KWAME NKRUMAH UNIVERSITY OF SCIENCE AND TECHNOLOGY
COLLEGE OF ENGINEERING
COMPUTER ENGINEERING DEPARTMENT
COE 456: SECURE NETWORK SYSTEMS
END OF SEMESTER ASSIGNMENT SERIES: ASSIGNMENT 2
ADVANCED PERSISTENT ATTACKS: A SURVEY
SUBMITTED BY:
BOAKYE BRITWUM BLESSED
5949416
JUNE 25, 2020
ASSIGNMENT 2
INTRODUCTION
REVIEW
    Definition: What is APA?
    Attack Model: How Does APA Work?
    Comparing the Attack Model to Actual Attacks
    Mitigation Techniques
SUMMARY
REFERENCES
5949416: Advanced Persistent Attacks: A Survey
INTRODUCTION
Cyber attacks have inevitably advanced over the years since their inception, alongside the adoption
of the internet into mainstream applications. They have evolved a great deal over the past decades,
growing adaptively from viruses and malware in the early days to malware and botnets in recent times. A
more recent class of such attacks, known as Advanced Persistent Threat (APT) attacks, hereafter
referred to as Advanced Persistent Attacks (APA), has been drawing increasing attention from
researchers, primarily in industrial security. APAs are covert cyber attacks executed by
sophisticated and well-resourced adversaries targeting specific information in high-profile
companies and governments, customarily over a long period.
APAs originally described cyber intrusions that targeted government and military domains [40].
They have, however, evolved and are no longer limited to such organizations, now extending to a
wide range of industries, as highlighted by [1],[2]. Currently, the revenue of the APA protection
market worldwide stands at an estimated 5.2 billion US dollars and is estimated to reach 10.6
billion by 2024 [3]. These reports and statistics show how APAs are fast gaining notoriety in
large-scale cyber intrusions targeting both governments and corporations.
Since APAs are growing and evolving at a high rate, it is prudent and highly pertinent that
the academic community engages with the specifics of the threat and provides objective
and comprehensive approaches to the problem. This report presents the results of a study of the
APA phenomenon and provides a taxonomy of the attack’s phases, mechanisms and
countermeasures.
REVIEW
Definition: What is APA?
According to [4], the United States National Institute of Standards and Technology defines an
APT as “an adversary that possesses sophisticated levels of expertise and significant resources
which allow it to create opportunities to achieve its objectives by using multiple attack vectors
(e.g. cyber, physical and deception). These objectives typically include establishing and
extending footholds within the information technology infrastructure of the targeted
organizations for purposes of exfiltrating information, undermining or impeding critical aspects
of a mission, program or organization; or position itself to carry out these objectives in the
future. The advanced persistent threat: (a) pursues its objectives repeatedly over an extended
period of time; (b) adapts to defenders’ efforts to resist it; and (c) is determined to maintain the
level of interaction needed to execute its objectives.”
It follows that an APA is an attack perpetrated by the stated category of attackers and thus
possesses certain characteristics that make it clearly distinct from traditional attacks. These
characteristics are (a) specific targets and clear objectives; (b) highly organized and
well-resourced actors; (c) a long-term campaign with reiterated attempts; (d) stealthy and evasive
attack techniques. Table 1 summarizes the distinction between traditional threats and APAs for
various attack attributes, as presented by Chen et al. in [40].
Attack Model: How Does APA Work?
APAs are meticulously strategised, usually involving a number of steps. While specific APAs
have unique features, the processes in APAs are similar, differing mostly in the techniques used
at each stage. Chen et al. [40] summarized that a quintessential APA will have the following six
phases: “(a) reconnaissance and weaponization; (b) delivery; (c) initial intrusion; (d) command
and control; (e) lateral movement; (f) data exfiltration.” Figure 1 describes the APA cycle.
Table 1. Comparison of traditional attacks to APAs

| Attribute | Traditional Attacks | APAs |
|-----------|---------------------|------|
| Attacker  | Mostly single person | Highly organized, well-resourced group |
| Target    | Unspecified, mostly individual systems | Specific organizations, states, governmental institutions |
| Purpose   | Financial benefits, show-off | Competitive advantages |
| Approach  | ‘Smash and grab’, short period | Repeated attempts, adapts to resistance, long term |
(i) Reconnaissance and Weaponization. Described similarly by most researchers,
reconnaissance, also referred to as information gathering, is an essential preparation step
before attacks are launched. In this stage, attackers seek to identify and study the targeted
organization, collating as much intelligence as possible about the technical infrastructure and key
personnel in the organization. The information is gathered using Open-Source Intelligence
(OSINT) tools and social engineering techniques. Aside from grabbing information from the
web, attackers might employ big data analytics and data mining techniques to automatically
process the collected data and produce actionable intelligence. The attackers then
devise their plan and prepare the necessary tools based on the intelligence.
(ii) Delivery. As described similarly by [39], [40] and [42], after their reconnaissance and
meticulous preparation attackers deliver their exploits to their targets, whether directly or indirectly. For
direct delivery, attackers send exploits to their targets using various social engineering
techniques like spear phishing. Indirect delivery is rather stealthy: the attackers
compromise a third party that is trusted by the target and then serve their exploits through the
compromised agent. An example is the watering hole attack, which has been used in several APA
campaigns [5],[6].
(iii) Initial Intrusion. This is when APA perpetrators first gain unauthorized access to the target
system/network, according to [39], [40] and [42]. Though attackers might obtain access
credentials through social engineering and use them for “authorized” access, they would
typically execute malicious code that exploits vulnerabilities in a target system. The malicious
code would have been served to the system already in the delivery stage and, after
successful execution, provides access in the intrusion stage. While several APAs [1],[7] have
leveraged zero-day attacks for initial intrusion, many also employed older exploits that target
unpatched applications.
Initial intrusion proves a pivotal phase in an APA, since it is where the actor establishes a
foothold in the target network/system. [39], [40] and [42] add that a successful intrusion
typically results in the installation of backdoors and rootkits on the victim system. The actor
would then connect to the victim network through the backdoor, generating network traffic and
file evidence, and inadvertently providing defenders a chance to detect the attack at an early
phase.
(iv) Command and Control. After successfully installing backdoors on the target network, APA
actors use command and control (C2) mechanisms to gain control of the compromised
systems, thereby enabling further exploitation of the network. In order to
remain covert, attackers usually make use of various legitimate services and publicly
available tools, typically the ones described below:
- Social Networking Sites [8].
- Tor Anonymity Network.
- Remote Access Tools (RATs) [9],[10].
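The reason C2 routed through a legitimate service remains detectable from the defender's side is its regularity: an implant checking in with its controller tends to connect at near-fixed intervals, which ordinary browsing does not. The following is an added example written for this survey, not code from the original report or from any of the cited papers. It assumes a constructed connection log of (unix time, source host, destination) tuples; the function names, the hosts and domains, and the thresholds (at least six connections, coefficient of variation at most 0.1) are all assumptions chosen for illustration.

```python
"""Added example: flagging periodic (beacon-like) outbound connections.

Illustrative code written for this survey, not from any cited paper.
It assumes a constructed connection log of (unix_time, src_host, dst)
tuples and reports a (src, dst) pair whose gaps between connections are
unusually regular.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (not real traffic). The pair ws-17 -> cdn.example.net
# checks in roughly every 300 s with small jitter; ws-03 browses irregularly;
# ws-17 -> mail.example.com is too infrequent to judge.
SAMPLE_LOG = [
    (1000, "ws-17", "cdn.example.net"), (1302, "ws-17", "cdn.example.net"),
    (1598, "ws-17", "cdn.example.net"), (1901, "ws-17", "cdn.example.net"),
    (2199, "ws-17", "cdn.example.net"), (2503, "ws-17", "cdn.example.net"),
    (2800, "ws-17", "cdn.example.net"), (3097, "ws-17", "cdn.example.net"),
    (1010, "ws-03", "news.example.org"), (1045, "ws-03", "news.example.org"),
    (1700, "ws-03", "news.example.org"), (1720, "ws-03", "news.example.org"),
    (2900, "ws-03", "news.example.org"), (2905, "ws-03", "news.example.org"),
    (3300, "ws-03", "news.example.org"), (4100, "ws-03", "news.example.org"),
    (1500, "ws-17", "mail.example.com"), (3200, "ws-17", "mail.example.com"),
]


def group_intervals(log):
    """Return {(src, dst): [gap, ...]} of seconds between consecutive connections."""
    times = defaultdict(list)
    for ts, src, dst in log:
        times[(src, dst)].append(ts)
    intervals = {}
    for pair, stamps in times.items():
        stamps.sort()
        intervals[pair] = [b - a for a, b in zip(stamps, stamps[1:])]
    return intervals


def beacon_score(intervals):
    """Coefficient of variation of the gaps: 0.0 means perfectly periodic.

    Returns None when there are too few gaps to say anything.
    """
    if len(intervals) < 2:
        return None
    avg = mean(intervals)
    return pstdev(intervals) / avg if avg > 0 else None


def find_beacons(log, min_connections=6, max_cv=0.1):
    """Pairs with at least min_connections whose gaps vary by at most max_cv.

    Each hit is (src, dst, mean period in seconds, coefficient of variation).
    """
    hits = []
    for (src, dst), gaps in group_intervals(log).items():
        if len(gaps) + 1 < min_connections:
            continue  # too few connections for a stable estimate
        cv = beacon_score(gaps)
        if cv is not None and cv <= max_cv:
            hits.append((src, dst, round(mean(gaps), 1), round(cv, 3)))
    return sorted(hits)


if __name__ == "__main__":
    for src, dst, period, cv in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: period ~{period}s, cv={cv}")
```

On the constructed log only the ws-17 to cdn.example.net pair is reported. In practice the thresholds have to be tuned per environment, since software update checks and monitoring agents are also periodic; the point of the check is to surface candidates for review, not to block traffic on its own.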
(v) Lateral Movement. In this phase, according to [39], [42], attackers traverse the
network after having established communications between their systems and the C2 servers on
the compromised systems. Here, attackers seek to expand control over the target organization and
consequently enable themselves to discover and collect valuable data. [40] stipulated that lateral
movement typically involves (a) performing internal reconnaissance to access the network; (b)
compromising additional systems in order to harvest credentials and escalate privileges; (c)
identifying and gathering valuable digital assets like development plans, trade secrets, classified
intelligence, etc.
[40] also pointed out that, since attackers want to exfiltrate maximum information over the
attack’s life span and their activities are designed to be stealthy, this phase in the attack cycle
lasts longest. Attackers use the period to delve deeper into the network and make their
activities even more evasive by using legitimate OS features and stealing credentials for
undetectable illegitimate access.
(vi) Data Exfiltration. The primary goal of an APA is realized in this phase, making it
mission critical [40]. Typically, the acquired strategic intelligence is channelled to an internal
staging server, where it is often compressed and encrypted for transmission to external
locations under the attackers’ control. Attackers usually use secure protocols like SSL/TLS, or
leverage the anonymity features of the Tor network, to conceal the transmission process [8].
Attackers also usually cover their tracks by disabling auditing and deleting log entries
on the affected systems (log tampering) [39],[40],[42].
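Each step of the exfiltration phase described above leaves its own trace (an archive built on a staging host, a large transfer to an external address shortly afterwards, auditing switched off or logs cleared), and none of them is conclusive alone. The example below, added for this survey and not taken from the original report or any cited paper, scores hosts by correlating those traces. It assumes a constructed, already-normalised event stream of (unix time, host, event type, detail) tuples; the event type names, the address ranges, the transfer-size and time-window thresholds, and the scoring weights are all assumptions chosen for illustration.

```python
"""Added example: correlating exfiltration-stage indicators per host.

Illustrative code written for this survey, not from any cited paper.
Events are constructed (unix_time, host, event_type, detail) tuples.
"""
from collections import defaultdict

# RFC 5737 documentation ranges stand in for "external" addresses (constructed).
EXTERNAL_PREFIXES = ("203.0.113.", "198.51.100.")
LARGE_TRANSFER_BYTES = 50 * 1024 * 1024   # assumed threshold: 50 MiB
WINDOW_SECONDS = 6 * 3600                 # assumed staging-to-transfer window

# Constructed events. "stage-01" shows the full pattern; "ws-22" only makes
# a large upload to an internal file server and later builds a backup archive.
SAMPLE_EVENTS = [
    (10_000, "stage-01", "archive_created", "C:\\temp\\q3.rar"),
    (10_600, "stage-01", "audit_disabled", "auditpol clear"),
    (11_200, "stage-01", "outbound_transfer", "203.0.113.45:443 bytes=734003200"),
    (12_000, "stage-01", "log_cleared", "Security"),
    (20_000, "ws-22", "outbound_transfer", "10.0.4.8:445 bytes=900000000"),
    (30_000, "ws-22", "archive_created", "D:\\backup\\docs.rar"),
]


def is_external(address):
    """True when the address falls in one of the (constructed) external ranges."""
    return address.startswith(EXTERNAL_PREFIXES)


def parse_transfer(detail):
    """'host:port bytes=N' -> (host, N)."""
    endpoint, size = detail.split(" bytes=")
    return endpoint.rsplit(":", 1)[0], int(size)


def score_hosts(events):
    """Return {host: (score, [reasons])} from the survey's exfiltration indicators.

    Weights: large external transfer +2, archive built within WINDOW_SECONDS
    before it +2, each anti-forensics event (audit off, log cleared) +1.
    """
    by_host = defaultdict(list)
    for ev in sorted(events):
        by_host[ev[1]].append(ev)
    results = {}
    for host, evs in by_host.items():
        score, reasons = 0, []
        archive_times = [t for t, _, kind, _ in evs if kind == "archive_created"]
        for t, _, kind, detail in evs:
            if kind == "outbound_transfer":
                dst, size = parse_transfer(detail)
                if is_external(dst) and size >= LARGE_TRANSFER_BYTES:
                    score += 2
                    reasons.append(f"large external transfer to {dst}")
                    # Staging then transfer: an archive was built shortly before.
                    if any(0 <= t - a <= WINDOW_SECONDS for a in archive_times):
                        score += 2
                        reasons.append("archive created within window before transfer")
            elif kind in ("audit_disabled", "log_cleared"):
                score += 1
                reasons.append(f"anti-forensics: {kind} ({detail})")
        results[host] = (score, reasons)
    return results


def flagged_hosts(events, threshold=4):
    """Hosts whose combined score reaches the (assumed) alert threshold."""
    return sorted(h for h, (s, _) in score_hosts(events).items() if s >= threshold)


if __name__ == "__main__":
    for host, (score, reasons) in score_hosts(SAMPLE_EVENTS).items():
        print(host, score, reasons)
```

Log tampering on the host is exactly why the events should be collected centrally (a SIEM or forwarder) before they can be deleted; a detector that reads the local Security log after it has been cleared sees nothing.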
Figure 1​. The Advanced Persistent Attack Cycle
Comparing the Attack Model to Actual Attacks
In order to ascertain the commonalities in various APAs established in the six-phase model they
proposed, [40] presented a comparison between various APAs reported in sources
[6],[7],[11],[12], shown in Table 2 below.
Table 2. Comparison of Different APAs

| Phase | Double Dragon: APT41 [12] | Operation Snowman [6] | Operation Ke3chang [11] | RSA Breach [7] |
|-------|---------------------------|-----------------------|-------------------------|----------------|
| Active Time | 2012 - 2019 | Unknown - February 2014 | May 2010 - December 2013 | Unknown - March 2011 |
| Recon. and Weaponization | HIGHNOON, SOGU, WIDETONE, built-in Windows commands (ping, netstat, etc.) | Identify weakness in vfw.org, RAT, backdoor | Officials’ emails, trojanized docs, backdoor, and C2 tools | Employees’ emails, zero-day exploits, trojanized docs, backdoor, RAT |
| Delivery | Watering hole attack (compromise websites), spear phishing | Watering hole attack (compromise & infect vfw.org) | Spear phishing (malicious zip file) | Spear phishing (malicious xls file) |
| Initial Intrusion | CHINACHOP, credential theft, CVE-2019-3369, spear phishing, TeamViewer | Drive-by download (CVE-2014-0322) | Victims opened the executable file | xls vulnerability (CVE-2011-0609) |
| Command and Control | ACEHASH, Windows Credential Editor, Mimikatz, Gh0st, HIGHNOON, etc. | ZxShell, Gh0st RAT | Custom C2 protocol based on HTTP | Poison Ivy RAT |
| Lateral Movement | Modification of the legitimate WMI Performance Adapter, scheduled tasks, SOGU, CROSSWALK, etc. | Unknown | Compromised internal systems, collected data | Performed privilege escalation and gathered secure ID data |
| Data Exfiltration | Compressed data using rar, clearing bash history, intellectual property theft, in-game currencies | Unknown, potentially US military intelligence | Compressed and encrypted data as rar files | Compressed and encrypted data as rar files, used FTP for transmission |
Mitigation Techniques
Given the stealthiness and complexity of APAs, no single solution provides
absolute protection. Current best practice involves a wide range of countermeasures, resulting
in multi-tier defenses. The studies reviewed in this report proposed a number of methods for
mitigating APAs, the most recurrent of which are described below:
1. Anomaly Detection [13][41]. There is an expected behavioral pattern in network traffic,
which is presumed to be normal. This method detects deviation from normal by detecting
abnormal behavior. An anomaly detection system provides a baseline for normal network
and system behavior [39].
2. Whitelists [14],[15]. Only a few well-known and trusted domains,
applications, network traffic and processes are granted access while all others are not
considered, limiting unknown processes whether or not they are genuine.
3. Blacklists [16]. A list of known malicious applications and processes is used to
identify and block their operations. This method, the opposite of whitelisting, can only
prevent known threats.
4. Intrusion Detection Systems (IDS) [17]. An intrusion detection technique based on
analysis of service ports, protocols, IP addresses, system events, system calls, etc., which is
aimed at alerting the system’s administrator of suspected breaches.
5. Awareness [18],[19],[38]. Most security breaches exploit the human factor in the
security chain. Since human interactions are inevitable, it is important to sensitize
users to the risks and the importance of confidentiality, while assessing their knowledge
and understanding of information security and its implications.
6. Deception [20],[21],[25]. The art of exploiting truth bias to prevent suspicion, which is
mostly done through devices that hide their true identity. An attacker is made to believe
his efforts are paying off by granting him access to a dummy system or honey device, and is
kept busy until he is tracked.
7. Cryptography [22],[23]. This technique involves changing information into a format that
cannot be understood by other parties. It ensures attackers have no use for
information they have accessed, given that they would not be able to understand it.
8. Traffic/Data Analysis [24],[25],[26],[35]. This technique uses statistical methods to
analyse traffic and data based on network protocol, user category, operations carried out, etc.
9. Security Information and Event Management (SIEM) [27]. SIEM systems collect data for
analysis in an attempt to detect and prevent unauthorized access. The systems apply
multiple statistical operations to make decisions on the data.
10. Pattern Recognition [28],[29]. This technique is based on the premise that malicious
applications have a similar modus operandi and can therefore be traced using these
operational similarities.
11. Risk Assessment [30],[34]. The risks and the possibility of attack posed by an application
are first assessed by monitoring its activities in a controlled environment. The impact value
of the risks and the risk level are then aggregated and used as an aid in highlighting suspected
attacks.
12. Multi-layer Security [31],[32],[33],[36],[37]. Communications in computer systems
involve various layers of specific applications. This method uses multiple defence
mechanisms in an attempt to trap the activities of malicious applications. It combines
techniques like Access Control Lists (ACLs), encryption, redundancy checks, logs, etc.
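Items 1 to 3 above (anomaly detection, whitelists and blacklists) are easiest to compare in code. The following is an added example written for this survey, not the method of any of the cited papers. It learns a per-host baseline (mean and standard deviation of outbound megabytes per day) from a constructed week of normal traffic and reports a day that lies more than three standard deviations above a host's own mean; the two policy functions beside it show the trade-off the list describes, in that a blacklist only stops domains already known to be bad while a whitelist stops everything unknown, benign or not. Host names, domains, volumes, the z-score threshold and the function names are all assumptions.

```python
"""Added example: baseline-and-deviation anomaly check beside allowlist and
blocklist policies.

Illustrative code written for this survey, not from any cited paper.
All data below is constructed.
"""
from statistics import mean, pstdev

Z_THRESHOLD = 3.0  # assumed: report values more than 3 standard deviations above the mean

# Constructed training data: outbound MB per day for seven quiet days per host.
BASELINE_MB = {
    "ws-03": [120, 135, 110, 128, 140, 118, 125],
    "stage-01": [40, 38, 45, 42, 39, 41, 43],
}
# Constructed observation day: ws-03 is a little busier than usual,
# stage-01 pushes out far more than it ever has.
OBSERVED_MB = {"ws-03": 150, "stage-01": 700}


def build_baseline(history):
    """{host: (mean, population std dev)} learned from the training window."""
    return {host: (mean(v), pstdev(v)) for host, v in history.items()}


def z_score(value, avg, sd):
    """Standard deviations above (positive) or below (negative) the baseline mean."""
    if sd == 0:
        return 0.0 if value == avg else float("inf")
    return (value - avg) / sd


def anomalies(history, observed, threshold=Z_THRESHOLD):
    """Hosts whose observed volume deviates upward beyond the threshold.

    A host with no baseline is reported as such rather than silently ignored:
    a new machine cannot be judged normal just because nothing is known about it.
    """
    base = build_baseline(history)
    out = {}
    for host, value in observed.items():
        if host not in base:
            out[host] = "no baseline"
            continue
        avg, sd = base[host]
        z = z_score(value, avg, sd)
        if z > threshold:
            out[host] = round(z, 1)
    return out


# Constructed policy lists for the allowlist/blocklist comparison.
KNOWN_GOOD = {"updates.example.com", "mail.example.com"}
KNOWN_BAD = {"c2.badexample.net"}


def allowlist_decision(domain):
    """Whitelist: only what is explicitly trusted gets through."""
    return "allow" if domain in KNOWN_GOOD else "block"


def blocklist_decision(domain):
    """Blacklist: everything gets through except what is already known bad."""
    return "block" if domain in KNOWN_BAD else "allow"


if __name__ == "__main__":
    print(anomalies(BASELINE_MB, OBSERVED_MB))
    for d in ("mail.example.com", "newsaas.example.org", "c2.badexample.net"):
        print(d, allowlist_decision(d), blocklist_decision(d))
```

On the constructed data only stage-01 is reported; ws-03 at 150 MB sits under three standard deviations from its own mean and stays quiet, which is the property that makes a per-host baseline more useful than one global threshold. The domain newsaas.example.org, unknown to both lists, is blocked by the allowlist and passed by the blocklist, which is the trade-off item 2 and item 3 describe.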
Adelaiye et al. [39] present a pie chart, shown in Figure 2, that classifies the mitigation methods
employed by the 25 researchers studied in their publication.
Figure 2. ​Mitigation Techniques Leveraged by 25 Researchers Against APAs
SUMMARY
Advanced Persistent Attacks are a growing threat to information systems, organizations and
governments. This study has highlighted the anatomy of APAs and the common vulnerabilities
associated with the threat. Having investigated the challenges in securing information systems
against APAs, 12 mitigation techniques highlighted by various researchers were presented, and from the
work done, it is agreed that there is a need to combine some of the methods highlighted to
achieve higher countermeasure efficiency based on their mitigation effectiveness.
APAs are sophisticated, specific and evolving threats, yet certain patterns can be identified in
their process. Traditional countermeasures are needed but are not sufficient for protection
against APAs. In order to mitigate the risks posed by APTs, defenders have to gain a baseline
understanding of the steps and techniques involved in the attacks, and develop new capabilities
that address the specifics of APT attacks.
REFERENCES
1. McAfee Labs, “Protecting Your Critical Assets: Lessons Learned from ‘Operation Aurora’,” McAfee Inc., Santa Clara, CA 95054, 2010. [Online]. Available: https://www.wired.com/images_blogs/threatlevel/2010/03/operationaurora_wp_0310_fnl.pdf
2. Global Research and Analysis Team, “APT trends report Q1 2019,” April 2019. Accessed on June 11, 2020. [Online]. Available: https://securelist.com/apt-trends-report-q1-2019/90643/
3. Statista, “Advanced persistent threat global market size 2015-2024,” 2019. Accessed on June 11, 2020. [Online]. Available: https://www.statista.com/statistics/497945/advanced-persistent-threat-market-worldwide/
4. NIST, “Managing Information Security Risk: Organization, Mission, and Information System View,” SP 800-39, 2011.
5. Haq, T. and Khalid, Y., “Internet Explorer 8 Exploit Found in Watering Hole Campaign Targeting Chinese Dissidents,” 2013.
6. Kindlund, D., et al., “Operation SnowMan: DeputyDog Actor Compromises US Veterans of Foreign Wars Website,” FireEye, 2014. [Online]. Available: https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/Operation_SnowMan.pdf
7. Rivner, U., “Anatomy of an Attack,” 2011. Accessed on June 10, 2020. [Online]. Available: https://blogs.rsa.com/anatomy-of-an-attack/
8. Information Warfare Monitor and Shadowserver Foundation, “Shadows in the Cloud: Investigating Cyber Espionage 2.0,” 2010. [Online]. Available: https://citizenlab.ca/wp-content/uploads/2017/05/shadows-in-the-cloud.pdf
9. Bennett, J.T., et al., “Poison Ivy: Assessing Damage and Extracting Intelligence,” FireEye Inc., Milpitas, CA 95035, 2013. [Online]. Available: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf
10. Villeneuve, N. and Bennett, J.T., “XtremeRAT: Nuisance or Threat,” FireEye Inc., Milpitas, CA 95035, 2014. [Online]. Available: https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html
11. Villeneuve, N., et al., “Operation Ke3chang: Targeted Attacks Against Ministries of Foreign Affairs,” FireEye Inc., Milpitas, CA 95035, 2013. [Online]. Available: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf
12. FireEye, “Double Dragon: APT41, a Dual Espionage and Cyber Crime Operation,” 2019.
13. V. Mahadevan, W. Li, V. Bhalodia and N. Vasconcelos, “Anomaly detection in crowded scenes,” 2010 IEEE Computer Society Conference on Computer Vision and Pattern Recognition, San Francisco, CA, 2010, pp. 1975-1981, doi: 10.1109/CVPR.2010.5539872.
14. Jun Ho Huh, John Lyle, Cornelius Namiluko, and Andrew Martin, “Managing application whitelists in trusted distributed systems,” Future Generation Computer Systems, 27(2):211–226, Feb. 2011.
15. Jian Wu, Pradeep Teregowda, Juan Pablo Fernández Ramírez, Prasenjit Mitra, Shuyi Zheng, and C. Lee Giles, “The evolution of a crawling strategy for an academic document search engine,” in Proceedings of the 3rd Annual ACM Web Science Conference, ACM Press, 2012.
16. Benjamin Edwards, Tyler Moore, George Stelle, Steven Hofmeyr, and Stephanie Forrest, “Beyond the blacklist: modeling malware spread and the effect of interventions,” in Proceedings of the 2012 Workshop on New Security Paradigms, pp. 53–66, ACM Press, 2012.
17. Ibrahim Ghafir and Vaclav Prenosil, “Proposed approach for targeted attacks detection,” Lecture Notes in Electrical Engineering, pp. 73–80, Springer International Publishing, December 2016.
18. Bulgurcu, Cavusoglu, and Benbasat, “Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness,” MIS Quarterly, 34(3):523, 2010.
19. Shari Lawrence Pfleeger, M. Angela Sasse, and Adrian Furnham, “From weakest link to security hero: Transforming staff security behavior,” Journal of Homeland Security and Emergency Management, 11(4), January 2014.
20. Kara Nance and Matt Bishop, “Introduction to deception, digital forensics, and malware minitrack,” in Proceedings of the 50th Hawaii International Conference on System Sciences (2017), Hawaii International Conference on System Sciences, 2017.
21. Lyn M. Van Swol, Michael T. Braun, and Miranda R. Kolb, “Deception, detection, demeanor, and truth bias in face-to-face and computer-mediated communication,” Communication Research, 42(8):1116–1142, April 2013.
22. Christian Cachin, Marko Vukolic Sorniotti, and Thomas Weigold, “Blockchain, Cryptography, and Consensus,” 2016.
23. Chris Peikert, “A decade of lattice cryptography,” Foundations and Trends in Theoretical Computer Science, 10(4):283–424, 2016.
24. Mauro Conti, Luigi V. Mancini, Riccardo Spolaor, and Nino Vincenzo Verde, “Can’t you hear me knocking: Identification of user actions on android apps via traffic analysis,” in Proceedings of the 5th ACM Conference on Data and Application Security and Privacy, pp. 297–304, ACM, 2015.
25. N. Virvilis and D. Gritzalis, “The Big Four - What We Did Wrong in Advanced Persistent Threat Detection?,” 2013 International Conference on Availability, Reliability and Security, Regensburg, 2013, pp. 248-254, doi: 10.1109/ARES.2013.32.
26. Yunfei Su, Mengjun Li, ChaoJing Tang, and Rongjun Shen, “A framework of APT detection based on dynamic analysis,” in Proceedings of the 2015 4th National Conference on Electrical, Electronics and Computer Engineering, Atlantis Press, 2016.
27. Luigi Coppolino, Michael Jäger, Nicolai Kuntze, and Roland Rieke, “A trusted information agent for security information and event management,” Security Analysis of System Behaviour, p. 265, 2014.
28. J. Wright, Y. Ma, J. Mairal, G. Sapiro, T. S. Huang and S. Yan, “Sparse Representation for Computer Vision and Pattern Recognition,” in Proceedings of the IEEE, vol. 98, no. 6, pp. 1031-1044, June 2010, doi: 10.1109/JPROC.2010.2044470.
29. Y. Wang, J. Liu and Z. Huang, “A Network Gene-Based Framework for Detecting Advanced Persistent Threats,” 2014 Ninth International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, Guangdong, 2014, pp. 97-102, doi: 10.1109/3PGCIC.2014.41.
30. Chi-Chun Lo and Wan-Jia Chen, “A hybrid information security risk assessment procedure considering interdependences between controls,” Expert Systems with Applications, 39(1):247–257, Jan. 2012.
31. G. Geraci, H. S. Dhillon, J. G. Andrews, J. Yuan and I. B. Collings, “Physical Layer Security in Downlink Multi-Antenna Cellular Networks,” in IEEE Transactions on Communications, vol. 62, no. 6, pp. 2006-2021, June 2014, doi: 10.1109/TCOMM.2014.2314664.
32. Daesung Moon, Hyungjin Im, Jae Lee, and Jong Park, “MLDS: Multi-layer defense system for preventing advanced persistent threats,” Symmetry, 6(4):997–1010, Dec. 2014.
33. Xue Yang, Zhihua Li, Zhenmin Geng, and Haitao Zhang, “A multi-layer security model for Internet of Things,” Internet of Things, pp. 388–393, Springer Berlin Heidelberg, 2012.
34. G. G. Granadillo, J. Garcia-Alfaro, H. Debar, C. Ponchel and L. R. Martin, “Considering technical and financial impact in the selection of security countermeasures against Advanced Persistent Threats (APTs),” 2015 7th International Conference on New Technologies, Mobility and Security (NTMS), Paris, 2015, pp. 1-6, doi: 10.1109/NTMS.2015.7266480.
35. Ibrahim Ghafir, Vaclav Prenosil, Mohammad Hammoudeh, Francisco J. Aparicio-Navarro, Khaled Rabie, and Ahmad Jabban, “Disguised executable files in spear-phishing emails,” in Proceedings of the 2nd International Conference on Future Networks and Distributed Systems - ICFNDS, ACM Press, 2018.
36. P. Bhatt, E. T. Yano and P. Gustavsson, “Towards a Framework to Detect Multi-stage Advanced Persistent Threats Attacks,” 2014 IEEE 8th International Symposium on Service Oriented System Engineering, Oxford, 2014, pp. 390-395, doi: 10.1109/SOSE.2014.53.
37. Paul Giura and Wei Wang, “Using large scale distributed computing to unveil advanced persistent threats,” Science J, 1(3):93–105, 2012.
38. Z. S. Zainudin and N. Nuha Abdul Molok, “Advanced Persistent Threats Awareness and Readiness: A Case Study in Malaysian Financial Institutions,” 2018 Cyber Resilience Conference (CRC), Putrajaya, Malaysia, 2018, pp. 1-3, doi: 10.1109/CR.2018.8626835.
39. Adelaiye, Oluwasegun, Ajibola, Aminat, and Silas, Faki, “Evaluating Advanced Persistent Threats Mitigation Effects: A Review,” International Journal of Information Security Science, Vol. 7, No. 4, pp. 159-171, 2018.
40. Chen P., Desmet L., Huygens C., “A Study on Advanced Persistent Threats,” in: De Decker B., Zúquete A. (eds), Communications and Multimedia Security, CMS 2014, Lecture Notes in Computer Science, vol. 8735, Springer, Berlin, Heidelberg, 2014.
41. D. Goodman and X. Jay, “Web-APT-Detect: A Framework For Web-based Advanced Persistent Threat Detection Using Self-translation Machine With Attention,” in IEEE Letters of the Computer Society, doi: 10.1109/LOCS.2020.2998185.
42. A. Alshamrani, S. Myneni, A. Chowdhary and D. Huang, “A Survey on Advanced Persistent Threats: Techniques, Solutions, Challenges, and Research Opportunities,” in IEEE Communications Surveys & Tutorials, vol. 21, no. 2, pp. 1851-1877, Second Quarter 2019, doi: 10.1109/COMST.2019.2891891.