A Survey on Advanced Persistent Threat Detection: A Unified Framework, Challenges, and Countermeasures

Abstract

In recent years, frequent Advanced Persistent Threat (APT) attacks have caused disastrous damage to critical facilities, leading to severe information leakages, economic losses, and even social disruptions. Via sophisticated, long-term, and stealthy network intrusions, APT attacks are often beyond the capabilities of traditional intrusion detection methods. Existing methods employ various techniques to enhance APT detection at different stages, but this makes it difficult to fairly and objectively evaluate the capability, value, and orthogonality of available techniques. Overly focusing on hardening specific APT detection stages cannot address some essential challenges from a global perspective, which would result in severe consequences. To holistically tackle this problem and explore effective solutions, we abstract a unified framework that covers the complete process of APT attack detection, with standardized summaries of state-of-the-art solutions and analysis of feasible techniques. Further, we provide an in-depth discussion of the challenges and countermeasures faced by each component of the detection framework. In addition, we comparatively analyze public datasets and outline the capability criteria to provide a reference for standardized evaluations. Finally, we discuss insights into potential areas for future research.