
INTRODUCTION

Advanced Persistent Threats (APTs) are a significant cyber security threat that can
have severe consequences for multinational corporations, governments, and the public. These
attacks involve persistent, multi-stage intrusions against a target, compromising
organizations by retrieving information and causing maximum loss in terms of finance and
cyber damage (Chang, K., 2019).

The Advanced Persistent Threat (APT) attack is a security threat created by the U.S.
Air Force Command in 2006 to facilitate smooth communication with government agencies.
It is a type of global hacking attack that targets specific companies or organizations, taking
the form of a stealthy and continuous attack. An APT attack is characterized by an intelligent
and continuous threat, using a considerable amount of expertise and resources to create
opportunities with various attack methods to achieve specific goals. Unlike traditional cyber
threats, which can be remotely controlled and executed, an APT attack takes a long time to
detect because of its clearly defined target and continuous attacks at various times (Sakthivelu, U., 2023b).

APT attack detection faces several challenges, including long-duration attacks,
malware detection, powerful and determined attackers, lack of dedicated APT network
intrusion datasets, infrastructure-oriented threats, and adversarial machine learning (AML)-
based attack detection methods. APT is a complex and targeted attack method that poses an
enormous challenge to network information security systems. It is much more advanced than
independent hackers and has strong shielding ability, making it difficult for traditional
methods to detect and put up a defense. It is also persistent: the attack is continuous and of
long duration, making it difficult for single, point-based detection techniques to handle.
Because APT activity is carried within big data, it brings a series of difficulties to APT detection and
protection; at the same time, big data can be used to test for and respond to APTs. If comprehensive information
data at all levels and stages is collected, different data can be used to find different stages for
APT analysis (Yim, K., 2023).

An APT is an ongoing, secretive attack using innovative hacking methods to access a system and
stay inside for a long period. Typical attackers include cyber criminals like APT34 and
APT28, from Iran, the Middle East, and North Korea. APT attackers focus on countries and
large organizations, systematically exfiltrating information over long periods. They have
longer dwell times, either chipping away at objectives or waiting for the right moment. APT
attackers often target organizations in developed countries, aiming to gain intelligence or
vital information to damage a larger system or gain a competitive advantage. Powerful and
determined attackers can easily build complex tools or strategies to break down defense
systems, especially given the invention and availability of resources. A dedicated APT
network intrusion dataset is needed for efficient investigation, as most datasets do not capture
hosts being compromised gradually. Infrastructure-oriented threats, such as correlating events,
large interconnections, and data exfiltration techniques, also pose challenges in detecting and
preventing APT attacks.

Various tactics, techniques, and procedures (TTPs) are used in each stage of an APT
attack, each stage advancing the attack to the next. The term "tactics" refers to the method used by the
APT to execute the attack from beginning to end; the techniques used by the APT during its
attack describe its technological strategy; and the "procedure" of an APT describes the
steps used by the attacker to achieve its objectives.

The key contributions of this work include the development of a forward-backward
inference online algorithm to assess the state of IT assets, the proposed general-sum Markov
game based on dynamic Bayesian inference with insufficient detection information, and
numerical simulations that confirm the effectiveness of the algorithms in inferring potential
threats and improving security utility by about 10% compared to the state-of-the-art.

Cyber threats, particularly advanced persistent threats (APTs), pose a significant
threat to internet users. To prevent these attacks, a common tool is the Remote Desktop
Protocol (RDP). This study identifies and mitigates malicious attacks in RDP using event
logs in Windows. Multiple datasets are combined to overcome individual dataset limitations
while maintaining attack models. A supervised learning algorithm detects anomalous RDP
sessions using relevant features.
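As an added example of the approach sketched above (not code from the study), the block below turns constructed Windows Security log records into per-session RDP features and labels each session with a small hand-written nearest-centroid classifier; event IDs 4624 (successful logon), 4625 (failed logon) and LogonType 10 (RemoteInteractive, i.e. RDP) are real Windows values, while the events, training vectors and classifier are assumptions made for the example.

```python
"""Per-session RDP feature extraction plus a tiny supervised classifier.
Constructed Windows-style logon records; the nearest-centroid model stands in
for the supervised learner the study describes and needs no third-party code.
"""
from collections import defaultdict
import math

# Constructed events: (event_id, logon_type, user, source_ip, hour_of_day)
EVENTS = [
    (4624, 10, "alice", "10.0.0.5", 9),          # daytime interactive RDP logon
    (4624, 10, "bob", "10.0.0.7", 14),
    (4625, 10, "admin", "198.51.100.9", 3),      # three failures, then success
    (4625, 10, "admin", "198.51.100.9", 3),      # from one source at 03:00
    (4625, 10, "admin", "198.51.100.9", 3),
    (4624, 10, "admin", "198.51.100.9", 3),
    (4624, 2, "dave", "10.0.0.9", 8),            # LogonType 2 is local: ignored
]
# Constructed labelled training vectors: [failed, succeeded, off_hours]
LABELED = [
    ([0, 2, 0], "benign"), ([1, 1, 0], "benign"), ([0, 1, 0], "benign"),
    ([5, 1, 1], "malicious"), ([8, 0, 1], "malicious"), ([3, 1, 1], "malicious"),
]

def session_features(events):
    """Aggregate RDP (LogonType 10) events per (user, source_ip) into a vector."""
    feats = {}
    for eid, ltype, user, ip, hour in events:
        if ltype != 10:                       # keep only RDP logons
            continue
        vec = feats.setdefault((user, ip), [0.0, 0.0, 0.0])
        if eid == 4625:
            vec[0] += 1                       # failed attempts from this source
        elif eid == 4624:
            vec[1] += 1                       # successful sessions
            if hour < 6 or hour > 20:
                vec[2] = 1.0                  # success outside working hours
    return feats

def train_centroids(labeled):
    """Mean feature vector per class (nearest-centroid training)."""
    sums, counts = defaultdict(lambda: [0.0, 0.0, 0.0]), defaultdict(int)
    for vec, label in labeled:
        for i, v in enumerate(vec):
            sums[label][i] += v
        counts[label] += 1
    return {lab: [s / counts[lab] for s in sums[lab]] for lab in sums}

def classify_sessions(events, centroids):
    """Label each session by its nearest class centroid (Euclidean distance)."""
    return {key: min(centroids, key=lambda lab: math.dist(vec, centroids[lab]))
            for key, vec in session_features(events).items()}
```

The failed-then-successful off-hours burst from the external address is the only session that lands nearer the malicious centroid; the local (LogonType 2) logon never enters the feature set.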
Case Studies

Advanced Persistent Threats (APTs) pose significant challenges for organizations.
Machine learning models, such as supervised learning and deep learning, can identify subtle
attack patterns and predict new forms. Real-time runtime analysis frameworks like Stream
Spot and UNICORN can detect APTs with high accuracy and low false-positive rates.
Provenance graphs, which track network activity and resource relationships, can also be used
for APT detection. However, high-volume data processing and the reconstruction of lateral
movement remain challenges for these methods.
These models focus on reducing latency and defending against covert APT behaviors
by analyzing data across multiple hosts in a network.
Related work in cybersecurity includes the use of the attack graph model and game theory for
risk assessment with limited detection information. Accurate reasoning algorithms and
approximate reasoning algorithms have been widely adopted, and virtual machines can be
used to estimate the probability of a cyber-attack.
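To make the provenance-graph idea above concrete, here is an added example (not from any of the surveyed papers) that builds a dependency graph from a constructed host audit trail and traces backwards from an alert to the entry point of the activity; the event shape and the chain of events are assumptions made for the example, not a real log format.

```python
"""Minimal provenance graph: reverse dependency edges from audit events, then a
backward trace from an alert node to the root(s) that led to it."""
from collections import deque

# Constructed audit trail: (subject, action, object). Not a real log format.
AUDIT = [
    ("outlook.exe", "wrote", "invoice.docm"),      # attachment saved to disk
    ("outlook.exe", "spawned", "winword.exe"),
    ("winword.exe", "read", "invoice.docm"),
    ("winword.exe", "spawned", "powershell.exe"),  # Office spawning a shell
    ("powershell.exe", "wrote", "update.exe"),
    ("powershell.exe", "spawned", "update.exe"),
    ("update.exe", "connected", "203.0.113.7:443"),  # the alerted connection
    ("explorer.exe", "spawned", "notepad.exe"),    # unrelated activity
]

def build_graph(events):
    """Reverse adjacency: node -> set of nodes whose activity flowed into it."""
    parents = {}
    for subj, action, obj in events:
        parents.setdefault(subj, set())
        parents.setdefault(obj, set())
        if action in ("wrote", "spawned", "connected"):
            parents[obj].add(subj)        # subject influenced the object
        elif action == "read":
            parents[subj].add(obj)        # file content influenced the reader
    return parents

def backward_trace(parents, alert):
    """Breadth-first walk over reverse edges; returns every ancestor of alert."""
    seen, queue = set(), deque([alert])
    while queue:
        node = queue.popleft()
        for p in parents.get(node, ()):
            if p not in seen:
                seen.add(p)
                queue.append(p)
    return seen

def roots(parents, alert):
    """Ancestors with no parents of their own: the entry points of the chain."""
    return {n for n in backward_trace(parents, alert) if not parents.get(n)}
```

The trace from the outbound connection reaches the mail client through the document and the shell, while the unrelated explorer/notepad activity stays outside the result, which is the pruning that makes provenance analysis usable on high-volume data.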

This study develops an attack detection system that enables early discovery of
Advanced Persistent Threat (APT) attacks. The system uses the NSL-KDD database for
attack detection and verification, with principal component analysis (PCA) as the main
method for feature sampling and enhancement of detection efficiency. The advantages and
disadvantages of several classifiers on the dataset are then compared, and the support
vector machine (SVM) is found to have the highest recognition rate, reaching 97.22% (for the
trained sub-dataset A).

To overcome the lack of dedicated datasets, synthetic datasets are generated by simulating user and attacker behavior,
but these datasets may not fully depict real-world user behavior. Datasets are crucial for
training and testing machine learning algorithms. The main limitations of generic intrusion
datasets and systems include capture of attack traffic only at external endpoints, ineffectiveness
when attack vectors are within internal networks, and inefficiency in resizing real-world
settings in semi-supervised learning. Real-time detection and prevention systems are limited,
and most existing systems work on post-infiltration scenarios.

Facing increasingly severe security threats from APTs, corresponding ACD systems and
risk mitigation methods are critical research issues to be solved. There are two obstacles to
preventing APT attacks in dynamic environments: the uncertainty of the attacker's current state
and the uncertainty of the attacker's strategies. The feasibility of defense depends on both the
attacker's and defender's behaviors, and the defender should consider as many methods of
attack as possible. Current ACD systems' risk assessment and mitigation approaches are
highly effective since they are tailored to known attack strategies. However, it has not been
established that they can reliably select optimal defense strategies under uncertain types or
strengths of attack.

APT attack detection can be classified into two models, based on the host and on network
traffic. Host-based detection systems use classification models and algorithms to analyze
network connectivity, CPU usage, memory access, and process creation. Network traffic-
based detection collects communication traffic data and analyzes it by feature extraction and
detection. Neural networks have been observed to deal with attack recognition effectively,
with deep neural networks often dealing better with real-time APT attacks due to their high
complexity and limitations.

Conclusion

This paper analyzes attack scenarios involving malicious code and surveys detection
methods, classifying them into various categories. The paper presents attack scenarios based on
APT attacks, analyzing the methods used in these attacks. The paper also discusses the
techniques employed when using malicious code, including phishing emails, exploiting
vulnerabilities in programs like Microsoft Office, and using a variety of detection methods.
This article focuses on the latest malware detection technologies, classifying and analyzing
overall malicious code detection technologies without being limited to a specific method, and
presenting actual attack scenarios. The authors expect this article to be helpful in developing
effective malicious code detection technologies against various attacks in the future.

It is organized into sections focusing on risk mitigation using the attack graph and game
theory in cyber-security, the threat model and the proposed IBAAT defense
architecture, the attack and defense model on the Bayesian Attack Graph (BAG), the proposed
threat mitigation algorithm, and the performance of IBAAT.

The authors present a systematic literature review on Advanced Persistent Threat (APT) behavior
during targeted, multi-stage, and covert attacks. Four key themes are identified, including
detection strategies and stealthy nature. The authors propose an enhanced APT detection
technique that incorporates the correlation between APT attributes and network
vulnerabilities.
