TY - JOUR
T1 - A Survey on Advanced Persistent Threat Detection
T2 - A Unified Framework, Challenges, and Countermeasures
AU - Zhang, Bo
AU - Gao, Yansong
AU - Kuang, Boyu
AU - Yu, Changlong
AU - Fu, Anmin
AU - Susilo, Willy
N1 - Publisher Copyright:
© 2024 Copyright held by the owner/author(s). Publication rights licensed to ACM.
PY - 2025/3
Y1 - 2025/3
N2 - In recent years, frequent Advanced Persistent Threat (APT) attacks have caused disastrous damage to critical facilities, leading to severe information leakages, economic losses, and even social disruptions. Via sophisticated, long-term, and stealthy network intrusions, APT attacks are often beyond the capabilities of traditional intrusion detection methods. Existing methods employ various techniques to enhance APT detection at different stages, but this makes it difficult to fairly and objectively evaluate the capability, value, and orthogonality of available techniques. Overly focusing on hardening specific APT detection stages cannot address some essential challenges from a global perspective, which would result in severe consequences. To holistically tackle this problem and explore effective solutions, we abstract a unified framework that covers the complete process of APT attack detection, with standardized summaries of state-of-the-art solutions and analysis of feasible techniques. Further, we provide an in-depth discussion of the challenges and countermeasures faced by each component of the detection framework. In addition, we comparatively analyze public datasets and outline the capability criteria to provide a reference for standardized evaluations. Finally, we discuss insights into potential areas for future research.
AB - In recent years, frequent Advanced Persistent Threat (APT) attacks have caused disastrous damage to critical facilities, leading to severe information leakages, economic losses, and even social disruptions. Via sophisticated, long-term, and stealthy network intrusions, APT attacks are often beyond the capabilities of traditional intrusion detection methods. Existing methods employ various techniques to enhance APT detection at different stages, but this makes it difficult to fairly and objectively evaluate the capability, value, and orthogonality of available techniques. Overly focusing on hardening specific APT detection stages cannot address some essential challenges from a global perspective, which would result in severe consequences. To holistically tackle this problem and explore effective solutions, we abstract a unified framework that covers the complete process of APT attack detection, with standardized summaries of state-of-the-art solutions and analysis of feasible techniques. Further, we provide an in-depth discussion of the challenges and countermeasures faced by each component of the detection framework. In addition, we comparatively analyze public datasets and outline the capability criteria to provide a reference for standardized evaluations. Finally, we discuss insights into potential areas for future research.
KW - Advanced persistent threat
KW - artificial intelligence
KW - causality analysis
KW - intrusion detection
KW - system security
UR - https://www.scopus.com/pages/publications/85211373575
U2 - 10.1145/3700749
DO - 10.1145/3700749
M3 - Article
AN - SCOPUS:85211373575
SN - 0360-0300
VL - 57
JO - ACM Computing Surveys
JF - ACM Computing Surveys
IS - 3
M1 - 62
ER -