Abstract
In today's cyber warfare realm, every stakeholder in cyberspace is becoming more potent by developing advanced cyber weapons. They are equipped with the most advanced malware and maintain hidden attribution. Such advanced cyber weapons, targeted and driven by a specific intention, are called Advanced Persistent Threats (APT). Developing defense mechanisms and performing attribution analysis of such advanced attacks are extremely difficult due to the intricate design of the attack vector and the sophisticated malware employed, with its high stealth and evasive techniques. These attacks also include advanced zero-day and negative-day exploits and payloads. This paper provides a comprehensive survey on the evolution of advanced malware design paradigms, the APT attack vector and its anatomy, APT attack Tactics, Techniques, and Procedures (TTP), and specific case studies on open-ended APT attacks. The survey covers a detailed discussion of APT attack phases and a comparative study of threat life-cycle specifications by various organizations. This work also addresses APT attack attribution and countermeasures against these attacks, from classical signature- and heuristic-based detection to modern machine learning and genetics-based detection mechanisms, along with countermeasures against sophisticated zero-day and negative-day malware through techniques such as monitoring of network traffic and DNS logs, moving target based defense, and attack graph based defenses. Furthermore, the survey addresses various research scopes in the domain of APT cyber-attacks.
Data availability
The data used in this research are available upon request.
Cite this article
Sharma, A., Gupta, B.B., Singh, A.K. et al. Advanced Persistent Threats (APT): evolution, anatomy, attribution and countermeasures. J Ambient Intell Human Comput 14, 9355–9381 (2023). https://doi.org/10.1007/s12652-023-04603-y