ER -