閱讀一篇論文State of the Art Analysis of Defense Techniques against Advanced Persistent Threats摘要其重點如下：

首先簡介一下APT流程包含：
Reconnaissance偵查：了解環境、人員、有價資源、防護機制
Delivery傳遞：透過各種管道，如社交工程、usb、email、釣魚網站，植入惡意程式
Exploitation滲透：持行惡意程式，感染主機，並且主動進行橫向擴散
Operation操作：Hacking動作，包含提權、擴散、毀跡等
Data Collection資料蒐集：蒐集機敏資料，如資料庫、智慧財產資料、信用卡/系統帳密
Exfiltration滲出：將這些資料在通訊行為縝密的偽裝下，一點一點地流出。

使用來偵測APT的資料，文獻所整理出有幫助的特徵包含：packet capture (PCAP)網路封包、TCP attributes

將偵測APT的問題視為建立一個異常分類演算法的問題anomaly classification algorithm.
方法選擇：推薦使用K- Nearest Neighbors and the Correlation-based algorithm.

作者對商用資安廠商所提供的防護機制做了一個比較表如下

有效做法為發展混合型防護機制，包含誘捕系統用來早期偵測以及誤導攻擊者，搭配網路流量監控、多層式的過濾偵測方法，以及持續累積已知威脅攻擊情資，並且推薦發展智慧化的APT 生命週期產生器，作為監控周期的單位。

Quote: “The proposal for a better industrial products will be to use a hybrid system that encompasses the features of honey pots for early detection and misleading for systems which are regularly monitored by a security team, fractal analysis for IT infrastructures involving heavy traffic flows and globally distributed network by backing up with a distributed multi staged detection system, system and attack intelligence for industrial systems and intrusion kill chains clubbed with context behavior in case of middle-sized implementation.”

參考來源
State of the Art Analysis of Defense Techniques against Advanced Persistent Threats
https://www.net.in.tum.de/fileadmin/TUM/NET/NET-2017-09-1/NET-2017-09-1_09.pdf