1. Introduction
In recent years, the increasing number of sophisticated and targeted attacks has become a growing concern. In contrast to conventional cyber attacks, these attacks aim to gain access to intellectual property, retrieve personally identifiable information, and sometimes destroy information systems. To evade detection, the attackers take a long time to complete their mission: months or even years in some cases. A typical targeted cyber attack exhibits the following pattern. First, the attackers exhaustively investigate their target organization via social engineering. To obtain initial access to the victim's network, the attackers start with a phishing attack against the targeted company. Selected employees of the victim company receive an e-mail disguised as a legitimate e-mail from a trusted source. This e-mail contains malicious content such as malware and/or a link to a Web site that hosts malicious code. If employees open the content or click the link, thus executing the malware, their host is compromised and becomes a front-line base for the attackers. The attackers initially install a remote administration tool (RAT) on the host to obtain control of it. From this base, the attackers silently monitor the activities of the infected host and listen to the network's communication, thereby obtaining useful information about the relationships among employees, the organization's business workflow, the services running on other hosts, and the structure of the network. Based on such reconnaissance, they move on to high-value (VIP) victims who have authority to access highly valued assets. Eventually, these assets are sabotaged or stolen.