Deakin University
File(s) under permanent embargo

Effective quarantine and recovery scheme against advanced persistent threat

journal contribution
posted on 2021-10-01, 00:00 authored by Luxing Yang, P Li, Xing Yang, Yong Xiang, Frank Jiang, Wanlei Zhou
Advanced persistent threat (APT) for cyber espionage poses a great threat to modern organizations. In order to mitigate the impact of APT on an organization, all compromised systems in the organization must be quarantined and recovered in a timely and effective way. This article focuses on the problem of customizing a dynamic quarantine and recovery (QAR) scheme for an organization so that the APT impact is minimized. Based on a novel node-level epidemic model characterizing the effect of the QAR scheme on the expected state of the underlying network, we estimate the expected impact of APT under a QAR scheme. On this basis, we model the original problem as an optimal control problem. Using optimal control theory, we derive the optimality system for the optimal control problem and thereby introduce the concept of normal potential optimal (NPO) control. Next, through comparative experiments, we find that the NPO control outperforms a set of heuristic controls. Hence, the QAR scheme associated with the NPO control is satisfactory in terms of its effectiveness in defending against APT. Finally, we examine the effect of several factors on the expected APT impact under the NPO control. This article should be helpful in defending against APT for cyber espionage.

History

Journal

IEEE transactions on systems, man, and cybernetics: systems

Pagination

1-15

Publisher

Institute of Electrical and Electronics Engineers

Location

Piscataway, N.J.

ISSN

2168-2216

eISSN

2168-2232

Language

eng

Publication classification

C1 Refereed article in a scholarly journal