APT beaconing detection: A systematic review

Advanced Persistent Threat (APT) is a type of threat that has grabbed the attention of researchers, partic-ularly in the industrial security field. APTs are cyber intrusions carried out by skilled and well-resourced adversaries who target specific information in high-profile organizations and governments, frequently as part of a multi-phase long-term operation. One of the phases of the APT process is the command-and -control (C&C) phase, also known as beaconing. Beaconing is an important part of an APT lifecycle, where the adversaries establish channels with the compromised hosts in the targeted system, allowing them to launch additional attacks. Detecting and predicting this stage is therefore a practical way to guard against APTs. This paper discusses the techniques and methods used to detect APTs and also specifically to identify beaconing, either during the APT lifecycle or not. In it, we determine various artificial intelli-gence algorithms used for detecting, analyzing and comparing characteristics of datasets and data sources used to implement these detection techniques. Moreover, we present the strengths and challenges of var-ious APT/beaconing detection methods. Finally, this study outlines many cybersecurity vendor projects that have been created to identify APT or beaconing operations, categorized according to the detection approach utilized.(c) 2022 Elsevier Ltd. All rights reserved.