Exploration of Mobile Device Behavior for Mitigating Advanced Persistent Threats (APT): A Systematic Literature Review and Conceptual Framework

During the last several years, the Internet of Things (IoT), fog computing, computer security, and cyber-attacks have all grown rapidly on a large scale. Examples of IoT include mobile devices such as tablets and smartphones. Attacks can take place that impact the confidentiality, integrity, and availability (CIA) of information. One such attack is the Advanced Persistent Threat (APT). Attackers can manipulate a device’s behavior, applications, and services, and such manipulations show up as a deviation from a known behavioral baseline for smartphones. In this study, the authors present a Systematic Literature Review (SLR) to survey the existing literature on APT defense mechanisms, find research gaps, and recommend future directions. The scope of this SLR covers a detailed analysis of most cybersecurity defense mechanisms and cutting-edge solutions. In this research, 112 papers published from 2011 until 2022 were analyzed. This review has explored different approaches used in cybersecurity and their effectiveness in defending against APT attacks. In conclusion, we recommend a Situational Awareness (SA) model known as Observe–Orient–Decide–Act (OODA) to provide a comprehensive solution for monitoring the device’s behavior for APT mitigation.


Introduction
The rapid expansion of the Internet of Things (IoT) and its ability to provide a broad variety of services make it the fastest-growing technology with a substantial impact on both business environments and social life [1]. Examples of IoT include mobile devices such as tablets and smartphones [2]. Smartphones have encroached on every aspect of modern life as they store personal and financial information, as well as information about companies and product marketing and development. However, the mobile nature of the smartphone, which means its physical location changes frequently [3], the diverse end-point devices with multiple Operating Systems (OS) and distributed heterogeneous networks [4,5], and the limited resources with restricted computing power, minimal storage capacity, and very specific energy resources [6,7], lead to a lack of security and privacy protection that can be embedded into the smartphone. As a result, it is easy for smartphones to suffer cyber and physical attacks [7].
One type of attack that occurs on a smartphone is known as an Advanced Persistent Threat (APT). This is a sophisticated and specifically targeted attack with the aim of data theft, disrupting the targeted system, or both [3]. In order to compromise the targeted system, APTs employ social engineering techniques to collect the required information about the target. APTs then employ either cyber techniques such as spear phishing and watering holes or physical attacks to deliver the payload to the targeted system. Instead of directly executing a large number of activities, only a few essential activities are performed.

1. Some of the detection solutions lack APT detection for every stage of the attack life cycle. Work done by Mohammad and Belaton [13] focused on the credential dumping technique, monitoring the CPU, RAM, Windows Registry, and file systems in order to detect APTs. However, the authors only focused on one stage of the APT (the credential access stage) and did not provide a comprehensive solution to detect APTs in all stages of the APT life cycle.
2. Some of the detection solutions are ineffective at detecting APTs. Friedberg et al. [16] and Han et al. [17] proposed intrusion detection systems (IDS) that model the device behavior in order to detect APTs using system events. However, these techniques might raise false positive alarms when normal system behavior changes.
3. Some of the detection solutions are inefficient in detecting APTs. Luh et al. [15] proposed AIDIS, an Advanced Intrusion Detection and Interpretation System for APT detection and classification using Machine Learning techniques. However, this solution may not be capable of early detection of APTs.
4. Most APT detection solutions focus only on a group of users instead of individual user protection. Indeed, the risk associated with each device's behavior varies according to the user's behavior [18].
5. Most APT detection solutions fail to adopt any cyber security framework such as those of the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) [19]. These detection solutions are not comprehensive enough to detect APTs. NIST is an example of a cyber-security framework [20]. It categorizes cybersecurity capabilities into five core functions (Identify, Protect, Detect, Respond, and Recover) to organize and improve cybersecurity models [20]. Measured against NIST, most solutions fail to include the Identify function, which means the existing APT detection solutions are unable to quantify the risk related to the vulnerabilities exploited by the attack. In addition, these APT solutions fail to include the Protect function, as they do not provide a function to prevent data leakage [21] or APT lateral movement [22].

1. Advanced: The adversary is familiar with infiltration tools and may create its own exploits [28];
2. Persistent: The adversary plans to carry out a task, get instructions, and achieve certain objectives [28];
3.

Because of their targeted nature, advanced attackers have intents and objectives that differ from those of traditional attacks. As shown in Table 1, the differences between APTs and traditional malware attacks are drawn along the APT features considered here: the attack definition, attacker, target, purpose, and attack life cycle [29].

Table 1. Differences between APTs and traditional malware attacks.

Characteristics | Advanced Persistent Threats | Traditional Malware Attacks
Attack definition | APT is a highly sophisticated, well-organized, and well-targeted attack (e.g., Stuxnet). | The term "malware" refers to software intended to attack and disrupt digital systems (e.g., ransomware).
Attacker | Government actors and organized criminal groups. | A cracker (a hacker engaged in illegal activities).
Target | Targets a wide range of businesses and organizations, including diplomatic organizations, the information technology sector, and others. | Targets any personal or business device.
Purpose | The purpose of this attack is to damage a specified target or steal sensitive data. | The purpose of this attack is financial gain.
Attack life cycle | Maintains persistence for as long as possible using different concealment tools. | The malware is eliminated when it is identified by security tools (e.g., anti-virus software).

Advanced Persistent Threat Process
Each APT campaign is unique in its behavior, and attacks are customized to a specific victim or organization [24]. Generally, in the APT attack process, after collecting the required information about the target, the first step is establishing a point of entry into the network [28]. Then, malicious software that is customized to a specific target creates a communication network that enables attackers to inject malicious code. In a stealthy fashion, this malicious software moves sideways through the system, sniffing for security vulnerabilities and exploiting them in order to infect other network systems. In addition, the malicious software creates copies of itself in order to preserve persistence inside the targeted system. As a result, APTs may establish new connections until they achieve their goal of either surveillance with data theft or disrupting the targeted system.
One example is the FrozenCell attack life cycle on mobile devices, which has been described in the MITRE framework [30]. In the FrozenCell analysis, MITRE presents the TTP of an APT attack, consisting of six stages (tactics): (1) Initial Access, (2) Defense Evasion, (3) Credential Access, (4) Discovery, (5) Collection, and (6) Exfiltration [30]. The stages between "Initial Access" and "Exfiltration" do not have to take place in the same sequence every time. FrozenCell is a multi-platform attack called "Two-tailed Scorpion/APT-C-23" utilized to surveil compromised mobile devices and desktop users [30]. The FrozenCell attack life cycle is illustrated in Figure 1 below.
1. Initial Access-The APT attack initially accesses the system using spear phishing with malicious executables that impersonate chat application updates such as Facebook, WhatsApp, and Messenger, in addition to applications that target Middle Eastern countries, using the "Masquerade as Legitimate Application" technique;
2. Defense Evasion-After successfully accessing the targeted system, FrozenCell downloads and installs additional applications using the "Download New Code at Runtime" technique and establishes communication with a command and control (C&C) server controlled by the APT attackers;
3. Credential Access-FrozenCell reads SMS messages and retrieves account information for other applications using the "Access Stored Application Data" and "Capture SMS Messages" techniques;
4. Discovery-FrozenCell searches for pdf, doc, docx, ppt, pptx, xls, and xlsx file types using the "File and Directory Discovery" technique. In addition, geolocation services for mobile towers are utilized by FrozenCell to track targets via the "Location Tracking" technique. Furthermore, FrozenCell captures the device manufacturer, model, and serial number, as well as phone information such as cell location, mobile country code (MCC), and mobile network code (MNC), using the "System Information Discovery" and "System Network Configuration Discovery" techniques;
5. Collection-FrozenCell gathers the required information such as application account information, recorded calls, SMS messages, device images, and the location of the target;
6. Exfiltration-FrozenCell compresses and encrypts data before exfiltration by using password-protected .7z archives.

Common Device Behavioral Sources Used for Attack Detection
By 2025, 64 billion IoT devices will be connected to varied cutting-edge environments including smart cities, Industry 4.0, and crowdsensing (e.g., Flightradar24, OpenSky, ElectroSense) [31]. Because each of these environments has its own set of characteristics regarding devices, data, communication channels, and purposes, it is more difficult to meet their common challenges: optimizing device performance and providing an accurate service. To overcome these challenges, behavioral data science has evolved from studying theoretical and empirical issues regarding human behavior [32] to conquering the cyber world and providing a promising alternative to model device behaviors [33]. A device's behavior could be classified as normal or abnormal based on how it operates [8].
In general, two main behavioral sources (external and in-device behavior) have been used to collect device behavior patterns in order to identify the suspicious activity that leads to abnormal device behavior [12]. Figure 2 illustrates the common device behavior solutions life cycle through three stages, including device behavior monitoring, behavior processing and evaluation, and APT detection.

Device Behavior Monitoring
The first step is to monitor and collect the device behavior sources, which include in-device behavior and externally-collected behavior sources, as shown in Figure 3.
1. Externally-collected behavior sources-This category contains an external device (a proxy or a gateway) that monitors devices and collects network-based data [12].
   • Network communications-From the perspective of the network's communications, a diverse range of behavioral features can be collected from the network packets. These behavioral features depend on the traffic inspection granularity and the TCP/IP layers collected [34,35].
2. In-device behavior-In this category, the devices themselves are subjected to behavioral data monitoring [12]. Device behavior data are often gathered from different sources such as hardware events, resource usage, software and processes, and device sensors and actuators.
   • Hardware Events-In modern microprocessors, hardware performance counters (HPCs) are specific registers designated for storing hardware-related event counters. These events may be used to detect suspicious activity [12];
   • Resource Usage-Device components' use and status are monitored for anomaly detection. The most frequently observed components are the processor, memory, disk, and network [12];
   • Software and Processes-The installed software on each device has its own unique behavior. Then, in conjunction with the isolated software behaviors, a global device behavior may be modeled for anomaly detection [12]. Software may be modeled in a variety of ways, including:
     - System calls and logs-These features are used to observe the interaction between the operating system and its installed apps [36,37]. These interactions include activities for managing processes, files, and communications that have been utilized to detect abnormalities [36,37];
     - Process properties-The features of each process, such as its name, status, or threads, may be used to model the behavior of the device software. Resources needed to run specific software or code are also included in this category [38];
     - Software signatures-Software snapshots (signatures) may be used for the detection of software modifications caused by anomalous behavior [39].
   • Device Sensors and Actuators-These features, such as the camera, GPS, etc., may be used for anomaly detection [40,41].

Behavior Processing and Evaluation Techniques
In the second step, to create and evaluate a fingerprinting profile, the data need to be processed using different approaches, including rule-based, statistical, knowledge-based, machine learning and deep learning, and time-series approaches [12].
To build and evaluate the performance of the learning model, the dataset is divided into two distinct sub-datasets: the training data and the test data [42]. The training data are the sub-dataset used to train a model; they contain the observations drawn from the behavioral sources. The test data are the sub-dataset used to evaluate the performance of a model built using the training dataset [42]. The purpose of creating a model is to predict known and unknown threats.

Attack Detection
In the third step, detection may be achieved either by modeling normal device behavior and identifying abnormalities, or by gathering normal and abnormal behavioral data and applying classification methods in order to detect suspicious activities [12]. Next, APT defense mechanisms will be presented.
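
The three-stage life cycle just described (monitor in-device sources, build a profile from known-good training data, flag deviations), tied to the FrozenCell tactics listed earlier, as an added example that is not code from the paper or from any of the surveyed solutions. Feature names, the z-score threshold, the feature-to-tactic mapping, and all telemetry values are assumptions constructed for this illustration.

```python
"""Behavioral-baseline anomaly scoring over constructed in-device telemetry."""
from dataclasses import dataclass
from statistics import mean, pstdev

# Feature -> suspected ATT&CK tactic, following the FrozenCell TTP list above.
# The feature names and this mapping are assumptions of this example.
FEATURE_TACTIC = {
    "sms_reads": "Credential Access",        # Capture SMS Messages
    "doc_file_enum": "Discovery",            # File and Directory Discovery
    "location_queries": "Discovery",         # Location Tracking
    "archive_writes": "Exfiltration",        # password-protected archives
    "net_tx_kb": "Exfiltration",             # outbound volume
    "dyn_code_loads": "Defense Evasion",     # Download New Code at Runtime
    "cpu_pct": "Resource Usage",             # generic resource-usage source
}
TACTIC_ORDER = ["Initial Access", "Defense Evasion", "Credential Access",
                "Discovery", "Collection", "Exfiltration"]


@dataclass
class Baseline:
    mu: dict      # per-feature mean over the training intervals
    sigma: dict   # per-feature spread over the training intervals


def build_baseline(samples):
    """Per-feature mean and spread from known-good intervals (the training data)."""
    feats = list(samples[0].keys())
    mu = {f: mean([s[f] for s in samples]) for f in feats}
    # A counter that never moved in the baseline gets a unit spread, so any
    # later movement is scored as a deviation of that many units.
    sigma = {f: max(pstdev([s[f] for s in samples]), 1.0) for f in feats}
    return Baseline(mu, sigma)


def score_sample(baseline, sample, z_threshold=3.0):
    """Return (is_anomalous, {feature: (z, tactic)}) for one observed interval."""
    deviations = {}
    for f, v in sample.items():
        z = (v - baseline.mu[f]) / baseline.sigma[f]
        if z > z_threshold:            # these counters only matter when they rise
            deviations[f] = (round(z, 1), FEATURE_TACTIC.get(f, "unknown"))
    return bool(deviations), deviations


def suspected_tactics(deviations):
    """Distinct tactics implicated by the deviations, in FrozenCell life-cycle order."""
    found = {tactic for _, tactic in deviations.values()}
    return [t for t in TACTIC_ORDER if t in found]


# Constructed known-good telemetry: ten quiet intervals of a phone.
NORMAL = [
    {"sms_reads": 1, "doc_file_enum": 0, "location_queries": 1 + (i % 3),
     "archive_writes": 0, "net_tx_kb": 40 + i, "dyn_code_loads": 0,
     "cpu_pct": 12 + (i % 3)}
    for i in range(10)
]
# Constructed interval resembling the Credential Access, Discovery and
# Exfiltration stages: mass SMS reads, document enumeration, archive
# creation and a burst of outbound traffic.
SUSPECT = {"sms_reads": 40, "doc_file_enum": 320, "location_queries": 3,
           "archive_writes": 4, "net_tx_kb": 9000, "dyn_code_loads": 0,
           "cpu_pct": 13}

if __name__ == "__main__":
    base = build_baseline(NORMAL)
    flagged, devs = score_sample(base, SUSPECT)
    print("anomalous:", flagged)
    for f, (z, tactic) in devs.items():
        print(f"  {f:18} z={z:>8}  suspected tactic: {tactic}")
    print("tactics implicated:", suspected_tactics(devs))
```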

General Overview of Advanced Persistent Threat Mitigation Approaches
This section presents a general overview of APT mitigation approaches.

Threat Modeling Approaches
A risk model can be defined as a quantitative depiction that identifies the threat possibilities and the impact they will have on a specific asset [43]. Threat modeling is a risk modeling component that identifies, prioritizes, monitors, and evaluates security risks in an iterative process [43]. Threat modeling formalizes the process of identifying and evaluating the security vulnerabilities and threats of a device, an application, and a network service [44]. Threat modeling aims to be proactive in recognizing, categorizing, and describing threats, which provides visibility of the attacker. This promotes resilience by preparing for, surviving, and recovering from a cybersecurity incident. The following is a list of the ten most important threat modeling approaches identified in this study:

1. DFD (data flow diagrams)-A DFD is a graphical system depiction that illustrates all of the inputs, logical internal processes, and outputs. As part of the threat modeling process, DFDs focus on external elements, trust boundaries, and the storing and processing of data [45]. As a result of this method, security analysts are able to track data flow across the system in order to identify critical processes and the threats to those processes. This approach has the following steps: view the system as an adversary, characterize the system, and identify the threats [46]. Viewing the system as an adversary analyzes the visible and accessible processes and functionalities that an attacker may use to breach the system. Characterizing the system means obtaining background system information and identifying weak points that need to be addressed. Identifying the threats includes thinking about and describing possible methods of attacking the entry and exit points of the system [46];
2. STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege)-STRIDE is a system-based threat classification that classifies threats according to their explicit types [47]. It was first introduced to Microsoft developers in 1999 to aid them in identifying threats related to their software products. The root cause might be classified as a security flaw in the design, a security bug in the code, or an issue resulting from an unsafe configuration [47]. STRIDE assists in mitigating risks regarding confidentiality, availability, authentication, authorization, and non-repudiation [48]. A STRIDE category may cover several threats, and a threat can fall under multiple STRIDE categories;
3. Attack trees-Attack trees are conceptual diagrams that utilize a branching, hierarchical data structure to represent threats and the possible attack vectors needed to achieve the attacker's objective [49,50]. They were introduced by Bruce Schneier to represent threats against computer systems [43]. Attack trees categorize all known system attacks and assign risk and cost values to each attack vector [49]. Defining the main goal and breaking it down into sub-goals are the common stages of the attack tree approach. The root node signifies the attack's purpose, and the leaf nodes reflect the several paths that may be used to achieve that goal [51];
4. Stochastic or mathematical models-In this approach, attacks and their characteristics are often converted to Markov chains and analyzed using state transition matrices [52]. Markov chains have the ability to determine chains of attack vectors that require previous and current system states to be met before an attack may proceed on its current path [52]. The game theory concept has also been used to model cyber threats such as APTs. The game-theoretic basis is to build a multi-stage Bayesian game framework that captures incomplete information about deceptive APTs and their multi-stage movement [43];
5. Kill chain-The term kill chain originated as a military concept relating to the structure of an attack [43]. The idea is to effectively prevent or counter the opponent throughout the attack life cycle [53]. The intrusion kill chain is defined as reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and actions on objectives (AOO) [53]. Effectively attributing cyber attacks requires identifying them based on their attack patterns and the different phases of the kill chain. These attack patterns are the Tactics, Techniques, and Procedures (TTP) of the APT. A tactic is a behavior that is used to reach an objective, a technique is a potential method for implementing a tactic [54], and a procedure is a set of APT activities executed at [55]. To achieve the APT's goal, different tactics can be used. In turn, these tactics are accomplished by using one or many techniques;
6. MITRE ATT&CK-MITRE ATT&CK is an acronym for the Massachusetts Institute of Technology Research and Engineering, Adversarial Tactics, Techniques, and Common Knowledge [8]. MITRE established the Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) Framework in 2013 in an effort to better understand cyber threats [56]. Prior to October 2020, MITRE had ATT&CK matrices associated with Enterprise assets (Linux/MacOS/Windows), mobile devices, and an initial PRE-ATT&CK pattern [43]. PRE-ATT&CK was a framework that aligned with the first three steps of the kill chain, namely reconnaissance, weaponization, and delivery. Version 11 of the ATT&CK Enterprise framework now includes PRE-ATT&CK and more closely aligns with all phases of the kill chain, including the post-access phases of exploitation, installation, C2, and AOO [43]. Tactics represent an adversary's tactical objectives during an operation. The ATT&CK model's techniques define the actions that adversaries may take to achieve their tactical goals [57]. ATT&CK builds on the Cyber Kill Chain by concentrating on the techniques, tactics, and Indicators of Compromise (IOC) associated with these adversaries. A significant difference between an ATT&CK technique and an IOC is that many ATT&CK techniques are legitimate system functions that may be utilized for malicious purposes [57], making them more difficult for the defender to detect. MITRE has also mapped software attacks from publicly reported technique use and accounts for the capability of adversary software to use a technique [54];
7. Common Attack Pattern Enumeration and Classification (CAPEC)-CAPEC is a standard vulnerability database that provides a list of the most common methods attackers employ to exploit the vulnerabilities identified in the Common Weakness Enumeration (CWE) [43]. This means that CAPEC focuses on application security and defines the common characteristics and strategies used by attackers to exploit known vulnerabilities. CAPEC analyzes and categorizes cyber-attacks according to a set of attack patterns that may occur pre- or post-exploitation. In addition, it defines the stages of common cyber-attacks and documents their countermeasures. Within the CAPEC model, there are three levels of attack patterns (Meta, Standard, and Detailed) [43]. Attack patterns describe the characteristics and techniques used by adversaries to exploit known system vulnerabilities. The first level is meta attack patterns, which lack detailed information on the technology or implementation used by cyber attacks. The second is standard attack patterns, which are more procedural and specific. The third is the detailed attack pattern;
8. Threat Assessment and Remediation Analysis (TARA)-TARA is a MITRE initiative that identifies and assesses cyber threats, as well as the effectiveness of countermeasures [58]. TARA includes an adversary TTP threat matrix called the Cyber Threat Susceptibility Analysis (CTSA). CTSA and Cyber Risk Remediation Analysis (CTRA) are then utilized to complete the TARA process [43]. CTSA consists of defining the assets in scope, identifying related TTP, removing unlikely TTP, applying a ranking system, and constructing a threat matrix that defines the score, target assets, and adversary type [43];
9. Diamond-Diamond is a model that correlates and describes the capabilities of an adversary with the infrastructure of a target. The diamond threat model is a formal approach to applying scientific principles to intrusion analysis that maps the features of an adversary's capacity to a target's infrastructure [43]. It is used to track attack groups, assuming that the attacker's targets and its TTP will vary over time [59]. It derives its name from the diamond shape used to visually represent the four components of an intrusion: the adversary, the infrastructure, the capacity, and the victim [59]. Similar to the Kill Chain and ATT&CK models, the diamond approach is based on an attacker using their TTP against a targeted system to achieve a predetermined objective. It provides a tested and repeatable approach for identifying activities and correlating them with an attack using quantifiable measures [43];
10. The National Institute of Standards and Technology (NIST) Special Publication 800-154-NIST 800-154 covers the fundamentals of threat modeling for data-centric systems [56]. Using NIST, threat modeling is described via a four-step qualitative approach [56]. The first step is the identification and characterization stage, which includes only specific information about a single system or a limited set of closely connected systems. The second stage, which is based on risk assessments, determines the possible attack vectors of an adversary (probability and effect). The third stage focuses on identifying security controls to mitigate particular attack actions. Finally, the threat model is analyzed to identify all possible attack vectors and security controls for unacceptably high risks [44].
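
The attack tree approach from item 3 applied to the six FrozenCell tactics described earlier, as an added example that is not code from the paper or from any cited work: the root node is the attacker's goal, internal nodes are AND/OR sub-goals, leaves carry an assumed attacker cost and success probability, and the tree is re-evaluated after a defender control blocks one leaf, which is how the risk and cost values are used to prioritise mitigations. The node names follow the FrozenCell TTP list; every cost and probability is a constructed assumption.

```python
"""Attack-tree evaluation for a FrozenCell-style mobile APT campaign."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Node:
    name: str
    kind: str = "LEAF"            # "LEAF", "AND" or "OR"
    cost: float = 0.0             # attacker effort units (leaves only, assumed)
    p_success: float = 1.0        # probability the step succeeds (leaves only, assumed)
    children: List["Node"] = field(default_factory=list)
    mitigated: bool = False       # a defender control blocks this leaf


def min_cost(node):
    """Cheapest attacker effort to reach this node; inf when it is blocked."""
    if node.kind == "LEAF":
        return float("inf") if node.mitigated else node.cost
    costs = [min_cost(c) for c in node.children]
    return sum(costs) if node.kind == "AND" else min(costs)


def success_prob(node):
    """AND: every child must succeed; OR: at least one child succeeds."""
    if node.kind == "LEAF":
        return 0.0 if node.mitigated else node.p_success
    ps = [success_prob(c) for c in node.children]
    if node.kind == "AND":
        out = 1.0
        for p in ps:
            out *= p
        return out
    fail = 1.0
    for p in ps:
        fail *= (1.0 - p)
    return 1.0 - fail


def cheapest_path(node):
    """Leaf names on the minimum-cost path (all children of an AND node)."""
    if node.kind == "LEAF":
        return [] if node.mitigated else [node.name]
    if node.kind == "AND":
        return [leaf for c in node.children for leaf in cheapest_path(c)]
    return cheapest_path(min(node.children, key=min_cost))


def find(node, name):
    """Locate a node by name (depth-first)."""
    if node.name == name:
        return node
    for c in node.children:
        hit = find(c, name)
        if hit is not None:
            return hit
    return None


def build_tree():
    # Goal and sub-goals follow the six FrozenCell tactics; values are assumptions.
    return Node("Surveil victim and exfiltrate data", "AND", children=[
        Node("Initial Access", "OR", children=[
            Node("Spear phishing with fake chat-app update", cost=3, p_success=0.6),
            Node("Masquerade as legitimate regional app", cost=5, p_success=0.4),
        ]),
        Node("Defense Evasion: download new code at runtime", cost=2, p_success=0.9),
        Node("Credential Access", "OR", children=[
            Node("Read stored application data", cost=1, p_success=0.8),
            Node("Capture SMS messages", cost=1, p_success=0.7),
        ]),
        Node("Discovery and Collection", "AND", children=[
            Node("File and directory discovery", cost=1, p_success=0.9),
            Node("Location tracking", cost=1, p_success=0.8),
        ]),
        Node("Exfiltration via encrypted archive", cost=2, p_success=0.9),
    ])


def evaluate(tree):
    """Summarise the tree: cheapest cost, overall success probability, cheapest path."""
    cost = min_cost(tree)
    path = [] if cost == float("inf") else cheapest_path(tree)
    return {"cost": cost, "p": round(success_prob(tree), 3), "path": path}


if __name__ == "__main__":
    t = build_tree()
    print("before control:", evaluate(t))
    # Defender control on the Defense Evasion leaf (e.g., blocking runtime code
    # download); as an AND child of the root it cuts every path to the goal.
    find(t, "Defense Evasion: download new code at runtime").mitigated = True
    print("after control :", evaluate(t))
```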

The Process of Risk Management Approaches
Along with the growing number of cyber-attacks, cybersecurity has grown to be one of the most vital parts of digital systems. The goal of cybersecurity is to decrease cybersecurity risks for organizations and users through the protection of digital assets and user privacy [60]. For such risks, a risk management system is required to identify risks and risk factors, as well as to propose approaches to decrease such risks [60]. One of the risk management models is Information Security Risk Management (ISRM). ISRM is the key means through which a business safeguards the Confidentiality, Integrity, and Availability (CIA) of its assets [61]. As illustrated in Figure 4, the ISRM process consists of the following steps:
Context establishment-The external and internal contexts for ISRM should be established, which includes identifying the fundamental criteria, defining the scope and bounds, and establishing an appropriate organization to operate the ISRM [62]; 2.
Risk assessment-This step necessitates gathering the required resource data (e.g., information assets, their vulnerabilities, mappings of each threat-asset-vulnerability combination, and identifying the possible effect of each risk scenario) [61]. The risk assessment process consists of three stages as follows: • Risk identification-Includes asset identification within the established scope, threat identification, control identification, and consequence identification of losses of CIA of the assets [62]; • Risk analysis-In this step, the analysis of the risk is focused on the following: Consequence assessment (assess the potential information security incidents and their consequences that may result in the loss of CIA of an organization's assets), Incident likelihood assessment (assess the possibility of a security incident), and Risk level determination (all relevant incident scenarios should have their own risk level) [62]; 3. Risk treatment-Identify the security controls to decrease, preserve, avoid, or share risks, and define the risk treatment plan [62].

4.
Risk acceptance-Make a decision to mitigate the risks to an acceptable level. The impact of this decision should be stated [62]; 5.
Risk communication and consultation-Decision-makers and other stakeholders in the decision-making process should exchange and/or share this risk information [62]; 6.
Risk monitoring and review-Risk factors (such as the asset value, effects, threats, vulnerabilities, and incident occurrence probability) should be observed and analyzed in order to determine the changes in the environment at an early stage [62].
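The ISRM steps above can be exercised end to end on a small data set. The following Python program is an added example, not code from the paper or from the ISRM standard it cites: it identifies threat-asset-vulnerability scenarios for a constructed smartphone fleet, determines a risk level from consequence and likelihood, picks a treatment relative to an acceptance threshold, and runs a review that reports which scenarios changed since the previous assessment. The assets, the 1..5 scales, the acceptance threshold and the treatment cut-offs are assumptions made for the illustration.

```python
"""Added example (not from the paper): a minimal ISRM risk assessment in the
six-step structure described above, applied to a constructed smartphone fleet.
Assets, threats, vulnerabilities, the 1..5 scales and the acceptance threshold
are illustrative assumptions, not values taken from the reviewed literature."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class RiskScenario:
    """One threat-asset-vulnerability combination found during risk identification."""
    asset: str
    threat: str
    vulnerability: str
    consequence: int  # 1 (negligible) .. 5 (severe) loss of confidentiality, integrity or availability
    likelihood: int   # 1 (rare) .. 5 (almost certain)

    @property
    def key(self) -> str:
        return f"{self.asset}|{self.threat}|{self.vulnerability}"


def risk_level(scenario: RiskScenario) -> int:
    """Risk analysis: consequence assessment x incident likelihood gives a level in 1..25."""
    if not (1 <= scenario.consequence <= 5 and 1 <= scenario.likelihood <= 5):
        raise ValueError("consequence and likelihood must be on the 1..5 scale")
    return scenario.consequence * scenario.likelihood


def treatment(level: int, acceptance_threshold: int = 8) -> str:
    """Risk treatment / acceptance: one of the four options named in the ISRM process.
    The cut-offs are constructed for the example."""
    if level <= acceptance_threshold:
        return "accept"      # within the organisation's stated risk acceptance level
    if level >= 20:
        return "avoid"       # e.g. withdraw the service from the affected devices
    if level >= 12:
        return "reduce"      # apply a security control
    return "share"           # e.g. insure or outsource


def assess(scenarios: List[RiskScenario], acceptance_threshold: int = 8) -> List[Dict]:
    """Run analysis and treatment over every scenario, highest risk first."""
    rows = []
    for s in scenarios:
        level = risk_level(s)
        rows.append({"key": s.key, "level": level,
                     "treatment": treatment(level, acceptance_threshold)})
    return sorted(rows, key=lambda r: r["level"], reverse=True)


def review(previous: List[Dict], current: List[Dict]) -> List[str]:
    """Risk monitoring and review: report scenarios whose level changed since the last
    assessment, so that environment changes are noticed early, not at the next periodic review."""
    before = {r["key"]: r["level"] for r in previous}
    changes = []
    for r in current:
        old = before.get(r["key"])
        if old is None:
            changes.append(f"new: {r['key']} level {r['level']}")
        elif old != r["level"]:
            changes.append(f"changed: {r['key']} {old} -> {r['level']}")
    return changes


# Constructed scenarios for a smartphone fleet (illustrative only).
FLEET_SCENARIOS = [
    RiskScenario("corporate e-mail on smartphones", "spear phishing", "no phishing awareness training", 4, 4),
    RiskScenario("data on device storage", "device theft", "full-disk encryption disabled", 5, 2),
    RiskScenario("VPN credentials", "brute-force login", "weak password policy", 3, 2),
    RiskScenario("enterprise app back end", "exploitation of a known OS flaw", "unpatched smartphone OS", 5, 4),
]


def patched_fleet() -> List[RiskScenario]:
    """Constructed follow-up state: after an OS patch roll-out the flaw is rarely exploitable."""
    return [RiskScenario(s.asset, s.threat, s.vulnerability, s.consequence, 1)
            if s.vulnerability == "unpatched smartphone OS" else s for s in FLEET_SCENARIOS]


if __name__ == "__main__":
    first = assess(FLEET_SCENARIOS)
    for row in first:
        print(f"{row['level']:>2}  {row['treatment']:<7} {row['key']}")
    for change in review(first, assess(patched_fleet())):
        print(change)
```

The review step is the part most often skipped in practice: storing the previous assessment and diffing against it turns the intermittent, non-historical assessment the paper criticizes later into a continuous one.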

The Concept of Soft and Hard Trust Management
The trust concept has existed for decades, if not centuries, in fields such as business, psychology, philosophy, and technology [63]. Trust in online social networks can be defined as users' willingness to use those sites [64], because a certain level of trust is needed before users are willing to use the sites and share their private data on them. Trust management has been used to improve the security of networks by ensuring that a high degree of trust is maintained across network communications [65]. Soft trust and hard trust are the two main types of trust management that determine whether or not an entity can be trusted [66]. Social control methods and intangible information, such as reputation, experiences, and collaboration, are used to establish soft trust [63]. In general, trust has many properties, such as the following:
11. Dynamic: If any changes happen in the topology, the properties of the network, or the environment, the trust value should be updated accordingly [65].
However, soft trust is vulnerable to issues such as trust saturation: having a long history of positive experiences and cooperative efforts, a malicious entity such as an APT may accumulate high levels of trust in order to deceive the targeted entity (user and system) and successfully infiltrate the targeted system.
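The trust saturation problem can be made concrete with two scoring rules side by side. The Python below is an added example, not a model from the paper or from any of the trust management works it cites: a cumulative reputation (share of positive interactions) saturates, so one malicious act after a long cooperative history barely moves it, whereas a bounded score that gains slowly and is multiplied down on every negative outcome reacts immediately. The interaction history, the forgetting factor, the penalty and the trust threshold are constructed assumptions.

```python
"""Added example (not from the paper): why a soft-trust score that only accumulates
positive history saturates, and one bounded alternative. The interaction history,
weights and thresholds are constructed assumptions for illustration."""
from typing import List, Tuple


def ratio_trust(history: List[bool]) -> float:
    """Cumulative reputation: share of positive interactions over the whole history.
    Once the history is long, a single malicious act barely moves the score (saturation)."""
    if not history:
        return 0.0
    return sum(history) / len(history)


def decayed_trust(history: List[bool], forget: float = 0.8, penalty: float = 0.5) -> float:
    """Bounded trust: an exponential moving average of positive outcomes (slow to gain,
    capped at 1.0) combined with a multiplicative penalty on every negative outcome
    (fast to lose). Recent behaviour therefore dominates old history."""
    score = 0.0
    for positive in history:
        if positive:
            score = forget * score + (1.0 - forget)
        else:
            score *= penalty
    return score


def trusted(score: float, threshold: float = 0.8) -> bool:
    """Access decision used by the relying party (threshold is a constructed value)."""
    return score >= threshold


def evaluate(history: List[bool]) -> Tuple[bool, bool]:
    """Return (decision under ratio trust, decision under decayed trust) for one history."""
    return trusted(ratio_trust(history)), trusted(decayed_trust(history))


# Constructed histories: an entity behaves well 200 times and then performs one malicious
# action (the pattern a patient adversary relies on), versus an entity that stays honest.
SLEEPER_HISTORY: List[bool] = [True] * 200 + [False]
HONEST_HISTORY: List[bool] = [True] * 200

if __name__ == "__main__":
    for name, hist in (("sleeper", SLEEPER_HISTORY), ("honest", HONEST_HISTORY)):
        print(name, f"ratio={ratio_trust(hist):.3f}", f"decayed={decayed_trust(hist):.3f}",
              "decisions=", evaluate(hist))
```

With these parameters the ratio score still reports the sleeper as trusted (about 0.995) after the malicious act, while the decayed score halves to about 0.5 and the access decision flips. How quickly trust may be rebuilt afterwards is governed by the forgetting factor, which a deployment would tune to its own risk appetite.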
Hard trust, on the other hand, is generated from concrete security mechanisms and information, such as certificates and credential tokens [63]. One of the hard trust security mechanisms is zero trust. The concept of zero trust is based on the idea that organizations should never trust anything inside or outside of their perimeters [22]. Zero trust should verify anything and everything that is attempting to connect to the systems before it grants access [22]. Figure 5 depicts the abstract model of access with a policy decision point (PDP) and policy enforcement point (PEP).
Consider that when a smartphone user attempts to access a file on a network or server, the PEP describes the attributes of the user to other entities in the system. The PEP assigns to the PDP the task of determining whether or not the smartphone user should be authorized, based on a description of their characteristics. The PDP analyzes policies that are stored on the system, makes its decision, and returns the decision to the PEP. The PEP then informs the smartphone user whether they have been granted access to the requested resource or not [22]. Zero trust rests on the following five basic tenets:
1. Access Segmentation-Each resource access needs to be properly segmented so that no single entity may access the whole/a large part of the network [67];
2. Universal Authentication-All entities that interact with the corporate network involving users, devices, applications, and workloads must be verified regardless of their network location [67];
3. Encrypt as Much as Possible-Zero trust considers the worst-case scenario, such as a data breach. This means that the network is constantly hostile, and thus trust cannot be automatically provided [67];
4. Least Privilege Principle-Each entity in a zero trust should be constrained to the minimum level of privileges to carry out a specific mission [67];
5. Continuous Monitoring and Adjusting-It is necessary to monitor each entity (internal or external) in a zero trust. This means that regardless of whether or not an access attempt is successful, all network traffic, system activities, and attempts to access the assets are observed and recorded [67].
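The PDP/PEP exchange and the five tenets can be shown together in code. The following Python is an added example written for this page, not an implementation from the paper or from the zero trust architecture it cites: a PEP collects the request attributes for the smartphone file-access scenario, the PDP evaluates them against a stored policy (authentication and device posture, encrypted transport, segment, role and action), and the PEP records every attempt whether allowed or denied. The users, roles, segments, resources and the posture attribute are constructed assumptions.

```python
"""Added example (not from the paper or any reference zero trust implementation): a minimal
policy decision point (PDP) and policy enforcement point (PEP) for the smartphone file-access
scenario, showing how the five tenets map onto checks. Users, roles, segments, resources and the
posture attributes are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessRequest:
    """Attributes the PEP collects about a request before asking the PDP."""
    user: str
    device_id: str
    authenticated: bool        # identity freshly verified for this request (universal authentication)
    device_compliant: bool     # posture check result, e.g. patched OS, not rooted (constructed attribute)
    transport_encrypted: bool  # request arrived over an encrypted channel (encrypt as much as possible)
    segment: str               # network segment the device connects from (access segmentation)
    resource: str
    action: str


# Constructed policy store: which roles, segments and actions each resource permits (least privilege).
POLICIES: Dict[str, Dict[str, Set[str]]] = {
    "finance/reports": {"roles": {"finance"}, "segments": {"corp-finance"}, "actions": {"read"}},
    "hr/payroll":      {"roles": {"hr"}, "segments": {"corp-hr"}, "actions": {"read", "write"}},
    "public/wiki":     {"roles": {"finance", "hr", "engineering"},
                        "segments": {"corp-finance", "corp-hr", "corp-eng", "guest"}, "actions": {"read"}},
}
USER_ROLES: Dict[str, Set[str]] = {"alice": {"finance"}, "bob": {"hr"}, "eve": set()}


class PolicyDecisionPoint:
    """Evaluates stored policy against the request attributes; network location alone never grants access."""

    def decide(self, req: AccessRequest) -> Tuple[bool, str]:
        if not req.authenticated:
            return False, "not-authenticated"
        if not req.device_compliant:
            return False, "device-posture-failed"
        if not req.transport_encrypted:
            return False, "cleartext-transport"
        policy = POLICIES.get(req.resource)
        if policy is None:
            return False, "unknown-resource"
        if req.segment not in policy["segments"]:
            return False, "segment-not-permitted"
        if not (USER_ROLES.get(req.user, set()) & policy["roles"]):
            return False, "role-not-permitted"
        if req.action not in policy["actions"]:
            return False, "action-not-permitted"
        return True, "allowed"


class PolicyEnforcementPoint:
    """Gates the resource and records every attempt, allowed or denied (continuous monitoring)."""

    def __init__(self, pdp: PolicyDecisionPoint) -> None:
        self.pdp = pdp
        self.audit_log: List[Dict[str, str]] = []

    def access(self, req: AccessRequest) -> bool:
        allowed, reason = self.pdp.decide(req)
        self.audit_log.append({"user": req.user, "device": req.device_id, "segment": req.segment,
                               "resource": req.resource, "action": req.action,
                               "result": "allow" if allowed else "deny", "reason": reason})
        return allowed


def run_scenario() -> Tuple[List[bool], int]:
    """Replay constructed requests; returns the decisions and the audit-log length."""
    pep = PolicyEnforcementPoint(PolicyDecisionPoint())
    requests = [
        AccessRequest("alice", "phone-1", True, True, True, "corp-finance", "finance/reports", "read"),
        AccessRequest("alice", "phone-1", True, True, True, "guest", "finance/reports", "read"),
        AccessRequest("bob", "phone-2", True, True, True, "corp-finance", "finance/reports", "read"),
        AccessRequest("alice", "phone-1", False, True, True, "corp-finance", "finance/reports", "read"),
        AccessRequest("alice", "phone-1", True, False, True, "corp-finance", "finance/reports", "read"),
        AccessRequest("eve", "phone-3", True, True, True, "guest", "public/wiki", "read"),
    ]
    decisions = [pep.access(r) for r in requests]
    return decisions, len(pep.audit_log)


if __name__ == "__main__":
    print(run_scenario())
```

Only the first request succeeds; the others fail on segment, role, authentication, device posture and (for the role-less account) least privilege respectively, and all six attempts appear in the audit log, which is the raw material for the monitoring and review step.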

Situational Awareness Models
Cyber security has emerged as one of the most significant issues in today's highly networked society. Situational awareness is a particularly prominent concept in the world of cyber security [68]. A cyber SA model is capable of monitoring and capturing different forms of threats, as well as analyzing and devising a plan to prevent further attacks [68]. Table 2 summarizes SA models that have been developed to provide quantitative indicators in decision-making [68]. First, Endsley's model involves the observation of environmental factors within a certain time and space volume, the understanding of their meaning, and the projection of their future status [69]. Endsley's model consists of three levels: perception, comprehension, and projection. The perception level recognizes the status and attributes of related elements in the environment. The comprehension level synthesizes the elements of the perception level by analyzing and evaluating the situation. The projection level predicts how information analyzed at the comprehension level will affect the state of the future operating environment over time [70]. Boyd developed an Observe-Orient-Decide-Act (OODA) model that focuses on cognitive decision-making, as in Endsley's model. OODA is a process that supports decision-making for dynamic environments [71].
Table 2. Situational awareness models developed to provide quantitative indicators in decision-making.
The Joint Directors of Laboratories (JDL) data fusion model (JDL DFM) combines processing, data fusion, and situational awareness. The JDL DFM consists of a structure that predicts and evaluates the monitoring environment depending on the information gathered in certain contexts. This model has the advantage of handling large amounts of data, such as network traffic [72]. Okolica et al. developed a cyber situational awareness model (CSAM) that reflects the company's continuity plans.
The CSAM model aims to build an automation engine that monitors the environment in real-time and predicts possible future risks based on sense, evaluation, and assessment [73]. Tadda and Salerno developed a situational awareness reference model (SARM) that combines Endsley's model with the JDL DFM to improve data understanding. An advantage of this model is that it responds to ever-changing threats in real-time [74]. Evancich et al. studied effective cyber situational awareness (ECSA), which is situational awareness through network monitoring. ECSA is divided into three stages: network awareness, threat awareness, and operational awareness. The network awareness stage is to identify the network security characteristics. The threat awareness stage is to identify possible attacks and their attack vectors. The operational awareness stage is to measure the attack's impact on the network [75].
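The paper's recommendation is to run Boyd's OODA loop over a smartphone's behavioural baseline. The Python below is an added example, not code from the paper or from any of the SA models in Table 2: it observes a baseline of hourly device telemetry, orients by scoring a new sample against that baseline (z-score per feature), decides a severity level from the largest deviation, and acts by mapping the level to a response. The telemetry fields, the baseline values, the severity cut-offs and the actions are constructed assumptions.

```python
"""Added example (not from the paper): one Observe-Orient-Decide-Act (OODA) cycle over
smartphone telemetry, deciding whether the current hour deviates from a known behavioural
baseline. The telemetry fields, the baseline values, the z-score cut-offs and the actions
are constructed assumptions for illustration."""
from statistics import mean, pstdev
from typing import Dict, List

FEATURES = ("bytes_out_mb", "new_processes", "permission_requests")

# Observe (baseline): 24 constructed hourly samples of normal use of one device.
_PATTERN = [
    {"bytes_out_mb": 4.0, "new_processes": 18, "permission_requests": 0},
    {"bytes_out_mb": 5.0, "new_processes": 20, "permission_requests": 1},
    {"bytes_out_mb": 6.0, "new_processes": 22, "permission_requests": 1},
    {"bytes_out_mb": 5.0, "new_processes": 21, "permission_requests": 0},
    {"bytes_out_mb": 4.5, "new_processes": 19, "permission_requests": 1},
    {"bytes_out_mb": 5.5, "new_processes": 20, "permission_requests": 1},
]
BASELINE: List[Dict[str, float]] = _PATTERN * 4


def orient(baseline: List[Dict[str, float]], sample: Dict[str, float]) -> Dict[str, float]:
    """Orient: put the observation in context by scoring each feature against the baseline (z-score)."""
    scores = {}
    for f in FEATURES:
        values = [row[f] for row in baseline]
        mu, sigma = mean(values), pstdev(values)
        sigma = sigma if sigma > 0 else 1e-9  # constant baseline feature: any change is a large deviation
        scores[f] = (sample[f] - mu) / sigma
    return scores


def decide(scores: Dict[str, float], suspicious: float = 3.0, critical: float = 6.0) -> str:
    """Decide: severity from the largest deviation in either direction (cut-offs are constructed)."""
    worst = max(abs(z) for z in scores.values())
    if worst >= critical:
        return "critical"
    if worst >= suspicious:
        return "suspicious"
    return "normal"


ACTIONS = {"normal": "log", "suspicious": "alert-analyst", "critical": "isolate-device-and-alert"}


def act(level: str) -> str:
    """Act: map the decision to a response; its outcome feeds the next Observe step."""
    return ACTIONS[level]


def ooda_cycle(sample: Dict[str, float], baseline: List[Dict[str, float]] = BASELINE) -> Dict:
    """Run one full loop for a new hourly sample and return scores, level and action."""
    scores = orient(baseline, sample)
    level = decide(scores)
    return {"scores": scores, "level": level, "action": act(level)}


if __name__ == "__main__":
    # Constructed samples: a normal hour and an hour with a large outbound transfer,
    # many new processes and a burst of permission requests.
    for sample in ({"bytes_out_mb": 5.2, "new_processes": 21, "permission_requests": 1},
                   {"bytes_out_mb": 120.0, "new_processes": 40, "permission_requests": 6}):
        result = ooda_cycle(sample)
        print(result["level"], result["action"], {k: round(v, 1) for k, v in result["scores"].items()})
```

Scoring each feature separately keeps the Orient step explainable: an analyst can see which behaviour drove the decision, and a feature with zero variance in the baseline is handled explicitly rather than dividing by zero.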

Research Methodology
An SLR methodology was used to explore device behavior-based APT defense mechanisms. An SLR requires understanding, assessing, and determining the research evidence to address specific review questions [76].

Review Questions
The purpose of the research question is to assess and review the existing studies. Population, Intervention, Comparison, Outcomes, and Context (PICOC) criteria have been used to formulate these questions [77] as shown in Table 3.

Review Protocol
The search process includes selecting the digital repositories, constructing a search string, conducting an initial search, and retrieving the first primary studies collection. Five digital repositories that have been utilized in many SLRs [78] were chosen: Springer Link, Science Direct, Association for Computing Machinery (ACM), Scopus, and IEEE Xplore. Following the digital repository selection, a search string was necessary to conduct a comprehensive search and choose the related primary studies. To define a search string, the following four steps should be taken:
1. Formulate the research questions based on PICOC criteria to define the main keywords;
2. Recognize synonyms and other spelling variations for each main keyword;
3. Verify search keywords included in titles, abstracts, and keywords;
4. Construct a search string using the Boolean conjunction operators.
The following search string was selected by an independent panel of experts: ("Advanced persistent threat*" OR "APT") AND ("Mobile" OR "Smartphone" OR "Internet of things" OR "Internet-of-things" OR "IoT" OR "computer*").
This search string was used to gather all available primary studies in the five digital libraries. To choose the related studies from the initial list, inclusion and exclusion criteria were created.
Inclusion criteria:
• Papers are written in the English language;
• Published from 2011 to 2022;
• Published in a journal.
Exclusion criteria:
• Articles are written in a language other than English;
• Papers that do not refer to the research questions or do not adequately identify the subject;
• Research papers of fewer than three pages.
As illustrated in Figure 6, the selection process was divided into four stages, as follows:
• Identification: The search string was run on five digital libraries: Springer Link, Science Direct, Association for Computing Machinery (ACM), Scopus, and IEEE Xplore, and 1652 papers were retrieved.
• Screening: After eliminating duplicated papers, restricting the results to the last twelve years (2011-2022), and removing non-English language papers and non-journal papers, the authors were left with 265 papers.
• Eligibility: Related papers were identified by searching titles, abstracts, and keywords in the digital libraries. Papers with inadequate information to answer the research questions were excluded. The selected papers were further investigated by reading each one's introduction and conclusion. Papers deemed irrelevant were eliminated. In the end, 110 journal papers were selected. Forward and backward snowballing was also used (this involves checking whether other relevant papers were published after a chosen paper and cite it). As a result, only journal papers published between 2011 and 2022 were included in the study.
• Included: In this stage, two new related papers were identified thanks to snowballing. As a result, 112 journal papers were selected.
These APT features have been grouped based on the APT life cycle using threat modeling approaches such as MITRE ATT&CK and the Cyber Kill Chain [43]. Specifically, the MITRE framework is used to classify APT attacks according to their tactics and techniques. The ATT&CK-based taxonomy is shown in Figure 7, and Table 4 depicts the mapping between the collected APT features and the ATT&CK-based taxonomy. The ATT&CK matrix consists of eleven tactics (from Initial Access to Impact) as follows:

Initial Access
The Initial Access stage comprises malware delivery using common direct delivery methods such as social engineering [171]. In this stage, several techniques employed by APT to compromise the target system include:

1. Spear phishing-The attacker attempts to induce the victim to click a malicious file, application, or web link in order to successfully infiltrate the targeted system [ Attacks on Internet-facing servers-Access to the target's internal infrastructure is established through penetrating Internet-facing servers. To penetrate these servers, credentials are often obtained using brute-force attacks or exploiting known server vulnerabilities [106];
8. Spoofing attack-Attackers appear to be someone or something else in order to gain the confidence of the targeted user and gain access to systems [96].

Execution
This tactic involves injecting adversary-controlled code into a program, either remotely or locally. Malicious code execution techniques are frequently used with other techniques to achieve broader goals, such as network discovery or data theft [175]. Based on the literature, four types of APT attacks are utilized in this stage, as follows:

Persistence
The attackers seek to maintain their foothold through each access, action, or configuration change to the targeted devices [176]. A User to Root (U2R) attack is used to maintain the foothold by gaining root access to the target system [116].

Privilege Escalation
An attacker's ability to get more privileges is known as privilege escalation. The attacker may utilize the newly gained account privileges to potentially gain full control of the targeted system and perform lateral movement in the network [177]. One attack in the privilege escalation stage is U2R.

1. User to Root (U2R)-U2R attacks happen when the attackers successfully compromise a normal user's account and escalate their privileges to get root access to the target system [116].

Defense Evasion
Defense evasion refers to the strategies that an attacker may use in order to circumvent defense mechanisms [122]. For example, an attacker might exploit vulnerable components of a web application to circumvent security controls and get access to a database [171]. Two examples of APT attacks that may be used are unauthorized access and buffer overflow.

1. Unauthorized access-This type of attack occurs when a person gets access to a digital system without the consent of the user [6];
2. Buffer overflow-This is a coding error or vulnerability in software that attackers may take advantage of in order to obtain unauthorized access to targeted devices [108].

Credential Access
An attacker may use credential access such as passwords, tokens, cryptographic keys, or other values to gain access to resources [123]. Various attacks may be employed to steal credentials from the targeted devices, as follows:

1. Brute-force attack-This occurs when an attacker submits a large number of passwords or passphrases in the expectation of guessing correctly eventually [28];
2. Pass-the-Hash (PtH)-An attacker captures a hash of a password instead of the password characters and then uses it to authenticate and possibly get access to other networked systems [28];
3. Man in the middle (MITM)-Communications between two parties are eavesdropped on to collect login credentials or personal information, spy on victims, disrupt communications, or cause data to be corrupted, among other purposes [79,82,83,117,118];
4. Password cracking-The attacker may run a password cracker or purchase a password in an underground forum [119];
5. Eavesdropping attack-This is also referred to as a sniffing or snooping attack. Passwords, credit card information, and other sensitive data are easily stolen during the transmission of data from one device to another [120].

Discovery
The Discovery tactic includes techniques such as social engineering and probing attacks to enable the adversary to gather information about the targeted system's features and potentially other networked systems [127].

1. Social engineering-In order to obtain information and gain access to a system, social engineering attacks often target people as their primary target. Most APT attackers use this technique to gather information about the targeted user at the reconnaissance stage, moving laterally to other systems or figuring out the compromised systems [78,80-82,85,87,97,105,107,111,121-123];
2. Probing attack-This is a passive attack that relies on methods such as footprinting and social engineering to gather information about a particular system [124].

Lateral Movement
The attacker attempts to gain access to additional services on the target system or network [171]. The attackers aim to get authentic credentials that will enable them to remain in the system by using different techniques such as lateral spear-phishing emails [100,125].

Collection
At the collection stage, the attacker attempts to obtain the data of interest [171] using different techniques such as data leakage/cloud data leakage attacks.

1. Data leakage-This attack happens when a source (a person or a device) within the business sends data to an unauthorized entity (the attacker) outside the organization without permission [108];
2. Cloud data leakage-This attack happens when the attacker is trying to disclose information about an organization's customers or the services it provides without the organization's consent [108].

Command and Control
In the command and control (C&C or C2) stage, the attacker is trying to communicate with the compromised systems within a target network [129]. The adversary can establish C&C through either network protocols or removable media.
Removable media-Attackers may misuse removable media, such as a USB drive or a hard disk, to transmit malicious files or exfiltrate data [126].

Impact
The attackers are attempting to manipulate, interrupt, or even damage both the devices and the data they are collecting [178]. At this stage, different techniques are used by the attacker to execute the mission objectives, as follows:
1. Botnets-Botnets are groups of Internet-connected devices (remote sensors), each of which is running one or more bots that may be used for a variety of purposes, including DoS, information theft, and SPAM spreading [4,82,131];
3. Software Update Attacks-Software update attacks may be used to compromise system integrity and availability by disrupting the updating process of the installed software [108];
4. Data Fabrication-Data fabrication is the generation of malicious data or processes in order to exploit access granted for a different reason, such as tampering with system integrity [108].
According to the findings of RQ1, APT features can be viewed through stages using threat modeling frameworks. One of the threat modeling frameworks is MITRE, which groups APT attacks based on their tactics and techniques to describe the characteristics of the attacks. As a result, an APT utilizes sophisticated and advanced techniques to exploit the known and unknown system vulnerabilities and successfully infiltrate the targeted devices. An APT has the capability to remain stealthy by avoiding detection techniques for a long period. In addition, APT utilizes different discovery techniques to achieve its goal, whether it is espionage with data theft or disrupting the systems. Next, we will present the analysis and findings of RQ2.

RQ2: What Are the Proposed Defensive Mechanisms Available to Defend against APT?
In this section, the findings and analysis of RQ2 related to APT defense mechanisms are presented. A general insight into defense mechanisms against APTs on different platforms such as computers, IoT, and mobile devices is given. The main purpose of this classification is to categorize the impact of APTs on different platforms and to compare the contribution of the primary studies on mobile APTs with that on other platforms. This comparison shows that there is a lack of contribution to defending against mobile APTs.
As illustrated in Table 5 and Figure 8, many APT security defense mechanisms have been invented to protect a system's security, such as game theory, access control, risk and trust management, artificial intelligence, and machine and deep learning techniques.
The most common detection solutions used in the literature are AI techniques. Many AI techniques involving machine learning (ML) and deep learning (DL) that have been proposed by various researchers are either network-centric [1,3,6,7,79,82-84,90-93,103,107,111-113,116,118,121,125,130,131,133-137,139-152], device behavior-centric [105,109,138], application-centric [5,86,110,124], or network and device-centric [89,117]. However, current network-based detection systems are ineffective against APTs because APTs employ sophisticated techniques such as encrypting the payload or using secure communication channels such as SSL (e.g., the Cloud Atlas APT). Device behavior models [105,109,138] fail to tackle the APT issue using system behavior models because they fail to map the behavior to the unique characteristics of APT attacks [17]. Malware spreads via custom encrypted partitions on removable media (e.g., the ProjectSauron APT) and exploits weak points in authentication mechanisms [117]. Furthermore, with the application-centric detection systems [5,86,110,124], the malware characteristics are generally categorized into static features (such as binary file characteristics and disassembly features) and dynamic features such as execution behavior features [179]. Static features may be difficult to extract because of APT attacks' polymorphism, distortion, and shelling. Dynamic features are often collected by monitoring the program's behavior at runtime, which may be affected by obfuscation techniques [179].
In addition, APTs can be tackled using game theory. Game theory techniques have been utilized to detect or mitigate APTs on IoT [1,82], computers [98,145], and in general [135,151,152]. In addition, game theory has been used with risk management approaches to identify the APT in fog computing [111] and IoT [107]. Furthermore, it has been used with trust management techniques to protect cyber-physical systems [92] and IoT [116]. While game-theoretic models can help understand attacker behaviors and incentives, these models are founded on certain assumptions, such as unbounded rationality on the part of players, which may not be realistic, or they may have limited input data [180].
Furthermore, risk management approaches are a second solution to manage the risk caused by APT. The primary studies have focused on identifying APTs using risk management [93,132,146]. However, according to [61], there are endemic deficiencies in managing risk: (1) The identification of information security risks is often a tedious task; (2) Information security risks are often calculated with little reference to the actual situation of the organization; and (3) Risk assessments for information security are often conducted on an intermittent and non-historical basis. As a result, risk management approaches inevitably lead to poor decision-making and inadequate or inappropriate security strategies to protect the user's data.
In addition, trust management approaches are a third solution to authenticate the resource requested by the user. Trust management approaches have been proposed to protect cloud computing [91]. However, soft trust is vulnerable to issues such as trust saturation: having a long history of positive experience and cooperative efforts, a malicious entity such as an APT may accumulate high levels of trust in order to deceive the targeted entity (user and system) and successfully infiltrate the targeted system. Two primary studies have used access control approaches to protect against APTs on mobiles [102] and IoT [4]. However, these models are mathematical models and are not implemented in real-world deployments.
Finally, decision-making models are the other solutions that have been proposed to monitor and capture different kinds of threats, and to analyze and create a plan to mitigate further threats. The Endsley situational awareness model has been used to detect APT attacks on IoT [113,141]. However, these primary studies introduced only one stage of the three stages of the SA model (perception, comprehension, and projection).
According to the findings of RQ2, the authors classify the APT defense mechanisms into five techniques that include situational awareness, risk management, trust management, access control, and artificial intelligence. Based on the literature, most APT defense solutions are AI techniques, most of which are network-centric while the others are device-centric. The findings and analysis of RQ3 will be presented next.
Many researchers have proposed different risk management approaches to minimize the threats and risks to IoT [158,181], computers [170], cyber-physical systems (CPS) [168,169], the 5G edge-cloud ecosystem [167], connected and autonomous vehicles (CAV) [159], and others [89,156,160,169]. Other researchers [154-156] have proposed guided frameworks that aim to support practitioners in formulating or reframing their IoT security risk management strategies.
In addition, risk management can be used with other approaches such as access control, SA, and game theory to support the decision-making process. Based on the work done by [153,164], the authors proposed risk management with access control to support the decision-making process to recognize the risks and their attributes from the monitored environment. Furthermore, a conceptual situation-aware ISRM (SA-ISRM) model complements information security risk management to address an enterprise-wide collection, analysis, and reporting of risk-related information [61]. On the other hand, risk management could be used with game theories to minimize cyber risks. The authors proposed a game theory for cyber risk management to design cyber insurance contracts to transfer the cyber risk from either fog computing [111,160,162] or IoT [107].
Based on the findings of RQ3, the authors classify primary studies into four categories: risk management with access control, situational awareness, game theory, and risk management. Of these, most of the primary studies have focused on traditional attacks, while only three primary studies have focused on APT. Furthermore, many existing studies have focused on qualitative approaches due to their simplicity, risk appetite, and ability to evaluate risk. The problem with qualitative methods is that they are subjective and imprecise. Next, the research discussion will be presented.

Research Discussion
In this SLR, the authors have reviewed 109 journal papers on APT attack-defense mechanisms that were published from 2012 to 2022. All available journal papers have been collected from various digital libraries such as Springer Link, Science Direct, the Association for Computing Machinery (ACM) Digital Library, Scopus, and IEEE Xplore. The authors have provided a summary of APT features, APT defense mechanisms, and a general overview of the risk management approaches that have been proposed to identify these APT features. Next, the research gaps and recommendations for future investigations are presented in Sections 5.1 and 5.2, respectively.

Research Gaps
This section presents the research gaps in the existing APT defense solutions. Following the existing APT defense solutions defined above in Section 4.2, the authors present the following research gaps:

Solution Techniques Are Ineffective and Not Fully Bullet-Proof
Most of the APT defense solutions [1,3–7,28,76,86–88,94,97,98,100–103,106,108,111,115,117,121,124,127,133–136,140–143,145,147,172,173,176,178] being investigated have loopholes and limitations. Based on the literature, the APT defense solutions have focused on identifying, protecting, detecting, and responding to APT attacks. The most widely used techniques to detect APT attacks are machine and deep learning [3,5,7,28,79–82,84–86,97,111,115,124–129,134,136,138,172,173,176]. However, these techniques are not capable of detecting an improved or unknown APT malware due to the ever-increasing and changing threat scenarios posed by it, e.g., ZooPark [9]. This ever-changing threat landscape leads to a lack of a clear and comprehensive understanding of the TTP of APTs [23]. Other solutions proposed risk management approaches that focused on APTs [93,132,146] or traditional attacks [93,111,161–170]. Most of the existing studies have focused on qualitative approaches due to their simplicity, risk appetite, and ability to evaluate risk. The problem with qualitative methods is that they are subjective and imprecise [168]. Furthermore, risk management solutions have endemic deficiencies in managing risk: (1) the identification of information security risks is often a tedious task; (2) information security risks are often calculated with little reference to the actual situation of the organization; and (3) risk assessments for information security are often conducted on an intermittent and non-historical basis [124]. As a consequence, poor decision-making and insufficient or incorrect security techniques to safeguard the user's data are the outcomes [61]. Other solutions include protecting digital systems against APTs using trust management [91] or access control [4,102].
The trust management solution, being a soft-trust approach, is ineffective in detecting APTs and is vulnerable to issues such as trust saturation: with a long history of positive experience and cooperative efforts, a malicious entity such as an APT may accumulate high levels of trust in order to deceive the targeted entity (user and system) and successfully infiltrate the targeted system. The limitation of the access control solutions is a lack of exploration of the human behavioral context, i.e., the user's intention, device usage, and tasks done with a smartphone. Finally, mitigating malicious network traffic as a response to incidents is another solution [116]. However, this solution is designed to detect and prevent only known attacks and is therefore not effective, as APTs use sophisticated methods such as encrypting the payload or using a secure channel via the SSL protocol (e.g., Cloud Atlas APT), and exploiting vulnerabilities in authentication mechanisms [111].

Solution Techniques Are Unable to Detect APTs in a Timeframe
Some of the APT defense solutions [3,5,7,28,80–82,84–86,97,111,115,124–129,134,136,138,171–173,176] may not be capable of the early detection of APTs. APTs have the ability to easily avoid digital-signature-based and anomaly-based defense techniques and attempt to gain long-term access to the targeted systems. The detection of such APTs could take months or even years. The prime example, Stuxnet, which has targeted programmable logic controllers (PLCs) of sensitive industrial systems, was active for at least three years until its discovery [15]. The other example is ZooPark, a cyberespionage toolkit that targeted Android devices in 2015 and was active for three years until its discovery in 2018 [9].

Attack Paths Are Unclear and Proprietary to Models
An APT attack is hard to mitigate due to its non-deterministic fingerprint or TTP. Various frameworks such as Cyber Kill Chain and MITRE collect different TTPs for the same APT attack. For example, the APT 28 life cycle in the Cyber Kill Chain consists of seven stages [182], while the APT 28 life cycle in the MITRE framework consists of 14 stages [183]. In addition, APT groups have evolved and are continuing to extend their existing targets, necessitating the implementation of new TTPs [3]. These attack groups are capable of developing malware and data exfiltration techniques that are well suited for their intended goal [3], as shown in Figure 10. Currently, ZooPark is still active [9] and ZooPark malware has been found in four variants by security experts. In the original ZooPark attack, only a small amount of sensitive information was acquired from the targeted systems. However, as the attack evolved, the malware's capabilities grew and the attackers were able to collect almost any information they wanted.

Existing APT Device Behavior Solutions Fail to Solve the APT Issue
Based on previous studies, most of the solutions [13–17] have failed to tackle the APT issue using system behavior models, because the existing detection studies fail to map the behavior to the unique characteristics of APT attacks, for the following reasons. Some of the APT solutions lack APT detection for every stage of the attack life cycle. Work done by Mohammad and Belaton [13] focused on the credential dumping technique, monitoring the CPU, RAM, Windows registry, and file systems in order to detect APT. However, the authors only focused on one stage of the APT (the credential access stage) and did not provide a comprehensive solution to detect APTs in all stages of the APT life cycle. Other APT detection solutions such as [15–17] proposed an IDS to model the device behavior in order to detect APTs using system events. However, these techniques may raise false-positive alarms when normal system behavior changes, or may not be capable of the early detection of APTs.

Recommendations for Future Investigations
In this section we provide recommendations for future investigations to design a model that has the capability to overcome these research gaps in Section 5.1.

To Design an Effective Solution That Follows a Cyber-Security Framework Such as NIST or ISO
A cyber security framework is a risk-based approach to managing cybersecurity risk [186]. Based on Clark Nuber PS [187], one of the cyber security frameworks to implement and improve a cyber security program is NIST [20,187]. NIST categorizes the cybersecurity capabilities into five core functions (Identify, Protect, Detect, Respond, and Recovery) [20]. One of the identification solutions is risk assessment. Skipping this step tends to over-secure the environment, resulting in lost resources [187]. Risk assessment includes identifying the assets, in order to secure personally identifiable information (PII), and the cyber threats to these assets, such as APT. In the protection stage, the authors recommend utilizing the zero trust model. This model is used to prevent the increasingly severe risk of data leakage [21] and lateral movement [22]. One of the core tenets of the zero trust model is universal authentication. This means that all entities, including users, devices, applications, and workloads, that have any form of interaction with the corporate network need to be authenticated regardless of their network location [73]. In addition, a Host Intrusion Detection System (HIDS) is recommended at the detection stage to detect any suspicious activity. At this stage, risk assessment is used to assess the likelihood and impact of the risk by quantifying the device's behavior and its components, such as CPU, memory, battery, network (sent and received data), and user activity. For the response stage, the authors recommend utilizing risk mitigation approaches. Risk mitigation is the second process of risk management and is used to reduce mission risks through options such as risk assumption, risk avoidance, risk limitation, risk planning, research and acknowledgment, or risk transference [186]. Finally, at the recovery stage, data backup and recovery techniques have been used for APT incident recovery [188].

To Design an Efficient Solution That Has a Decision-Making Model Using Cyber SA
According to Andrade and Yoo [189], there is a need for a cognitive security model that integrates technological solutions such as big data, AI, and decision support systems with the cognitive processes that security analysts use to generate knowledge and understanding and to execute security response actions. A cognitive security model can help security analysts make precise decisions in detecting suspicious incidents in less time and more efficiently. A cognitive security model such as Cyber-Cognitive Situation Awareness (CCSA) is self-aware and is capable of acquiring the following three properties at execution time: (1) Auto-reflective: it is aware of its software architecture, hardware infrastructure, and execution environment in order to meet its operational goals; (2) Auto-predictive: it is capable of predicting the effects of a dynamic change caused by potential adaptive actions; and (3) Self-adaptive: it has the ability to meet its operating goals despite changes in the environment [189].
CCSA has the ability to monitor and capture different kinds of threats, as well as analyze and devise a strategy to prevent further threats [68]. One of the SA models is the Observe-Orient-Decide-Act (OODA) model. OODA's goal is to overcome the APT detection issue and raise surrounding environmental awareness. Figure 11 shows the four phases of the decision-making cycle [190]. In an OODA loop, each phase represents a process that is in constant communication with its environment. Observation is the process of monitoring and gathering environmental data [190]. It is guided and controlled by the Orient phase while receiving feedback from the Decide and Act phases. The Orient phase is the process of analyzing the data gathered in the Observation phase, taking into consideration the potential Orient phases from previous loops [190]. It is possible to eliminate unnecessary data by looking for correlations and dependencies that may be employed in the decision-making process. The Decide phase determines which hypothesis will be performed depending on the environment context [190]. It is guided by the Orient phase's input and provides feedback to the Observe phase. Finally, in the Act phase, the specified hypotheses are put to the test by interacting with the surrounding environment [190]. It is guided and controlled by the Orient phase, receives feedback from the Decide phase, and provides feedback to the Observe phase.

To Design Attack Paths Using Threat Modeling Approaches
Based on Sanchez et al. [12], one of the most promising approaches to dealing with APT issues is device behavior fingerprinting. The design of the attack path or fingerprint of APTs using threat modeling approaches has as its goal the exploration of attacks on a system and the discovery of the system's vulnerabilities. It helps security analysts and system specialists to analyze the design from the attackers' perspective in order to better understand the APT's TTP [191]. A fingerprint is a collection of information about a cyberthreat that identifies the Tactic, Technique, and Procedure (TTP) utilized to perpetrate the attack [8]. These fingerprints can be obtained from different sources such as mobile device resource usage (CPU, memory, etc.) and user activity [12]. A generalized attack path or fingerprint is required to simplify the TTP of the APT. For example, different mobile APT malware such as Android/Chuli.A and Riltok [183] were initiated using spear-phishing attacks. Since these malware families have different TTPs, a generalized fingerprint is required in order to simplify the training process for the learning model.
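As an added illustration of the generalized fingerprint described above (example code written for this review, not the paper's framework or any cited author's code), the following Python block derives a generalized attack path from several per-family TTP stage sequences by taking their longest common subsequence, so that the stages every family performs, in their shared order, become the training fingerprint. The stage names and the three family sequences are constructed placeholders and are not the documented TTPs of Android/Chuli.A, Riltok, or any other malware; the function names `lcs`, `generalize` and `coverage` are likewise this example's own.

```python
"""Generalized attack path (fingerprint) from per-family TTP stage sequences.

Added example: the stage names and family sequences below are constructed
for illustration and are NOT the documented TTPs of any real malware.
"""

# Constructed, hypothetical per-family TTP sequences (ordered stage names).
FAMILY_TTPS = {
    "family_a": ["spear_phishing", "dropper_install", "credential_access",
                 "collection", "exfiltration"],
    "family_b": ["spear_phishing", "privilege_escalation", "credential_access",
                 "persistence", "collection", "exfiltration"],
    "family_c": ["spear_phishing", "credential_access", "lateral_movement",
                 "exfiltration"],
}


def lcs(a, b):
    """Longest common subsequence of two stage lists, order preserved.

    Dynamic-programming table: table[i][j] is the LCS length of a[i:] and b[j:].
    """
    m, n = len(a), len(b)
    table = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m - 1, -1, -1):
        for j in range(n - 1, -1, -1):
            if a[i] == b[j]:
                table[i][j] = 1 + table[i + 1][j + 1]
            else:
                table[i][j] = max(table[i + 1][j], table[i][j + 1])
    # Walk the table from the top-left corner to recover one LCS.
    i = j = 0
    out = []
    while i < m and j < n:
        if a[i] == b[j]:
            out.append(a[i])
            i += 1
            j += 1
        elif table[i + 1][j] >= table[i][j + 1]:
            i += 1
        else:
            j += 1
    return out


def generalize(ttps):
    """Fold LCS over all families: the stages every family performs, in order.

    Returns [] for an empty input rather than failing.
    """
    if not ttps:
        return []
    seqs = list(ttps.values())
    common = seqs[0]
    for seq in seqs[1:]:
        common = lcs(common, seq)
    return common


def coverage(fingerprint, ttps):
    """Fraction of each family's stages that the generalized path explains.

    Low coverage flags a family whose TTP the fingerprint barely describes,
    i.e. one that would be under-represented in training.
    """
    return {name: len(lcs(fingerprint, seq)) / len(seq)
            for name, seq in ttps.items()}


if __name__ == "__main__":
    fp = generalize(FAMILY_TTPS)
    print("generalized fingerprint:", fp)
    print("coverage per family:", coverage(fp, FAMILY_TTPS))
```

The fold is order-sensitive only in which LCS is returned when several exist, not in its length; `coverage` is the check a practitioner would run before training, since a family explained by only half of its stages is exactly the kind of unknown variant that the preceding section says signature-based detection misses.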

To Manipulate Mobile Device Behavior through Resource Usage and User Activity
There is a need for a risk and trust management model that identifies assets and threats to these assets and quantifies the likelihood and impact of the APT. This proposed model first continuously monitors and quantifies the device's behavioral sources (such as CPU, memory, etc.) and user activity [12], then compares the quantified results with the generalized attack paths in order to detect mobile APT and prevent the increasingly severe risk of data leakage [21] and lateral movement [22].
One example is when an APT attacker attempts to compromise the targeted system: the zero trust model is utilized to authenticate only the legitimate user, who alone may access the asset. If the APT attacker successfully infiltrates the device and tries to obtain user credentials by targeting file systems and registries, this is reflected in the CPU utilization and triggers the risk. By using the risk assessment approach, mobile APTs can be detected by quantifying the CPU utilization, comparing it with the generalized attack paths, and responding to the APT activity.

To Design an APT Solution That Is Personalized Based on Mobile Users
The purpose of this solution is to determine the risk faced by each mobile user as the risk of each device's behavior varies according to the user's behavior [18]. User behavior may be described as the actions of a mobile user, whether malicious or not, that contribute to APT attacks [8]. One example is users A and B using the same mobile application. Although they both utilize the same application, each user faces different security risks. This is because of how the user is using the application, not how the application works [18].

Proposed Conceptual APT Mitigation Framework
As discussed in Section 5.1, most of the APT defense solutions have failed to tackle the APT issue. In this section, the authors propose a conceptual framework of a mobile device behavior fingerprint for APT mitigation. This framework is novel and among the most promising [12] in the fight against APT, and it helps security analysts make precise decisions in detecting any suspicious incidents related to APT. It is a multilayered/multiphase comprehensive APT detection and protection framework that follows the NIST cyber security framework. Within this framework, Cyber-Cognitive Situation Awareness (CCSA) is used. CCSA is self-aware and is capable of acquiring the following three properties at execution time: (1) Auto-reflective: it is aware of its software architecture, hardware infrastructure, and execution environment in order to meet its operational goals; (2) Auto-predictive: it is capable of predicting the effects of a dynamic change caused by potential adaptive actions; and (3) Self-adaptive: it has the ability to meet its operating goals despite changes in the environment.
OODA loop is a CCSA model that has the ability to monitor and capture different types of threats, analyze them, and devise a plan to mitigate further threats [190]. Its purpose is to resolve the APT issue and increase awareness about the surrounding environment.
As shown in Figure 12, the OODA loop has four phases, Observe-Orient-Decide-Act [190]. Each phase in an OODA loop is a process that interacts with its environment.

Figure 12. Conceptual framework of mobile device behavior fingerprint for APT mitigation.

Observe
In this phase, the behavioral source data are collected, i.e., the external and in-device behavior sources for each smartphone user, such as resource usage (CPU, memory, battery, and network); the generalized attack paths or fingerprints are then designed from the collected behavioral source data using threat modeling approaches. These generalized attack paths are used to train the risk and trust assessment model in order to detect unknown mobile APTs during the testing process. For example, different mobile APT malware such as Android/Chuli.A and Riltok [183] were initiated using spear-phishing attacks. Since these malware families have different TTPs, a generalized fingerprint is required in order to simplify the training process for the learning model.

Orient
In this phase, the risk and trust assessment model is used. The risk assessment model continually monitors and quantifies the behavioral source data such as the CPU, memory, battery, and network. These quantified behavioral data are compared with the generalized attack paths from the training process to detect and respond to any suspicious activity. The zero trust model, meanwhile, allows only authorized users to access their resources regardless of their location, and is thereby used to prevent the increasingly severe risk of data leakage [21] and lateral movement [22].
One example is when an APT attacker attempts to compromise the targeted system, where the zero trust model is utilized to authenticate only the legitimate users, who alone may access the asset. If the APT attacker successfully infiltrates the device and tries to obtain user credentials by targeting file systems and registries, this is reflected in the CPU utilization and triggers the risk. By using the risk assessment approach, mobile APT can be detected by quantifying the CPU utilization, comparing it with the generalized attack paths, and responding to the APT activity.

Decide
The most justified and appropriate measure for the current situation is chosen for implementation to achieve the Confidentiality, Integrity, and Availability (CIA) of the asset.

Act
The action chosen in the Decide phase is implemented, such as preventing APT lateral movement and data leakage. After the Act phase, the loop continues back to the Observe phase to observe and detect the APT in the device's behavior. Finally, the APT mitigation framework will be evaluated regarding effectiveness, security mechanisms, and usability.
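To make the Observe-Orient-Decide-Act cycle above concrete, together with the risk assessment over CPU, memory, battery and network usage recommended in the earlier section on resource usage and user activity, here is an added Python example (written for this review; it is not the paper's framework or any cited author's code). It assumes a constructed baseline window of known-good telemetry, a constructed generalized attack path in which each stage is defined by the resource metrics it is assumed to elevate, a z-score threshold of 3 for "elevated", an asset impact of 0.9 on an assumed 0..1 scale, and assumed Decide-phase thresholds; risk is computed as likelihood times impact, where likelihood is the fraction of the attack path observed so far, in order. All names (`observe`, `Orient`, `decide`, `act`, `run_loop`) and all sample values are this example's own.

```python
"""OODA-style device-behavior monitor with likelihood x impact risk scoring.

Added example: telemetry samples, stage signatures, impact and thresholds
are constructed for illustration and are not taken from the paper.
"""
from statistics import mean, pstdev

METRICS = ("cpu", "memory", "battery_drain", "net_tx", "file_io")

# Constructed generalized attack path: ordered stages, each defined by the
# metrics it is assumed to push above the device's baseline (hypothetical).
ATTACK_PATH = [
    ("credential_access", {"cpu", "file_io"}),
    ("collection", {"memory", "file_io"}),
    ("exfiltration", {"net_tx", "battery_drain"}),
]
ASSET_IMPACT = 0.9   # PII on the device: high impact on an assumed 0..1 scale
Z_THRESHOLD = 3.0    # a metric counts as "elevated" this far above baseline

# Constructed telemetry (cpu %, memory MB, battery %/interval, net_tx KB, file ops).
BASELINE_RAW = [(10, 300, 1.0, 20, 5), (12, 310, 1.2, 24, 7), (11, 305, 1.1, 22, 6),
                (13, 315, 1.3, 26, 8), (12, 310, 1.2, 24, 7), (11, 305, 1.1, 22, 6)]
LIVE_RAW = [(12, 308, 1.2, 23, 7),     # ordinary use
            (40, 310, 1.2, 24, 30),    # CPU + file I/O spike (credential access)
            (14, 500, 1.3, 25, 25),    # memory + file I/O spike (collection)
            (13, 310, 3.5, 400, 7)]    # battery + outbound traffic spike (exfiltration)


def observe(samples):
    """Observe: gather one window of telemetry as dicts keyed by metric name."""
    return [dict(zip(METRICS, s)) for s in samples]


class Orient:
    """Orient: baseline statistics from known-good samples, then per-sample deviation."""

    def __init__(self, baseline):
        self.stats = {}
        for m in METRICS:
            vals = [s[m] for s in baseline]
            self.stats[m] = (mean(vals), pstdev(vals) or 1e-9)  # guard sd == 0
        self.progress = 0   # stages of the attack path seen so far, in order

    def zscores(self, sample):
        return {m: (sample[m] - mu) / sd for m, (mu, sd) in self.stats.items()}

    def assess(self, sample):
        """Return (matched_stage, likelihood, risk) for one telemetry sample."""
        elevated = {m for m, z in self.zscores(sample).items() if z > Z_THRESHOLD}
        matched = None
        if self.progress < len(ATTACK_PATH):
            name, needed = ATTACK_PATH[self.progress]
            if needed <= elevated:        # all metrics of the next stage are elevated
                matched = name
                self.progress += 1
        likelihood = self.progress / len(ATTACK_PATH)
        return matched, likelihood, likelihood * ASSET_IMPACT


def decide(risk):
    """Decide: choose the measure proportionate to the current risk (assumed cut-offs)."""
    if risk >= 0.8:
        return "isolate"    # cut network access / revoke session: stops leakage and lateral movement
    if risk >= 0.25:
        return "alert"      # hand to analyst review
    return "monitor"


def act(action, log):
    """Act: apply the measure and record it; the outcome feeds the next Observe."""
    log.append(action)
    return action


def run_loop(baseline_raw, live_raw):
    """One pass of the loop over live telemetry; returns (stage, risk, action) per sample."""
    orient = Orient(observe(baseline_raw))
    trail, log = [], []
    for sample in observe(live_raw):
        stage, likelihood, risk = orient.assess(sample)
        action = act(decide(risk), log)
        trail.append((stage, round(risk, 3), action))
        if action == "isolate":
            break   # device contained; the loop resumes after the response is handled
    return trail


if __name__ == "__main__":
    for step in run_loop(BASELINE_RAW, LIVE_RAW):
        print(step)
```

Two design points matter for a defender. First, a stage only advances the path when it appears in the expected order, so a lone outbound-traffic spike scores zero risk rather than triggering isolation; the cost is that an attacker who skips a stage is under-scored, which is why the generalized fingerprint, not a single family's full TTP, should define the path. Second, the baseline window must be genuinely known-good: if it already contains compromised intervals, the standard deviations widen and later spikes no longer cross the z-threshold, which is the false-negative side of the baseline-drift problem raised in Section 5.1.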

Study Limitations
This review has several limitations. First, this study is constrained by the search keywords and the publication date (2011-2022). Second, we used a small number of electronic sources such as SCOPUS, Science Direct, IEEE Xplore, ACM, and Springer. In addition, our research included only English language journal articles, and we cannot ensure that we included all relevant studies in our review.

Conclusions
This study delved into APT defense solutions in cybersecurity that use different mechanisms such as situational awareness, risk management, trust management, and artificial intelligence, by implementing a systematic literature review. Due to the rapid growth of mobile devices in a variety of fields, massive volumes of data are constantly generated, necessitating a greater emphasis on privacy and security. APT features can be viewed through stages using threat modeling frameworks such as MITRE. If these attacks succeed, the attacker could manipulate the device's behavior, applications, and services according to its goal, be it data theft or sabotage. Such manipulations signify a deviation from a known behavioral baseline that can then be utilized for the detection of suspicious incidents. With the rapid expansion of cyber threats such as APT, conventional methods for improving mobile security have become outmoded. An alternative solution is device behavior fingerprinting, which can be considered one of the most promising approaches to mitigate mobile APT.
The authors summarized, categorized, and mapped the existing literature on APT features, APT defense mechanisms, and risk management models using the formulated research questions. For the survey, 112 papers from 2011 to 2022 were carefully selected and evaluated using the PRISMA approach. In addition, the authors proposed a conceptual framework of mobile device behavior fingerprinting for APT mitigation. This framework is auto-reflective, auto-predictive, and self-adaptive. Finally, the SLR validates device behavior fingerprinting as a potential technique for ensuring security and privacy in mobile environments.