update

PhD/seminar/images/wein.svg

@@ -0,0 +1,103 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   width="221.72084mm"
+   height="105.83334mm"
+   viewBox="0 0 221.72084 105.83334"
+   version="1.1"
+   id="svg1"
+   xml:space="preserve"
+   inkscape:version="1.3.2 (091e20ef0f, 2023-11-25, custom)"
+   sodipodi:docname="wein.svg"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg"><sodipodi:namedview
+     id="namedview1"
+     pagecolor="#ffffff"
+     bordercolor="#000000"
+     borderopacity="0.25"
+     inkscape:showpageshadow="2"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     inkscape:deskcolor="#d1d1d1"
+     inkscape:document-units="mm"
+     inkscape:zoom="1.0141844"
+     inkscape:cx="380.1084"
+     inkscape:cy="204.59791"
+     inkscape:window-width="1920"
+     inkscape:window-height="1011"
+     inkscape:window-x="0"
+     inkscape:window-y="0"
+     inkscape:window-maximized="1"
+     inkscape:current-layer="layer1" /><defs
+     id="defs1"><inkscape:path-effect
+       effect="copy_rotate"
+       starting_point="0,0"
+       origin="30.41,131.0574"
+       id="path-effect5"
+       is_visible="true"
+       lpeversion="1.2"
+       lpesatellites="#path5 | #path6"
+       method="normal"
+       num_copies="3"
+       starting_angle="0"
+       rotation_angle="120"
+       gap="0.31"
+       copies_to_360="true"
+       mirror_copies="false"
+       split_items="true"
+       link_styles="false" /></defs><g
+     inkscape:label="Layer 1"
+     inkscape:groupmode="layer"
+     id="layer1"
+     transform="translate(32.628418,-98.555054)"><path
+       style="fill:#dd55ff;stroke:#660080;stroke-width:1;stroke-linecap:round;opacity:0.3427193"
+       id="path4"
+       inkscape:path-effect="#path-effect5"
+       sodipodi:type="arc"
+       sodipodi:cx="48.944355"
+       sodipodi:cy="131.0574"
+       sodipodi:rx="26.137203"
+       sodipodi:ry="26.137203"
+       d="m 75.081558,131.0574 c 0,14.43518 -11.702024,26.13721 -26.137203,26.13721 -14.435179,0 -26.137203,-11.70203 -26.137203,-26.13721 0,-14.43518 11.702024,-26.1372 26.137203,-26.1372 14.435179,0 26.137203,11.70202 26.137203,26.1372 z"
+       transform="matrix(1.0722768,-0.61907929,0.61907929,1.0722768,-35.510858,24.032246)" /><path
+       transform="matrix(-1.0722768,-0.6190793,0.6190793,-1.0722768,29.705015,305.09186)"
+       style="fill:#80b3ff;stroke:#2a7fff;stroke-width:1;stroke-linecap:round;opacity:0.45687535"
+       id="path5"
+       d="m 75.081558,131.0574 c 0,14.43518 -11.702024,26.13721 -26.137203,26.13721 -14.435179,0 -26.137203,-11.70203 -26.137203,-26.13721 0,-14.43518 11.702024,-26.1372 26.137203,-26.1372 14.435179,0 26.137203,11.70202 26.137203,26.1372 z" /><path
+       transform="matrix(0,1.2381586,-1.2381586,0,240.50185,108.08345)"
+       style="fill:#ffdd55;stroke:#ff7f2a;stroke-width:1;stroke-linecap:round;opacity:0.36954338"
+       id="path6"
+       d="m 75.081558,131.0574 c 0,14.43518 -11.702024,26.13721 -26.137203,26.13721 -14.435179,0 -26.137203,-11.70203 -26.137203,-26.13721 0,-14.43518 11.702024,-26.1372 26.137203,-26.1372 14.435179,0 26.137203,11.70202 26.137203,26.1372 z" /><text
+       xml:space="preserve"
+       style="font-size:11.4172px;font-family:Fuji;-inkscape-font-specification:Fuji;opacity:1;fill:#2a80ff;fill-opacity:1;stroke:none;stroke-width:3.59596;stroke-linecap:round"
+       x="-30.505966"
+       y="114.68162"
+       id="text6"><tspan
+         sodipodi:role="line"
+         id="tspan6"
+         style="fill:#2a80ff;fill-opacity:1;stroke:none;stroke-width:3.59596"
+         x="-30.505966"
+         y="114.68162">Independance</tspan></text><text
+       xml:space="preserve"
+       style="font-size:11.4172px;font-family:Fuji;-inkscape-font-specification:Fuji;opacity:1;fill:#670081;fill-opacity:1;stroke:none;stroke-width:3.59596;stroke-linecap:round"
+       x="127.64307"
+       y="114.68162"
+       id="text7"><tspan
+         sodipodi:role="line"
+         id="tspan7"
+         style="fill:#670081;fill-opacity:1;stroke:none;stroke-width:3.59596"
+         x="127.64307"
+         y="114.68162">Relevance</tspan></text><text
+       xml:space="preserve"
+       style="font-size:11.4172px;font-family:Fuji;-inkscape-font-specification:Fuji;opacity:1;fill:#ff802c;fill-opacity:1;stroke:none;stroke-width:3.59596;stroke-linecap:round"
+       x="103.49713"
+       y="199.66727"
+       id="text8"><tspan
+         sodipodi:role="line"
+         id="tspan8"
+         style="fill:#ff802c;fill-opacity:1;stroke:none;stroke-width:3.59596"
+         x="103.49713"
+         y="199.66727">Actionability</tspan></text></g></svg>

PhD/seminar/seminar.typ

@@ -21,13 +21,27 @@
 #slide(title: "State of the IDS")[
   // Most IDS rely on host-based information
   // Process List is a very common default info to verify
+]
+#slide(title:"State of the IDS")[
   // Process masquerading is trivialy posible and used by many attacks (Mitre AttCK list)
+
+]
+#slide(title:"State of the IDS")[
   // Countermeasure to process masquerading
+Listed by MITRE|ATT&CK:
+- Monitor OS API Calls (e.g. forks)
+- Monitor process creation source.
+Listed by Red Canary:
+- Heuristic on process properties (name, location, etc.)
+
+#uncover(2)[#align(center)[#text(fill:red, weight:"bold")[All Host-Based Methods!]]]
 ]
 
 #slide(title:"Process List Verification")[
 // We can't stop using the process list, so let's try to verify it
 // Power as a trusted source of information
+#align(center)[#image("images/wein.svg", height:100%)]
+// add wein images that shows where other solutions are and show that with the right analysis tools, power side-channel is at the center.
 ]
 
 #slide(title:"Power Side-Channel")[