diff --git a/EET1/MLCS_conference/acronyms.tex b/EET1/MLCS_conference/acronyms.tex
new file mode 100644
index 0000000..2dedccc
--- /dev/null
+++ b/EET1/MLCS_conference/acronyms.tex
@@ -0,0 +1,64 @@
+% \newacronym{psu}{PSU}{Power Supply Unit}
+% \newacronym{eet}{EET}{Electromechanical Emissions Tripwire}
+% \newacronym{eets}{EETs}{Electromechanical Emissions Tripwires}
+% \newacronym{ids}{IDS}{Intrusion Detection System}
+% \newacronym{ac}{AC}{Alternating Current}
+% \newacronym{dc}{DC}{Direct Current}
+% \newacronym{adc}{ADC}{Analog to Digital Converter}
+% \newacronym{srl}{SRL}{Solution Readiness Level}
+% \newacronym{apts}{APTs}{Advanced Persistent Threats}
+% \newacronym{apt}{APT}{Advanced Persistent Threat}
+% \newacronym{dsp}{DSP}{Digital Signal Processing}
+% \newacronym{ml}{ML}{Machine Learning}
+% \newacronym{psd}{PSD}{Power Spectral Density}
+% \newacronym{redis}{Redis}{REmote DIctionary Server}
+
+\newabbreviation{dsp}{DSP}{Digital Signal Processing}
+\newabbreviation{adc}{ADC}{Analog to Digital Converter}
+\newabbreviation{ietf}{IETF}{Internet Engineering Task Force}
+\newabbreviation{psu}{PSU}{Power Supply Unit}
+\newabbreviation{eet}{EET}{Electromechanical Emissions Tripwire}
+% \newabbreviation{dee}{DEE}{Déclencheur à émissions électromécaniques}
+\newabbreviation{ids}{IDS}{Intrusion Detection System}
+\newabbreviation{sdi}{SDI}{Système de détection d'intrusion}
+\newabbreviation{ac}{AC}{Alternating Current}
+\newabbreviation{dc}{DC}{Direct Current}
+\newabbreviation{dtw}{DTW}{Dynamic Time Warping}
+\newabbreviation{srl}{SRL}{Solution Readiness Level}
+\newabbreviation{nms}{NMS}{Niveau de Maturité de la Solution}
+\newabbreviation{apt}{APT}{Advanced Persistent Threat}
+\newabbreviation{ml}{ML}{Machine Learning}
+\newabbreviation{psd}{PSD}{Power Spectral Density}
+\newabbreviation{pcb}{PCB}{Printed Circuit Board}
+\newabbreviation{mfcc}{MFCC}{Mel-Frequency Cepstrum Coefficients}
+\newabbreviation{redis}{Redis}{REmote DIctionary Server}
+\newabbreviation{ssh}{SSH}{Secure Shell}
+\newabbreviation{fnr}{FNR}{False Negative Rate}
+\newabbreviation{fpr}{FPR}{False Positive Rate}
+\newabbreviation{dft}{DFT}{Discrete Fourier Transform}
+\newabbreviation{svm}{SVM}{Support Vector Machine}
+\newabbreviation{rfc}{RFC}{Random Forest Classifier}
+\newabbreviation{knn}{KNN}{K-Nnearest Neighbors}
+\newabbreviation{fft}{FFT}{Fast Fourier Transform}
+\newabbreviation{hids}{HIDS}{Host-based Intrusion Detection System}
+\newabbreviation{nids}{NIDS}{Network Intrusion Detection System}
+\newabbreviation{ist}{IST}{Information Systems \& Technology}
+\newabbreviation{cve}{CVE}{Common Vulnerabilities and Exposures}
+
+
+\newabbreviation{opamp}{OpAmp}{Operational Amplifier}
+\newabbreviation{drdc}{DRDC}{Defence Research and Development Canada}
+\newabbreviation{msps}{MSPS}{Mega Samples Per Second}
+\newabbreviation{1dcnn}{1D CNN}{1D Convolutional Neural Network}
+
+\newabbreviation{nsa}{NSA}{National Security Agency}
+\newabbreviation{plc}{PLC}{Programmable Logic Controller}
+\newabbreviation{rf}{RF}{Radio Frequency}
+\newabbreviation{aes}{AES}{Advanced Encryption Standard}
+\newabbreviation{rsa}{RSA}{Rivest–Shamir–Adleman}
+\newabbreviation{em}{EM}{Electromagnetic}
+\newabbreviation{nist}{NIST}{National Institute of Standards and Technology}
+\newabbreviation{csf}{CSF}{Cybersecurity Framework}
+\newabbreviation{sut}{SUT}{System Under Test}
+\newabbreviation{scp}{SCP}{Side-Channel Profile}
+\newabbreviation{snr}{SNR}{signal-to-noise ratio}
diff --git a/EET1/MLCS_conference/bibliography.bib b/EET1/MLCS_conference/bibliography.bib
new file mode 100644
index 0000000..346e30c
--- /dev/null
+++ b/EET1/MLCS_conference/bibliography.bib
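Review bot: The `knn` entry in acronyms.tex misspells its long form as `K-Nnearest Neighbors`, which will appear in the paper on first use and in the abbreviation list; it should read `\newabbreviation{knn}{KNN}{K-Nearest Neighbors}`. The `rfc` entry expands RFC to Random Forest Classifier in a file that also defines IETF, so readers of a security paper are likely to read RFC as Request for Comments; a different short form would avoid the clash. The `snr` long form is lower-case (`signal-to-noise ratio`) while every other entry is title-cased, so `Signal-to-Noise Ratio` would keep the list consistent. The fourteen commented-out `\newacronym` lines at the top duplicate active entries and could be dropped, or given a one-line comment such as `% legacy \newacronym definitions, superseded by \newabbreviation below`.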
@@ -0,0 +1,1736 @@
+@INPROCEEDINGS{7163050,
+author={F. {Liu} and Y. {Yarom} and Q. {Ge} and G. {Heiser} and R. B. {Lee}},
+booktitle={2015 IEEE Symposium on Security and Privacy},
+title={Last-Level Cache Side-Channel Attacks are Practical},
+year={2015},
+volume={},
+number={},
+pages={605-622},
+keywords={cache storage;cloud computing;security of data;virtual machines;last-level cache side-channel attacks;Prime+Probe side-channel attack;covert channel;cross-core attack;cross-VM attack;GnuPG;virtual machine monitor;IaaS cloud computing;Probes;Indexes;Multicore processing;Monitoring;Cryptography;Virtual machine monitors;Memory management;side-channel attack;cross-VM side channel;covert channel;last-level cache;ElGamal},
+doi={10.1109/SP.2015.43},
+ISSN={2375-1207},
+month={May},}
+
+@inproceedings{10.1145/2976749.2978299,
+author = {Liu, Yannan and Wei, Lingxiao and Zhou, Zhe and Zhang, Kehuan and Xu, Wenyuan and Xu, Qiang},
+title = {On Code Execution Tracking via Power Side-Channel},
+year = {2016},
+isbn = {9781450341394},
+publisher = {Association for Computing Machinery},
+address = {New York, NY, USA},
+url = {https://doi.org/10.1145/2976749.2978299},
+doi = {10.1145/2976749.2978299},
+booktitle = {Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security},
+pages = {1019–1031},
+numpages = {13},
+keywords = {embedded system, hardware security, power side-channel, code execution tracking},
+location = {Vienna, Austria},
+series = {CCS ’16}
+}
+
+@Article{Moreno2018,
+ author="Moreno, Carlos and Fischmeister, Sebastian",
+ title="Non-intrusive runtime monitoring through power consumption to enforce safety and security properties in embedded systems",
+ journal="Formal Methods in System Design",
+ year="2018",
+ month="Aug",
+ day="01",
+ volume="53",
+ number="1",
+ pages="113--137",
+ issn="1572-8102",
+ doi="10.1007/s10703-017-0298-3",
+ url="https://doi.org/10.1007/s10703-017-0298-3"
+}
+
+@inproceedings {cisco_trust,
+ author = {Jatin Kataria and Rick Housley and Joseph Pantoga and Ang Cui},
+ title = {Defeating Cisco Trust Anchor: A Case-Study of Recent Advancements in Direct {FPGA} Bitstream Manipulation},
+ booktitle = {13th {USENIX} Workshop on Offensive Technologies ({WOOT} 19)},
+ year = {2019},
+ address = {Santa Clara, CA},
+ url = {https://www.usenix.org/conference/woot19/presentation/kataria},
+ publisher = {{USENIX} Association},
+ month = aug
+}
+
+@inproceedings{Cui2013WhenFM,
+ title={When Firmware Modifications Attack: A Case Study of Embedded Exploitation},
+ author={Ang Cui and Michael Costello and Salvatore J. Stolfo},
+ booktitle={NDSS},
+ url={http://ids.cs.columbia.edu/sites/default/files/ndss-2013.pdf},
+ year={2013}
+}
+
+@misc{thomson_2019,
+ title={It's 2019 so now security vulnerabilities are branded using emojis: Meet Thrangrycat, a Cisco router secure boot flaw},
+ url={https://www.theregister.co.uk/2019/05/13/cisco_thrangrycat_vulnerability/},
+ journal={The Register},
+ publisher={The Register},
+ author={Thomson, Iain},
+ year={2019},
+ month={May}
+}
+
+@misc{hau_2015,
+ title="{SYNful Knock -- A Cisco router implant -- Part I}",
+ url = {https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html},
+ publisher={FireEye},
+ author={Hau, Bill},
+ year={2015},
+ month={Sep}
+}
+
+@InProceedings{10.1007/3-540-36400-5_4,
+author="Agrawal, Dakshi
+and Archambeault, Bruce
+and Rao, Josyula R.
+and Rohatgi, Pankaj",
+editor="Kaliski, Burton S.
+and Ko{\c{c}}, {\c{c}}etin K.
+and Paar, Christof",
+title="The EM Side---Channel(s)",
+booktitle="Cryptographic Hardware and Embedded Systems - CHES 2002",
+year="2003",
+publisher="Springer Berlin Heidelberg",
+address="Berlin, Heidelberg",
+pages="29--45",
+}
+
+@article{printers,
+title = {Acoustic Side-Channel Attacks on Printers},
+author = {Michael Backes, Markus Dürmuth, Sebastian Gerling, Manfred Pinkal, Caroline Sporleder},
+year = {2010},
+publisher = {https://www.usenix.org/legacy/event/sec10/tech/full_papers/Backes.pdf},
+}
+
+@article{10.1145/1609956.1609959,
+author = {Zhuang, Li and Zhou, Feng and Tygar, J. D.},
+title = {Keyboard Acoustic Emanations Revisited},
+year = {2009},
+issue_date = {October 2009},
+publisher = {Association for Computing Machinery},
+address = {New York, NY, USA},
+volume = {13},
+number = {1},
+issn = {1094-9224},
+url = {https://doi.org/10.1145/1609956.1609959},
+doi = {10.1145/1609956.1609959},
+journal = {ACM Trans. Inf. Syst. Secur.},
+month = nov,
+articleno = {Article 3},
+numpages = {26},
+keywords = {privacy, cepstrum, learning theory, signal analysis, acoustic manations, Computer security, HMM, human factors, keyboards, hidden markov models, electronic eavesdropping}
+}
+
+@InProceedings{10.1007/3-540-68697-5_9,
+author="Kocher, Paul C.",
+editor="Koblitz, Neal",
+title="Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems",
+booktitle="Advances in Cryptology --- CRYPTO '96",
+year="1996",
+publisher="Springer Berlin Heidelberg",
+address="Berlin, Heidelberg",
+pages="104--113",
+}
+
+
+@article{osti_1372902,
+title = {{United States} Data Center Energy Usage Report},
+author = {Shehabi, Arman and Smith, Sarah and Sartor, Dale and Brown, Richard and Herrlin, Magnus and Koomey, Jonathan and Masanet, Eric and Horner, Nathaniel and Azevedo, Inês and Lintner, William},
+doi = {10.2172/1372902},
+place = {United States},
+year = {2016},
+month = {6}
+}
+
+@ARTICLE{6848725,
+author={K. {Bilal} and S. U. R. {Malik} and S. U. {Khan} and A. Y. {Zomaya}},
+journal={IEEE Cloud Computing},
+title={Trends and challenges in cloud datacenters},
+year={2014},
+volume={1},
+number={1},
+pages={10-20},
+keywords={cloud computing;computer centres;quality of service;virtualisation;reliability;cloud DCs;quality of service;cloud computing paradigm;virtualization technology;next-generation data centers;cloud data centers;Computer architecture;Cloud computing;Data centers;Bandwidth allocation;Next generation networking;Virtualization;Resource allocation;cloud;cloud computing;cloud data center;thermal awareness;resource utilization;resources consolidation techniques;virtualization},
+doi={10.1109/MCC.2014.26},
+ISSN={2372-2568},
+month={May},}
+
+@article{VINCENT201577,
+title = "Trojan Detection and Side-channel Analyses for Cyber-security in Cyber-physical Manufacturing Systems",
+journal = "Procedia Manufacturing",
+volume = "1",
+pages = "77 - 85",
+year = "2015",
+note = "43rd North American Manufacturing Research Conference, NAMRC 43, 8-12 June 2015, UNC Charlotte, North Carolina, United States",
+issn = "2351-9789",
+doi = "https://doi.org/10.1016/j.promfg.2015.09.065",
+url = "http://www.sciencedirect.com/science/article/pii/S2351978915010653",
+author = "Hannah Vincent and Lee Wells and Pablo Tarazaga and Jaime Camelio",
+keywords = "Cyber-Attack detection, Cyber-Physical manufacturing systems, Quality control, Side-Channel analyses, Structural Health Monitoring, Trojans",
+}
+
+@inproceedings{quisquater2001electromagnetic,
+ title={Electromagnetic analysis (ema): Measures and counter-measures for smart cards},
+ author={Quisquater, Jean-Jacques and Samyde, David},
+ booktitle={International Conference on Research in Smart Cards},
+ pages={200--210},
+ year={2001},
+ organization={Springer}
+}
+
+@inproceedings{fuller2018exploiting,
+ title={Exploiting side-channel emissions to detect changes in FPGA firmware},
+ author={Fuller, Ryan M and Riley, Ronald A and Graham, James T},
+ booktitle={Cyber Sensing 2018},
+ volume={10630},
+ pages={106300A},
+ year={2018},
+ organization={International Society for Optics and Photonics}
+}
+
+@ARTICLE{1456237, author={R. E. {Crochiere} and L. R. {Rabiner}}, journal={Proceedings of the IEEE}, title={Interpolation and decimation of digital signals—A tutorial review}, year={1981}, volume={69}, number={3}, pages={300-331},}
+@article{hospodar2011machine,
+ title={Machine learning in side-channel analysis: a first study},
+ author={Hospodar, Gabriel and Gierlichs, Benedikt and De Mulder, Elke and Verbauwhede, Ingrid and Vandewalle, Joos},
+ journal={Journal of Cryptographic Engineering},
+ volume={1},
+ number={4},
+ pages={293},
+ year={2011},
+ publisher={Springer}
+}
+
+@inproceedings{moreno2016non,
+ title={Non-intrusive runtime monitoring through power consumption: a signals and system analysis approach to reconstruct the trace},
+ author={Moreno, Carlos and Fischmeister, Sebastian},
+ booktitle={International Conference on Runtime Verification},
+ pages={268--284},
+ year={2016},
+ organization={Springer}
+}
+
+@book{mangard2008power,
+ title={Power analysis attacks: Revealing the secrets of smart cards},
+ author={Mangard, Stefan and Oswald, Elisabeth and Popp, Thomas},
+ volume={31},
+ year={2008},
+ publisher={Springer Science \& Business Media}
+}
+
+@inproceedings{kocher1996timing,
+ title={Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems},
+ author={Kocher, Paul C},
+ booktitle={Annual International Cryptology Conference},
+ pages={104--113},
+ year={1996},
+ organization={Springer}
+}
+
+@article{goldack2008side,
+ title={Side-channel based reverse engineering for microcontrollers},
+ author={Goldack, Martin and Paar, Ing Christof},
+ journal={Master's thesis, Ruhr-Universit{\"a}t Bochum, Germany},
+ year={2008}
+}
+
+@article{khan2019malware,
+ title={Malware Detection in Embedded Systems Using Neural Network Model for Electromagnetic Side-Channel Signals},
+ author={Khan, Haider Adnan and Sehatbakhsh, Nader and Nguyen, Luong N and Prvulovic, Milos and Zaji{\'c}, Alenka},
+ journal={Journal of Hardware and Systems Security},
+ volume={3},
+ number={4},
+ pages={305--318},
+ year={2019},
+ publisher={Springer}
+}
+
+@incollection{eisenbarth2010building,
+ title={Building a side channel based disassembler},
+ author={Eisenbarth, Thomas and Paar, Christof and Weghenkel, Bj{\"o}rn},
+ booktitle={Transactions on Computational Science X},
+ pages={78--99},
+ year={2010},
+ publisher={Springer}
+}
+
+@inproceedings{kocher1999differential,
+ title={Differential power analysis},
+ author={Kocher, Paul and Jaffe, Joshua and Jun, Benjamin},
+ booktitle={Annual International Cryptology Conference},
+ pages={388--397},
+ year={1999},
+ organization={Springer}
+}
+
+@inproceedings{picek2017climbing,
+ title={Climbing down the hierarchy: hierarchical classification for machine learning side-channel attacks},
+ author={Picek, Stjepan and Heuser, Annelie and Jovic, Alan and Legay, Axel},
+ booktitle={International Conference on Cryptology in Africa},
+ pages={61--78},
+ year={2017},
+ organization={Springer}
+}
+
+@inproceedings{picek2018performance,
+ title={On the performance of convolutional neural networks for side-channel analysis},
+ author={Picek, Stjepan and Samiotis, Ioannis Petros and Kim, Jaehun and Heuser, Annelie and Bhasin, Shivam and Legay, Axel},
+ booktitle={International Conference on Security, Privacy, and Applied Cryptography Engineering},
+ pages={157--176},
+ year={2018},
+ organization={Springer}
+}
+
+@article{picek2019theory,
+ title={When theory meets practice: A framework for robust profiled side-channel analysis},
+ author={Picek, Stjepan and Heuser, Annelie and Alippi, Cesare and Regazzoni, Francesco},
+ year={2019}
+}
+
+@inproceedings{brier2004correlation,
+ title={Correlation power analysis with a leakage model},
+ author={Brier, Eric and Clavier, Christophe and Olivier, Francis},
+ booktitle={International Workshop on Cryptographic Hardware and Embedded Systems},
+ pages={16--29},
+ year={2004},
+ organization={Springer}
+}
+
+
+
+@inproceedings{shumov2010side,
+ title={Side channel leakage profiling in software},
+ author={Shumov, D and Montgomery, Peter L},
+ booktitle={COSADE 2010},
+ year={2010},
+ organization={Citeseer}
+}
+
+@inproceedings{blanco2017framework,
+ title={A framework for acquiring and analyzing traces from cryptographic devices},
+ author={Blanco, Alfonso Blanco and de Fuentes, Jose Mar{\'\i}a and Gonz{\'a}lez-Manzano, Lorena and Encinas, Luis Hern{\'a}ndez and Mu{\~n}oz, Agust{\'\i}n Mart{\'\i}n and Oliva, Jos{\'e} Luis Rodrigo and Garc{\'\i}a, J Ignacio S{\'a}nchez},
+ booktitle={International Conference on Security and Privacy in Communication Systems},
+ pages={283--300},
+ year={2017},
+ organization={Springer}
+}
+
+@misc{NationalInstrumentsHIL,
+ author = {National Instruments},
+ title = {{Hardware In The Loop Test System}},
+ howpublished = "\url{https://www.ni.com/en-ca/innovations/white-papers/09/hardware-in-the-loop--hil--test-system-architectures.html#section--650933511}"
+}
+
+@misc{DSpace,
+ author = {DSpace},
+ title = {{Hardware In The Loop Test System}},
+ howpublished = "\url{https://www.dspace.com/shared/data/pdf/2019/dSPACE-Hardware-in-the-Loop-Systems_Business-field-brochure_01-2019_English.pdf}"
+}
+
+@misc{Labview,
+ author = {National Instruments},
+ title = {{LabVIEW DAQ}},
+ howpublished = "\url{https://www.ni.com/academic/students/learn-daq/}"
+}
+
+% Impact of human error:
+
+@article{BARCHARD20131917,
+title = "Improving data accuracy: Selecting the best data checking technique",
+journal = "Computers in Human Behavior",
+volume = "29",
+number = "5",
+pages = "1917 - 1922",
+year = "2013",
+issn = "0747-5632",
+doi = "https://doi.org/10.1016/j.chb.2013.02.021",
+url = "http://www.sciencedirect.com/science/article/pii/S0747563213000873",
+author = "Kimberly A. Barchard and Yevgeniya Verenikina",
+keywords = "Data checking, Double entry, Read aloud, Visual checking",
+}
+
+@article{BARCHARD20111834,
+title = "Preventing human error: The impact of data entry methods on data accuracy and statistical results",
+journal = "Computers in Human Behavior",
+volume = "27",
+number = "5",
+pages = "1834 - 1839",
+year = "2011",
+note = "2009 Fifth International Conference on Intelligent Computing",
+issn = "0747-5632",
+doi = "https://doi.org/10.1016/j.chb.2011.04.004",
+url = "http://www.sciencedirect.com/science/article/pii/S0747563211000707",
+author = "Kimberly A. Barchard and Larry A. Pace",
+keywords = "Data entry, Double entry, Visual checking, Outliers, Data cleaning",
+}
+
+@article{kozak2015,
+author = {Marcin Kozak and Wojtek Krzanowski and Izabela Cichocka and James Hartley},
+title = {The effects of data input errors on subsequent statistical inference},
+journal = {Journal of Applied Statistics},
+volume = {42},
+number = {9},
+pages = {2030-2037},
+year = {2015},
+publisher = {Taylor & Francis},
+doi = {10.1080/02664763.2015.1016410},
+URL = {https://doi.org/10.1080/02664763.2015.1016410},
+eprint = {https://doi.org/10.1080/02664763.2015.1016410}
+}
+
+@article{tu2015,
+ author = {Tu, Huawei and Oladimeji, Patrick and Wiseman, Sarah and Thimbleby, Harold and Cairns, Paul and Niezen, Gerrit},
+ title = "{Employing Number-Based Graphical Representations to Enhance the Effects of Visual Check on Entry Error Detection}",
+ journal = {Interacting with Computers},
+ volume = {28},
+ number = {2},
+ pages = {194-207},
+ year = {2015},
+ month = {07},
+ issn = {0953-5438},
+ doi = {10.1093/iwc/iwv020},
+ url = {https://doi.org/10.1093/iwc/iwv020},
+ eprint = {https://academic.oup.com/iwc/article-pdf/28/2/194/6956430/iwv020.pdf},
+}
+
+@article{patel2011impact,
+ title={Impact of outlier removal and normalization approach in modified k-means clustering algorithm},
+ author={Patel, Vaishali R and Mehta, Rupa G},
+ journal={International Journal of Computer Science Issues (IJCSI)},
+ volume={8},
+ number={5},
+ pages={331},
+ year={2011},
+ publisher={Citeseer}
+}
+
+
+
+@inproceedings{koch2010security,
+ title={{Security system for encrypted environments (S2E2)}},
+ author={Koch, Robert and Rodosek, Gabi Dreo},
+ booktitle={International Workshop on Recent Advances in Intrusion Detection},
+ pages={505--507},
+ year={2010},
+ organization={Springer}
+}
+
+@inproceedings{moreno2016non,
+ title={Non-intrusive runtime monitoring through power consumption: a signals and system analysis approach to reconstruct the trace},
+ author={Moreno, Carlos and Fischmeister, Sebastian},
+ booktitle={International Conference on Runtime Verification},
+ pages={268--284},
+ year={2016},
+ organization={Springer}
+}
+
+
+
+
+
+@article{VINCENT201577,
+title = "Trojan Detection and Side-channel Analyses for Cyber-security in Cyber-physical Manufacturing Systems",
+journal = "Procedia Manufacturing",
+volume = "1",
+pages = "77 - 85",
+year = "2015",
+note = "43rd North American Manufacturing Research Conference, NAMRC 43, 8-12 June 2015, UNC Charlotte, North Carolina, United States",
+issn = "2351-9789",
+doi = "https://doi.org/10.1016/j.promfg.2015.09.065",
+url = "http://www.sciencedirect.com/science/article/pii/S2351978915010653",
+author = "Hannah Vincent and Lee Wells and Pablo Tarazaga and Jaime Camelio",
+keywords = "Cyber-Attack detection, Cyber-Physical manufacturing systems, Quality control, Side-Channel analyses, Structural Health Monitoring, Trojans",
+}
+
+
+
+@inproceedings{fuller2018exploiting,
+ title={Exploiting side-channel emissions to detect changes in FPGA firmware},
+ author={Fuller, Ryan M and Riley, Ronald A and Graham, James T},
+ booktitle={Cyber Sensing 2018},
+ volume={10630},
+ pages={106300A},
+ year={2018},
+ organization={International Society for Optics and Photonics}
+}
+
+@article{hospodar2011machine,
+ title={Machine learning in side-channel analysis: a first study},
+ author={Hospodar, Gabriel and Gierlichs, Benedikt and De Mulder, Elke and Verbauwhede, Ingrid and Vandewalle, Joos},
+ journal={Journal of Cryptographic Engineering},
+ volume={1},
+ number={4},
+ pages={293},
+ year={2011},
+ publisher={Springer}
+}
+
+@inproceedings{moreno2016non,
+ title={Non-intrusive runtime monitoring through power consumption: a signals and system analysis approach to reconstruct the trace},
+ author={Moreno, Carlos and Fischmeister, Sebastian},
+ booktitle={International Conference on Runtime Verification},
+ pages={268--284},
+ year={2016},
+ organization={Springer}
+}
+
+
+
+
+@inproceedings{picek2017climbing,
+ title={Climbing down the hierarchy: hierarchical classification for machine learning side-channel attacks},
+ author={Picek, Stjepan and Heuser, Annelie and Jovic, Alan and Legay, Axel},
+ booktitle={International Conference on Cryptology in Africa},
+ pages={61--78},
+ year={2017},
+ organization={Springer}
+}
+
+@inproceedings{picek2018performance,
+ title={On the performance of convolutional neural networks for side-channel analysis},
+ author={Picek, Stjepan and Samiotis, Ioannis Petros and Kim, Jaehun and Heuser, Annelie and Bhasin, Shivam and Legay, Axel},
+ booktitle={International Conference on Security, Privacy, and Applied Cryptography Engineering},
+ pages={157--176},
+ year={2018},
+ organization={Springer}
+}
+
+@article{picek2019theory,
+ title={When theory meets practice: A framework for robust profiled side-channel analysis},
+ author={Picek, Stjepan and Heuser, Annelie and Alippi, Cesare and Regazzoni, Francesco},
+ year={2019}
+}
+
+
+
+@inproceedings{shumov2010side,
+ title={Side channel leakage profiling in software},
+ author={Shumov, D and Montgomery, Peter L},
+ booktitle={COSADE 2010},
+ year={2010},
+ organization={Citeseer}
+}
+
+@inproceedings{blanco2017framework,
+ title={A framework for acquiring and analyzing traces from cryptographic devices},
+ author={Blanco, Alfonso Blanco and de Fuentes, Jose Mar{\'\i}a and Gonz{\'a}lez-Manzano, Lorena and Encinas, Luis Hern{\'a}ndez and Mu{\~n}oz, Agust{\'\i}n Mart{\'\i}n and Oliva, Jos{\'e} Luis Rodrigo and Garc{\'\i}a, J Ignacio S{\'a}nchez},
+ booktitle={International Conference on Security and Privacy in Communication Systems},
+ pages={283--300},
+ year={2017},
+ organization={Springer}
+}
+
+@misc{NationalInstrumentsHIL,
+ author = {National Instruments},
+ title = {{Hardware In The Loop Test System}},
+ howpublished = "\url{https://www.ni.com/en-ca/innovations/white-papers/09/hardware-in-the-loop--hil--test-system-architectures.html#section--650933511}"
+}
+
+@misc{DSpace,
+ author = {DSpace},
+ title = {{Hardware In The Loop Test System}},
+ howpublished = "\url{https://www.dspace.com/shared/data/pdf/2019/dSPACE-Hardware-in-the-Loop-Systems_Business-field-brochure_01-2019_English.pdf}"
+}
+
+@misc{Labview,
+ author = {National Instruments},
+ title = {{LabVIEW DAQ}},
+ howpublished = "\url{https://www.ni.com/academic/students/learn-daq/}"
+}
+
+% Impact of human error:
+
+
+
+
+
+@article{patel2011impact,
+ title={Impact of outlier removal and normalization approach in modified k-means clustering algorithm},
+ author={Patel, Vaishali R and Mehta, Rupa G},
+ journal={International Journal of Computer Science Issues (IJCSI)},
+ volume={8},
+ number={5},
+ pages={331},
+ year={2011},
+ publisher={Citeseer}
+}
+
+
+
+@misc{cve-2018-15439,
+ key = {CVE-2018-15439},
+ title = {{CVE-2018-15439}},
+ howpublished = {National Vulnerability Database},
+ institution = {NIST},
+ day = 08,
+ month = {November},
+ year = 2018,
+ note = {\url{https://nvd.nist.gov/vuln/detail/CVE-2018-15439}},
+ url = {https://nvd.nist.gov/vuln/detail/CVE-2018-15439}
+}
+
+@misc{cve-2018-0329,
+ key = {CVE-2018-0329},
+ title = {{CVE-2018-0329}},
+ howpublished = {National Vulnerability Database},
+ institution = {NIST},
+ day = 08,
+ month = {November},
+ year = 2018,
+ note = {\url{https://nvd.nist.gov/vuln/detail/CVE-2018-0329}},
+ url = {https://nvd.nist.gov/vuln/detail/CVE-2018-0329}
+}
+
+@misc{cve-2018-0222,
+ key = {CVE-2018-0222},
+ title = {{CVE-2018-0222}},
+ howpublished = {National Vulnerability Database},
+ institution = {NIST},
+ day = 16,
+ month = {May},
+ year = 2018,
+ note = {\url{https://nvd.nist.gov/vuln/detail/CVE-2018-0222}},
+ url = {https://nvd.nist.gov/vuln/detail/CVE-2018-0222}
+}
+
+@misc{cve-2018-0151,
+ key = {CVE-2018-0151},
+ title = {{CVE-2018-0151}},
+ howpublished = {National Vulnerability Database},
+ institution = {NIST},
+ day = 28,
+ month = {March},
+ year = 2018,
+ note = {\url{https://nvd.nist.gov/vuln/detail/CVE-2018-0151}},
+ url = {https://nvd.nist.gov/vuln/detail/CVE-2018-0151}
+}
+
+@misc{cve-2018-0150,
+ key = {CVE-2018-0150},
+ title = {{CVE-2018-0150}},
+ howpublished = {National Vulnerability Database},
+ institution = {NIST},
+ day = 28,
+ month = {March},
+ year = 2018,
+ note = {\url{https://nvd.nist.gov/vuln/detail/CVE-2018-0150}},
+ url = {https://nvd.nist.gov/vuln/detail/CVE-2018-0150}
+}
+
+@misc{CVE-2019-12649,
+ key = {CVE-2019-12649},
+ title = {{CVE-2019-12649}},
+ howpublished = {National Vulnerability Database},
+ institution = {NIST},
+ day = 25,
+ month = {September},
+ year = 2019,
+ note = {\url{https://nvd.nist.gov/vuln/detail/CVE-2019-12649}},
+ url = {https://nvd.nist.gov/vuln/detail/CVE-2019-12649}
+}
+
+@misc{CVE-2019-12651,
+ key = {CVE-2019-12651},
+ title = {{CVE-2019-12651}},
+ howpublished = {National Vulnerability Database},
+ institution = {NIST},
+ day = 25,
+ month = {September},
+ year = 2019,
+ note = {\url{https://nvd.nist.gov/vuln/detail/CVE-2019-12651}},
+ url = {https://nvd.nist.gov/vuln/detail/CVE-2019-12651}
+}
+
+@MISC {citrix2020,
+ author = "William Ballenthin and Josh Madeley",
+ title = {{"404 Exploit Not Found: Vigilante Deploying Mitigation for Citrix NetScaler Vulnerability While Maintaining Backdoor"}},
+ month = jan,
+ year = "2020",
+ note = "https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html"
+}
+
+@MISC {kimwillsher2009,
+ author = "Kim Willsher",
+ title = "French fighter planes grounded by computer virus",
+ month = feb,
+ year = "2009",
+ note = "https://www.telegraph.co.uk/news/worldnews/europe/france/4547649/French-fighter-planes-grounded-by-computer-virus.html"
+}
+
+@article{chaplain2018weapon,
+ title={{Weapon Systems Cybersecurity: DoD just beginning to grapple with scale of vulnerabilities}},
+ author={Chaplain, Christina},
+ journal={Washington, DC, USA, GAO Report No. GAO-19-128},
+ year={2018}
+}
+
+
+@MISC {mitre2020,
+ author = "MITRE",
+ title = "Common Vulnerabilities and Exposures",
+ month = jan,
+ year = "2020",
+ note = "Data aggregated from https://cve.mitre.org/"
+}
+
+@MISC {uscert2014,
+ author = "US CERT",
+ title = {{"ICS Alert (ICS-ALERT-14-281-01E): Ongoing Sophisticated Malware Campaign Compromising ICS"}},
+ month = dec,
+ year = "2014",
+ note = "https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B"
+}
+
+@MISC {uscert2016,
+ author = "US CERT",
+ title = {{"ICS Alert (IR-ALERT-H-16-056-01): Cyber-Attack Against Ukrainian Critical Infrastructure"}},
+ month = feb,
+ year = "2016",
+ note = "https://www.us-cert.gov/ics/alerts/IR-ALERT-H-16-056-01"
+}
+
+@MISC {uscert2017,
+ author = "US CERT",
+ title = {{"Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors"}},
+ month = oct,
+ year = "2017",
+ note = "https://www.us-cert.gov/ncas/alerts/TA17-293A"
+}
+
+@MISC {alexandercampbellvickramsingh2019,
+ author = "Alexander Campbell, Vickram Singh",
+ title = "Lessons from the cyberattack on {I}ndia’s largest nuclear power plant",
+ month = nov,
+ year = "2019",
+ note = "https://thebulletin.org/2019/11/lessons-from-the-cyberattack-on-indias-largest-nuclear-power-plant/"
+}
+
+@article{langner2011stuxnet,
+ title={{Stuxnet: Dissecting a cyberwarfare weapon}},
+ author={Langner, Ralph},
+ journal={IEEE Security \& Privacy},
+ volume={9},
+ number={3},
+ pages={49--51},
+ year={2011},
+ publisher={IEEE}
+}
+
+
+@MISC {charlesarthur2011,
+ author = "Charles Arthur",
+ title = "Chinese hackers suspected of interfering with {US} satellites",
+ month = oct,
+ year = "2011",
+ note = "https://www.theguardian.com/technology/2011/oct/27/chinese-hacking-us-satellites-suspected"
+}
+
+@MISC {thierrynoisette2009,
+ author = "Thierry Noisette",
+ title = "S\'ecurit\'e : la Marine victime du virus Conficker-Downadup",
+ month = feb,
+ year = "2009",
+ note = "https://www.zdnet.fr/actualites/securite-la-marine-victime-du-virus-conficker-downadup-39387036.htm"
+}
+
+@misc{cve,
+ title = {CVE Cisco},
+ author = {The MITRE Corporation},
+ howpublished = {\url{https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=cisco+}},
+ note = {Search Results for: Cisco, Juniper, HPE. Retrieved December 17, 2019.},
+}
+
+@misc{cost_outage,
+ title = {Cost of Data Center Outages.},
+ howpublished = {\url{https://www.vertiv.com/globalassets/documents/reports/2016-cost-of-data-center-outages-11-11_51190_1.pdf}},
+ author = {Ponemon Institute LLC.},
+ month = {January},
+ year = {2016},
+}
+
+@misc{cost_downtime,
+ title = {The real cost of downtime.},
+ howpublished = {\url{https://devops.com/real-cost-downtime/}},
+ author = {Shimel, A.},
+ year = {2015},
+ month = {February},
+}
+
+@misc{shadowhammer,
+ title = {Shadowhammer Backdoor},
+ author = {Dellinger, AJ},
+ howpublished = {\url{https://www.engadget.com/2019/03/25/asus-hack-shadowhammer-backdoor/}},
+}
+
+@inproceedings{UCRDTW,
+ author = {Rakthanmanon, Thanawin and Campana, Bilson and Mueen, Abdullah and Batista, Gustavo and Westover, Brandon and Zhu, Qiang and Zakaria, Jesin and Keogh, Eamonn},
+ title = {Searching and Mining Trillions of Time Series Subsequences under Dynamic Time Warping},
+ year = {2012},
+ isbn = {9781450314626},
+ publisher = {Association for Computing Machinery},
+ address = {New York, NY, USA},
+ url = {https://doi.org/10.1145/2339530.2339576},
+ doi = {10.1145/2339530.2339576},
+ booktitle = {Proceedings of the 18th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining},
+ pages = {262–270},
+ numpages = {9},
+ series = {KDD ’12}
+}
+
+@inproceedings {ICISSP2017,
+ title = {On the Security of Safety-Critical Embedded Systems: Who Watches the Watchers? Who Reprograms the Watchers?},
+ booktitle = {International Conference on Information Systems Security and Privacy (ICISSP)},
+ year = {2017},
+ author = {Carlos Moreno and Sebastian Fischmeister}
+}
+
+
+
+
+
+% Surveys of IDS
+@article{Khraisat2019,
+ author="Khraisat, Ansam
+ and Gondal, Iqbal
+ and Vamplew, Peter
+ and Kamruzzaman, Joarder",
+ title="Survey of intrusion detection systems: techniques, datasets and challenges",
+ journal="Cybersecurity",
+ year="2019",
+ month="Jul",
+ day="17",
+ volume="2",
+ number="1",
+ pages="20",
+ issn="2523-3246",
+ doi="10.1186/s42400-019-0038-7",
+ url="https://doi.org/10.1186/s42400-019-0038-7"
+}
+
+%cited
+@Inbook{Hamed2018,
+ author="Hamed, Tarfa
+ and Ernst, Jason B.
+ and Kremer, Stefan C.", + title="A Survey and Taxonomy on Data and Pre-processing Techniques of Intrusion Detection Systems", + bookTitle="Computer and Network Security Essentials", + year="2018", + publisher="Springer International Publishing", + address="Cham", + pages="113--134", + isbn="978-3-319-58424-9", + doi="10.1007/978-3-319-58424-9_7", + url="https://doi.org/10.1007/978-3-319-58424-9_7" +} + +@article{dolphin, + title={DolphinAttack}, + ISBN={9781450349468}, + url={http://dx.doi.org/10.1145/3133956.3134052}, + DOI={10.1145/3133956.3134052}, + journal={Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security - CCS ’17}, + publisher={ACM Press}, + author={Zhang, Guoming and Yan, Chen and Ji, Xiaoyu and Zhang, Tianchen and Zhang, Taimin and Xu, Wenyuan}, + year={2017} +} + + +% Survey of classic intrusion detection techniques. + +%cited +@INPROCEEDINGS{7210351, + author={L. {Dali} and A. {Bentajer} and E. {Abdelmajid} and K. {Abouelmehdi} and H. {Elsayed} and E. {Fatiha} and B. 
{Abderahim}}, + booktitle={2015 2nd World Symposium on Web Applications and Networking (WSWAN)}, + title={A survey of intrusion detection system}, + year={2015}, + pages={1-6}, + doi={10.1109/WSWAN.2015.7210351}, + ISSN={null}, + month={March} +} + +%cited +@article{LIAO201316, + title = "Intrusion detection system: A comprehensive review", + journal = "Journal of Network and Computer Applications", + volume = "36", + number = "1", + pages = "16 - 24", + year = "2013", + issn = "1084-8045", + doi = "https://doi.org/10.1016/j.jnca.2012.09.004", + url = "http://www.sciencedirect.com/science/article/pii/S1084804512001944", + author = "Hung-Jen Liao and Chun-Hung Richard Lin and Ying-Chih Lin and Kuang-Yuan Tung" +} + +%cited +@article{LUNT1993405, + title = "A survey of intrusion detection techniques", + journal = "Computers \& Security", + volume = "12", + number = "4", + pages = "405 - 418", + year = "1993", + issn = "0167-4048", + doi = "https://doi.org/10.1016/0167-4048(93)90029-5", + url = "http://www.sciencedirect.com/science/article/pii/0167404893900295", + author = "Teresa F. Lunt" +} + +%cited +@article{10.1145/2542049, + author = {Mitchell, Robert and Chen, Ing-Ray}, + title = {A Survey of Intrusion Detection Techniques for Cyber-Physical Systems}, + year = {2014}, + issue_date = {April 2014}, + publisher = {Association for Computing Machinery}, + address = {New York, NY, USA}, + volume = {46}, + number = {4}, + issn = {0360-0300}, + url = {https://doi.org/10.1145/2542049}, + doi = {10.1145/2542049}, + journal = {ACM Comput. 
Surv.}, + month = mar, + articleno = {Article 55}, + numpages = {29}, +} + +%cited +@article{AGRAWAL2015708, + title = "Survey on Anomaly Detection using Data Mining Techniques", + journal = "Procedia Computer Science", + volume = "60", + pages = "708 - 713", + year = "2015", + note = "Knowledge-Based and Intelligent Information \& Engineering Systems 19th Annual Conference, KES-2015, Singapore, September 2015 Proceedings", + issn = "1877-0509", + doi = "https://doi.org/10.1016/j.procs.2015.08.220", + url = "http://www.sciencedirect.com/science/article/pii/S1877050915023479", + author = "Shikha Agrawal and Jitendra Agrawal" +} + +%cited +@article{KOLIAS2011625, + title = "Swarm intelligence in intrusion detection: A survey", + journal = "Computers \& Security", + volume = "30", + number = "8", + pages = "625 - 642", + year = "2011", + issn = "0167-4048", + doi = "https://doi.org/10.1016/j.cose.2011.08.009", + url = "http://www.sciencedirect.com/science/article/pii/S016740481100109X", + author = "C. Kolias and G. Kambourakis and M. Maragoudakis" +} + +%cited +@INPROCEEDINGS{1598592, + author={A. {Murali} and M. {Rao}}, + booktitle={2005 International Conference on Information and Communication Technologies}, + title={A Survey on Intrusion Detection Approaches}, + year={2005}, + volume={}, + number={}, + pages={233-240}, + doi={10.1109/ICICT.2005.1598592}, + ISSN={null}, + month={Aug}, +} + +%cited +@INPROCEEDINGS{6158822, + author={D. K. {Denatious} and A. {John}}, + booktitle={2012 International Conference on Computer Communication and Informatics}, + title={Survey on data mining techniques to enhance intrusion detection}, + year={2012}, + volume={}, + number={}, + pages={1-5}, + doi={10.1109/ICCCI.2012.6158822}, + ISSN={null}, + month={Jan} +} + +%cited +@ARTICLE{7307098, + author={A. L. {Buczak} and E. 
{Guven}}, + journal={IEEE Communications Surveys Tutorials}, + title={A Survey of Data Mining and Machine Learning Methods for Cyber Security Intrusion Detection}, + year={2016}, + volume={18}, + number={2}, + pages={1153-1176}, + doi={10.1109/COMST.2015.2494502}, + ISSN={2373-745X}, + month={Secondquarter} +} + +%cited +@INPROCEEDINGS{143785, + author={N. {McAuliffe} and D. {Wolcott} and L. {Schaefer} and N. {Kelem} and B. {Hubbard} and T. {Haley}}, + booktitle={[1990] Proceedings of the Sixth Annual Computer Security Applications Conference}, + title={Is your computer being misused? A survey of current intrusion detection system technology}, + year={1990}, + volume={}, + number={}, + pages={260-272}, + doi={10.1109/CSAC.1990.143785}, + ISSN={null}, + month={Dec} +} + +%cited +@article{2808691, + author = {Milenkoski, Aleksandar and Vieira, Marco and Kounev, Samuel and Avritzer, Alberto and Payne, Bryan D.}, + title = {Evaluating Computer Intrusion Detection Systems: A Survey of Common Practices}, + year = {2015}, + issue_date = {September 2015}, + publisher = {Association for Computing Machinery}, + address = {New York, NY, USA}, + volume = {48}, + number = {1}, + issn = {0360-0300}, + url = {https://doi.org/10.1145/2808691}, + doi = {10.1145/2808691}, + journal = {ACM Comput. Surv.}, + month = sep, + articleno = {Article 12}, + numpages = {41}, +} + +%cited +@ARTICLE{7935369, + author={J. {Giraldo} and E. {Sarkar} and A. A. {Cardenas} and M. {Maniatakos} and M. {Kantarcioglu}}, + journal={IEEE Design Test}, + title={Security and Privacy in Cyber-Physical Systems: A Survey of Surveys}, + year={2017}, + volume={34}, + number={4}, + pages={7-17}, + doi={10.1109/MDAT.2017.2709310}, + ISSN={2168-2364}, + month={Aug} +} + + +%cited +@INPROCEEDINGS{4557881, + author={S. {Owais} and V. {Snasel} and P. {Kromer} and A. 
{Abraham}}, + booktitle={2008 7th Computer Information Systems and Industrial Management Applications}, + title={Survey: Using Genetic Algorithm Approach in Intrusion Detection Systems Techniques}, + year={2008}, + pages={300-307}, + doi={10.1109/CISIM.2008.49}, + ISSN={null}, + month={June} +} + +@article{Hernandez2014SmartNT, + title={Smart nest thermostat: A smart spy in your home}, + author={Hernandez, Grant and Arias, Orlando and Buentello, Daniel and Jin, Yier}, + journal={Black Hat USA}, + pages={1--8}, + year={2014} +} + +%%!!DUPLICATE!! +@misc{greenberg_2018, + title={Router-Hacking "Slingshot" Spy Operation Compromised More Than 100 Targets}, + url={https://www.wired.com/story/router-hacking-slingshot-spy-operation-compromised-more-than-100-targets/}, + journal={Wired}, + publisher={Conde Nast}, + author={Greenberg, Andy}, + year={2018}, + month={Mar} +} + +@misc{kovacs_2019, + title={Cisco Firewall Exploited in Attack on {U.S.} Renewable Energy Firm}, + note={\\ + \href{https://www.securityweek.com/cisco-firewall-vulnerability-exploited-attack-us-renewable-energy-provider} + {\nolinkurl{https://www.securityweek.com/cisco-firewall-vulnerability-exploited}} + \\ + \href{https://www.securityweek.com/cisco-firewall-vulnerability-exploited-attack-us-renewable-energy-provider} + {\nolinkurl{-attack-us-renewable-energy-provider}} + }, + journal={SecurityWeek}, + author={Kovacs, Eduard}, + year={2019}, + month={Nov} +} + +@INPROCEEDINGS {liuacoustic, +author = {A. X. Liu and L. Xiao and K. Pongaliur and L. Kempel and Z. 
Abraham}, +booktitle = {2008 IEEE 11th High-Assurance Systems Engineering Symposium}, +title = {Securing Sensor Nodes Against Side Channel Attacks}, +year = {2008}, +volume = {}, +issn = {1530-2059}, +pages = {353-361}, +keywords = {sensor;network;security;side-channel}, +doi = {10.1109/HASE.2008.26}, +url = {https://doi.ieeecomputersociety.org/10.1109/HASE.2008.26}, +publisher = {IEEE Computer Society}, +address = {Los Alamitos, CA, USA}, +month = {dec} +} + +@article{hanilci2011recognition, + title={Recognition of brand and models of cell-phones from recorded speech signals}, + author={Hanilci, Cemal and Ertas, Figen and Ertas, Tuncay and Eskidere, {\"O}mer}, + journal={IEEE Transactions on Information Forensics and Security}, + volume={7}, + number={2}, + pages={625--634}, + year={2011}, + publisher={IEEE} +} + +@INPROCEEDINGS{4488501, + author={H. {Zhengbing} and S. {Jun} and V. P. {Shirochin}}, + booktitle={2007 4th IEEE Workshop on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications}, + title={An Intelligent Lightweight Intrusion Detection System with Forensics Technique}, + year={2007}, + volume={}, + number={}, + pages={647-651},} + +@article{zhai2015method, + title={A method for detecting abnormal program behavior on embedded devices}, + author={Zhai, Xiaojun and Appiah, Kofi and Ehsan, Shoaib and Howells, Gareth and Hu, Huosheng and Gu, Dongbing and McDonald-Maier, Klaus D}, + journal={IEEE Transactions on Information Forensics and Security}, + volume={10}, + number={8}, + pages={1692--1704}, + year={2015}, + publisher={IEEE} +} + +@INPROCEEDINGS{7479068, + author={M. A. {Al Faruque} and S. R. {Chhetri} and A. {Canedo} and J. 
{Wan}}, + booktitle={2016 ACM/IEEE 7th International Conference on Cyber-Physical Systems (ICCPS)}, + title={Acoustic Side-Channel Attacks on Additive Manufacturing Systems}, + year={2016}, + volume={}, + number={}, + pages={1-10},} + + +@article{vcagalj2014timing, + title={Timing attacks on cognitive authentication schemes}, + author={{\v{C}}agalj, Mario and Perkovi{\'c}, Toni and Bugari{\'c}, Marin}, + journal={IEEE Transactions on Information Forensics and Security}, + volume={10}, + number={3}, + pages={584--596}, + year={2014}, + publisher={IEEE} +} + + +@INPROCEEDINGS {, +author = {A. X. Liu and L. Xiao and K. Pongaliur and L. Kempel and Z. Abraham}, +booktitle = {2008 IEEE 11th High-Assurance Systems Engineering Symposium}, +title = {Securing Sensor Nodes Against Side Channel Attacks}, +year = {2008}, +volume = {}, +issn = {1530-2059}, +pages = {353-361}, +keywords = {sensor;network;security;side-channel}, +doi = {10.1109/HASE.2008.26}, +url = {https://doi.ieeecomputersociety.org/10.1109/HASE.2008.26}, +publisher = {IEEE Computer Society}, +address = {Los Alamitos, CA, USA}, +month = {dec} +} + + +@misc{symantec_security_response, + key={sym}, + title={Thousands of Ubiquiti AirOS routers hit with worm attacks}, + note={\\ + \href{https://www.symantec.com/connect/fr/blogs/thousands-ubiquiti-airos-routers-hit-worm-attacks-airos-routers} + {\nolinkurl{https://www.symantec.com/connect/fr/blogs/thousands-ubiquiti-airos-routers} + \\ + \nolinkurl{-hit-worm-attacks-airos-routers} + } + }, + author={Symantec Security Response}, + publisher={Symantec Security Response}, + year={2016}, + month={May}, + day={9} +} + + + +%Side channel IDS +@inproceedings{Aubel, + title={Side-channel based intrusion detection for industrial control systems}, + author={Van Aubel, Pol and Papagiannopoulos, Kostas and Chmielewski, {\L}ukasz and Doerr, Christian}, + booktitle={International Conference on Critical Information Infrastructures Security}, + pages={207--224}, + year={2017}, + 
organization={Springer} +} + +@Article{Zantout, + author="Zantout, Salam and Al Faruque, Mohammad", + title="Hardware Trojan Detection in FPGA through Side-Channel Power Analysis and Machine Learning", + year="2018", +} + +%Classic side channel +@inproceedings{Kocher, + title={Differential power analysis}, + author={Kocher, Paul and Jaffe, Joshua and Jun, Benjamin}, + booktitle={Annual International Cryptology Conference}, + pages={388--397}, + year={1999}, + organization={Springer} +} + +@inproceedings{Camurati, + title={Screaming channels: When electromagnetic side channels meet radio transceivers}, + author={Camurati, Giovanni and Poeplau, Sebastian and Muench, Marius and Hayes, Tom and Francillon, Aur{\'e}lien}, + booktitle={Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security}, + pages={163--177}, + year={2018} +} + +@ARTICLE{8509150, + author={C. {Luo} and Y. {Fei} and A. A. {Ding} and P. {Closas}}, + journal={IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems}, + title={Comprehensive Side-Channel Power Analysis of XTS-AES}, + year={2019}, + volume={38}, + number={12}, + pages={2191-2200}, + doi={10.1109/TCAD.2018.2878171}, + ISSN={1937-4151}, + month={Dec} +} + +% Cool / interesting + +@INPROCEEDINGS{8590946, + author={R. {Matsumura} and T. {Sugawara} and K. {Sakiyama}}, + booktitle={2018 Sixth International Symposium on Computing and Networking Workshops (CANDARW)}, + title={A Secure LiDAR with AES-Based Side-Channel Fingerprinting}, + year={2018}, + volume={}, + number={}, + pages={479-482}, + doi={10.1109/CANDARW.2018.00092}, + ISSN={null}, + month={Nov} +} + +% Also: +%% Removed Duplicate Moreno2018 (JD) + +@inproceedings{10.1145/2465554.2465570, + author = {Moreno, Carlos and Fischmeister, Sebastian and Hasan, M. 
Anwar}, + title = {Non-Intrusive Program Tracing and Debugging of Deployed Embedded Systems through Side-Channel Analysis}, + year = {2013}, + isbn = {9781450320856}, + publisher = {Association for Computing Machinery}, + address = {New York, NY, USA}, + url = {https://doi.org/10.1145/2465554.2465570}, + doi = {10.1145/2465554.2465570}, + booktitle = {Proceedings of the 14th ACM SIGPLAN/SIGBED Conference on Languages, Compilers and Tools for Embedded Systems}, + pages = {77–88}, + numpages = {12}, + location = {Seattle, Washington, USA}, + series = {LCTES ’13} +} + +@INPROCEEDINGS{8342184, + author={K. {Lamichhane} and C. {Moreno} and S. {Fischmeister}}, + booktitle={2018 Design, Automation Test in Europe Conference Exhibition (DATE)}, + title={Non-intrusive program tracing of non-preemptive multitasking systems using power consumption}, + year={2018}, + volume={}, + number={}, + pages={1147-1150}, + doi={10.23919/DATE.2018.8342184}, + ISSN={1558-1101}, + month={March} +} + +@InProceedings{10.1007/978-3-319-04283-1_18, + author="Msgna, Mehari and Markantonakis, Konstantinos and Mayes, Keith", + editor="Zia, Tanveer and Zomaya, Albert and Varadharajan, Vijay and Mao, Morley", + title = "{The B-Side of Side Channel Leakage: Control Flow Security in Embedded Systems}", + booktitle="Security and Privacy in Communication Networks", + year="2013", + publisher="Springer International Publishing", + address="Cham", + pages="288--304", +} + +@INPROCEEDINGS{8192483, + author={A. {Nazari} and N. {Sehatbakhsh} and M. {Alam} and A. {Zajic} and M. 
{Prvulovic}}, + booktitle={2017 ACM/IEEE 44th Annual International Symposium on Computer Architecture (ISCA)}, + title="{EDDIE: EM-based detection of deviations in program execution}", + year={2017}, + volume={}, + number={}, + pages={333-346}, + doi={10.1145/3079856.3080223}, + ISSN={null}, + month={June} +} + +@article{sehatbakhsh2019remote, + title={REMOTE: Robust External Malware Detection Framework by Using Electromagnetic Signals}, + author={Sehatbakhsh, Nader and Nazari, Alireza and Alam, Monjur and Werner, Frank and Zhu, Yuanda and Zajic, Alenka and Prvulovic, Milos}, + journal={IEEE Transactions on Computers}, + year={2019}, + publisher={IEEE} +} + +@inproceedings{xie2017aggregated, + title={Aggregated Residual Transformations for Deep Neural Networks}, + author={Xie, Saining and Girshick, Ross and Doll{\'a}r, Piotr and Tu, Zhuowen and He, Kaiming}, + booktitle={Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition}, + pages={1492--1500}, + year={2017} +} + +@inproceedings{yilmaz2019detecting, + title={Detecting Cellphone Camera Status at Distance by Exploiting Electromagnetic Emanations}, + author={Yilmaz, Baki Berkay and Ugurlu, Elvan Mert and Prvulovic, Milos and Zajic, Alenka}, + booktitle={MILCOM 2019-2019 IEEE Military Communications Conference (MILCOM)}, + pages={1--6}, + year={2019}, + organization={IEEE} +} + +@inproceedings {179223, +author = {Shane S. 
Clark and Benjamin Ransford and Amir Rahmati and Shane Guineau and Jacob Sorber and Wenyuan Xu and Kevin Fu}, +title = "{WattsUpDoc: Power Side Channels to Nonintrusively Discover Untargeted Malware on Embedded Medical Devices}", +booktitle = "2013 {USENIX} Workshop on Health Information Technologies", +year = {2013}, +address = {Washington, D.C.}, +url = {https://www.usenix.org/conference/healthtech13/workshop-program/presentation/Clark}, +publisher = "{USENIX}", +} + +@InProceedings{Acoustic_Cryptanalysis, + author="Genkin, Daniel and Shamir, Adi and Tromer, Eran", + editor="Garay, Juan A. and Gennaro, Rosario", + title="{RSA} Key Extraction via Low-Bandwidth Acoustic Cryptanalysis", + booktitle="Advances in Cryptology -- CRYPTO 2014", + year="2014", + publisher="Springer Berlin Heidelberg", + address="Berlin, Heidelberg", + pages="444--461", + isbn="978-3-662-44371-2" +} + +@inbook{Eisenbarth, + title = "{Building a Side Channel Based Disassembler}", + publisher={Springer Berlin Heidelberg}, + author={Eisenbarth, Thomas and Paar, Christof and Weghenkel, Bj\"{o}rn}, + booktitle="{Transactions on Computational Science X: Special Issue on Security in Computing, Part I}", + pages={78-99}, + year = 2010 +} + +@misc{router_hacking_slingshot, + title = {Router-Hacking ``Slingshot'' Spy Operation Compromised More Than 100 Targets}, + note={\\ + \href{https://www.wired.com/story/router-hacking-slingshot-spy-operation-compromised-more-than-100-targets/} + {\nolinkurl{https://www.wired.com/story/router-hacking-slingshot-spy-operation}} + \\ + \href{https://www.wired.com/story/router-hacking-slingshot-spy-operation-compromised-more-than-100-targets/} + {\nolinkurl{-compromised-more-than-100-targets/}} + }, + journal = {Wired}, + author = {Greenberg, Andy}, + year = {2018}, + month = {March}, +} + +@misc{nsa_prefers_hacking_routers, + title = "{NSA} Laughs at {PCs}, Prefers Hacking Routers and Switches", + howpublished = 
{\url{https://www.wired.com/2013/09/nsa-router-hacking/}}, + author = {Zetter, Kim}, + year = {2013}, + month = {September}, +} + +@misc{unpatched_routers_prox_yarmy, + title = {Unpatched routers being used to build vast proxy army, spy on networks}, + howpublished = {\url{https://arstechnica.com/information-technology/2018/09/unpatched-routers-being-used-to-build-vast-proxy-army-spy-on-networks/}}, + author = {Gallagher, Sean}, + year = {2018}, + month = {September}, +} + + + + + + + + + +@InProceedings{10.1007/3-540-36400-5_4, +author="Agrawal, Dakshi +and Archambeault, Bruce +and Rao, Josyula R. +and Rohatgi, Pankaj", +editor="Kaliski, Burton S. +and Ko{\c{c}}, {\c{c}}etin K. +and Paar, Christof", +title="The EM Side---Channel(s)", +booktitle="Cryptographic Hardware and Embedded Systems - CHES 2002", +year="2003", +publisher="Springer Berlin Heidelberg", +address="Berlin, Heidelberg", +pages="29--45", +} + +@article{printers, +title = {Acoustic Side-Channel Attacks on Printers}, +author = {Michael Backes, Markus Dürmuth, Sebastian Gerling, Manfred Pinkal, Caroline Sporleder}, +year = {2010}, +publisher = {https://www.usenix.org/legacy/event/sec10/tech/full_papers/Backes.pdf}, +} + +@article{10.1145/1609956.1609959, +author = {Zhuang, Li and Zhou, Feng and Tygar, J. D.}, +title = {Keyboard Acoustic Emanations Revisited}, +year = {2009}, +issue_date = {October 2009}, +publisher = {Association for Computing Machinery}, +address = {New York, NY, USA}, +volume = {13}, +number = {1}, +issn = {1094-9224}, +url = {https://doi.org/10.1145/1609956.1609959}, +doi = {10.1145/1609956.1609959}, +journal = {ACM Trans. Inf. Syst. 
Secur.}, +month = nov, +articleno = {Article 3}, +numpages = {26}, +keywords = {privacy, cepstrum, learning theory, signal analysis, acoustic manations, Computer security, HMM, human factors, keyboards, hidden markov models, electronic eavesdropping} +} + +@InProceedings{10.1007/3-540-68697-5_9, +author="Kocher, Paul C.", +editor="Koblitz, Neal", +title="Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems", +booktitle="Advances in Cryptology --- CRYPTO '96", +year="1996", +publisher="Springer Berlin Heidelberg", +address="Berlin, Heidelberg", +pages="104--113", +} + + + + + + +@article{VINCENT201577, +title = "Trojan Detection and Side-channel Analyses for Cyber-security in Cyber-physical Manufacturing Systems", +journal = "Procedia Manufacturing", +volume = "1", +pages = "77 - 85", +year = "2015", +note = "43rd North American Manufacturing Research Conference, NAMRC 43, 8-12 June 2015, UNC Charlotte, North Carolina, United States", +issn = "2351-9789", +doi = "https://doi.org/10.1016/j.promfg.2015.09.065", +url = "http://www.sciencedirect.com/science/article/pii/S2351978915010653", +author = "Hannah Vincent and Lee Wells and Pablo Tarazaga and Jaime Camelio", +keywords = "Cyber-Attack detection, Cyber-Physical manufacturing systems, Quality control, Side-Channel analyses, Structural Health Monitoring, Trojans", +} + + +@inproceedings{fuller2018exploiting, + title={Exploiting side-channel emissions to detect changes in FPGA firmware}, + author={Fuller, Ryan M and Riley, Ronald A and Graham, James T}, + booktitle={Cyber Sensing 2018}, + volume={10630}, + pages={106300A}, + year={2018}, + organization={International Society for Optics and Photonics} +} + +@article{hospodar2011machine, + title={Machine learning in side-channel analysis: a first study}, + author={Hospodar, Gabriel and Gierlichs, Benedikt and De Mulder, Elke and Verbauwhede, Ingrid and Vandewalle, Joos}, + journal={Journal of Cryptographic Engineering}, + volume={1}, + 
number={4}, + pages={293}, + year={2011}, + publisher={Springer} +} + +@inproceedings{moreno2016non, + title={Non-intrusive runtime monitoring through power consumption: a signals and system analysis approach to reconstruct the trace}, + author={Moreno, Carlos and Fischmeister, Sebastian}, + booktitle={International Conference on Runtime Verification}, + pages={268--284}, + year={2016}, + organization={Springer} +} + + + + +@inproceedings{picek2017climbing, + title={Climbing down the hierarchy: hierarchical classification for machine learning side-channel attacks}, + author={Picek, Stjepan and Heuser, Annelie and Jovic, Alan and Legay, Axel}, + booktitle={International Conference on Cryptology in Africa}, + pages={61--78}, + year={2017}, + organization={Springer} +} + +@inproceedings{picek2018performance, + title={On the performance of convolutional neural networks for side-channel analysis}, + author={Picek, Stjepan and Samiotis, Ioannis Petros and Kim, Jaehun and Heuser, Annelie and Bhasin, Shivam and Legay, Axel}, + booktitle={International Conference on Security, Privacy, and Applied Cryptography Engineering}, + pages={157--176}, + year={2018}, + organization={Springer} +} + +@article{picek2019theory, + title={When theory meets practice: A framework for robust profiled side-channel analysis}, + author={Picek, Stjepan and Heuser, Annelie and Alippi, Cesare and Regazzoni, Francesco}, + year={2019} +} + + + + +@inproceedings{shumov2010side, + title={Side channel leakage profiling in software}, + author={Shumov, D and Montgomery, Peter L}, + booktitle={COSADE 2010}, + year={2010}, + organization={Citeseer} +} + +@inproceedings{blanco2017framework, + title={A framework for acquiring and analyzing traces from cryptographic devices}, + author={Blanco, Alfonso Blanco and de Fuentes, Jose Mar{\'\i}a and Gonz{\'a}lez-Manzano, Lorena and Encinas, Luis Hern{\'a}ndez and Mu{\~n}oz, Agust{\'\i}n Mart{\'\i}n and Oliva, Jos{\'e} Luis Rodrigo and Garc{\'\i}a, J Ignacio 
S{\'a}nchez}, + booktitle={International Conference on Security and Privacy in Communication Systems}, + pages={283--300}, + year={2017}, + organization={Springer} +} + +@misc{NationalInstrumentsHIL, + author = {National Instruments}, + title = {{Hardware In The Loop Test System}}, + howpublished = "\url{https://www.ni.com/en-ca/innovations/white-papers/09/hardware-in-the-loop--hil--test-system-architectures.html#section--650933511}" +} + +@misc{DSpace, + author = {DSpace}, + title = {{Hardware In The Loop Test System}}, + howpublished = "\url{https://www.dspace.com/shared/data/pdf/2019/dSPACE-Hardware-in-the-Loop-Systems_Business-field-brochure_01-2019_English.pdf}" +} + +@misc{Labview, + author = {National Instruments}, + title = {{LabVIEW DAQ}}, + howpublished = "\url{https://www.ni.com/academic/students/learn-daq/}" +} + +% Impact of human error: + + + + + + + +@article{patel2011impact, + title={Impact of outlier removal and normalization approach in modified k-means clustering algorithm}, + author={Patel, Vaishali R and Mehta, Rupa G}, + journal={International Journal of Computer Science Issues (IJCSI)}, + volume={8}, + number={5}, + pages={331}, + year={2011}, + publisher={Citeseer} +} + +@inproceedings{kazman1994saam, + title={SAAM: A method for analyzing the properties of software architectures}, + author={Kazman, Rick and Bass, Len and Abowd, Gregory and Webb, Mike}, + booktitle={Proceedings of 16th International Conference on Software Engineering}, + pages={81--90}, + year={1994}, + organization={IEEE} +} + +@inproceedings{msgna2014verifying, + title={Verifying software integrity in embedded systems: A side channel approach}, + author={Msgna, Mehari and Markantonakis, Konstantinos and Naccache, David and Mayes, Keith}, + booktitle={International Workshop on Constructive Side-Channel Analysis and Secure Design}, + pages={261--280}, + year={2014}, + organization={Springer} +} + +@article{hochreiter1997long, + title={Long short-term memory}, + 
author={Hochreiter, Sepp and Schmidhuber, J{\"u}rgen}, + journal={Neural computation}, + volume={9}, + number={8}, + pages={1735--1780}, + year={1997}, + publisher={MIT Press} +} + +@phdthesis{calvi2019runtime, + title={Runtime Monitoring of Cyber-Physical Systems Using Data-driven Models}, + author={Calvi, Michele Giovanni}, + year={2019}, + school={University of Illinois at Chicago} +} + +@inproceedings{moreno2013non, + title={Non-intrusive program tracing and debugging of deployed embedded systems through side-channel analysis}, + author={Moreno, Carlos and Fischmeister, Sebastian and Hasan, M Anwar}, + booktitle={Proceedings of the 14th ACM SIGPLAN/SIGBED conference on Languages, compilers and tools for embedded systems}, + pages={77--88}, + year={2013} +} + +@inproceedings{quisquater2002automatic, + title={{Automatic Code Recognition for Smartcards Using a Kohonen Neural Network}}, + author={Quisquater, Jean-Jacques and Samyde, David}, + booktitle={CARDIS}, + volume={2}, + pages={6}, + year={2002} +} + +@manual{datacenterbreach, + title = "Cost of a Data Breach Full Report 2022", + author = "IBM", + url = "https://www.ibm.com/downloads/cas/3R8N1DZJ", + year = "2023-04-26" + } + +@article{kur2009improving, + title={Improving resiliency of {J}ava card code against power analysis}, + author={Kur, Jir{\i} and Smolka, Tobi{\'a}{\v{s}} and Svenda, P}, + journal={Mikulaska kryptobesidka, Sbornik prispevku}, + pages={29--39}, + year={2009} +} +@article{paliwal, + title={A MODIFICATION OVER SAKOE AND CHIBA'S DYNAMIC TIME +WARPING ALGORITHM FOR ISOLATED WORD RECOGNITION*}, + author={K.K. PALIWAL, Anant AGARWAL and Sarvajit S. 
SINHA}, + year={1981} +} + +@inproceedings{deng2009imagenet, + title={{Imagenet: A Large-Scale Hierarchical Image Database}}, + author={Deng, Jia and Dong, Wei and Socher, Richard and Li, Li-Jia and Li, Kai and Fei-Fei, Li}, + booktitle={2009 IEEE Conference on Computer Vision and Pattern Recognition}, + pages={248--255}, + year={2009}, + organization={IEEE} +} + +@inproceedings{szegedy2017inception, + title={Inception-v4, inception-resnet and the impact of residual connections on learning}, + author={Szegedy, Christian and Ioffe, Sergey and Vanhoucke, Vincent and Alemi, Alexander A}, + booktitle={Thirty-first AAAI conference on artificial intelligence}, + year={2017} +} + + + +@inproceedings{chollet2017xception, + title={Xception: Deep learning with depthwise separable convolutions}, + author={Chollet, Fran{\c{c}}ois}, + booktitle={Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition}, + pages={1251--1258}, + year={2017} +} + +@INPROCEEDINGS{1536928, author={D. {Halford} and J. H. {Shoaf} and A. S. {Risley}}, booktitle={27th Annual Symposium on Frequency Control}, title={Spectral Density Analysis: Frequency Domain Specification and Measurement of Signal Stability}, year={1973}, volume={}, number={}, pages={421-431},} + +@inproceedings{10.5555/645803.669511, +author = {Keogh, Eamonn J. and Pazzani, Michael J.}, +title = {Scaling up Dynamic Time Warping to Massive Dataset}, +year = {1999}, +isbn = {3540664904}, +publisher = {Springer-Verlag}, +address = {Berlin, Heidelberg}, +booktitle = {Proceedings of the Third European Conference on Principles of Data Mining and Knowledge Discovery}, +pages = {1–11}, +numpages = {11}, +series = {PKDD ’99} +} + +@article{theodoridis2009pattern, + title={Pattern recognition. 
2003}, + author={Theodoridis, Sergios and Koutroumbas, Konstantinos}, + journal={Google Scholar Digital Library}, + year={2009} +} +@inproceedings{hutter2013temperature, + title={The temperature side channel and heating fault attacks}, + author={Hutter, Michael and Schmidt, J{\"o}rn-Marc}, + booktitle={International Conference on Smart Card Research and Advanced Applications}, + pages={219--235}, + year={2013}, + organization={Springer} +} +@inproceedings{masti2015thermal, + title={Thermal covert channels on multi-core platforms}, + author={Masti, Ramya Jayaram and Rai, Devendra and Ranganathan, Aanjhan and M{\"u}ller, Christian and Thiele, Lothar and Capkun, Srdjan}, + booktitle={24th {USENIX} Security Symposium ({USENIX} Security '15)}, + pages={865--880}, + year={2015} +} + +@ARTICLE{4766926, author={G. V. {Trunk}}, journal={{IEEE Transactions on Pattern Analysis and Machine Intelligence}}, title={A Problem of Dimensionality: A Simple Example}, year={1979}, volume={PAMI-1}, number={3}, pages={306-307}} + +@inproceedings{genkin2014rsa, + title="{RSA} key extraction via low-bandwidth acoustic cryptanalysis", + author={Genkin, Daniel and Shamir, Adi and Tromer, Eran}, + booktitle={Annual Cryptology Conference}, + pages={444--461}, + year={2014}, + organization={Springer} +} + +@INPROCEEDINGS{7130435, author={R. {Daş} and A. {Karabade} and G. {Tuna}}, booktitle={2015 23nd Signal Processing and Communications Applications Conference (SIU)}, title={Common network attack types and defense mechanisms}, year={2015}, volume={}, number={}, pages={2658-2661},} + +@INPROCEEDINGS{727070, +author={J. T. {Russell} and M. F. {Jacome}}, +booktitle={Proceedings International Conference on Computer Design. VLSI in Computers and Processors (Cat. 
No.98CB36273)},
+title={Software power estimation and optimization for high performance, 32-bit embedded processors},
+year={1998},
+volume={},
+number={},
+pages={328-333},}
+
+@inproceedings{grisel2022work,
+ title={Work-in-Progress: Boot Sequence Integrity Verification with Power Analysis},
+ author={Grisel-Davy, Arthur and Bhogayata, Amrita Milan and Pabbi, Srijan and Narayan, Apurva and Fischmeister, Sebastian},
+ booktitle={2022 International Conference on Embedded Software (EMSOFT)},
+ pages={3--4},
+ year={2022},
+ organization={IEEE}
+}
+
diff --git a/EET1/MLCS_conference/images/Firmware_Comparison_TD_direct.pdf b/EET1/MLCS_conference/images/Firmware_Comparison_TD_direct.pdf
new file mode 100644
index 0000000..526c7ac
Binary files /dev/null and b/EET1/MLCS_conference/images/Firmware_Comparison_TD_direct.pdf differ
diff --git a/EET1/MLCS_conference/images/cluster_dc.pdf b/EET1/MLCS_conference/images/cluster_dc.pdf
new file mode 100644
index 0000000..5e02d3d
Binary files /dev/null and b/EET1/MLCS_conference/images/cluster_dc.pdf differ
diff --git a/EET1/MLCS_conference/images/detect_change.pdf b/EET1/MLCS_conference/images/detect_change.pdf
new file mode 100644
index 0000000..1317165
Binary files /dev/null and b/EET1/MLCS_conference/images/detect_change.pdf differ
diff --git a/EET1/MLCS_conference/images/overview_eet_v3.pdf b/EET1/MLCS_conference/images/overview_eet_v3.pdf
new file mode 100644
index 0000000..95ba7da
Binary files /dev/null and b/EET1/MLCS_conference/images/overview_eet_v3.pdf differ
diff --git a/EET1/MLCS_conference/images/preview_ids.pdf b/EET1/MLCS_conference/images/preview_ids.pdf
new file mode 100644
index 0000000..6d14559
Binary files /dev/null and b/EET1/MLCS_conference/images/preview_ids.pdf differ
diff --git a/EET1/MLCS_conference/images/psd.pdf b/EET1/MLCS_conference/images/psd.pdf
new file mode 100644
index 0000000..3347b0d
Binary files /dev/null and b/EET1/MLCS_conference/images/psd.pdf differ
diff --git a/EET1/MLCS_conference/images/ssh_class.pdf b/EET1/MLCS_conference/images/ssh_class.pdf
new file mode 100644
index 0000000..da2efbd
Binary files /dev/null and b/EET1/MLCS_conference/images/ssh_class.pdf differ
diff --git a/EET1/MLCS_conference/images/ssh_class_2.pdf b/EET1/MLCS_conference/images/ssh_class_2.pdf
new file mode 100644
index 0000000..5fd4592
Binary files /dev/null and b/EET1/MLCS_conference/images/ssh_class_2.pdf differ
diff --git a/EET1/MLCS_conference/images/ssh_fft.pdf b/EET1/MLCS_conference/images/ssh_fft.pdf
new file mode 100644
index 0000000..deaba5e
Binary files /dev/null and b/EET1/MLCS_conference/images/ssh_fft.pdf differ
diff --git a/EET1/MLCS_conference/images/time_domain_ssh.pdf b/EET1/MLCS_conference/images/time_domain_ssh.pdf
new file mode 100644
index 0000000..8910a12
Binary files /dev/null and b/EET1/MLCS_conference/images/time_domain_ssh.pdf differ
diff --git a/EET1/MLCS_conference/images/time_domain_ssh_labels.pdf b/EET1/MLCS_conference/images/time_domain_ssh_labels.pdf
new file mode 100644
index 0000000..af6813d
Binary files /dev/null and b/EET1/MLCS_conference/images/time_domain_ssh_labels.pdf differ
diff --git a/EET1/MLCS_conference/llncs.cls b/EET1/MLCS_conference/llncs.cls
new file mode 100644
index 0000000..58bd0e3
--- /dev/null
+++ b/EET1/MLCS_conference/llncs.cls
@@ -0,0 +1,1218 @@ +% LLNCS DOCUMENT CLASS -- version 2.22 (05-Sep-2022) +% Springer Verlag LaTeX2e support for Lecture Notes in Computer Science +% +%% +%% \CharacterTable +%% {Upper-case \A\B\C\D\E\F\G\H\I\J\K\L\M\N\O\P\Q\R\S\T\U\V\W\X\Y\Z +%% Lower-case \a\b\c\d\e\f\g\h\i\j\k\l\m\n\o\p\q\r\s\t\u\v\w\x\y\z +%% Digits \0\1\2\3\4\5\6\7\8\9 +%% Exclamation \! Double quote \" Hash (number) \# +%% Dollar \$ Percent \% Ampersand \& +%% Acute accent \' Left paren \( Right paren \) +%% Asterisk \* Plus \+ Comma \, +%% Minus \- Point \. Solidus \/ +%% Colon \: Semicolon \; Less than \< +%% Equals \= Greater than \> Question mark \? +%% Commercial at \@ Left bracket \[ Backslash \\ +%% Right bracket \] Circumflex \^ Underscore \_ +%% Grave accent \` Left brace \{ Vertical bar \| +%% Right brace \} Tilde \~} +%% +\NeedsTeXFormat{LaTeX2e}[1995/12/01] +\ProvidesClass{llncs}[2022/09/05 v2.22 +^^J LaTeX document class for Lecture Notes in Computer Science] +% Options +\let\if@envcntreset\iffalse +\DeclareOption{envcountreset}{\let\if@envcntreset\iftrue} +\DeclareOption{citeauthoryear}{\let\citeauthoryear=Y} +\DeclareOption{oribibl}{\let\oribibl=Y} +\let\if@custvec\iftrue +\DeclareOption{orivec}{\let\if@custvec\iffalse} +\let\if@envcntsame\iffalse +\DeclareOption{envcountsame}{\let\if@envcntsame\iftrue} +\let\if@envcntsect\iffalse +\DeclareOption{envcountsect}{\let\if@envcntsect\iftrue} +\let\if@runhead\iffalse +\DeclareOption{runningheads}{\let\if@runhead\iftrue} + +\let\if@openright\iftrue +\let\if@openbib\iffalse +\DeclareOption{openbib}{\let\if@openbib\iftrue} + +% languages +\let\switcht@@therlang\relax +\def\ds@deutsch{\def\switcht@@therlang{\switcht@deutsch}} +\def\ds@francais{\def\switcht@@therlang{\switcht@francais}} + +\DeclareOption*{\PassOptionsToClass{\CurrentOption}{article}} + +\ProcessOptions + +\LoadClass[twoside]{article} +\RequirePackage{multicol} % needed for the list of participants, index +\RequirePackage{aliascnt} + +\setlength{\textwidth}{12.2cm} 
+\setlength{\textheight}{19.3cm} +\renewcommand\@pnumwidth{2em} +\renewcommand\@tocrmarg{3.5em} +% +\def\@dottedtocline#1#2#3#4#5{% + \ifnum #1>\c@tocdepth \else + \vskip \z@ \@plus.2\p@ + {\leftskip #2\relax \rightskip \@tocrmarg \advance\rightskip by 0pt plus 2cm + \parfillskip -\rightskip \pretolerance=10000 + \parindent #2\relax\@afterindenttrue + \interlinepenalty\@M + \leavevmode + \@tempdima #3\relax + \advance\leftskip \@tempdima \null\nobreak\hskip -\leftskip + {#4}\nobreak + \leaders\hbox{$\m@th + \mkern \@dotsep mu\hbox{.}\mkern \@dotsep + mu$}\hfill + \nobreak + \hb@xt@\@pnumwidth{\hfil\normalfont \normalcolor #5}% + \par}% + \fi} +% +\def\switcht@albion{% +\def\abstractname{Abstract.} +\def\ackname{Acknowledgement.} +\def\andname{and} +\def\lastandname{\unskip, and} +\def\appendixname{Appendix} +\def\chaptername{Chapter} +\def\claimname{Claim} +\def\conjecturename{Conjecture} +\def\contentsname{Table of Contents} +\def\corollaryname{Corollary} +\def\definitionname{Definition} +\def\examplename{Example} +\def\exercisename{Exercise} +\def\figurename{Fig.} +\def\keywordname{{\bf Keywords:}} +\def\indexname{Index} +\def\lemmaname{Lemma} +\def\contriblistname{List of Contributors} +\def\listfigurename{List of Figures} +\def\listtablename{List of Tables} +\def\mailname{{\it Correspondence to\/}:} +\def\noteaddname{Note added in proof} +\def\notename{Note} +\def\partname{Part} +\def\problemname{Problem} +\def\proofname{Proof} +\def\propertyname{Property} +\def\propositionname{Proposition} +\def\questionname{Question} +\def\remarkname{Remark} +\def\seename{see} +\def\solutionname{Solution} +\def\subclassname{{\it Subject Classifications\/}:} +\def\tablename{Table} +\def\theoremname{Theorem}} +\switcht@albion +% Names of theorem like environments are already defined +% but must be translated if another language is chosen +% +% French section +\def\switcht@francais{%\typeout{On parle francais.}% + \def\abstractname{R\'esum\'e.}% + \def\ackname{Remerciements.}% + 
\def\andname{et}% + \def\lastandname{ et}% + \def\appendixname{Appendice}% + \def\chaptername{Chapitre}% + \def\claimname{Pr\'etention}% + \def\conjecturename{Hypoth\`ese}% + \def\contentsname{Table des mati\`eres}% + \def\corollaryname{Corollaire}% + \def\definitionname{D\'efinition}% + \def\examplename{Exemple}% + \def\exercisename{Exercice}% + \def\figurename{Fig.}% + \def\keywordname{{\bf Mots-cl\'e:}}% + \def\indexname{Index}% + \def\lemmaname{Lemme}% + \def\contriblistname{Liste des contributeurs}% + \def\listfigurename{Liste des figures}% + \def\listtablename{Liste des tables}% + \def\mailname{{\it Correspondence to\/}:}% + \def\noteaddname{Note ajout\'ee \`a l'\'epreuve}% + \def\notename{Remarque}% + \def\partname{Partie}% + \def\problemname{Probl\`eme}% + \def\proofname{Preuve}% + \def\propertyname{Caract\'eristique}% +%\def\propositionname{Proposition}% + \def\questionname{Question}% + \def\remarkname{Remarque}% + \def\seename{voir}% + \def\solutionname{Solution}% + \def\subclassname{{\it Subject Classifications\/}:}% + \def\tablename{Tableau}% + \def\theoremname{Th\'eor\`eme}% +} +% +% German section +\def\switcht@deutsch{%\typeout{Man spricht deutsch.}% + \def\abstractname{Zusammenfassung.}% + \def\ackname{Danksagung.}% + \def\andname{und}% + \def\lastandname{ und}% + \def\appendixname{Anhang}% + \def\chaptername{Kapitel}% + \def\claimname{Behauptung}% + \def\conjecturename{Hypothese}% + \def\contentsname{Inhaltsverzeichnis}% + \def\corollaryname{Korollar}% +%\def\definitionname{Definition}% + \def\examplename{Beispiel}% + \def\exercisename{\"Ubung}% + \def\figurename{Abb.}% + \def\keywordname{{\bf Schl\"usselw\"orter:}}% + \def\indexname{Index}% +%\def\lemmaname{Lemma}% + \def\contriblistname{Mitarbeiter}% + \def\listfigurename{Abbildungsverzeichnis}% + \def\listtablename{Tabellenverzeichnis}% + \def\mailname{{\it Correspondence to\/}:}% + \def\noteaddname{Nachtrag}% + \def\notename{Anmerkung}% + \def\partname{Teil}% +%\def\problemname{Problem}% + 
\def\proofname{Beweis}% + \def\propertyname{Eigenschaft}% +%\def\propositionname{Proposition}% + \def\questionname{Frage}% + \def\remarkname{Anmerkung}% + \def\seename{siehe}% + \def\solutionname{L\"osung}% + \def\subclassname{{\it Subject Classifications\/}:}% + \def\tablename{Tabelle}% +%\def\theoremname{Theorem}% +} + +% Ragged bottom for the actual page +\def\thisbottomragged{\def\@textbottom{\vskip\z@ plus.0001fil +\global\let\@textbottom\relax}} + +\renewcommand\small{% + \@setfontsize\small\@ixpt{11}% + \abovedisplayskip 8.5\p@ \@plus3\p@ \@minus4\p@ + \abovedisplayshortskip \z@ \@plus2\p@ + \belowdisplayshortskip 4\p@ \@plus2\p@ \@minus2\p@ + \def\@listi{\leftmargin\leftmargini + \parsep 0\p@ \@plus1\p@ \@minus\p@ + \topsep 8\p@ \@plus2\p@ \@minus4\p@ + \itemsep0\p@}% + \belowdisplayskip \abovedisplayskip +} + +\frenchspacing +\widowpenalty=10000 +\clubpenalty=10000 + +\setlength\oddsidemargin {63\p@} +\setlength\evensidemargin {63\p@} +\setlength\marginparwidth {90\p@} + +\setlength\headsep {16\p@} + +\setlength\footnotesep{7.7\p@} +\setlength\textfloatsep{8mm\@plus 2\p@ \@minus 4\p@} +\setlength\intextsep {8mm\@plus 2\p@ \@minus 2\p@} + +\setcounter{secnumdepth}{2} + +\newcounter {chapter} +\renewcommand\thechapter {\@arabic\c@chapter} + +\newif\if@mainmatter \@mainmattertrue +\newcommand\frontmatter{\cleardoublepage + \@mainmatterfalse\pagenumbering{Roman}} +\newcommand\mainmatter{\cleardoublepage + \@mainmattertrue\pagenumbering{arabic}} +\newcommand\backmatter{\if@openright\cleardoublepage\else\clearpage\fi + \@mainmatterfalse} + +\renewcommand\part{\cleardoublepage + \thispagestyle{empty}% + \if@twocolumn + \onecolumn + \@tempswatrue + \else + \@tempswafalse + \fi + \null\vfil + \secdef\@part\@spart} + +\def\@part[#1]#2{% + \ifnum \c@secnumdepth >-2\relax + \refstepcounter{part}% + \addcontentsline{toc}{part}{\thepart\hspace{1em}#1}% + \else + \addcontentsline{toc}{part}{#1}% + \fi + \markboth{}{}% + {\centering + \interlinepenalty \@M + \normalfont + 
\ifnum \c@secnumdepth >-2\relax + \huge\bfseries \partname~\thepart + \par + \vskip 20\p@ + \fi + \Huge \bfseries #2\par}% + \@endpart} +\def\@spart#1{% + {\centering + \interlinepenalty \@M + \normalfont + \Huge \bfseries #1\par}% + \@endpart} +\def\@endpart{\vfil\newpage + \if@twoside + \null + \thispagestyle{empty}% + \newpage + \fi + \if@tempswa + \twocolumn + \fi} + +\newcommand\chapter{\clearpage + \thispagestyle{empty}% + \global\@topnum\z@ + \@afterindentfalse + \secdef\@chapter\@schapter} +\def\@chapter[#1]#2{\ifnum \c@secnumdepth >\m@ne + \if@mainmatter + \refstepcounter{chapter}% + \typeout{\@chapapp\space\thechapter.}% + \addcontentsline{toc}{chapter}% + {\protect\numberline{\thechapter}#1}% + \else + \addcontentsline{toc}{chapter}{#1}% + \fi + \else + \addcontentsline{toc}{chapter}{#1}% + \fi + \chaptermark{#1}% + \addtocontents{lof}{\protect\addvspace{10\p@}}% + \addtocontents{lot}{\protect\addvspace{10\p@}}% + \if@twocolumn + \@topnewpage[\@makechapterhead{#2}]% + \else + \@makechapterhead{#2}% + \@afterheading + \fi} +\def\@makechapterhead#1{% +% \vspace*{50\p@}% + {\centering + \ifnum \c@secnumdepth >\m@ne + \if@mainmatter + \large\bfseries \@chapapp{} \thechapter + \par\nobreak + \vskip 20\p@ + \fi + \fi + \interlinepenalty\@M + \Large \bfseries #1\par\nobreak + \vskip 40\p@ + }} +\def\@schapter#1{\if@twocolumn + \@topnewpage[\@makeschapterhead{#1}]% + \else + \@makeschapterhead{#1}% + \@afterheading + \fi} +\def\@makeschapterhead#1{% +% \vspace*{50\p@}% + {\centering + \normalfont + \interlinepenalty\@M + \Large \bfseries #1\par\nobreak + \vskip 40\p@ + }} + +\renewcommand\section{\@startsection{section}{1}{\z@}% + {-18\p@ \@plus -4\p@ \@minus -4\p@}% + {12\p@ \@plus 4\p@ \@minus 4\p@}% + {\normalfont\large\bfseries\boldmath + \rightskip=\z@ \@plus 8em\pretolerance=10000 }} +\renewcommand\subsection{\@startsection{subsection}{2}{\z@}% + {-18\p@ \@plus -4\p@ \@minus -4\p@}% + {8\p@ \@plus 4\p@ \@minus 4\p@}% + 
{\normalfont\normalsize\bfseries\boldmath + \rightskip=\z@ \@plus 8em\pretolerance=10000 }} +\renewcommand\subsubsection{\@startsection{subsubsection}{3}{\z@}% + {-18\p@ \@plus -4\p@ \@minus -4\p@}% + {-0.5em \@plus -0.22em \@minus -0.1em}% + {\normalfont\normalsize\bfseries\boldmath}} +\renewcommand\paragraph{\@startsection{paragraph}{4}{\z@}% + {-12\p@ \@plus -4\p@ \@minus -4\p@}% + {-0.5em \@plus -0.22em \@minus -0.1em}% + {\normalfont\normalsize\itshape}} +\renewcommand\subparagraph[1]{\typeout{LLNCS warning: You should not use + \string\subparagraph\space with this class}\vskip0.5cm +You should not use \verb|\subparagraph| with this class.\vskip0.5cm} + +\DeclareMathSymbol{\Gamma}{\mathalpha}{letters}{"00} +\DeclareMathSymbol{\Delta}{\mathalpha}{letters}{"01} +\DeclareMathSymbol{\Theta}{\mathalpha}{letters}{"02} +\DeclareMathSymbol{\Lambda}{\mathalpha}{letters}{"03} +\DeclareMathSymbol{\Xi}{\mathalpha}{letters}{"04} +\DeclareMathSymbol{\Pi}{\mathalpha}{letters}{"05} +\DeclareMathSymbol{\Sigma}{\mathalpha}{letters}{"06} +\DeclareMathSymbol{\Upsilon}{\mathalpha}{letters}{"07} +\DeclareMathSymbol{\Phi}{\mathalpha}{letters}{"08} +\DeclareMathSymbol{\Psi}{\mathalpha}{letters}{"09} +\DeclareMathSymbol{\Omega}{\mathalpha}{letters}{"0A} + +\let\footnotesize\small + +\if@custvec +\DeclareRobustCommand\vec[1]{\mathchoice{\mbox{\boldmath$\displaystyle#1$}} +{\mbox{\boldmath$\textstyle#1$}} +{\mbox{\boldmath$\scriptstyle#1$}} +{\mbox{\boldmath$\scriptscriptstyle#1$}}} +\fi + +\def\squareforqed{\hbox{\rlap{$\sqcap$}$\sqcup$}} +\def\qed{\ifmmode\squareforqed\else{\unskip\nobreak\hfil +\penalty50\hskip1em\null\nobreak\hfil\squareforqed +\parfillskip=0pt\finalhyphendemerits=0\endgraf}\fi} + +\def\getsto{\mathrel{\mathchoice {\vcenter{\offinterlineskip +\halign{\hfil +$\displaystyle##$\hfil\cr\gets\cr\to\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr\gets +\cr\to\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr\gets +\cr\to\cr}}} 
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr +\gets\cr\to\cr}}}}} +\def\lid{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil +$\displaystyle##$\hfil\cr<\cr\noalign{\vskip1.2pt}=\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr<\cr +\noalign{\vskip1.2pt}=\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr<\cr +\noalign{\vskip1pt}=\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr +<\cr +\noalign{\vskip0.9pt}=\cr}}}}} +\def\gid{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil +$\displaystyle##$\hfil\cr>\cr\noalign{\vskip1.2pt}=\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr>\cr +\noalign{\vskip1.2pt}=\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr>\cr +\noalign{\vskip1pt}=\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr +>\cr +\noalign{\vskip0.9pt}=\cr}}}}} +\def\grole{\mathrel{\mathchoice {\vcenter{\offinterlineskip +\halign{\hfil +$\displaystyle##$\hfil\cr>\cr\noalign{\vskip-1pt}<\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr +>\cr\noalign{\vskip-1pt}<\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr +>\cr\noalign{\vskip-0.8pt}<\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr +>\cr\noalign{\vskip-0.3pt}<\cr}}}}} +\def\bbbr{{\rm I\!R}} %reelle Zahlen +\def\bbbm{{\rm I\!M}} +\def\bbbn{{\rm I\!N}} %natuerliche Zahlen +\def\bbbf{{\rm I\!F}} +\def\bbbh{{\rm I\!H}} +\def\bbbk{{\rm I\!K}} +\def\bbbp{{\rm I\!P}} +\def\bbbone{{\mathchoice {\rm 1\mskip-4mu l} {\rm 1\mskip-4mu l} +{\rm 1\mskip-4.5mu l} {\rm 1\mskip-5mu l}}} +\def\bbbc{{\mathchoice {\setbox0=\hbox{$\displaystyle\rm C$}\hbox{\hbox +to0pt{\kern0.4\wd0\vrule height0.9\ht0\hss}\box0}} +{\setbox0=\hbox{$\textstyle\rm C$}\hbox{\hbox +to0pt{\kern0.4\wd0\vrule height0.9\ht0\hss}\box0}} +{\setbox0=\hbox{$\scriptstyle\rm C$}\hbox{\hbox 
+to0pt{\kern0.4\wd0\vrule height0.9\ht0\hss}\box0}} +{\setbox0=\hbox{$\scriptscriptstyle\rm C$}\hbox{\hbox +to0pt{\kern0.4\wd0\vrule height0.9\ht0\hss}\box0}}}} +\def\bbbq{{\mathchoice {\setbox0=\hbox{$\displaystyle\rm +Q$}\hbox{\raise +0.15\ht0\hbox to0pt{\kern0.4\wd0\vrule height0.8\ht0\hss}\box0}} +{\setbox0=\hbox{$\textstyle\rm Q$}\hbox{\raise +0.15\ht0\hbox to0pt{\kern0.4\wd0\vrule height0.8\ht0\hss}\box0}} +{\setbox0=\hbox{$\scriptstyle\rm Q$}\hbox{\raise +0.15\ht0\hbox to0pt{\kern0.4\wd0\vrule height0.7\ht0\hss}\box0}} +{\setbox0=\hbox{$\scriptscriptstyle\rm Q$}\hbox{\raise +0.15\ht0\hbox to0pt{\kern0.4\wd0\vrule height0.7\ht0\hss}\box0}}}} +\def\bbbt{{\mathchoice {\setbox0=\hbox{$\displaystyle\rm +T$}\hbox{\hbox to0pt{\kern0.3\wd0\vrule height0.9\ht0\hss}\box0}} +{\setbox0=\hbox{$\textstyle\rm T$}\hbox{\hbox +to0pt{\kern0.3\wd0\vrule height0.9\ht0\hss}\box0}} +{\setbox0=\hbox{$\scriptstyle\rm T$}\hbox{\hbox +to0pt{\kern0.3\wd0\vrule height0.9\ht0\hss}\box0}} +{\setbox0=\hbox{$\scriptscriptstyle\rm T$}\hbox{\hbox +to0pt{\kern0.3\wd0\vrule height0.9\ht0\hss}\box0}}}} +\def\bbbs{{\mathchoice +{\setbox0=\hbox{$\displaystyle \rm S$}\hbox{\raise0.5\ht0\hbox +to0pt{\kern0.35\wd0\vrule height0.45\ht0\hss}\hbox +to0pt{\kern0.55\wd0\vrule height0.5\ht0\hss}\box0}} +{\setbox0=\hbox{$\textstyle \rm S$}\hbox{\raise0.5\ht0\hbox +to0pt{\kern0.35\wd0\vrule height0.45\ht0\hss}\hbox +to0pt{\kern0.55\wd0\vrule height0.5\ht0\hss}\box0}} +{\setbox0=\hbox{$\scriptstyle \rm S$}\hbox{\raise0.5\ht0\hbox +to0pt{\kern0.35\wd0\vrule height0.45\ht0\hss}\raise0.05\ht0\hbox +to0pt{\kern0.5\wd0\vrule height0.45\ht0\hss}\box0}} +{\setbox0=\hbox{$\scriptscriptstyle\rm S$}\hbox{\raise0.5\ht0\hbox +to0pt{\kern0.4\wd0\vrule height0.45\ht0\hss}\raise0.05\ht0\hbox +to0pt{\kern0.55\wd0\vrule height0.45\ht0\hss}\box0}}}} +\def\bbbz{{\mathchoice {\hbox{$\mathsf\textstyle Z\kern-0.4em Z$}} +{\hbox{$\mathsf\textstyle Z\kern-0.4em Z$}} +{\hbox{$\mathsf\scriptstyle Z\kern-0.3em Z$}} 
+{\hbox{$\mathsf\scriptscriptstyle Z\kern-0.2em Z$}}}} + +\let\ts\, + +\setlength\leftmargini {17\p@} +\setlength\leftmargin {\leftmargini} +\setlength\leftmarginii {\leftmargini} +\setlength\leftmarginiii {\leftmargini} +\setlength\leftmarginiv {\leftmargini} +\setlength \labelsep {.5em} +\setlength \labelwidth{\leftmargini} +\addtolength\labelwidth{-\labelsep} + +\def\@listI{\leftmargin\leftmargini + \parsep 0\p@ \@plus1\p@ \@minus\p@ + \topsep 8\p@ \@plus2\p@ \@minus4\p@ + \itemsep0\p@} +\let\@listi\@listI +\@listi +\def\@listii {\leftmargin\leftmarginii + \labelwidth\leftmarginii + \advance\labelwidth-\labelsep + \topsep 0\p@ \@plus2\p@ \@minus\p@} +\def\@listiii{\leftmargin\leftmarginiii + \labelwidth\leftmarginiii + \advance\labelwidth-\labelsep + \topsep 0\p@ \@plus\p@\@minus\p@ + \parsep \z@ + \partopsep \p@ \@plus\z@ \@minus\p@} + +\renewcommand\labelitemi{\normalfont\bfseries --} +\renewcommand\labelitemii{$\m@th\bullet$} + +\setlength\arraycolsep{1.4\p@} +\setlength\tabcolsep{1.4\p@} + +\def\tableofcontents{\chapter*{\contentsname\@mkboth{{\contentsname}}% + {{\contentsname}}} + \def\authcount##1{\setcounter{auco}{##1}\setcounter{@auth}{1}} + \def\lastand{\ifnum\value{auco}=2\relax + \unskip{} \andname\ + \else + \unskip \lastandname\ + \fi}% + \def\and{\stepcounter{@auth}\relax + \ifnum\value{@auth}=\value{auco}% + \lastand + \else + \unskip, + \fi}% + \@starttoc{toc}\if@restonecol\twocolumn\fi} + +\def\l@part#1#2{\addpenalty{\@secpenalty}% + \addvspace{2em plus\p@}% % space above part line + \begingroup + \parindent \z@ + \rightskip \z@ plus 5em + \hrule\vskip5pt + \large % same size as for a contribution heading + \bfseries\boldmath % set line in boldface + \leavevmode % TeX command to enter horizontal mode. 
+ #1\par + \vskip5pt + \hrule + \vskip1pt + \nobreak % Never break after part entry + \endgroup} + +\def\@dotsep{2} + +\let\phantomsection=\relax + +\def\hyperhrefextend{\ifx\hyper@anchor\@undefined\else +{}\fi} + +\def\addnumcontentsmark#1#2#3{% +\addtocontents{#1}{\protect\contentsline{#2}{\protect\numberline + {\thechapter}#3}{\thepage}\hyperhrefextend}}% +\def\addcontentsmark#1#2#3{% +\addtocontents{#1}{\protect\contentsline{#2}{#3}{\thepage}\hyperhrefextend}}% +\def\addcontentsmarkwop#1#2#3{% +\addtocontents{#1}{\protect\contentsline{#2}{#3}{0}\hyperhrefextend}}% + +\def\@adcmk[#1]{\ifcase #1 \or +\def\@gtempa{\addnumcontentsmark}% + \or \def\@gtempa{\addcontentsmark}% + \or \def\@gtempa{\addcontentsmarkwop}% + \fi\@gtempa{toc}{chapter}% +} +\def\addtocmark{% +\phantomsection +\@ifnextchar[{\@adcmk}{\@adcmk[3]}% +} + +\def\l@chapter#1#2{\addpenalty{-\@highpenalty} + \vskip 1.0em plus 1pt \@tempdima 1.5em \begingroup + \parindent \z@ \rightskip \@tocrmarg + \advance\rightskip by 0pt plus 2cm + \parfillskip -\rightskip \pretolerance=10000 + \leavevmode \advance\leftskip\@tempdima \hskip -\leftskip + {\large\bfseries\boldmath#1}\ifx0#2\hfil\null + \else + \nobreak + \leaders\hbox{$\m@th \mkern \@dotsep mu.\mkern + \@dotsep mu$}\hfill + \nobreak\hbox to\@pnumwidth{\hss #2}% + \fi\par + \penalty\@highpenalty \endgroup} + +\def\l@title#1#2{\addpenalty{-\@highpenalty} + \addvspace{8pt plus 1pt} + \@tempdima \z@ + \begingroup + \parindent \z@ \rightskip \@tocrmarg + \advance\rightskip by 0pt plus 2cm + \parfillskip -\rightskip \pretolerance=10000 + \leavevmode \advance\leftskip\@tempdima \hskip -\leftskip + #1\nobreak + \leaders\hbox{$\m@th \mkern \@dotsep mu.\mkern + \@dotsep mu$}\hfill + \nobreak\hbox to\@pnumwidth{\hss #2}\par + \penalty\@highpenalty \endgroup} + +\def\l@author#1#2{\addpenalty{\@highpenalty} + \@tempdima=15\p@ %\z@ + \begingroup + \parindent \z@ \rightskip \@tocrmarg + \advance\rightskip by 0pt plus 2cm + \pretolerance=10000 + \leavevmode 
\advance\leftskip\@tempdima %\hskip -\leftskip + \textit{#1}\par + \penalty\@highpenalty \endgroup} + +\setcounter{tocdepth}{0} +\newdimen\tocchpnum +\newdimen\tocsecnum +\newdimen\tocsectotal +\newdimen\tocsubsecnum +\newdimen\tocsubsectotal +\newdimen\tocsubsubsecnum +\newdimen\tocsubsubsectotal +\newdimen\tocparanum +\newdimen\tocparatotal +\newdimen\tocsubparanum +\tocchpnum=\z@ % no chapter numbers +\tocsecnum=15\p@ % section 88. plus 2.222pt +\tocsubsecnum=23\p@ % subsection 88.8 plus 2.222pt +\tocsubsubsecnum=27\p@ % subsubsection 88.8.8 plus 1.444pt +\tocparanum=35\p@ % paragraph 88.8.8.8 plus 1.666pt +\tocsubparanum=43\p@ % subparagraph 88.8.8.8.8 plus 1.888pt +\def\calctocindent{% +\tocsectotal=\tocchpnum +\advance\tocsectotal by\tocsecnum +\tocsubsectotal=\tocsectotal +\advance\tocsubsectotal by\tocsubsecnum +\tocsubsubsectotal=\tocsubsectotal +\advance\tocsubsubsectotal by\tocsubsubsecnum +\tocparatotal=\tocsubsubsectotal +\advance\tocparatotal by\tocparanum} +\calctocindent + +\def\l@section{\@dottedtocline{1}{\tocchpnum}{\tocsecnum}} +\def\l@subsection{\@dottedtocline{2}{\tocsectotal}{\tocsubsecnum}} +\def\l@subsubsection{\@dottedtocline{3}{\tocsubsectotal}{\tocsubsubsecnum}} +\def\l@paragraph{\@dottedtocline{4}{\tocsubsubsectotal}{\tocparanum}} +\def\l@subparagraph{\@dottedtocline{5}{\tocparatotal}{\tocsubparanum}} + +\def\listoffigures{\@restonecolfalse\if@twocolumn\@restonecoltrue\onecolumn + \fi\section*{\listfigurename\@mkboth{{\listfigurename}}{{\listfigurename}}} + \@starttoc{lof}\if@restonecol\twocolumn\fi} +\def\l@figure{\@dottedtocline{1}{0em}{1.5em}} + +\def\listoftables{\@restonecolfalse\if@twocolumn\@restonecoltrue\onecolumn + \fi\section*{\listtablename\@mkboth{{\listtablename}}{{\listtablename}}} + \@starttoc{lot}\if@restonecol\twocolumn\fi} +\let\l@table\l@figure + +\renewcommand\listoffigures{% + \section*{\listfigurename + \@mkboth{\listfigurename}{\listfigurename}}% + \@starttoc{lof}% + } + +\renewcommand\listoftables{% + 
\section*{\listtablename + \@mkboth{\listtablename}{\listtablename}}% + \@starttoc{lot}% + } + +\ifx\oribibl\undefined +\ifx\citeauthoryear\undefined +\renewenvironment{thebibliography}[1] + {\section*{\refname} + \def\@biblabel##1{##1.} + \small + \list{\@biblabel{\@arabic\c@enumiv}}% + {\settowidth\labelwidth{\@biblabel{#1}}% + \leftmargin\labelwidth + \advance\leftmargin\labelsep + \if@openbib + \advance\leftmargin\bibindent + \itemindent -\bibindent + \listparindent \itemindent + \parsep \z@ + \fi + \usecounter{enumiv}% + \let\p@enumiv\@empty + \renewcommand\theenumiv{\@arabic\c@enumiv}}% + \if@openbib + \renewcommand\newblock{\par}% + \else + \renewcommand\newblock{\hskip .11em \@plus.33em \@minus.07em}% + \fi + \sloppy\clubpenalty4000\widowpenalty4000% + \sfcode`\.=\@m} + {\def\@noitemerr + {\@latex@warning{Empty `thebibliography' environment}}% + \endlist} +\def\@lbibitem[#1]#2{\item[{[#1]}\hfill]\if@filesw + {\let\protect\noexpand\immediate + \write\@auxout{\string\bibcite{#2}{#1}}}\fi\ignorespaces} +\newcount\@tempcntc +\def\@citex[#1]#2{\if@filesw\immediate\write\@auxout{\string\citation{#2}}\fi + \@tempcnta\z@\@tempcntb\m@ne\def\@citea{}\@cite{\@for\@citeb:=#2\do + {\@ifundefined + {b@\@citeb}{\@citeo\@tempcntb\m@ne\@citea\def\@citea{,}{\bfseries + ?}\@warning + {Citation `\@citeb' on page \thepage \space undefined}}% + {\setbox\z@\hbox{\global\@tempcntc0\csname b@\@citeb\endcsname\relax}% + \ifnum\@tempcntc=\z@ \@citeo\@tempcntb\m@ne + \@citea\def\@citea{,}\hbox{\csname b@\@citeb\endcsname}% + \else + \advance\@tempcntb\@ne + \ifnum\@tempcntb=\@tempcntc + \else\advance\@tempcntb\m@ne\@citeo + \@tempcnta\@tempcntc\@tempcntb\@tempcntc\fi\fi}}\@citeo}{#1}} +\def\@citeo{\ifnum\@tempcnta>\@tempcntb\else + \@citea\def\@citea{,\,\hskip\z@skip}% + \ifnum\@tempcnta=\@tempcntb\the\@tempcnta\else + {\advance\@tempcnta\@ne\ifnum\@tempcnta=\@tempcntb \else + \def\@citea{--}\fi + \advance\@tempcnta\m@ne\the\@tempcnta\@citea\the\@tempcntb}\fi\fi} +\else 
+\renewenvironment{thebibliography}[1] + {\section*{\refname} + \small + \list{}% + {\settowidth\labelwidth{}% + \leftmargin\parindent + \itemindent=-\parindent + \labelsep=\z@ + \if@openbib + \advance\leftmargin\bibindent + \itemindent -\bibindent + \listparindent \itemindent + \parsep \z@ + \fi + \usecounter{enumiv}% + \let\p@enumiv\@empty + \renewcommand\theenumiv{}}% + \if@openbib + \renewcommand\newblock{\par}% + \else + \renewcommand\newblock{\hskip .11em \@plus.33em \@minus.07em}% + \fi + \sloppy\clubpenalty4000\widowpenalty4000% + \sfcode`\.=\@m} + {\def\@noitemerr + {\@latex@warning{Empty `thebibliography' environment}}% + \endlist} + \def\@cite#1{#1}% + \def\@lbibitem[#1]#2{\item[]\if@filesw + {\def\protect##1{\string ##1\space}\immediate + \write\@auxout{\string\bibcite{#2}{#1}}}\fi\ignorespaces} + \fi +\else +\@cons\@openbib@code{\noexpand\small} +\fi + +\def\idxquad{\hskip 10\p@}% space that divides entry from number + +\def\@idxitem{\par\hangindent 10\p@} + +\def\subitem{\par\setbox0=\hbox{--\enspace}% second order + \noindent\hangindent\wd0\box0}% index entry + +\def\subsubitem{\par\setbox0=\hbox{--\,--\enspace}% third + \noindent\hangindent\wd0\box0}% order index entry + +\def\indexspace{\par \vskip 10\p@ plus5\p@ minus3\p@\relax} + +\renewenvironment{theindex} + {\@mkboth{\indexname}{\indexname}% + \thispagestyle{empty}\parindent\z@ + \parskip\z@ \@plus .3\p@\relax + \let\item\par + \def\,{\relax\ifmmode\mskip\thinmuskip + \else\hskip0.2em\ignorespaces\fi}% + \normalfont\small + \begin{multicols}{2}[\@makeschapterhead{\indexname}]% + } + {\end{multicols}} + +\renewcommand\footnoterule{% + \kern-3\p@ + \hrule\@width 2truecm + \kern2.6\p@} + \newdimen\fnindent + \fnindent1em +\long\def\@makefntext#1{% + \parindent \fnindent% + \leftskip \fnindent% + \noindent + \llap{\hb@xt@1em{\hss\@makefnmark\ }}\ignorespaces#1} + +\long\def\@makecaption#1#2{% + \small + \vskip\abovecaptionskip + \sbox\@tempboxa{{\bfseries #1.} #2}% + \ifdim \wd\@tempboxa >\hsize + 
{\bfseries #1.} #2\par + \else + \global \@minipagefalse + \hb@xt@\hsize{\hfil\box\@tempboxa\hfil}% + \fi + \vskip\belowcaptionskip} + +\def\fps@figure{htbp} +\def\fnum@figure{\figurename\thinspace\thefigure} +\def \@floatboxreset {% + \reset@font + \small + \@setnobreak + \@setminipage +} +\def\fps@table{htbp} +\def\fnum@table{\tablename~\thetable} +\renewenvironment{table} + {\setlength\abovecaptionskip{0\p@}% + \setlength\belowcaptionskip{10\p@}% + \@float{table}} + {\end@float} +\renewenvironment{table*} + {\setlength\abovecaptionskip{0\p@}% + \setlength\belowcaptionskip{10\p@}% + \@dblfloat{table}} + {\end@dblfloat} + +\long\def\@caption#1[#2]#3{\par\addcontentsline{\csname + ext@#1\endcsname}{#1}{\protect\numberline{\csname + the#1\endcsname}{\ignorespaces #2}}\begingroup + \@parboxrestore + \@makecaption{\csname fnum@#1\endcsname}{\ignorespaces #3}\par + \endgroup} + +% LaTeX does not provide a command to enter the authors institute +% addresses. The \institute command is defined here. 
+ +\newcounter{@inst} +\newcounter{@auth} +\newcounter{auco} +\newdimen\instindent +\newbox\authrun +\newtoks\authorrunning +\newtoks\tocauthor +\newbox\titrun +\newtoks\titlerunning +\newtoks\toctitle + +\def\clearheadinfo{\gdef\@author{No Author Given}% + \gdef\@title{No Title Given}% + \gdef\@subtitle{}% + \gdef\@institute{No Institute Given}% + \gdef\@thanks{}% + \global\titlerunning={}\global\authorrunning={}% + \global\toctitle={}\global\tocauthor={}} + +\def\institute#1{\gdef\@institute{#1}} + +\def\institutename{\par + \begingroup + \parskip=\z@ + \parindent=\z@ + \setcounter{@inst}{1}% + \def\and{\par\stepcounter{@inst}% + \noindent$^{\the@inst}$\enspace\ignorespaces}% + \setbox0=\vbox{\def\thanks##1{}\@institute}% + \ifnum\c@@inst=1\relax + \gdef\fnnstart{0}% + \else + \xdef\fnnstart{\c@@inst}% + \setcounter{@inst}{1}% + \noindent$^{\the@inst}$\enspace + \fi + \ignorespaces + \@institute\par + \endgroup} + +\def\@fnsymbol#1{\ensuremath{\ifcase#1\or\star\or{\star\star}\or + {\star\star\star}\or \dagger\or \ddagger\or + \mathchar "278\or \mathchar "27B\or \|\or **\or \dagger\dagger + \or \ddagger\ddagger \else\@ctrerr\fi}} + +\def\inst#1{\unskip$^{#1}$} +\def\orcidID#1{\unskip$^{[#1]}$} % added MR 2018-03-10 +\def\fnmsep{\unskip$^,$} +\def\email#1{{\tt#1}} + +\AtBeginDocument{\@ifundefined{url}{\def\url#1{#1}}{}% +\@ifpackageloaded{babel}{% +\@ifundefined{extrasenglish}{}{\addto\extrasenglish{\switcht@albion}}% +\@ifundefined{extrasfrenchb}{}{\addto\extrasfrenchb{\switcht@francais}}% +\@ifundefined{extrasgerman}{}{\addto\extrasgerman{\switcht@deutsch}}% +\@ifundefined{extrasngerman}{}{\addto\extrasngerman{\switcht@deutsch}}% +}{\switcht@@therlang}% +\providecommand{\keywords}[1]{\def\and{{\textperiodcentered} }% +\par\addvspace\baselineskip +\noindent\keywordname\enspace\ignorespaces#1}% +\@ifpackageloaded{hyperref}{% +\def\doi#1{\href{https://doi.org/\detokenize{#1}}{\url{https://doi.org/#1}}}}{ +\def\doi#1{https://doi.org/\detokenize{#1}}} +} 
+\def\homedir{\~{ }} + +\def\subtitle#1{\gdef\@subtitle{#1}} +\clearheadinfo +% +%%% to avoid hyperref warnings +\providecommand*{\toclevel@author}{999} +%%% to make title-entry parent of section-entries +\providecommand*{\toclevel@title}{0} +% +\renewcommand\maketitle{\newpage +\phantomsection + \refstepcounter{chapter}% + \stepcounter{section}% + \setcounter{section}{0}% + \setcounter{subsection}{0}% + \setcounter{figure}{0} + \setcounter{table}{0} + \setcounter{equation}{0} + \setcounter{footnote}{0}% + \begingroup + \parindent=\z@ + \renewcommand\thefootnote{\@fnsymbol\c@footnote}% + \if@twocolumn + \ifnum \col@number=\@ne + \@maketitle + \else + \twocolumn[\@maketitle]% + \fi + \else + \newpage + \global\@topnum\z@ % Prevents figures from going at top of page. + \@maketitle + \fi + \thispagestyle{empty}\@thanks +% + \def\\{\unskip\ \ignorespaces}\def\inst##1{\unskip{}}% + \def\thanks##1{\unskip{}}\def\fnmsep{\unskip}% + \instindent=\hsize + \advance\instindent by-\headlineindent + \if!\the\toctitle!\addcontentsline{toc}{title}{\@title}\else + \addcontentsline{toc}{title}{\the\toctitle}\fi + \if@runhead + \if!\the\titlerunning!\else + \edef\@title{\the\titlerunning}% + \fi + \global\setbox\titrun=\hbox{\small\rm\unboldmath\ignorespaces\@title}% + \ifdim\wd\titrun>\instindent + \typeout{Title too long for running head. 
Please supply}% + \typeout{a shorter form with \string\titlerunning\space prior to + \string\maketitle}% + \global\setbox\titrun=\hbox{\small\rm + Title Suppressed Due to Excessive Length}% + \fi + \xdef\@title{\copy\titrun}% + \fi +% + \if!\the\tocauthor!\relax + {\def\and{\noexpand\protect\noexpand\and}% + \def\inst##1{}% added MR 2017-09-20 to remove inst numbers from the TOC + \def\orcidID##1{}% added MR 2017-09-20 to remove ORCID ids from the TOC + \protected@xdef\toc@uthor{\@author}}% + \else + \def\\{\noexpand\protect\noexpand\newline}% + \protected@xdef\scratch{\the\tocauthor}% + \protected@xdef\toc@uthor{\scratch}% + \fi + \addtocontents{toc}{\noexpand\protect\noexpand\authcount{\the\c@auco}}% + \addcontentsline{toc}{author}{\toc@uthor}% + \if@runhead + \if!\the\authorrunning! + \value{@inst}=\value{@auth}% + \setcounter{@auth}{1}% + \else + \edef\@author{\the\authorrunning}% + \fi + \global\setbox\authrun=\hbox{\def\inst##1{}% added MR 2017-09-20 to remove inst numbers from the runninghead + \def\orcidID##1{}% added MR 2017-09-20 to remove ORCID ids from the runninghead + \small\unboldmath\@author\unskip}% + \ifdim\wd\authrun>\instindent + \typeout{Names of authors too long for running head. 
Please supply}% + \typeout{a shorter form with \string\authorrunning\space prior to + \string\maketitle}% + \global\setbox\authrun=\hbox{\small\rm + Authors Suppressed Due to Excessive Length}% + \fi + \xdef\@author{\copy\authrun}% + \markboth{\@author}{\@title}% + \fi + \endgroup + \setcounter{footnote}{\fnnstart}% + \clearheadinfo} +% +\def\@maketitle{\newpage + \markboth{}{}% + \def\lastand{\ifnum\value{@inst}=2\relax + \unskip{} \andname\ + \else + \unskip \lastandname\ + \fi}% + \def\and{\stepcounter{@auth}\relax + \ifnum\value{@auth}=\value{@inst}% + \lastand + \else + \unskip, + \fi}% + \begin{center}% + \let\newline\\ + {\Large \bfseries\boldmath + \pretolerance=10000 + \@title \par}\vskip .8cm +\if!\@subtitle!\else {\large \bfseries\boldmath + \vskip -.65cm + \pretolerance=10000 + \@subtitle \par}\vskip .8cm\fi + \setbox0=\vbox{\setcounter{@auth}{1}\def\and{\stepcounter{@auth}}% + \def\thanks##1{}\@author}% + \global\value{@inst}=\value{@auth}% + \global\value{auco}=\value{@auth}% + \setcounter{@auth}{1}% +{\lineskip .5em +\noindent\ignorespaces +\@author\vskip.35cm} + {\small\institutename} + \end{center}% + } + +% definition of the "\spnewtheorem" command. +% +% Usage: +% +% \spnewtheorem{env_nam}{caption}[within]{cap_font}{body_font} +% or \spnewtheorem{env_nam}[numbered_like]{caption}{cap_font}{body_font} +% or \spnewtheorem*{env_nam}{caption}{cap_font}{body_font} +% +% New is "cap_font" and "body_font". It stands for +% fontdefinition of the caption and the text itself. +% +% "\spnewtheorem*" gives a theorem without number. +% +% A defined spnewthoerem environment is used as described +% by Lamport. 
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\def\@thmcountersep{}
+\def\@thmcounterend{.}
+
+\def\spnewtheorem{\@ifstar{\@sthm}{\@Sthm}}
+
+% definition of \spnewtheorem with number
+
+\def\@spnthm#1#2{%
+ \@ifnextchar[{\@spxnthm{#1}{#2}}{\@spynthm{#1}{#2}}}
+\def\@Sthm#1{\@ifnextchar[{\@spothm{#1}}{\@spnthm{#1}}}
+
+\def\@spxnthm#1#2[#3]#4#5{\expandafter\@ifdefinable\csname #1\endcsname
+ {\@definecounter{#1}\@addtoreset{#1}{#3}%
+ \expandafter\xdef\csname the#1\endcsname{\expandafter\noexpand
+ \csname the#3\endcsname \noexpand\@thmcountersep \@thmcounter{#1}}%
+ \expandafter\xdef\csname #1name\endcsname{#2}%
+ \global\@namedef{#1}{\@spthm{#1}{\csname #1name\endcsname}{#4}{#5}}%
+ \global\@namedef{end#1}{\@endtheorem}}}
+
+\def\@spynthm#1#2#3#4{\expandafter\@ifdefinable\csname #1\endcsname
+ {\@definecounter{#1}%
+ \expandafter\xdef\csname the#1\endcsname{\@thmcounter{#1}}%
+ \expandafter\xdef\csname #1name\endcsname{#2}%
+ \global\@namedef{#1}{\@spthm{#1}{\csname #1name\endcsname}{#3}{#4}}%
+ \global\@namedef{end#1}{\@endtheorem}}}
+
+\def\@spothm#1[#2]#3#4#5{%
+ \@ifundefined{c@#2}{\@latexerr{No theorem environment `#2' defined}\@eha}%
+ {\expandafter\@ifdefinable\csname #1\endcsname
+ {\newaliascnt{#1}{#2}%
+ \expandafter\xdef\csname #1name\endcsname{#3}%
+ \global\@namedef{#1}{\@spthm{#1}{\csname #1name\endcsname}{#4}{#5}}%
+ \global\@namedef{end#1}{\@endtheorem}}}}
+
+\def\@spthm#1#2#3#4{\topsep 7\p@ \@plus2\p@ \@minus4\p@
+\refstepcounter{#1}%
+\@ifnextchar[{\@spythm{#1}{#2}{#3}{#4}}{\@spxthm{#1}{#2}{#3}{#4}}}
+
+\def\@spxthm#1#2#3#4{\@spbegintheorem{#2}{\csname the#1\endcsname}{#3}{#4}%
+ \ignorespaces}
+
+\def\@spythm#1#2#3#4[#5]{\@spopargbegintheorem{#2}{\csname
+ the#1\endcsname}{#5}{#3}{#4}\ignorespaces}
+
+\def\@spbegintheorem#1#2#3#4{\trivlist
+ \item[\hskip\labelsep{#3#1\ #2\@thmcounterend}]#4}
+
+\def\@spopargbegintheorem#1#2#3#4#5{\trivlist
+ \item[\hskip\labelsep{#4#1\ #2}]{#4(#3)\@thmcounterend\ }#5}
+
+% definition of
\spnewtheorem* without number
+
+\def\@sthm#1#2{\@Ynthm{#1}{#2}}
+
+\def\@Ynthm#1#2#3#4{\expandafter\@ifdefinable\csname #1\endcsname
+ {\global\@namedef{#1}{\@Thm{\csname #1name\endcsname}{#3}{#4}}%
+ \expandafter\xdef\csname #1name\endcsname{#2}%
+ \global\@namedef{end#1}{\@endtheorem}}}
+
+\def\@Thm#1#2#3{\topsep 7\p@ \@plus2\p@ \@minus4\p@
+\@ifnextchar[{\@Ythm{#1}{#2}{#3}}{\@Xthm{#1}{#2}{#3}}}
+
+\def\@Xthm#1#2#3{\@Begintheorem{#1}{#2}{#3}\ignorespaces}
+
+\def\@Ythm#1#2#3[#4]{\@Opargbegintheorem{#1}
+ {#4}{#2}{#3}\ignorespaces}
+
+\def\@Begintheorem#1#2#3{#3\trivlist
+ \item[\hskip\labelsep{#2#1\@thmcounterend}]}
+
+\def\@Opargbegintheorem#1#2#3#4{#4\trivlist
+ \item[\hskip\labelsep{#3#1}]{#3(#2)\@thmcounterend\ }}
+
+\if@envcntsect
+ \def\@thmcountersep{.}
+ \spnewtheorem{theorem}{Theorem}[section]{\bfseries}{\itshape}
+\else
+ \spnewtheorem{theorem}{Theorem}{\bfseries}{\itshape}
+ \if@envcntreset
+ \@addtoreset{theorem}{section}
+ \else
+ \@addtoreset{theorem}{chapter}
+ \fi
+\fi
+
+%definition of divers theorem environments
+\spnewtheorem*{claim}{Claim}{\itshape}{\rmfamily}
+\spnewtheorem*{proof}{Proof}{\itshape}{\rmfamily}
+\if@envcntsame % alle Umgebungen wie Theorem.
+ \def\spn@wtheorem#1#2#3#4{\@spothm{#1}[theorem]{#2}{#3}{#4}}
+\else % alle Umgebungen mit eigenem Zaehler
+ \if@envcntsect % mit section numeriert
+ \def\spn@wtheorem#1#2#3#4{\@spxnthm{#1}{#2}[section]{#3}{#4}}
+ \else % nicht mit section numeriert
+ \if@envcntreset
+ \def\spn@wtheorem#1#2#3#4{\@spynthm{#1}{#2}{#3}{#4}
+ \@addtoreset{#1}{section}}
+ \else
+ \def\spn@wtheorem#1#2#3#4{\@spynthm{#1}{#2}{#3}{#4}
+ \@addtoreset{#1}{chapter}}%
+ \fi
+ \fi
+\fi
+\spn@wtheorem{case}{Case}{\itshape}{\rmfamily}
+\spn@wtheorem{conjecture}{Conjecture}{\itshape}{\rmfamily}
+\spn@wtheorem{corollary}{Corollary}{\bfseries}{\itshape}
+\spn@wtheorem{definition}{Definition}{\bfseries}{\itshape}
+\spn@wtheorem{example}{Example}{\itshape}{\rmfamily}
+\spn@wtheorem{exercise}{Exercise}{\itshape}{\rmfamily}
+\spn@wtheorem{lemma}{Lemma}{\bfseries}{\itshape}
+\spn@wtheorem{note}{Note}{\itshape}{\rmfamily}
+\spn@wtheorem{problem}{Problem}{\itshape}{\rmfamily}
+\spn@wtheorem{property}{Property}{\itshape}{\rmfamily}
+\spn@wtheorem{proposition}{Proposition}{\bfseries}{\itshape}
+\spn@wtheorem{question}{Question}{\itshape}{\rmfamily}
+\spn@wtheorem{solution}{Solution}{\itshape}{\rmfamily}
+\spn@wtheorem{remark}{Remark}{\itshape}{\rmfamily}
+
+\def\@takefromreset#1#2{%
+ \def\@tempa{#1}%
+ \let\@tempd\@elt
+ \def\@elt##1{%
+ \def\@tempb{##1}%
+ \ifx\@tempa\@tempb\else
+ \@addtoreset{##1}{#2}%
+ \fi}%
+ \expandafter\expandafter\let\expandafter\@tempc\csname cl@#2\endcsname
+ \expandafter\def\csname cl@#2\endcsname{}%
+ \@tempc
+ \let\@elt\@tempd}
+
+\def\theopargself{\def\@spopargbegintheorem##1##2##3##4##5{\trivlist
+ \item[\hskip\labelsep{##4##1\ ##2}]{##4##3\@thmcounterend\ }##5}
+ \def\@Opargbegintheorem##1##2##3##4{##4\trivlist
+ \item[\hskip\labelsep{##3##1}]{##3##2\@thmcounterend\ }}
+ }
+
+\renewenvironment{abstract}{%
+ \list{}{\advance\topsep by0.35cm\relax\small
+ \leftmargin=1cm
+ \labelwidth=\z@
+ \listparindent=\z@
+ \itemindent\listparindent
+
\rightmargin\leftmargin}\item[\hskip\labelsep
+ \bfseries\abstractname]}
+ {\endlist}
+
+\newdimen\headlineindent % dimension for space between
+\headlineindent=1.166cm % number and text of headings.
+
+\def\ps@headings{\let\@mkboth\@gobbletwo
+ \let\@oddfoot\@empty\let\@evenfoot\@empty
+ \def\@evenhead{\normalfont\small\rlap{\thepage}\hspace{\headlineindent}%
+ \leftmark\hfil}
+ \def\@oddhead{\normalfont\small\hfil\rightmark\hspace{\headlineindent}%
+ \llap{\thepage}}
+ \def\chaptermark##1{}%
+ \def\sectionmark##1{}%
+ \def\subsectionmark##1{}}
+
+\def\ps@titlepage{\let\@mkboth\@gobbletwo
+ \let\@oddfoot\@empty\let\@evenfoot\@empty
+ \def\@evenhead{\normalfont\small\rlap{\thepage}\hspace{\headlineindent}%
+ \hfil}
+ \def\@oddhead{\normalfont\small\hfil\hspace{\headlineindent}%
+ \llap{\thepage}}
+ \def\chaptermark##1{}%
+ \def\sectionmark##1{}%
+ \def\subsectionmark##1{}}
+
+\if@runhead\ps@headings\else
+\ps@empty\fi
+
+\setlength\arraycolsep{1.4\p@}
+\setlength\tabcolsep{1.4\p@}
+
+\endinput
+%end of file llncs.cls
diff --git a/EET1/MLCS_conference/main.tex b/EET1/MLCS_conference/main.tex
new file mode 100644
index 0000000..3566cd8
--- /dev/null
+++ b/EET1/MLCS_conference/main.tex
@@ -0,0 +1,606 @@
+% This is samplepaper.tex, a sample chapter demonstrating the
+% LLNCS macro package for Springer Computer Science proceedings;
+% Version 2.21 of 2022/01/12
+%
+\documentclass[runningheads]{llncs}
+%
+\usepackage[T1]{fontenc}
+% T1 fonts will be used to generate the final print and online PDFs,
+% so please use T1 fonts in your manuscript whenever possible.
+% Other font encondings may result in incorrect characters.
+%
+%\usepackage{graphicx}
+% Used for displaying a sample figure. If possible, figure files should
+% be included in EPS format.
+%
+\usepackage[toc,acronym,abbreviations,nonumberlist,nogroupskip]{glossaries-extra}
+\usepackage{numprint}
+\usepackage{tabularx}
+\usepackage{booktabs}
+\usepackage{cite}
+\usepackage{amsmath,amssymb,amstext}
+\usepackage{xcolor}
+\usepackage{textcomp}% http://ctan.org/pkg/amssymb
+\usepackage{pifont}% http://ctan.org/pkg/pifont
+\newcommand{\cmark}{\ding{51}}%
+\newcommand{\xmark}{\textbullet}%
+\usepackage[hidelinks]{hyperref}
+%\usepackage{flushend}
+\usepackage[pdftex]{graphicx}
+\usepackage{subcaption}
+\usepackage{multirow}
+%\usepackage{adjustbox}
+
+% If you use the hyperref package, please uncomment the following two lines
+% to display URLs in blue roman font according to Springer's eBook style:
+%\usepackage{color}
+%\renewcommand\UrlFont{\color{blue}\rmfamily}
+
+\input{acronyms}
+
+\newcommand\agd[1]{{\color{red}$\bigstar$}\footnote{agd: #1}}
+\newcommand\cn[0]{{\color{purple}$^\texttt{[citation needed]}$}}
+\begin{document}
+%
+\title{Side-channel Based Runtime Intrusion Detection for Network Equipment}
+% REAL AUTHORS and CONTACT ==============================
+%\author{Arthur Grisel-Davy\and
+%Julian Dickert\and
+%Sebastian Fischmeister\and
+%Goksen U. Guler\and
+%Waleed Khan\and
+%Carlos Moreno\and
+%Jack Morgan\and
+%Shikhar Sakhuja\and
+%Philippe Vibien.
+%}
+%\authorrunning{Grisel-Davy et al.}
+%
+%\institute{University of Waterloo, Canada.
\\
+%agriseld@uwaterloo.ca}
+
+% FAKES/ANONYMOUS
+%
+\author{
+Anon. Anonymous\and
+Anon. Anonymous\and
+Anon. Anonymous\and
+Anon. Anonymous\and
+Anon. Anonymous\and
+Anon. Anonymous\and
+Anon. Anonymous\and
+Anon. Anonymous\and
+Anon. Anonymous
+}
+\authorrunning{Anon. et al.}
+
+\institute{University of Anonymous, Nowhere. \\
+anon@anonymous.nw}
+%
+\maketitle % typeset the header of the contribution
+%
+\begin{abstract}
+ Current security protection mechanisms for embedded systems often include running a \gls{hids} on the system itself.
+ \glspl{hids} cover a wide attack surface but still present some blind side and vulnerabilities.
+ In the case of a compromized device, the detection capability of its \gls{hids} becomes untrustworthy.
+ In this context, embedded systems such as network equipment remain vulnerable to firmware and hardware tampering, as well as log manipulation.
+
+ Side-channel emissions provide an independent and extrinsic source of information at the about the system, purely based on the physical by-product of its activities.
+ Leveraging side-channel information, we propose a physics-based \gls{ids} as an aditional layer of protection for embedded systems.
+ The physic-based \gls{ids} uses machine-learning-based power analysis to monitor and assess the behaviour and integrity of network switches.
+ %The proposed \gls{ids} offers complementary intrusion detection for an HP Procurve Network Switch 5406zl, using its power consumption as side-channel emissions.
+
+ The \gls{ids} successfully detect three different classes of attacks on an HP Procurve Network Switch 5406zl: (i)~firmware manipulation with \numprint[\%]{99} accuracy, (ii)~brute-force SSH login attempts with \numprint[\%]{98}, and (iii)~hardware tampering with \numprint[\%]{100}.
+ The machine-learning models require a small number of power traces for training and still achieve a high accuracy for attack detection.
+ The concepts and techniques discussed in the paper can also extend to offer intrusion detection for embedded systems in general.
+
+\keywords{side-channel\and power analysis\and intrusion detection.}
+\end{abstract}
+%
+%
+%
+\glsresetall % reset all acronyms to be expanded on first use.
+
+\section{Introduction}
+Data centers are experiencing unprecedented growth~\cite{osti_1372902} because of the increased reliance on cloud services with cloud-based attacks representing \numprint[\%]{45} of data breaches in 2022~\cite{datacenterbreach}.
+The downtime of data centers costs companies hundreds of thousands of dollars per hour~\cite{6848725}.
+
+All data centers use network equipment such as network switches and routers.
+A successful attack on a network switch can have devastating effects on the integrity of the data center.
+To deter cases of cyberattacks, data centers often use \gls{ids}.
+Current \glspl{ids} use different approaches to detect intrusions.
+\glspl{hids} are implemented directly on the monitored device and leverage information provided by the system to detect intrusions.
+\glspl{nids} leverage network information to detect intrusions at the network level.
+Although \glspl{hids} and \glspl{nids} offer intrusion detection capabilities, they are still quite ineffective against attacks such as firmware modification~\cite{cisco_trust,thomson_2019}, bypassing secure boot-up~\cite{Cui2013WhenFM, hau_2015}, log tampering~\cite{koch2010security}, or hardware tampering\cn.
+
+The literature shows promising work in improving the state-of-the-art in security by analyzing side-channel emissions from embedded systems.
+Systems generate side-channel emissions, which usually reflect their activity in the form of power consumption \cite{kocher1999differential, brier2004correlation, Moreno2018}, electromagnetic waves \cite{khan2019malware, sehatbakhsh2019remote}, acoustic emissions \cite{genkin2014rsa, liuacoustic}, etc.
+Side-channel based \glspl{ids} analyze side-channel emissions and can complement state-of-art \glspl{ids}, as shown in this paper.
+The \gls{ids} uses \gls{dsp} and \gls{ml} to detect anomalies or recognize patterns of previously detected intrusions.
+Thus, using this IDS would improve the security of the embedded system by detecting attacks that regular \gls{ids} fail to identify.
+
+\subsection{Contributions}
+This paper proposes a side-channel-based \gls{ids} that can complement existing \glspl{ids} and improve security for embedded systems.
+The side-channel based \gls{ids} can potentially protect any embedded system as a black box and detect a range of attacks against it.
+Our \gls{ids} is deployed for an HP Procurve 5406zl network switch as a black box.
+The experiments in the paper illustrate the \gls{ids} capabilities of detecting firmware manipulation and hardware tampering attacks against the switch and defending against log entry forging by offering log verification.
+
+The side-channel based \gls{ids} achieves near-perfect accuracy scores despite using relatively straightforward \gls{dsp} methods and \gls{ml} algorithms. The algorithms analyze \gls{ac} and \gls{dc} power consumption of the network switch to detect these attacks. The experiments use a relatively small dataset that contains roughly \numprint{1000} power traces.
+
+\subsection{Paper Organization}
+
+The remainder of the paper is organized as follows:
+Section~\ref{sec:Overview} provides an overview of the motivation for the experiments and threat model.
+Section~\ref{Related Work} talks about other side-channel-based approaches for runtime monitoring and integrity assessment.
+Section~\ref{Firmware} covers experiments related to Firmware Manipulation,
+Section~\ref{RunTime} covers Log Verification and Auditing,
+and Section~\ref{Hardware} covers Hardware Tampering.
+The paper concludes in Sections~\ref{Discussion} and ~\ref{Conclusion}.
+
+\section{Overview}
+\label{sec:Overview}
+
+All embedded systems leak information about their operation through side channel emissions.
+Side-channel-based \glspl{ids} use \gls{dsp} methods and \gls{ml} algorithms to model the side-channel data and learn patterns that correlate to the system activity.
+A major part of designing a reliable side-channel \gls{ids} is identifying appropriate side-channel emissions among temperature, vibration, ultrasound, EM, power consumption, etc.; our experiments focus on the system's power consumption.
+Power consumption is reasonably easy to non-intrusively and reliably measure.
+
+Side-channel-based \gls{ids} can complement \gls{hids} and \gls{nids} in offering runtime monitoring and integrity assessment for embedded systems, as shown in Table~\ref{tab:example}.
+Side-channel-based \glspl{ids} run independently from the system they monitor, which renders them more difficult to circumvent compared to \gls{ids} hosted within the system.
+Because of the independent nature, a malfunction of the \gls{ids} can not disrupt the regular operation of the system.
+This makes the system monitored by the \gls{ids} immune to any operational failure or security vulnerability that the \gls{ids} might have.
+This paper presents a case study for using side-channel based \glspl{ids} to offer runtime monitoring and integrity assessment for network equipment.
+
+
+
+\begin{table}[htb]
+ \centering
+ \begin{tabularx}{\columnwidth}{X>{\hsize=.4\hsize}cccc}
+ \toprule
+ \textbf{Attack Scenarios} & \textbf{Reference} & \textbf{\gls{hids}} & \textbf{\gls{nids}} & \textbf{SCIDS}\tabularnewline
+ \midrule
+% The attacker can: & & & \tabularnewline
+% \addlinespace[1em]
+ Run unapproved executable through backdoor & \small{\cite{cve-2018-0150,cve-2018-0151,cve-2018-0222}}
+ & \cmark & \xmark & \cmark\tabularnewline
+ \addlinespace[1em]
+ Exploit existing executable & \small{\cite{kovacs_2019,CVE-2019-12649}}& \cmark & \xmark & \cmark\tabularnewline
+ \addlinespace[1em]
+ Spy on the network & \small{\cite{Hernandez2014SmartNT,router_hacking_slingshot}}& \xmark & \cmark & \cmark \tabularnewline
+ \addlinespace[1em]
+ Pivot/proxy for network attack & \small{\cite{router_hacking_slingshot,symantec_security_response}} & \xmark & \cmark & \cmark\tabularnewline
+ \addlinespace[1em]
+ Bypass secure boot & \small{\cite{cisco_trust,thomson_2019}} & \xmark & \xmark & \cmark\tabularnewline
+ \addlinespace[1em]
+ Change firmware & \small{\cite{Cui2013WhenFM,hau_2015}}& \xmark & \xmark & \cmark\tabularnewline
+
+ \bottomrule
+
+
+ \end{tabularx}
+ \caption{Attack scenarios that side-channel based \gls{ids} can detect}
+ \label{tab:example}
+\end{table}
+
+\subsection{Threat Model}
+\label{subsec:threat-model}
+
+In the context of this work, we consider active attackers that can tamper with the execution of network devices.
+These attackers can accomplish their goal by assuming different roles and exploiting several mechanisms, as summarized below:
+
+\textbf{Remote Code Execution:}
+A remote attacker may take advantage of known or zero-day remote exploits in categories such as remote code injection, privilege escalation, etc.
+The outcome could be to temporarily tamper with the device's execution, possibly persistently.
+
+\textbf{Brute-Force or Dictionary-Based Password Guessing:}
+A remote attacker could attempt to log in through password guessing, with the objective of tampering with the device's execution once logged in.
+
+\textbf{Unauthorized Firmware Reprogramming (or Failure to Apply a Scheduled Firmware Upgrade):}
+Either through physical access to the device or upon successful administrative login, the attacker can reprogram the firmware of the device.
+The applied firmware can be an older version to reactivate a specific vulnerability, or it could be a custom firmware that contains some backdoor or rootkit.
+
+\textbf{Unauthorized Hardware Configuration Changes:}
+An attacker with physical access to the device could apply undocumented changes to the configuration of the device to its advantage.
+
+\textbf{Tampering with Administrative/Maintenance Logs:}
+The attacker's goal may be to mislead the operators through actions such as failing to apply a firmware upgrade while reporting that the firmware has been upgraded.
+This could be done with the purpose of keeping a particular vulnerability in the device while the administrators assume that such vulnerability has been addressed.
+
+
+\subsection{Analysis of Side-channels}
+Electronic systems, including embedded devices, involuntarily leak information through different side channels.
+Due to each side channel's specific nature, some are more useful for different applications.
+In the context of \gls{ids} for network equipment, we considered power consumption, ultrasound and \gls{em} emissions.
+After initial tests, power consumption proved to provide the most information about the system state relative to the practicality of measurement.
+
+In our setup, the power consumption of the device is measured in two different ways: measurement at the \gls{ac} line (between the device's \gls{psu} and the power outlet); and measurement at the \gls{dc} power (from the \gls{psu} to the motherboard of the device).
+During every operation of the device, the different instructions will have impacts on the overall power consumption \cite{727070} and will be detectable in either \gls{ac} and \gls{dc} power consumption.
+\gls{ac} powertraces are less intrusive to capture than \gls{dc} power consumption and offer the most transparent way to retrofit the proposed system for different devices.
+However, its \gls{snr} is lower compared to the \gls{dc} measurement because the \gls{ac}/\gls{dc} switching converter introduces a buffering of electrical energy, thus hiding some of the fine-grained details.
+Work by Moreno~et~al.~\cite{Moreno2018} uses the power consumption of embedded systems for non-intrusive online runtime monitoring through reconstruction of the program's execution trace.
+
+\section{Related Work}
+\label{Related Work}
+The idea of side-channel based \gls{ids} traces back to the seminal work in side-channel analysis by Paul C. Kocher.
+He introduced Differential Power Analysis to find secret keys used by cryptographic protocols in tamper-resistant devices~\cite{kocher1999differential}.
+This led to a field of research focussing on side-channel analysis that has been growing since. Power analysis is the most common and widely studied side-channel analysis technique~\cite{brier2004correlation,mangard2008power}. %new citations%
+Cagalj et al.~\cite{vcagalj2014timing} shows a successful passive side-channel timing attack on U.S. patent Mod 10 method and Hopper-Blum (HB) protocol.
+%Quisquater et al.~\cite{quisquater2002automatic} present an approach to identify executed instructions with the use of self-organizing maps, power analysis and analysis of electromagnetic traces. %new citations%
+Zhai et al.~\cite{zhai2015method} propose a self-organizing maps approach that uses features extracted from an embedded processor to detect abnormal behaviour in embedded devices.
+%Eisenbarth et al.~\cite{eisenbarth2010building} propose a methodology for recovering the instruction flow of microcontrollers using its power consumption.
+Goldack et al.~\cite{goldack2008side} propose a solution to identify individual instructions on a PIC microcontroller by mapping each instruction type to a power consumption template.
+However, the attack focussed side-channel analysis can offer non-intrusive runtime monitoring, as well. \\
+\indent
+Literature shows promising work in assessing integrity through power monitoring.%~\cite{10.1145/2976749.2978299}.
+Works by Moreno et al. offer two building blocks for this work.
+In~\cite{moreno2013non}, the team proposes a solution for non-intrusive debugging and program tracing using side-channel analysis.
+In this work, they use the power consumption of a given embedded system to identify the code block the embedded system was executing at the time.
+The team builds on their previous technique and presents a new one~\cite{Moreno2018} using the power consumption of embedded systems for non-intrusive online runtime monitoring through anomaly detection.
+%They use a signals and systems analysis approach to identify anomalies using the power consumption of a system and showcase this by identifying buffer overflow attacks on their system.
+Msgna et al.~\cite{msgna2014verifying} propose a technique for using the instruction-level power consumption of a system to verify the integrity of the software components of a system with no prior knowledge of the software code.
+Grisel-Davy et al.~\cite{grisel2022work} propose the verification of the boot process of various embedded systems using their power consumption signature.
+%In~\cite{kur2009improving}, Kur et al.
perform power analysis of smart cards based on the JavaCard platform help identify vulnerable operations, obtain bytecode instruction information, and also propose a framework to replace vulnerable operations with safe alternatives.\\
+\indent
+In more recent literature, there is a trend towards the use of \gls{ml} for side-channel analysis to enhance the security of systems.
+Michele Giovanni Calvi~\cite{calvi2019runtime} offers a solution for runtime monitoring of an entire cyberphysical system treated as a black box.
+They collect data from a self-driving car during operations such as steering and acceleration.
+Using this data, they train a Long Short Term Memory~\cite{hochreiter1997long} deep learning model and use it to verify the safety of the vehicle. %new citations%
+Zhengbing et al. \cite{4488501} suggest the use of forensic techniques for profiling user behaviour to detect intrusions and propose an intelligent lightweight \gls{ids}. Hanilçi et al.~\cite{hanilci2011recognition} use recorded speech from a cell phone to ascertain the cell phone brand and model through using vector quantization and \gls{svm} models on the \gls{mfcc} of the audio.
+In~\cite{khan2019malware} Khan et al. propose a technique to identify malware in critical embedded and cyberphysical systems using \gls{em} side channel signals.
+Their technique uses deep learning on EM emanation to model the behaviour of an uncompromised system.
+The system flags an activity as anomalous when the emanations differ from the normal ones used to train the neural network.
+Sehatbakhsh et al.~\cite{sehatbakhsh2019remote} also use EM emanations and detect malware code injection into a known application without any prior knowledge of the malware signature.
+They use HDBSCAN clustering method to identify anomalous behaviour exhibited by the malicious code.
+Yilmaz et al.~\cite{yilmaz2019detecting} implement K-Nearest Neighbors clustering methods along with PCA dimensionality reduction method to model EM emanations from a phone with the different operational status of front/rear camera.
+Using the ML methods, they can determine the state of cellphone cameras. \\
+\indent
+The work that this paper proposes builds on top of the aforementioned works. An HP network switch, treated as a black box, generates side-channel leaks in the form of its power consumption.
+The experiments treat this power consumption as an output of the system when the inputs are certain attacks/stimuli that triggers the switch. The data train the \gls{ml} models, which, in turn, successfully identify the attacks/stimuli on the switch.
+
+\section{Experiment Family I: Firmware Manipulation}
+\label{Firmware}
+Embedded systems require firmware updates for a range of reasons including the addition of features or security patches.
+Attacks on these systems commonly target the firmware update process~\cite{hau_2015}.
+The ability to modify the firmware enables attackers to perform a range of other attacks, such as Communication Channel Manipulation [CAPEC 216], Protocol Manipulation [CAPEC 272], Functionality Bypass [CAPEC 554], and Software Integrity Attack [CAPEC 184].
+
+The following two experiments were conducted with ten official firmware versions using the same device configuration.
+Starting from the pre-installed version K.15.06.008, we performed upgrades to the next ten higher release versions (K.15.07 to K.15.17) and picked the final build for each release.
+
+\subsubsection{Feature Engineering}
+\label{FE-Firmware}
+With the HP Procurve Switch 5406zl taking around 120 seconds to complete its boot-up sequence, this experiment family produces the largest datasets of this case study.
+Therefore, several preprocessing steps were applied to reduce the size of the datasets and remove noise.
+A combination of downsampling and a sliding median filter yields the best results at a minimal size per training set.
+Given a power trace with a length of \numprint{120e6} datapoints, downsampling with a factor of \numprint{1e6} results in a sample size of 120 and provides an overall accuracy of \numprint[\%]{99} for this experiment.
+This process enables training accurate machine-learning models (see Table~\ref{tab:fw-results}) with less than \numprint{1000} training samples, each consisting of 120 datapoints (See Figure~\ref{fig:firmwares-samples}).
+
+Both temporal and frequency domains are investigated.
+For the temporal domain, the preprocessed \gls{ac} or \gls{dc} time series are considered.
+For the frequency domain, the \gls{psd} of the \gls{dc} data serves as input data.
+Figure~\ref{fig:firmwares} illustrates the influence on the boot-up sequence in both temporal and frequency domains for two different firmware versions.
+
+\begin{figure}
+ \begin{subfigure}{0.49\textwidth}
+ \centering
+ \includegraphics[width=\linewidth]{images/Firmware_Comparison_TD_direct.pdf}
+ \caption{Median-filtered power traces of boot-up sequences for two different firmware versions (ten captures each).}
+ \label{fig:firmwares-samples}
+ \end{subfigure}
+ \begin{subfigure}{0.49\textwidth}
+ \centering
+ \includegraphics[width=\linewidth]{images/psd.pdf}
+ \caption{PSD of power traces of boot-up sequences for two different firmware versions (two traces for each version)}
+ \label{fig:firmwares-psd}
+ \end{subfigure}
+\caption{Impact of different firmware versions on the power consumption at boot time.}
+\label{fig:firmwares}
+\end{figure}
+
+\subsection{Experiment 1: Classifying Firmware Versions}
+\label{Classifying-Firmware-Versions}
+Given a power trace during boot-up, this experiment aims to
+predict which firmware from a given set of ten different versions is currently installed on the device.
The result can be used to confirm successful firmware updates and to check whether the device reports the correct version.
+
+\subsubsection{Results}
+The \gls{rfc} delivers the best results of all tested \gls{ml} algorithms over both time and requency domains.
+%A \gls{rfc} model trained on 786 samples achieved an accuracy of over \numprint[\%]{99} on an independently collected set of \gls{dc} data.
+
+%\paragraph{\textbf{Frequency Domain}}
+%Among the various \gls{ml} models trained on frequency-domain data, \gls{rfc} model has the best results with \numprint[\%]{99} accuracy. The \gls{rfc} model when tested on an independently collected validation set presents the same results, verifying the integrity of the model. The details of trained models and their performances can be found on the Table~\ref{tab:fw-change-fd-precision-comparison}.
+
+\begin{table}[ht]
+ \centering
+ \begin{tabular}{lccc}
+ \toprule
+ \textbf{Data} & \textbf{Model} & \textbf{Macro F1 Score} & \textbf{Accuracy} \tabularnewline
+ \midrule
+ \multirow{2}*{DC Time Domain} & \gls{rfc} & \numprint[\%]{100} & \numprint[\%]{100} \tabularnewline
+ & \gls{svm} & \numprint[\%]{96.8} & \numprint[\%]{99.3}\tabularnewline
+ \midrule
+ \multirow{2}*{AC Time Domain}& \gls{rfc} & \numprint[\%]{87.4} & \numprint[\%]{98.9} \tabularnewline
+ & \gls{svm} & \numprint[\%]{75.8} & \numprint[\%]{95.5} \tabularnewline
+ \midrule
+ \multirow{2}*{DC Frequency Domain} & \gls{rfc} & \numprint[\%]{97.6} & \numprint[\%]{99.8} \tabularnewline
+ & \gls{svm} & \numprint[\%]{95.3} & \numprint[\%]{96.0} \tabularnewline
+ \bottomrule
+ \end{tabular}
+ \caption{Comparison between the different algorithms for firmware classification on an independent verification set of size 100}
+ \label{tab:fw-results}
+\end{table}
+
+
+\subsection{Experiment 2: Detecting Firmware Change}
+Given the most recently collected power trace during boot-up and the power trace collected before it, the goal of Experiment 2 is to predict whether the
firmware has been altered between these two traces.
+The model uses \gls{dtw} and a training procedure on the collected traces, which implements a distance value as a parameter to the model to provide a decision, on whether there is a change in the firmware version.
+
+\subsubsection{Results}
+
+The model uses a windowed \gls{dtw} to compute the distance between the current and the previous power traces collected during the boot-up.
+The distance that results from \gls{dtw} is then subjected to a comparison with the model parameters.
+The model has the parameter $D_{\max}$ (maximum distance).
+Optimization of the parameter involves training on the data collected for the firmware classification experiment.
+
+Given a pseudo-random sample trace of class $j$ from the training set, the selected sample acts as the baseline for the class $j$ model.
+For each class $j$ from the training set, the training computes the \gls{dtw} distance between any sample of class $j$ and all the samples in the training set.
+The results determine the parameters of the model.
+The maximum distance is for class $j$ is defined as $d_{j_{\max}}$ and the variance of the distances as $\sigma_j$.
+
+
+The decision for each class can be made using the class's distance and variance.
+A global decision, combining them all, is achieved by introducing the parameter, $D_{\max}$.
+This parameter is the mean of the parameter $d_{n_{\max}}$ across all the models belonging to a class.
+Getting the average instead of the maximum of $d_{n_{\max}}$ is valid because the distance results obtained from \gls{dtw} are roughly similar on all classes, and any bias that may occur towards a single class is removed from the model.
+Following the same idea, $\sigma_{\mathrm{all}}$ is defined as the average of each $\sigma_j$.
+
+The general model uses $D_{\max}$ and $\sigma_{\mathrm{all}}$, as follows:
+
+\begin{equation}
+ \text{decision} = \left\{\begin{matrix}
+ 0 & \text{ if } D_{\mathrm{max}} \sigma_{\mathrm{all}} \geqslant DTW(a,b) (1+\sigma_{\mathrm{all}})\\
+ 1 & \text{ if } D_{\mathrm{max}} \sigma_{\mathrm{all}} < DTW(a,b) (1+\sigma_{\mathrm{all}})\\
+\end{matrix}\right.
+\end{equation}
+where $a$ and $b$ denote two boot-up samples.
+
+The equivalence case denotes that there is no change in the firmware.
+Because $D_{\max}$ is the average of all $d_{j_{\max}}$ values, thus it falls into the range of observed values.
+
+Training and test results indicate that the model achieves \numprint[\%]{99} accuracy when the $D_{\max}$ is \numprint{27.16}.
+The test data is data collected under the same conditions as the training data and includes firmware versions that are present during the training process and firmware versions that are not present. The test data has never been subjected to the training process, and the training procedure applies the above notations with the described parameters set during the training process.
+Based on the model accuracy, a generalization of the model is possible with the introduced $D_{\max}$ without requiring any input from the firmware classification model.
+
+
+\section{Experiment Family II: Run-Time Monitoring}
+\label{RunTime}
+Secure Shell (SSH) allows users to securely access a remote device even if the network is insecure.
+Systems that enable SSH access maintain logs of SSH login attempts.
+However, maintaining a log of the login attempt history proves futile since an attacker with system control can forge these log entries.
+Since side-channel \glspl{ids} only focus on external properties and are independent of the system it monitors, they can defend against an attacker forging log entries.
+
+
+\subsection{Experiment 1: Detecting SSH Login Attempts}
+\label{detect_ssh}
+
+This experiment aims to identify instances of SSH login attempts in the power trace collected from a network switch during its regular operation.
+
+\subsubsection{Feature Engineering}
+The signal collected from the network switch is a time series $T_1 \triangleq \{x \in \mathbb{R}\}$ sampled \numprint[MHz]{1} then downsamples by a factor of \numprint{1000} which results in 1 sample per millisecond.
+Each sample has a corresponding label that is either 1 (\gls{ssh} login attempt) or 0 (no \gls{ssh} attempt) represented as $ T_2 \triangleq \{y \in \mathbb\{0,1\}\}$.
+
+
+%SSH login attempts show discernible patterns in the power traces collected.
+Figure~\ref{fig:ssh_time_window} show power consumption increases during each login attempt.
+The data acquisition process saves these timestamps of the connections while capturing the power traces.
+To create training samples for the \gls{ml} algorithms, a sliding window of \numprint{500} datapoints and step size of \numprint{250} datapoints divides the powertrace into multiple samples with $S \triangleq \{ x \in \mathbb{R}\}$ with $|S| = 500$ and $S \subseteq T_1$.
+
+Every data point in the sample is a feature of the model. If ${S \in [1]^{500}}$, then the sample is indicative of an SSH attempt otherwise, the feature indicates no SSH attempt. A matrix representation of $Z = \{ S_{1}, S_{2}, ... , S_{L}\}$ with rows of $S$ and $\forall i,j: |S_i|=|S_j|$, and the accompanying set of labels $Y_{Z} = \{ y_Z \in \{0,1\}^{L}\}$ where $L$ is the total number of samples.
+
+\begin{figure}[htp]
+ \centering
+ \includegraphics[width=\linewidth]{images/time_domain_ssh.pdf}
+ \caption{Downsampled and scaled DC power traces during SSH login attempts and the corresponding labels.}
+ \label{fig:ssh_time_window}
+\end{figure}
+
+The samples created while applying sliding windows to the power trace exist in the time domain.
+Application of \gls{fft} can convert the data from temporal domain to frequency domain. The \gls{fft} calculates the frequency spectrum for windows of 500 features. The spectrum is labelled 0 or 1, corresponding to their original labels from the temporal domain.
+
+\subsubsection{Results}
+
+A test set with \numprint{4095} samples consisting of \numprint{500} features each led to the results in Table \ref{tab:ssh-precision-comparison}.
+The feature engineering step extracts the samples from 20 power traces (each 50 seconds long).
+In total, there were 120 power traces and the model trained over 85 of them and validated over 15.
+\gls{ssh} attempts comprised \numprint[\%]{30} of the data, and the rest represented the idle behaviour of the system.
+The skew in the dataset makes the model more certain while predicting a positive class and helps lower the number of false positives.
+
+The \gls{svm} model trained on data in temporal domain using the Gaussian Kernel configured with $C = 1$ and $\gamma = 0.1$ achieved an accuracy of \numprint[\%]{98}.
+\gls{rfc}, configured with 500 trees and a maximum depth of 50, performed equally well and achieved an accuracy of \numprint[\%]{97}, also on temporal domain.
+
+
+Lastly, a \gls{1dcnn} trained on a mix of data from both time and frequency domain achieves an accuracy rate of \numprint[\%]{95} and minimizes \gls{fpr} to \numprint[\%]{1}.
+However, it has the highest \gls{fnr}.
+
+Thus, \gls{svm} had the best accuracy rates along with the lowest \gls{fnr} and the second lowest \gls{fpr}. \gls{rfc} trained on time-domain data, on the other hand, has the lowest \gls{fpr} but has a much higher \gls{fnr}.
+ + +\begin{table}[ht] + \begin{center} + + \begin{tabular}{ccccccc} + \toprule + \textbf{Model} & \textbf{Precision} & \textbf{Recall} & \textbf{F1 Score} & \textbf{Accuracy} & \textbf{FPR} & \textbf{FNR} \tabularnewline + \midrule + %& \multicolumn{5}{>{\hsize=\dimexpr5\hsize+5\tabcolsep+\arrayrulewidth\relax}Y}{\textbf{Time Domain}} & \tabularnewline + \midrule + \gls{rfc} & \numprint[\%]{95} & \numprint[\%]{97} & \numprint[\%]{95} & \numprint[\%]{97} & \numprint[\%]{0.6} & \numprint[\%]{14} \tabularnewline + SVM & \numprint[\%]{95} & \numprint[\%]{97} & \numprint[\%]{96} & \numprint[\%]{98} & \numprint[\%]{0.8} & \numprint[\%]{8} \tabularnewline + 1D~CNN & \numprint[\%]{94} & \numprint[\%]{93} & \numprint[\%]{93} & \numprint[\%]{96} & \numprint[\%]{2} & \numprint[\%]{9} \tabularnewline + \midrule + %& \multicolumn{5}{>{\hsize=\dimexpr5\hsize+5\tabcolsep+\arrayrulewidth\relax}Y}{\textbf{Frequency Domain}} & \tabularnewline + \midrule + \gls{rfc} & \numprint[\%]{89} & \numprint[\%]{67} & \numprint[\%]{72} & + \numprint[\%]{88} & + \numprint[\%]{12} & + \numprint[\%]{8} \tabularnewline + SVM & -- & -- & -- & -- & -- & -- \tabularnewline + 1D~CNN & + \numprint[\%]{90} & \numprint[\%]{90} & \numprint[\%]{90} & \numprint[\%]{94} & + \numprint[\%]{3} & + \numprint[\%]{17} \tabularnewline + \midrule + %& \multicolumn{5}{>{\hsize=\dimexpr5\hsize+5\tabcolsep+\arrayrulewidth\relax}Y}{\textbf{Time + Frequency Domain}} & \tabularnewline + \midrule + 1D~CNN & \numprint[\%]{89} & + \numprint[\%]{95} & + \numprint[\%]{92} & + \numprint[\%]{95} & + \numprint[\%]{1} & + \numprint[\%]{20} \tabularnewline + \bottomrule + \end{tabular} + + \end{center} + \caption{Comparison between the different algorithms for detecting SSH login attempts} + \label{tab:ssh-precision-comparison} +\end{table} + +\subsection{Experiment 2: Classifying SSH Login Attempts} +Given a window of power trace with an SSH login attempt, this experiment attempts to classify the login attempt as successful or 
unsuccessful.
+
+\subsubsection{Feature Engineering}
+This experiment builds on top of experiment \ref{detect_ssh} and classifies the \gls{ssh} login attempts detected as successful or failed. The experiment considers the data only in the temporal domain. The matrix representation for this experiment is a slight modification of the previous one: $Z = \{ S_{1}, S_{2}, ... , S_{L}\}$ with rows of $S$ and $\forall i,j: |S_i|=|S_j|$, and the accompanying set of labels $Y_{Z} = \{ y_Z \in \{-1,1\}^{L}\}$ where $L$ is the total number of windows, $S$ is a window of \numprint{500} samples in time-domain, and all the windows correspond to either a successful or a failed SSH login attempt.
+
+\subsubsection{Results}
+
+Models trained using \glspl{svm} and \gls{1dcnn} gave the best results for the classification along with the lowest \gls{fpr} and \gls{fnr}. Optimizing the parameters of the \gls{rfc} with 250 trees, \glspl{svm} with $C = 100$, $\gamma = 10$, and Gaussian Kernel, and \gls{1dcnn}, the accuracy score reached \numprint[\%]{96.7}, \numprint[\%]{98.5} and \numprint[\%]{98.6} respectively. Table \ref{tab:ssh-classification-precision-comparison} details all the results.
+
+ The experiment uses roughly 5000 samples extracted from experiment \ref{detect_ssh} that includes only successful and unsuccessful SSH attempts. 65\% of all the samples comprise the training set, 15\% contributes to the validation set, and the test set includes 20\% of all the samples. Testing is done over roughly 1000 samples of 500 features. The \gls{svm} model performed the best and had the lowest \gls{fpr} and \gls{fnr}. The model requires a mean time of 203 ms ($\sigma$=9 ms) per prediction and requires 184MB of storage space.
+ + +\begin{table}[ht] + \begin{center} + \begin{tabular}{ccccccc} + \toprule + \textbf{Model} & \textbf{Precision} & \textbf{Recall} & \textbf{F1 Score} & \textbf{Accuracy} & \textbf{FPR} & \textbf{FNR} \tabularnewline + \midrule + & \multicolumn{5}{>{\hsize=\dimexpr5\hsize+5\tabcolsep+\arrayrulewidth\relax}c}{\textbf{Time Domain}} & \tabularnewline + \midrule + \gls{rfc} & \numprint[\%]{97} & \numprint[\%]{97} & \numprint[\%]{97} & \numprint[\%]{96.7} & \numprint[\%]{12} & \numprint[\%]{8} \tabularnewline + SVM & \numprint[\%]{99} & \numprint[\%]{99} & \numprint[\%]{99} & \numprint[\%]{98.5} & + \numprint[\%]{1} & + \numprint[\%]{1.5} \tabularnewline + 1D~CNN & \numprint[\%]{98.5} & + \numprint[\%]{98} & \numprint[\%]{98} & \numprint[\%]{98} & \numprint[\%]{1} & \numprint[\%]{2} \tabularnewline + \bottomrule + \end{tabular} + \end{center} + \caption{Comparison between the different algorithms for classifying SSH login attempts} + \label{tab:ssh-classification-precision-comparison} +\end{table} + + +i\section{Experiment Family III: Hardware Tampering} +\label{Hardware} + +The HP Procurve Switch 5406zl supports the on-the-fly installation of networking modules to modify the number of ports available. +This capability exposes the switch to a Hardware Integrity Attack [CAPEC 440]. +An attacker with physical access to the front panel of the network equipment can tamper with the modules and potentially install unauthorized ones. +Installing new modules could offer an attacker a way to gain access to the machine by leveraging a poor default configuration of the ports. +For example, on network equipment where the default configuration does not include a limit for the number of MAC addresses per port, installing an extension module could allow an attacker to perform a MAC Flood attack [CAPEC 125]. +i +Existing \glspl{ids} and security software do not yet offer functionality to detect the installation of unauthorized modules. 
+Hence, currently, the only way to identify unauthorized hardware modification is through the use of the network equipment's involuntary emissions.
+
+\subsection{Experiment 1: Identifying Number of Expansion Modules}
+\label{expe:hardware-1}
+
+This experiment aims to identify the number of modules installed from a measure of \gls{ac} or \gls{dc} power consumption.
+In this experiment, there was no on-the-fly installation or removal of the module during the capture, only in between captures.
+
+\subsubsection{Feature Engineering}
+The installation or removal of an expansion module increases or decreases the average \gls{dc} and \gls{ac} power consumption of the device.
+By analyzing the power consumption, it is possible to identify the number of expansion modules installed at any time.
+
+\textbf{\gls{dc} data:} To create the training dataset, the prepossessing program extracted snippets of data randomly picked from \numprint{138} 20 seconds long \gls{dc} power consumption trace.
+Each trace is 20 seconds long to avoid any outlier condition that, for a few seconds, could affect the average power consumption and cause biased training.
+Within each trace, the program picked ten snippets of five values.
+Those values of the number and length of snippets correspond to the minimum training time needed to achieve a \numprint[\%]{100} accuracy with a stratified 10-fold cross-validation setup with the data used in this experiment. The average value of each snippet is then computed. The final training dataset is a 1D array of shape $(\numprint{1380},1)$.
+
+\textbf{\gls{ac} data:} Each number of expansion modules will cause a different pattern in the fundamental \numprint[Hz]{60} wave of the \gls{ac} power consumption.
+
+To create the training dataset, the prepossessing program extracted $N$ periods of the fundamental wave by detecting consecutive local minima in the trace.
+%Depending on the number $N$, the model achieved different results (see Table \ref{tab:periods_ac}).
+The extracted periods of \numprint{3333} data points (one period of the \numprint[Hz]{60} captured at 1MSPS and decimated by 5) constitute the training set of shape $(\numprint{4320},\numprint{3333})$.
+
+\subsubsection{Results}
+
+The average \gls{dc} value measured in this experiment for each number of modules does not overlap.
+This property enables both \gls{svm} and \gls{knn} to perfectly classify the number of modules installed.
+The \gls{svm} model trained with a linear kernel performed the same as the \gls{knn} model with $K=1$.
+Both methods classify the traces with a \numprint[\%]{100} accuracy.
+
+
+The \gls{ac} periods, even when following different patterns depending on the number of modules, remain similar at some points and do not present a separation as clear as the \gls{dc} averages. The \gls{svm} model was able to identify the number of modules installed with an accuracy of \numprint[\%]{99}.
+
+
+Results from Table~\ref{tab:hardware-results} show that \gls{dc} data yields the best results with both approaches (\gls{svm} and \gls{knn}). These high accuracy and recall results are the result of the clear and non-overlapping grouping of the averages \gls{dc} consummation. The results presented are produced with a stratified 10-fold cross-validation setup.
+
+\begin{table}[ht]
+ \begin{center}
+ \begin{tabular}{ccccc}
+ \toprule
+ \textbf{Input data} & \textbf{Model} & \textbf{Accuracy} & \textbf{Recall}\tabularnewline
+ \midrule
+ \gls{dc} & SVM & \numprint[\%]{100} & \numprint[\%]{100}\tabularnewline
+ \gls{dc} & KNN & \numprint[\%]{100} & \numprint[\%]{100}\tabularnewline
+ \gls{ac} & SVM & \numprint[\%]{99.5} & \numprint[\%]{99.45}\tabularnewline
+ \bottomrule
+ \end{tabular}
+ \end{center}
+ \caption{Comparison between the different models for hardware detection with a stratified 10-fold cross validation setup}
+ \label{tab:hardware-results}
+\end{table}
+
+
+\section{Discussion}
+\label{Discussion}
+
+\noindent
+\textbf{Influence of traffic on the results.}
+The data used for training the models did not include traffic and were collected in a laboratory environment.
+Because the production equipment is used by actual users, it is impossible to perform attack that would disrupt to connection quality or lower the security of the device.
+%Hence, flashing firmware is not possible because it requires rebooting the machine, \gls{ssh} attacks are not possible because it requires disabling some security features, and hardware tempering is not possible because it requires to physically disconnect the users.
+However, complementary experiments were conducted to verify whether traffic would have a significant influence on the results of the experiment.
+%This can be explained by the fact that all the expansion module consume power whether or not they have active connection.
+%This property make the detection of the number of modules installed possible and it may not be the same for every networking equipment.
+For Experiment Family I (section~\ref{Firmware}), the traffic can not influence the results as the there is no traffic possible during the boot-up sequence and the experiment use only the boot-up sequences to perform the classification.
+For Experiment Family II (section~\ref{RunTime}) and III (section~\ref{Hardware}), we captured data containing real traffic (captures on the identical production switch) and simulated traffic (connections between multiples pairs of machines at around 1Gbps in the laboratory environment).
+Traffic data does not show any significant influence on \gls{dc} or \gls{ac} in both time and frequency domain.
+From these results, it is possible to conclude that traffic should not affect the results from the presented experiments.
+
+\noindent
+\textbf{Support for small datasets.} As presented in this paper, the trained models can successfully detect attacks executed on the network equipment.
+Those results are especially interesting as the model training step relies on a small number of training samples to achieve near perfect accuracy scores. This is a success, because (1)~our models achieve similar accuracy as some of the most successful experiments involving \gls{ml}~\cite{szegedy2017inception,xie2017aggregated} but (2)~use only a small sample size compared to image libraries with millions of image samples as training data.
+Our experiments use a maximum of \numprint{1000} power trace samples.
+The small number of training samples makes this approach adaptable to a range of different systems and domains because it solves the issue of collecting large amounts of data usually required to enable \gls{ml} approaches.
+The models trained are relatively lightweight owing to the small number of samples along with the heavy downsampling performed on data for the experiments.
+The lightweight nature of the models allows for fast online run-time monitoring and integrity assessment of embedded systems.
+
+\section{Conclusion}
+\label{Conclusion}
+
+This paper introduces a physics-based \gls{ids} that offers a novel and complementary type of runtime monitoring and integrity assessment for network equipment.
+The proposed \gls{ids} leverages side-channel information generated by the system at the physical level and infer the system's state and activities to detect attacks.
+This paper present en evaluation of the performances against hardware tampering, firmware manipulation, and log tampering.
+The results show that the used methods achieve near perfect accuracy on all experiments with only a small training set.
+Overall, the introduced techniques provide a glimpse on a general concept that is extensible to other real-time and embedded systems.
+Future work can investigate additional side channels and how the interaction can even further reduce the required sample size and improve the accuracy.
+
+
+\bibliographystyle{splncs04}
+\bibliography{bibliography}
+
+
+\end{document}
+
+
diff --git a/EET1/MLCS_conference/old_main.tex b/EET1/MLCS_conference/old_main.tex
new file mode 100644
index 0000000..a180e20
--- /dev/null
+++ b/EET1/MLCS_conference/old_main.tex
@@ -0,0 +1,1069 @@
+%% bare_jrnl.tex
+%% V1.4b
+%% 2015/08/26
+%% by Michael Shell
+%% see http://www.michaelshell.org/
+%% for current contact information.
+%%
+%% This is a skeleton file demonstrating the use of IEEEtran.cls
+%% (requires IEEEtran.cls version 1.8b or later) with an IEEE
+%% journal paper.
+%%
+%% Support sites:
+%% http://www.michaelshell.org/tex/ieeetran/
+%% http://www.ctan.org/pkg/ieeetran
+%% and
+%% http://www.ieee.org/
+
+%%*************************************************************************
+%% Legal Notice:
+%% This code is offered as-is without any warranty either expressed or
+%% implied; without even the implied warranty of MERCHANTABILITY or
+%% FITNESS FOR A PARTICULAR PURPOSE!
+%% User assumes all risk.
+%% In no event shall the IEEE or any contributor to this code be liable for
+%% any damages or losses, including, but not limited to, incidental,
+%% consequential, or any other damages, resulting from the use or misuse
+%% of any information contained here.
+%%
+%% All comments are the opinions of their respective authors and are not
+%% necessarily endorsed by the IEEE.
+%%
+%% This work is distributed under the LaTeX Project Public License (LPPL)
+%% ( http://www.latex-project.org/ ) version 1.3, and may be freely used,
+%% distributed and modified. A copy of the LPPL, version 1.3, is included
+%% in the base LaTeX documentation of all distributions of LaTeX released
+%% 2003/12/01 or later.
+%% Retain all contribution notices and credits.
+%% ** Modified files should be clearly indicated as such, including **
+%% ** renaming them and changing author support contact information. **
+%%*************************************************************************
+
+
+% *** Authors should verify (and, if needed, correct) their LaTeX system ***
+% *** with the testflow diagnostic prior to trusting their LaTeX platform ***
+% *** with production work.
The IEEE's font choices and paper sizes can ***
+% *** trigger bugs that do not appear when using other class files. *** ***
+% The testflow support page is at:
+% http://www.michaelshell.org/tex/testflow/
+
+
+\documentclass[journal]{IEEEtran}
+
+\usepackage[toc,acronym,abbreviations,nonumberlist,nogroupskip,style=super]{glossaries-extra}
+\usepackage{numprint}
+\usepackage{tabularx}
+\newcolumntype{Y}{>{\centering\arraybackslash}X}
+
+% \renewcommand{\baselinestretch}{.98}
+
+% \usepackage[compact]{titlesec}
+%
+% \titlespacing*{\section}{0mm}{3mm}{1.5mm}
+% \titlespacing*{\subsection}{0mm}{2.5mm}{1mm}
+% \titlespacing*{\subsubsection}{0mm}{2mm}{0.75mm}
+
+
+\usepackage{booktabs}
+\usepackage{amssymb}
+\usepackage{textcomp}% http://ctan.org/pkg/amssymb
+\usepackage{pifont}% http://ctan.org/pkg/pifont
+\newcommand{\cmark}{\ding{51}}%
+\newcommand{\xmark}{\textbullet}%
+\usepackage[hidelinks]{hyperref}
+\usepackage{flushend}
+
+% *** CITATION PACKAGES ***
+%
+\usepackage{cite}
+
+\usepackage[pdftex]{graphicx}
+% *** GRAPHICS RELATED PACKAGES ***
+%
+\ifCLASSINFOpdf
+ \usepackage[pdftex]{graphicx}
+ % declare the path(s) where your graphic files are
+ % \graphicspath{{../pdf/}{../jpeg/}}
+ % and their extensions so you won't have to specify these with
+ % every instance of \includegraphics
+ \DeclareGraphicsExtensions{.pdf,.jpeg,.png}
+\else
+ % or other class option (dvipsone, dvipdf, if not using dvips). graphicx
+ % will default to the driver specified in the system graphics.cfg if no
+ % driver is specified.
+ % \usepackage[dvips]{graphicx}
+ % declare the path(s) where your graphic files are
+ \graphicspath{{../eps/}}
+ % and their extensions so you won't have to specify these with
+ % every instance of \includegraphics
+ \DeclareGraphicsExtensions{.eps}
+\fi
+
+% \usepackage{amssymb}
+% \newcommand\SF[1]{$\bigstar$\footnote{sf: #1}}
+% \newcommand\AG[1]{$\bigstar$\footnote{agd: #1}}
+% \newcommand\CM[1]{$\bigstar$\footnote{cm: #1}}
+% \newcommand\JD[1]{$\bigstar$\footnote{jd: #1}}
+% \newcommand\SSS[1]{$\bigstar$\footnote{ss: #1}}
+% \newcommand\GG[1]{$\bigstar$\footnote{gg: #1}}
+
+\usepackage[pdftex]{graphicx}
+\usepackage{adjustbox}
+
+
+
+
+% correct bad hyphenation here
+\hyphenation{op-tical net-works semi-conduc-tor}
+\input{acronyms}
+
+\begin{document}
+%
+% paper title
+% Titles are generally capitalized except for words such as a, an, and, as,
+% at, but, by, for, in, nor, of, on, or, the, to and up, which are usually
+% not capitalized unless they are the first or last word of the title.
+% Linebreaks \\ can be used within to get better formatting as desired.
+% Do not put math or special symbols in the title.
+\title{Side-channel Based Intrusion Detection\\for Network Equipment}
+%\author{Paper 1175}
+%
+%
+% author names and IEEE memberships
+% note positions of commas and nonbreaking spaces ( ~ ) LaTeX will not break
+% a structure at a ~ so this keeps an author's name from being broken across
+% two lines.
+% use \thanks{} to gain access to the first footnote area
+% a separate \thanks must be used for each paragraph as LaTeX2e's \thanks
+% was not built to handle multiple paragraphs
+%
+
+\author{Julian Dickert*, Sebastian Fischmeister*, Goksen U. Guler*, Arthur Grisel-Davy*, Waleed Khan*, Carlos Moreno*, Jack Morgan*, Shikhar Sakhuja$^\ddagger$*, Philippe Vibien* \thanks{* Author names are listed in alphabetical order.} \\[1em]
+Department of Electrical and Computer Engineering
+\& $^\ddagger$ David R.
Cheriton School of Computer Science
+University of Waterloo, Canada}
+% note the % following the last \IEEEmembership and also \thanks -
+% these prevent an unwanted space from occurring between the last author name
+% and the end of the author line. i.e., if you had this:
+%
+% \author{....lastname \thanks{...} \thanks{...} }
+% ^------------^------------^----Do not want these spaces!
+%
+% a space would be appended to the last name and could cause every name on that
+% line to be shifted left slightly. This is one of those "LaTeX things". For
+% instance, "\textbf{A} \textbf{B}" will typeset as "A B" not "AB". To get
+% "AB" then you have to do: "\textbf{A}\textbf{B}"
+% \thanks is no different in this regard, so shield the last } of each \thanks
+% that ends a line with a % and do not let a space in before the next \thanks.
+% Spaces after \IEEEmembership other than the last one are OK (and needed) as
+% you are supposed to have spaces between the names. For what it is worth,
+% this is a minor point as most people would not even notice if the said evil
+% space somehow managed to creep in.
+
+
+
+% The paper headers
+
+% The only time the second header will appear is for the odd numbered pages
+% after the title page when using the twoside option.
+%
+% *** Note that you probably will NOT want to include the author's ***
+% *** name in the headers of peer review papers. ***
+% You can use \ifCLASSOPTIONpeerreview for conditional compilation here if
+% you desire.
+
+
+
+
+% If you want to put a publisher's ID mark on the page you can do it like
+% this:
+%\IEEEpubid{0000--0000/00\$00.00~\copyright~2015 IEEE}
+% Remember, if you use this you must call \IEEEpubidadjcol in the second
+% column for its text to clear the IEEEpubid mark.
+
+
+
+% use for special paper notices
+%\IEEEspecialpapernotice{(Invited Paper)}
+
+
+
+
+% make the title area
+\maketitle
+
+% As a general rule, do not put math, special symbols or citations
+% in the abstract or keywords.
+\begin{abstract}
+
+Current security protection mechanisms for embedded systems often include running a Host-based Intrusion Detection System~(HIDS) on the system itself. This presents a problem where an attacker can leverage a vulnerability in the underlying system to attack the Intrusion Detection System~(IDS) and disable the protection mechanism. In the context of embedded systems, such as network equipment, these devices remain vulnerable to firmware and hardware tampering, as well as log manipulation and forging.
+
+Recent work demonstrates the effectiveness of separating the detection mechanism from the monitored system. Side-channel emissions, such as power consumption, ultrasound, or electromagnetic waves, provide an independent and extrinsic data source that allows extraction of details about the system state. The information collected from the side-channels offers an accurate representation of the operations within the system.
+
+To address the vulnerabilities of HIDS, this paper presents a solution for external IDS that analyzes the system state inferred from side-channels to offer protection.
+The external IDS utilizes machine-learning-based side-channel analysis to monitor and assess the behaviour and integrity of network switches in real time. The proposed IDS successfully offers intrusion detection for an HP Procurve Network Switch 5406zl, with data available from a live environment with roughly \numprint{3000} active users, using its power consumption as side-channel emissions.
+
+The proposed IDS successfully detects three different classes of attacks: (i)~firmware manipulation with \numprint[\%]{99} accuracy, (ii)~hardware tampering with \numprint[\%]{100} accuracy, and (iii)~brute-force SSH login attempts with \numprint[\%]{98} accuracy. The machine-learning models behind the IDS use a small number of power traces as the training data and still achieve a high accuracy for the attack detection.
+The concepts and techniques discussed in the paper can also extend to offer intrusion detection for embedded systems in general.
+
+% Most network embedded systems in data centers use Intrusion Detection Systems (IDS) to deter cases of attacks from bad actors. Literature shows that IDS are ineffective in defending against attacks such as Firmware Manipulation and Hardware Tampering. IDS can also be ineffective for run time monitoring of networks. Involuntary emissions -- power consumption, ultrasound, electromagnetic waves -- from a embedded system can compliment IDS and offer protection where the IDS fail. These emissions offer an accurate representation of the operations within the embedded system.
+
+% This paper offers a proof of concept for analyzing the power consumption of a black box system under test (SUT) using Machine Learning. The SUT for the experiment was an HP Procurve Network Switch. The suite of experiments assesses the integrity of the switch and deploys run-time monitoring on the switch without any side-effects. All experiments were performed on the switch without taking it offline or tampering with the switch. Thus, the research compliments IDS in assessing integrity of an SUT by detecting firmware manipulation, hardware tampering, and offers run-time monitoring by identifying and classifying SSH attempts through just the AC and DC power consumption of the switch.
+
+
+\end{abstract}
+\glsresetall % reset all acronyms to be expanded on first use.
+
+% Note that keywords are not normally used for peerreview papers.
+
+
+
+
+
+
+
+% For peer review papers, you can put extra information on the cover
+% page as needed:
+% \ifCLASSOPTIONpeerreview
+% \begin{center} \bfseries EDICS Category: 3-BBND \end{center}
+% \fi
+%
+% For peerreview papers, this IEEEtran command inserts a page break and
+% creates the second title. It will be ignored for other modes.
+
+
+
+\section{Introduction}
+Data centers are experiencing unprecedented growth~\cite{osti_1372902} because of the increased reliance on cloud services. Due to this growth, cyberattacks on data centers are at an all-time high with a 54\% increase just over 2019~\cite{datacenterbreach}. The downtime of data centers cost companies hundreds of thousands of dollars per hour~\cite{6848725}. For example, Facebook lost 90 million USD over an outage that lasted merely 14 hours.
+
+All data centers use network equipment such as network switches and routers. A successful attack on a network switch could have devastating effects on the integrity of the datacenter. To deter cases of cyberattacks, datacenters often use \gls{ids}.
+Current \glspl{ids} use different approaches to detect intrusions.
+\glspl{hids} are implemented directly on the monitored device and leverage information provided by the system (e.g. log entries, resource usage, or configuration files) to detect intrusions.
+\glspl{nids} leverage network information (e.g., traffic frames, traffic volume, or firewall configurations) to detect intrusions at the network level.
+Although \glspl{hids} and \glspl{nids} offer comprehensive intrusion detection capabilities, they are still quite ineffective against attacks such as firmware modification~\cite{cisco_trust,thomson_2019} and bypassing secure boot-up~\cite{Cui2013WhenFM, hau_2015}. They also fail to offer effective run-time monitoring through auditing and verifying log entries~\cite{koch2010security}.
+
+% Network Equipments are embedded platforms that generate recurrent emission patterns. These emissions are involuntary can exist as electromagnetic, noise or electrical signals. These emissions strictly correlate to the system's activity. Any physical channel that generates such an involuntary emission is called a side-channel. These emissions are formally called side-channel emissions and can offer insights into a system under observation.
Traditionally, researchers used side-channel emissions to attack systems. These attacks can impact personal computers, servers, mobile devices or any type of embedded systems. Some examples of these attacks present the possibility of reducing the field of research for a cryptographic key \cite{10.1007/3-540-68697-5_9}, predicting user inputted text based on the sound of a keyboard \cite{10.1145/1609956.1609959} or recovering a document using the sound of a printer \cite{printers}.
+% Some side channel attacks even leverage electromagnetic emissions of a chip \cite{10.1007/3-540-36400-5_4}.
+% These types of attacks can be easy to implement and minimally invasive as they rely on information that is independent of the system and is extrinsically sourced.
+
+The literature shows promising work in improving the state-of-the-art in security by analyzing side-channel emissions from embedded systems. These can be in the form of power consumption \cite{kocher1999differential, brier2004correlation, mangard2008power, quisquater2002automatic, Moreno2018, msgna2014verifying, kur2009improving}, electromagnetic waves \cite{khan2019malware, sehatbakhsh2019remote, yilmaz2019detecting, 8192483}, acoustic emissions \cite{genkin2014rsa, liuacoustic}, etc. Systems generate side-channel emissions as recurrent patterns which usually corresponds to the system's activity. Side-channel based \glspl{ids} (see Figure~\ref{fig:side-ids}) analyze side-channel emissions and can improve the state-of-art in \glspl{ids}, as shown in this paper. The \gls{ids} uses \gls{dsp} and \gls{ml} algorithms, to detect anomalies, or recognize patterns of previously detected intrusions. Thus, the use of this IDS would improve security of the embedded system by detecting attack vectors that regular \gls{ids} fail to identify.
+
+\subsection{Contributions}
+This paper proposes a side-channel based \gls{ids} that can complement existing \gls{ids}s and improve security for embedded systems.
The side-channel based \gls{ids} can potentially treat any embedded system as a black box and detect a range of attacks against it.
+Our \gls{ids} treats an HP Procurve 5406zl network switch as a black box.
+The experiments in the paper together constitute a side-channel based IDS that has the following capabilities:
+
+\begin{itemize}
+ \item Detecting firmware manipulation and hardware tampering attacks against the switch.
+ \item Defending against log entry forging by offering log verification/auditing.
+\end{itemize}
+
+The side-channel based \gls{ids} achieves near perfect accuracy scores despite using relatively straightforward \gls{dsp} methods and \gls{ml} algorithms. The algorithms analyze AC and DC power consumption of the network switch to detect these attacks. The experiments use a relatively small dataset that contains roughly \numprint{1000} power traces.
+The small data requirement and high accuracy rates while defending against attacks makes the techniques outlined in this paper ready for deployment in the industry.
+
+
+\subsection{Paper Organization}
+
+The remainder of paper is organized as follows:
+Section~\ref{sec:Overview} provides an overview for the motivation for the experiments and threat model.
+Section~\ref{Related Work} talks about other side-channel based approaches for run-time monitoring and integrity assessment.
+Section~\ref{Firmware} covers experiments related to Firmware Manipulation,
+Section~\ref{RunTime} covers Log Verification and Auditing,
+and Section~\ref{Hardware} covers Hardware Tampering.
+Section~\ref{Discussion} holds some discussion about the scope and limitations of the work. Section~\ref{sec:big_picture} details the wider potential and applicability of the work.
+The paper finally conclude in Section~\ref{Conclusion}.
+
+\section{Overview}
+\label{sec:Overview}
+
+All embedded systems leak information about their operation through side channel emissions.
+Side-channel based \glspl{ids} use \gls{dsp} methods and \gls{ml} algorithms to model the side-channel data and learn patterns from the data that correlate to the system activity.
+A major part of designing a reliable side-channel \gls{ids} is identifying quality side-channel emissions. While a system emits a wide range of side-channels such as temperature, vibration, ultrasound, EM, power consumption, etc., our experiments focus on the power consumption of the system.
+Power consumption has been studied for its use in assessing the internal state of embedded systems.
+It is reasonably easy to measure non-intrusively, and discussions surrounding power analysis dates back to over two decades~\cite{kocher1999differential}.
+Hence, our primary source of side-channel for the \gls{ids} is the \gls{ac} and \gls{dc} power consumption of the network switch.
+
+Side-channel based IDS can complement \gls{hids} and \gls{nids} in offering runtime monitoring and integrity assessment for embedded systems as shown in Table \ref{tab:example}. Side-channel based \glspl{ids} run independent to the system they monitor which makes it more difficult to circumvent compared to \gls{ids} hosted within the system.
+Because of the independent nature, a malfunction of the \gls{ids} can not disrupt the regular operation of the system.
+This makes the system monitored by the \gls{ids} immune to any operational failure or security vulnerability that the \gls{ids} might have.
+This paper presents a case study for using side-channel based \glspl{ids} to offer run-time monitoring and integrity assessment for network equipment.
+
+
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=\columnwidth]{images/preview_ids}
+ \caption{IDS based on the involuntary emissions of the system}
+ \label{fig:side-ids}
+\end{figure}
+
+% For example, our system consumed more power while it was responding to an SSH attempt.
Further, the duration of the increased power consumption was longer for a successful SSH attempt compared to an unsuccessful one. Similarly, other properties of the system can also be measured using the time-series data. For instance, an extra hardware module would constantly result in a higher power consumption which would allow analysis to detect instances of hardware manipulation. Even different firmware versions have different power consumption while booting up. + +% Machine Learning methods can train over the side-channel profiles and compliment IDS in enhancing security of embedded systems. Table \ref{tab:example} shows different attacks where machine-learning based side-channel analysis can compliment IDS in offering protection for the system. + +\begin{table}[htb] + \centering + \begin{tabularx}{\columnwidth}{X>{\hsize=.4\hsize}cccc} + \toprule + \textbf{Attack Scenarios} & \textbf{Reference} & \textbf{\gls{hids}} & \textbf{\gls{nids}} & \textbf{SCIDS}\tabularnewline + \midrule +% The attacker can: & & & \tabularnewline +% \addlinespace[1em] + Run unapproved executable through backdoor & \small{\cite{cve-2018-0150,cve-2018-0151,cve-2018-0222,cve-2018-0329,cve-2018-15439}} + & \cmark & \xmark & \cmark\tabularnewline + \addlinespace[1em] + Exploit existing executable & \small{\cite{kovacs_2019,CVE-2019-12649,CVE-2019-12651}}& \cmark & \xmark & \cmark\tabularnewline + \addlinespace[1em] + Spy on the network & \small{\cite{Hernandez2014SmartNT,router_hacking_slingshot}}& \xmark & \cmark & \cmark \tabularnewline + \addlinespace[1em] + Pivot/proxy for network attack & \small{\cite{router_hacking_slingshot,symantec_security_response}} & \xmark & \cmark & \cmark\tabularnewline + \addlinespace[1em] + Bypass secure boot & \small{\cite{cisco_trust,thomson_2019}} & \xmark & \xmark & \cmark\tabularnewline + \addlinespace[1em] + Change firmware & \small{\cite{Cui2013WhenFM,hau_2015}}& \xmark & \xmark & \cmark\tabularnewline + + \bottomrule + \addlinespace[1em] + + 
 \end{tabularx}
+ \caption{Attack scenarios that side-channel based \gls{ids} can detect}
+ \label{tab:example}
+\end{table}
+
+% The experiments successfully identifies activities within the system. With side-channel information, the models trained can identify instances of firmware manipulation, offer defence again brute-force SSH attempt while offering run-time monitoring, and detect hardware tampering.
+
+\subsection{Threat Model}
+\label{subsec:threat-model}
+
+In the context of this work, we consider active attackers that can tamper with the execution of the network devices. These attackers can accomplish their goal by assuming different roles and exploiting several mechanisms, as summarized below:
+
+\begin{itemize}
+ \item \textbf{Remote Code Execution:} A remote attacker could exploit the exposure of the network device's administrative features (e.g., login capabilities, with or without administrative privileges) to the local network or the Internet. Thus, the attacker may take advantage of available, or zero-day, remote exploits in categories such as remote code injection, privilege escalation, etc.
+
+ The outcome could be to temporarily tamper with the device's \hbox{execution\,---\,that} is, alter the current execution, with a device's reboot restoring the correct functionality; or modify the device's configuration settings so that even after a reboot, the altered functionality will remain active.
+
+ \item \textbf{Brute-Force or Dictionary-Based Password Guessing:} % $\bigstar$\footnote{I'm not particularly convinced of adding this; reviewers could easily argue that it doesn't make sense to use side-channels to protect against this, which is trivially detectable by standard (Network based) IDSs.
Then again, a big section of the experiments deals with brute-force login attempts; maybe we should sell those experiments as nothing more than a demonstration that we can detect deviations from the normal execution, and that SSH login attempts are just an example of such deviations?}
+ A remote attacker could attempt to login through password guessing, with the objective of tampering with the device's execution once logged in.
+
+ \item \textbf{Unauthorized Firmware Reprogramming (or Failure to Apply a Scheduled Firmware Upgrade):} Either through physical access to the device, or upon a successful administrative login (either by a legitimate administrator or a remote attacker that guessed or stole an administrator's credentials), the attacker can reprogram the firmware of the device. The applied firmware can be an older version (if the device allows it) to reactivate a particular vulnerability, or it could be a custom firmware that contains some backdoor or rootkit functionality.
+
+ \item \textbf{Unauthorized Hardware Configuration Changes:} An attacker with physical access to the device could apply undocumented changes to the configuration of the device, e.g., by connecting or disconnecting modules, tampering with configuration switches or jumpers, etc. Depending on the device's capabilities, a remote attacker could potentially enable or disable modules or functionality of the device, keeping these changes undocumented.
+
+ \item \textbf{Tampering with Administrative/Maintenance Logs:} The attacker's goal may be to mislead the operators through actions such as failing to apply a firmware upgrade while reporting that the firmware has been upgraded; this could be done with the purpose of keeping a particular vulnerability in the device while the administrators assume that such vulnerability has been addressed.
+\end{itemize}
+
+In the cases of attackers with physical access to the devices, we highlight the
+aspect that these attackers are assumed to have limited, perhaps opportunistic,
+physical access; that is, they may be one rogue operator in a team of several
+operators with administrative access. Moreover, it is assumed that a system such
+as the \gls{ids} that we propose in this paper would be implemented with additional
+physical security measures, to make it physically inaccessible to such local
+attackers. In other words, it is assumed that even an attacker that can physically
+tamper with the network device will not be able to tamper with the \gls{ids}.
+
+\subsection{Analysis of Side-channels}
+Electronic systems, including embedded devices, involuntarily leak information through different types of side-channels.
+Due to each side-channel's specific nature, each one can, to a greater or lesser extent, prove useful for different applications.
+In the context of \gls{ids} for network equipment, we considered power consumption, ultrasound and \gls{em} emissions as the most promising side-channels.
+
+In our setup, the power consumption of the device is measured in two different ways: measurement at the AC line (between the power outlet and the device's \gls{psu}); and measurement at the DC power (from the \gls{psu} to the ``motherboard'' of the device). We evaluated both measurements since each have unique advantages that the other one lacks. During every operation of the device, the different instructions will have impacts on the overall power consumption \cite{727070} that will be detectable in both \gls{ac} and \gls{dc} power consumption.
+The main advantage of collecting \gls{ac} powertraces is that it is less intrusive than capturing the \gls{dc} power consumption and offers the most transparent way to retrofit the proposed system into a network operation center.
+One disadvantage, however, is its lower \gls{snr} compared to the \gls{dc} measurement.
+The reason for this is the functionality of the \gls{ac}/\gls{dc} switching converter, which introduces a higher level of ``buffering'' of electrical energy, thus hiding some of the fine-grained details in the power consumption.
+Recent work by Moreno~et~al.~\cite{Moreno2018} uses the power consumption of embedded systems for non-intrusive online runtime monitoring through reconstruction of the program's execution trace.
+% (ALREADY SAID IN THE PREVIOUS PARAGRAPH) The power consumption's main advantage as a side-channel is that it is easily accessible from outside the network equipment and the hardware does not have to me modified, making the technique retrofittable into existing equipment. A drawback, however, is that this side-channel may require modification of the wiring, especially and more intrusively in the case of DC power.
+
+Another potentially effective side-channel is the acoustic emanations from the electronics, usually ultrasound. Researchers have been successful in extracting full 4096-bit RSA decryption keys using these acoustic emanations~\cite{genkin2014rsa}. %new citations%
+Faruque et al.~\cite{7479068} present an acoustic side channel attack to reconstruct the object that an additive manufacturing system, such as a 3D printer, is printing without access to the original design.
+The main advantage of ultrasound over power consumption is its contactless measurement, using only a microphone placed near the device.
+However, this technique requires precise placement of the microphone to achieve reproducible results.
+Additionally, acoustic emissions from the environment (e.g., from the fans in the \gls{psu}) can interfere with the measurements, possibly reducing the effectiveness of this side-channel.
+
+The operation of modern electronic devices also produce \gls{em} emanations. These emanations are correlated to the device's activity, making it an effective side-channel.
+Nazari et al.~\cite{8192483} successfully used \gls{em} emissions to detect if program flow has deviated or if anomalous code is running.
+The use of \gls{em} emissions allows for contactless measurement of the side-channel, even over longer distances than ultrasound.
+Yet, the equipment necessary to measure high-frequency radiation like this is more expensive than for the other side-channels.
+Moreover, network equipment is often located inside a metal case that shields \gls{em} waves, increasing the difficulty to obtain accurate measurements.
+
+There are also other side channels that we consider less effective in the context of our work. These include temperature, vibration, time required for logical operations, etc. These side-channels are often useful in the context of attacks that rely on statistical parameters of the measurements. For example, thermal based attacks can extract RSA private keys from low-power CMOS microcontrollers \cite{hutter2013temperature}, or identify operations in neighbouring cores in multicore processors \cite{masti2015thermal}. However, overall temperature changes occur too slowly and would fail to offer any meaningful insight into the operation of embedded systems such as network switches.
+
+
+% \subsection{Data Collection} \label{Data Collection}
+
+% \begin{figure}[h]
+% \centering
+% \includegraphics[width=\columnwidth,height=5cm]{images/overview_eet}
+% \caption{Overview of the Data Collection Setup}
+% \label{fig:overview}
+% \end{figure}
+
+% A data acquisition pipeline developed in-house generates side-channel profiles that consist of emissions from different side-channels. These emissions exist as high-frequency time-series data that contain patterns corresponding to the response of the system triggered by stimuli.
+% The case studies consider an HP Procurve 5406zl network switch as the \gls{sut}, and \gls{ac} and \gls{dc} power consumption together as the side-channel profile.
+% The pipeline synchronizes all the emissions to minimize jitter, ensures completeness of emissions for all points in time, and automatically labels the data.
+% This addresses one of the biggest problems in \gls{ml}: acquiring reliably labelled data~\cite{BARCHARD20131917,BARCHARD20111834,kozak2015,tu2015}.
+
+% The data acquisition pipeline consists of three main components (see Figure \ref{fig:overview}):
+% A Control Unit (Attack-PC), a System Under Test (network switch), and a Capture System (Digitizer-PC).
+% User-defined Experiment Scenario files contain information about each experiment and include the type of attack, the number of attacks per iteration, and the number of iterations per experiment.
+% When starting the pipeline, the Coordinator parses the given Experiment Scenario file and organizes the entire data collection process, including:
+% \begin{itemize}
+% \item Controlling the Attack-PC, which is responsible for generating stimuli that resemble real-world attacks on the network switch.
+% \item Generating a metadata file that contains accurate labelling information for the attack during the experiment.
+% \item Starting the Digitizer-PC that captures the side-channel emissions.
+% \item Repeating this process for a given number of iterations after successful storage of the captured data.
+% \end{itemize}
+
+% Shunt resistors and differential amplifiers equip the \gls{psu}'s wiring to measure the power consumption of the switch. The current through the shunt resistor creates a proportional voltage drop which the differential amplifier amplifies and passes to the \gls{adc} in the Digitizer-PC.
+% The \gls{adc}'s capture rate is \numprint[MHz]{1} for all experiments. The pipeline collects both AC and DC power traces in this fashion.
+ + + +% Discuss different side channels that can be obtained from network equipment + +%% Structure: +%% Define the side channel (1 sentence) +%% Cite another source that uses the side channel for something (1 sentence) +%% Discuss advantages or disadvantages of using the side channel for monitoring network equipment (2-3 sentences) +%% Verdict of whether we include the side channel + +% Power +% + easily accessible from outside the network equipment +% + comes in two components + +% RF +% + contactless +% - devices can be shielded +% - expensive + +% ultrasound +% + Related work shows good results for attacks +% - requires precise placement of the probe +% - requires high control of the environment, so it's not scalable + + + + + + + + +%However, there are a few subtleties in the design of the circuits that the following subsections explore. + +% \subsubsection{\textbf{AC Power Tracing}}\SF{This is not needed; remove it} +% A shunt resistor and a differential amplifier make up the power tracing board. +% This board sits between the switch's \gls{psu} and the power socket and measures the \gls{ac} power consumption of the network switch. + +% \subsubsection{\textbf{DC Power Tracing}}\SF{this is not needed; you can bring the observations into the discussion section, but otherwise remove this section} +% The implementation of the \gls{dc} capture circuitry was more invasive than the one for AC. +% To perform measurements on the \gls{dc} side, a shunt resistor had to be integrated into the \gls{psu}'s wiring. +% The resistor's two terminals connect to a coaxial power connector that is then used to connect to another custom-built differential amplifier board. +% Due to the lower voltage on the DC side, a higher current flows through the wires which may lead to overheating issues on the resistor. +% Including the shunt resistor in the power supply allows for usage of the network switch's internal heat sinking capabilities, thus dealing with the overheating issue. 
+
+% \section{Experiments}
+% The case study involves 3 different families of experiments including 2 experiments each. Each experiment uses Machine Learning algorithms to analyze the power consumption of the network switch. The switch was never taken offline while tapping into its emissions. The experiments relate to either assessing integrity of the switch or deploying run-time monitoring systems for the switch.
+
+
+\section{Related Work} \label{Related Work}
+The idea of side-channel based IDS traces back to the seminal work in side-channel analysis by Paul C. Kocher.
+He introduced Differential Power Analysis to find secret keys used by cryptographic protocols in tamper resistant devices~\cite{kocher1999differential}.
+This led to a field of research focussing on side-channel analysis that has been ever growing. Power analysis is the most common and widely studied side-channel analysis technique~\cite{brier2004correlation,mangard2008power}. %new citations%
+Cagalj et al.~\cite{vcagalj2014timing} show a successful passive side-channel timing attack on U.S. patent Mod 10 method and Hopper-Blum (HB) protocol.
+Quisquater et al.~\cite{quisquater2002automatic} present an approach to identify executed instructions with the use of self-organizing maps, power analysis and analysis of electromagnetic traces. %new citations%
+Zhai et al.~\cite{zhai2015method} propose a self-organizing maps approach that uses features extracted from an embedded processor to detect abnormal behavior in embedded devices.
+Eisenbarth et al.~\cite{eisenbarth2010building} propose a methodology for recovering the instruction flow of microcontrollers using its power consumption.
+Goldack et al.~\cite{goldack2008side} propose a solution to identify individual instructions on a PIC microcontroller through mapping each instruction type to a power consumption template.
+However, the attack focussed side-channel analysis can offer non-intrusive run-time monitoring, as well.
\\
+\indent
+Literature shows promising work in assessing integrity through cache monitoring~\cite{7163050} and power monitoring~\cite{10.1145/2976749.2978299}.
+Works by Moreno et al. offer two building blocks for this work.
+In~\cite{moreno2013non}, the team proposes a solution for non-intrusive debugging and program tracing using side-channel analysis.
+In this work, they use the power consumption of a given embedded system to identify the code block the embedded system was executing at the time.
+The team builds on their previous technique and presents a new one~\cite{Moreno2018} using the power consumption of embedded systems for non-intrusive online run-time monitoring through anomaly detection.
+They use a signals and systems analysis approach to identify anomalies using the power consumption of a system and show case this by identifying buffer overflow attacks on their system.
+Msgna et al.~\cite{msgna2014verifying} propose a technique for using the instruction-level power consumption of a system to verify the integrity of the software components of a system with no prior knowledge of the software code.
+In~\cite{kur2009improving}, Kur et al. perform power analysis of smart cards based on the JavaCard platform helps identify vulnerable operations, obtain bytecode instruction information, and also proposes a framework to replace vulnerable operations with safe alternatives.\\
+\indent
+In more recent literature, there is a trend towards the use of \gls{ml} for side-channel analysis to enhance the security of systems.
+Michele Giovanni Calvi~\cite{calvi2019runtime} offers a solution for run time monitoring of an entire cyberphysical system treated as a black box.
+They collect data from a self-driving car during operations such as steering and acceleration.
+Using this data, they train an Long Short Term Memory~\cite{hochreiter1997long} deep learning model and use it to verify the safety of the vehicle. %new citations%
+Zhengbing et al.
\cite{4488501} suggest the use of forensic techniques for profiling user behaviour to detect intrusions and propose an intelligent lightweight \gls{ids}. Hanilçi et al.~\cite{hanilci2011recognition} use recorded speech from a cell phone to ascertain the cell phone brand and model through using vector quantization and \gls{svm} models on the \gls{mfcc} of the audio.
+In~\cite{khan2019malware} Khan et al. propose a technique to identify malware in critical embedded and cyberphysical systems using \gls{em} side channel signals.
+Their technique uses deep learning on EM emanation to model the behavior of an uncompromised system.
+The system flags an activity as anomalous when the emanations differ from the normal ones used to train the neural network.
+Sehatbakhsh et al.~\cite{sehatbakhsh2019remote} also use EM emanations and detect malware code injection into a known application without any prior knowledge of the malware signature.
+They use HDBSCAN clustering method to identify anomalous behavior exhibited by the malicious code.
+Yilmaz et al.~\cite{yilmaz2019detecting} implement K-Nearest Neighbors clustering methods along with PCA dimensionality reduction method to model EM emanations from a phone with the different operational status of front/rear camera.
+Using the ML methods, they can determine the state of cellphone cameras. \\
+\indent
+The work that this paper proposes builds on top of the aforementioned works. An HP network switch, treated as a black box, generates side-channel leaks in the form of its power consumption.
+The experiments treat this power consumption as an output of the system when the input are certain attacks/stimuli that triggers the switch. The data trains \gls{ml} models which, in turn, successfully identifies the attacks/stimuli on the switch.
+
+
+
+\section{Experiment Family I: Firmware Manipulation} \label{Firmware}
+Embedded systems need regular firmware updates for a range of reasons such as addition of features or security patches.
+Attacks on these systems commonly target the firmware update process~\cite{hau_2015}.
+A successful attack could compromise the integrity of the switch and the data center.
+The ability to modify the firmware enables attackers to perform a range of other attacks, such as Communication Channel Manipulation [CAPEC 216], Protocol Manipulation [CAPEC 272], Functionality Bypass [CAPEC 554], and Software Integrity Attack [CAPEC 184].
+
+The following two experiments were conducted with ten different official firmware versions using the same device configuration.
+Starting from the pre-installed version K.15.06.008 we performed upgrades to the next 10 higher release versions (K.15.07 to K.15.17), and picked the final build for each release.
+Firmware downgrades were put aside to avoid bricking the device.
+
+
+\subsection{Classifying Firmware Versions} \label{Classifying-Firmware-Versions}
+Given a power trace during boot-up, the goal of this experiment is to
+predict which firmware from a given set of ten different versions is currently installed on the device. The result can be used to confirm successful firmware updates and to check whether the device reports the correct version.
+
+\subsubsection{\textbf{Feature Engineering}} \label{FE-Firmware}
+With the HP Procurve Switch 5406zl taking around 120 seconds to complete its boot-up sequence, this experiment family produces the largest datasets of this case study.
+At a sampling rate of \numprint[MHz]{1}, each dataset consists of \numprint{120e6} datapoints.
+With a file size of two times 240 MB (one file for AC, one file for DC) per run, the \gls{ml} algorithms for this experiment would require more processing power than for any of the other performed experiments.
+
+\begin{figure}[htp]
+ \centering
+ \includegraphics[width=\linewidth]{images/Firmware_Comparison_TD_direct.eps}
+ \caption{Median-filtered (i.e. smoothed) power traces of boot-up sequences for two different firmware versions (ten captures each). At around 70 seconds, there is a visible difference in the time series.}
+ \label{fig:eet-samples}
+\end{figure}
+
+Therefore, several preprocessing steps were applied to reduce the size of the datasets and remove noise.
+It was found that a combination of downsampling and a sliding median filter yields the best results at a minimal size per training set. Given a power trace with a length of \numprint{120e6} datapoints, downsampling with a factor of (in total) \numprint{1e6} results in a sample size of 120 and provides an overall accuracy of \numprint[\%]{99} for this experiment.
+A sliding median filter, which is applied between two rounds of downsampling, replaces each value with the median value of the window.
+
+This process enables training accurate machine-learning models (cf. Table \ref{tab:fw-change-fd-precision-comparison}) with less than \numprint{1000} training sets, each consisting of 120 datapoints.
+
+\begin{figure}[htp]
+ \centering
+ \includegraphics[width=\linewidth]{images/psd.eps}
+ \caption{PSD of power traces of boot-up sequences for two different firmware versions (two trace for each version)}
+ \label{fig:eet-psd}
+\end{figure}
+
+The model in frequency domain uses \gls{psd}~\cite{1536928} of DC data. Before the preprocessing the data have datapoints with a length of \numprint{120e6}, recorded at a sampling rate of \numprint[MHz]{1}. Visual inspections and analysis suggest that the patterns are more distinguishable between samples \numprint{70e6}-\numprint{120e6} based on this, preprocessing removes the first \numprint{70e6} samples.
After removing the first \numprint{70e6} samples decimating~\cite{1456237} data with a factor of 100 helps by filtering some of the noise and decreases required time to calculate \gls{psd}. Calculating the \gls{psd} of the data follows the preceding operations.
+
+Figure~\ref{fig:eet-psd} shows an example \gls{psd} for two different firmware versions where different patterns are observable. The visual inspection of the \gls{psd} also shows that selecting different frequencies ranges can improve or worsen the accuracy of the model. The visible patterns on the \gls{psd} plots indicate that selecting all of the data points from \gls{psd} helps increase the accuracy of the model when correlated with the results.
+
+\subsubsection{\textbf{Results}}
+
+%\paragraph{\textbf{Time Domain}}
+The \gls{rfc} delivers the best results of all tested \gls{ml} algorithms.
+A \gls{rfc} model trained on 786 samples achieved an accuracy of over \numprint[\%]{99} on an independently collected set of \gls{dc} data.
+
+%\paragraph{\textbf{Frequency Domain}}
+Among the various \gls{ml} models trained on frequency-domain data, \gls{rfc} model has the best results with \numprint[\%]{99} accuracy. The \gls{rfc} model when tested on an independently collected validation set presents the same results, verifying the integrity of the model. The details of trained models and their performances can be found on the Table~\ref{tab:fw-change-fd-precision-comparison}.
+
+\begin{table}[ht]
+ \begin{center}
+ \begin{tabularx}{\columnwidth}{YYYYY}
+ \toprule
+ \textbf{Model} & \textbf{Macro Precision} & \textbf{Macro Recall} & \textbf{Macro F1 Score} & \textbf{Accuracy} \tabularnewline
+ \midrule
+ & \multicolumn{3}{>{\hsize=\dimexpr3\hsize+3\tabcolsep+\arrayrulewidth\relax}c}{\textbf{Time Domain – DC Data}} & \tabularnewline
+ \midrule
+ \gls{rfc} & \numprint[\%]{100} & \numprint[\%]{100} & \numprint[\%]{100} & \numprint[\%]{100} \tabularnewline
+ \gls{svm} & \numprint[\%]{97.0} & \numprint[\%]{97.4} & \numprint[\%]{96.8} & \numprint[\%]{99.3}\tabularnewline
+ \midrule
+ & \multicolumn{3}{>{\hsize=\dimexpr3\hsize+3\tabcolsep+\arrayrulewidth\relax}c}{\textbf{Time Domain – AC Data}} & \tabularnewline
+ \midrule
+ \gls{rfc} & \numprint[\%]{90.0} & \numprint[\%]{93.7} & \numprint[\%]{87.4} & \numprint[\%]{98.9} \tabularnewline
+ \gls{svm} & \numprint[\%]{80.7} & \numprint[\%]{75.1} & \numprint[\%]{75.8} & \numprint[\%]{95.5} \tabularnewline
+ \midrule
+ & \multicolumn{3}{>{\hsize=\dimexpr3\hsize+3\tabcolsep+\arrayrulewidth\relax}c}{\textbf{Frequency Domain – DC Data}} & \tabularnewline
+ \midrule
+ \gls{rfc} & \numprint[\%]{97.0} & \numprint[\%]{96.5} & \numprint[\%]{97.6} & \numprint[\%]{99.8} \tabularnewline
+ SVM & \numprint[\%]{95.5} & \numprint[\%]{96.5} & \numprint[\%]{95.3} & \numprint[\%]{96.0} \tabularnewline
+ \bottomrule
+ \end{tabularx}
+ \end{center}
+ \caption{Comparison between the different algorithms for firmware classification on an independent verification set of size 100}
+ \label{tab:fw-change-fd-precision-comparison}
+\end{table}
+
+\subsection{Detecting Firmware Change}
+Given the most recently collected power trace during boot-up and the power trace collected one before it, the goal of Experiment 2 is to predict whether the firmware has been altered between these two traces.
+The model uses \gls{dtw} and a training procedure on the collected traces, which implements a distance value as a parameter to the model to provide a decision, whether there is a change in the firmware version.
+
+\subsubsection{\textbf{Feature Engineering}}
+
+Measuring the distance with \gls{dtw} is a computationally expensive operation~\cite{10.5555/645803.669511}.
+The expensive computation requirements can be overcome by reducing the number of points while calculating the difference with \gls{dtw}. To decrease the computing times the power trace gets downsampled. Applying sliding median filter helps reduce the noise in the trace.
+After these operations all of the samples contain \numprint{120} points. The samples are pseudo-randomly splitted to train, test and validation sets.
+
+Section \ref{Classifying-Firmware-Versions} provides a more detailed description of the preprocessing steps, which are the same for this experiment.
+
+\subsubsection{\textbf{Results}}
+Results obtained from the firmware classification model (cf. section \ref{Classifying-Firmware-Versions}) suggests that it is possible to verify the firmware version on the system.
+The model design from the firmware classification experiment provides useful insight to determine whether there is a change in the firmware or not as the labels are known for each firmware.
+
+The model uses a windowed \gls{dtw} to compute the distance between the current and the previous power traces collected during the boot-up.
+The distance that results from \gls{dtw} is then subjected to a comparison with the model parameters.
+The model have the parameter $D_{\max}$ (maximum distance).
+Optimizing of the parameter involves training on the data collected for the firmware classification experiment.
+
+%In this context, the threshold $k$ for a class $j$, $k_j$, is defined as the increase of the distance on the maximum distance, $d_{max}$ calculated for the same class, percentage-wise.\SF{this sentence is unclear, a comma appears out of nowhere and the rest is a fragment}
+
+Given a pseudo-random sample trace of Class $j$ from the training set, the selected sample acts as the baseline for the Class $j$ model.
+\gls{dtw} in the model calculates the distance between the baseline and all the samples in the training set.
+The results determine the parameters of the model.
+The maximum distance is defined as ($d_{j_{\max}}$) and the variance of the distances of class $j$ as $\sigma_j$.
+
+The following example illustrates the described process:
+Given that Class 1 has a maximum distance of $d_{1_{\max}}$ when the \gls{dtw} is computed with the traces belonging to the same class.
+
+A non-generalized, specific to each firmware version, instance of the model is the following.
+Given the firmware sample $a$ belonging to Class $y$ collected during the previous boot-up and the current firmware sample $b$ belonging to any class, the model can provide the decision whether there is a change in the firmware or not.
+The resulting decision is $1$ if there is a change in the firmware version, and $0$ otherwise.
+
+\begin{equation}
+ \text{decision} = \left\{\begin{matrix}
+0 & \text{ if } d_{y_{\mathrm{max}}} \sigma_j \geqslant DTW{a,b} (1+\sigma_j)\\
+1 & \text{ if } d_{y_{\mathrm{max}}} \sigma_j < DTW{a,b} (1+\sigma_j)\\
+\end{matrix}\right.
+\end{equation}
+
+
+The equation shows the possible cases when the model makes the decision. The equivalence case provides the decision of $0$ as the maximum distance for the class is already observed and considered valid, verifying there is no change in the firmware version.
+
+%The decisions from the model when compared to the ground truth labels that indicate whether the firmware has changed.\SF{no single sentence paragraphs}
+
+Above steps describe the training procedure to produce models for each class. Instead of requiring another parameter in the model that uses the class information of each sample, it is possible to remove that parameter by introducing the parameter, $D_{\max}$. This parameter is the mean of the parameter $d_{n_{\max}}$ across all the models belonging to a class. Getting the average instead of the maximum of $d_{n_{\max}}$ is valid because the distance results obtained from \gls{dtw} are roughly similar on all classes and any bias that may occur towards a single class is removed from the model.
+
+The equation to calculate the parameter and the generalized value of variance is the following:
+\begin{align}
+ D_{\max} &= \frac{~1~}{n} \, \sum_{i=1}^n d_{i_{\max}} \\
+ \sigma_{\mathrm{all}} &= \frac{~1~}{n} \, \sum_{i=1}^n \sigma_{i_{\max}}
+\end{align}
+where $n$ denotes the number of classes.
+
+The general model uses $D_{\max}$, as follows:
+
+\begin{equation}
+ \text{decision} = \left\{\begin{matrix}
+0 & \text{ if } D_{\mathrm{max}} \sigma_{\mathrm{all}} \geqslant DTW{a,b} (1+\sigma_{\mathrm{all}})\\
+1 & \text{ if } D_{\mathrm{max}} \sigma_{\mathrm{all}} < DTW{a,b} (1+\sigma_{\mathrm{all}})\\
+\end{matrix}\right.
+\end{equation}
+where $a$ and $b$ denote two boot-up samples.
+
+The equivalence case denotes that there is no change in the firmware.
+Because $D_{\max}$ is the average of all $d_{j_{\max}}$ values, thus it falls into the range of observed values.
+
+Training and test results indicate that the model achieves \numprint[\%]{99} accuracy when the $D_{\max}$ is \numprint{27.16}.
+The test data is data that have been collected under same conditions with the training data and includes firmware versions that are present during the training process as well as firmware versions that are not present.
The test data has never been subjected to the training process and the training procedure is applying the above notations with the described parameters that were set during the training process.
+Based on the model accuracy a generalization of the model is possible with the introduced $D_{\max}$ without requiring any input from the firmware classification model.
+
+
+%% \subsubsection{\textbf{Limitations}}\SF{this goes into the discussion section}
+%%The similarity score can be very high\SF{no qualitative statements unless you provide data}, if the said change is a firmware upgrade where the both firmware versions have similar power traces. The model may give false positive results based on this limitation. However this limitation can be overcome by further improvements on the implementation and usage of the model.\SF{rephrase this paragraph. It's too verbose without lots of content. The three sentences can be combined into a single one.}
+
+%%Another limitation is that\SF{start of sentence to here is just filler; try to be more concise} the model will detect changes based on a threshold. Therefore, the threshold provided to the model must be fine-tuned\SF{passive voice} and this involves a training step.\SF{state that due to the simplicity of the approach, this fine tuning and training can be accomplished online (without using passive voice)}
+
+\section{Experiment Family II: Run-Time Monitoring} \label{RunTime}
+Secure Shell (SSH) is a cryptographic protocol, formalized by the \gls{ietf} in 2006, that allows users to securely access a remote device even if the network is insecure. All systems that enable SSH access usually maintain logs of SSH login attempts. These logs offer details about SSH login attempts on the system. However, maintaining a log of the login attempt history proves futile since an attacker with control of the system can forge these log entries.
Since, side-channel \gls{ids} only focus on external properties and are independent of the system they monitor, they can defend against an attacker forging log entries. The \gls{ids} also offers defence against attacks such as Identity Spoofing [CAPEC 151], API Manipulation [CAPEC 113], Brute Force [CAPEC 112], Fuzzing [CAPEC 28], Excavation [CAPEC 116].
+
+
+
+
+% The DAQ collects the dataset at 1MS/s for 50 seconds (5,000,000 data points) per trace with 60 traces for successful SSH attempts and 60 for unsuccessful. \
+
+% Our power trace is a time series that we can define as
+% \[T_{1} = X_{1}, X_{2}, ..... , X_{N}\]
+% \[X_{i} \in R\] where N is the total number of data points in the time series.
+
+% The DAQ also automates generation of the metadata file that contains the labels. For each SSH attempt, the metadata file reports its start and end times. The label information and power consumption are two separate time series. The labels exist as a discrete time-series consisting of 0s or 1s representing no SSH attempt or an SSH attempt. When there is an SSH attempt, the power consumption time series shows a spike and the labelling time series outputs 1s. Thus, the labelling time series can be formalized as:
+
+% \[T_{2} = Y_{1}, Y_{2}, ..... , Y_{N}\]
+% \[Y_{i} \in [0, 1]\]
+
+% Figure \ref{fig:ssh_overview} shows time series of 7500 datapoints in time domain along with its labels. During feature engineering, windows of 500 datapoints are chosen as samples. Because of the decimation, the data corresponds 1 millisecond to 1 datapoint. If a window contains only datapoints representative of SSH attempts, the window is labelled 1, otherwise, it is labelled 0. There is a delay of 2 seconds between each SSH attempt. A sliding window method extracts training samples for the \gls{ml} models. The sliding window method included window size of 500 datapoints and a step size of 250 datapoints.
Smaller window sizes ensure more windows where all datapoints correlate to SSH activity. Thus, a sample can be formalized as:
+
+% \[S = X_{1}, X_{2}, .... , X_{500}\]
+% \[S \subset T_{1}\]
+
+% If ${S \in [1]^{500}}$ then the feature is indicative of an SSH attempt otherwise the feature indicates no SSH attempt.
+
+% We can represent this as a matrix of the features
+% \[Z = [S_{1}, S_{2}, ... , S_{L}]\]
+% \[Y_{Z} \in [0,1]^{L}\]
+
+
+
+
+% All our feature engineering till this point, have been in the time domain. However, we also experimented with converting our time-domain based features into the frequency domain by running a Fourier Transformation on the features. While visualizing the FFTs of our samples (Fig. 2), we can see that the current consumption of the switch during an SSH attempt looks very different from the current consumption when the switch is idle. We explore our results from the time domain and frequency domain in the results section.
+
+\subsection{Detecting SSH Login Attempts}
+\label{detect_ssh}
+
+This experiment aims to identify instances of SSH login attempts in the power trace collected from a network switch during its regular operation. We define regular operation as the state after bootup where all the ports and services of the network switch are functioning and the switch is available on the network for remote access.
+
+\subsubsection{\textbf{Feature Engineering}} The signal collected from the network switch is time series $T_1 \triangleq \{x \in \mathbb{R}\}$ with uniformly sampled values $x$ at a frequency of \numprint[MHz]{1}. This experiment downsamples the data by a factor of \numprint{1000} which results in 1 sample per millisecond. Although this leads to loss of some data, it makes the feature space smaller and avoids the curse of dimensionality \cite{theodoridis2009pattern, 4766926} during training. Each sample has a corresponding label that is either 1 (\gls{ssh} login attempt) or 0 (no \gls{ssh} attempt).
The labels can be represented as: $ T_2 \triangleq \{y \in \mathbb\{0,1\}\}$.
+
+
+SSH login attempts show discernible patterns in the power traces collected. There is a visible spike in power consumption during each login attempt. Figure~\ref{fig:ssh_time_window} shows roughly \numprint{14000} datapoints in the time domain along with its labels. The start time of the capture along with the markers for start and end times of the individual \gls{ssh} login attempt allows the calculation of the labels.
+The data acquisition process saves these timestamps while capturing the power traces. To create training samples for the \gls{ml} algorithms, a sliding window of \numprint{500} datapoints and step size of \numprint{250} datapoints divides the powertrace into multiple samples with $S \triangleq \{ x \in \mathbb{R}\}$ with $|S| = 500$ and $S \subseteq T_1$.
+
+Every datapoint in the sample is a feature for the model. If ${S \in [1]^{500}}$ then the sample is indicative of an SSH attempt otherwise the feature indicates no SSH attempt. A matrix representation of $Z = \{ S_{1}, S_{2}, ... , S_{L}\}$ with rows of $S$ and $\forall i,j: |S_i|=|S_j|$, and the accompanying set of labels $Y_{Z} = \{ y_Z \in \{0,1\}^{L}\}$ where $L$ is the total number of samples.
+
+\begin{figure}[htp]
+ \centering
+ \includegraphics[width=\linewidth]{images/time_domain_ssh.eps}
+
+
+ \includegraphics[width=\linewidth]{images/time_domain_ssh_labels.eps}
+ \caption{Downsampled and scaled DC power traces during a sequence of SSH login attempts (top figure) and the corresponding labels (bottom figure)}
+ \label{fig:ssh_time_window}
+\end{figure}
+
+The samples created while applying sliding window to the power trace exist in time domain. Application of \gls{fft} can convert the data from time-domain to frequency domain. The \gls{fft} calculates the frequency spectrum for windows of 500 features. The spectrum is labelled 0 or 1 corresponding to their original labels from the time-domain.
+
+% \begin{figure}[htp]
+% \centering
+% \includegraphics[width=\linewidth]{images/ssh_fft.eps}
+% \caption{Spectrum of an SSH login attempt window and an idle window in frequency domain.}\JD{Fix or remove}
+% \label{fig:ssh_fft_comparison}
+% \end{figure}
+
+\subsubsection{\textbf{Results}}
+
+ A test set with \numprint{4095} samples consisting of \numprint{500} features each led to the results in Table \ref{tab:ssh-precision-comparison}. The feature engineering step extracts these samples from 20 power traces (each 50 second long). In total, there were 120 power traces and the model trained over 85 of them and validated over 15. \gls{ssh} attempts comprised \numprint[\%]{30} of the data, and the rest represented the idle behaviour of the system. The skew in the dataset makes the model more certain while predicting a positive class and helps lower the number of false positives.
+
+ The \gls{svm} model trained on data in time-domain using the Gaussian Kernel configured with $C = 1$ and $\gamma = 0.1$ achieved an accuracy of \numprint[\%]{98}. \gls{rfc}, configured with 500 trees and a maximum depth of 50, performed equally well and achieved an accuracy of \numprint[\%]{97}, also on time-domain.
+
+ The models trained on data in frequency domain were not as promising as they were in time domain. \gls{1dcnn} model had the highest accuracy with an accuracy of \numprint[\%]{94}. The \gls{svm} model did not converge while training on data in frequency domain.
+
+ Lastly, a \gls{1dcnn} trained on a mix of data from both time and frequency domain achieves an accuracy rate of \numprint[\%]{95} and minimizes \gls{fpr} to \numprint[\%]{1}, however, it has the highest \gls{fnr}.
+
+ Thus, \gls{svm} had the best accuracy rates along with the lowest \gls{fnr} and the second lowest \gls{fpr}. \gls{rfc} trained on time-domain data, on the other hand, has the lowest \gls{fpr} but has a much higher \gls{fnr}.
Low \gls{fpr} is more important than \gls{fnr} during log verification/auditing because a system can always detect an \gls{ssh} login on a subsequent attempt even if it misses one. However, a high \gls{fpr} would flag the system incessantly and be costly to the system administrator. Thus, \gls{svm} would be the choice of algorithm to implement this experiment because of its high accuracy rates and low \gls{fpr} and \gls{fnr}.
+
+ The \gls{svm} model requires a mean time of 763ms ($\sigma$=25ms) while \gls{rfc} requires a mean time of 469ms ($\sigma$=2.9ms) per prediction. The final model size for both the algorithms was 380MB. With a sub-second prediction time, a relatively small model size, and high precision rates, the techniques behind these models can offer effective runtime monitoring for network switches and other embedded systems.
+
+% \begin{figure}[htb]
+% \centering
+% \includegraphics[width=8cm]{images/time-cnn.png}
+% \caption{1D CNN with Time-Domain EET samples}
+% \label{fig:1d-cnn-TD}
+% \end{figure}
+
+
+
+
+
+% \begin{figure}[htb]
+% \centering
+% \includegraphics[width=8cm]{images/frequency-cnn.png}
+% \caption{1D CNN with Frequency-Domain EET samples}
+% \label{fig:1d-cnn-FD}
+% \end{figure}
+
+
+
+
+
+% \begin{figure}[ht]
+% \centering
+% \includegraphics[width=8cm]{images/merged-cnn.png}
+% \caption{1D CNN with both Frequency-Domain and Time-Domain EET samples}
+% \label{fig:1d-cnn-combined}
+% \end{figure}
+
+Table \ref{tab:ssh-precision-comparison} presents the results of all the algorithms used on data across all domains.
+ +\begin{table}[ht] + \begin{center} + + \begin{tabularx}{\columnwidth}{YYYYYYY} + \toprule + \textbf{Model} & \textbf{Precision} & \textbf{Recall} & \textbf{F1 Score} & \textbf{Accuracy} & \textbf{FPR} & \textbf{FNR} \tabularnewline + \midrule + & \multicolumn{5}{>{\hsize=\dimexpr5\hsize+5\tabcolsep+\arrayrulewidth\relax}Y}{\textbf{Time Domain}} & \tabularnewline + \midrule + \gls{rfc} & \numprint[\%]{95} & \numprint[\%]{97} & \numprint[\%]{95} & \numprint[\%]{97} & \numprint[\%]{0.6} & \numprint[\%]{14} \tabularnewline + SVM & \numprint[\%]{95} & \numprint[\%]{97} & \numprint[\%]{96} & \numprint[\%]{98} & \numprint[\%]{0.8} & \numprint[\%]{8} \tabularnewline + 1D~CNN & \numprint[\%]{94} & \numprint[\%]{93} & \numprint[\%]{93} & \numprint[\%]{96} & \numprint[\%]{2} & \numprint[\%]{9} \tabularnewline + \midrule + & \multicolumn{5}{>{\hsize=\dimexpr5\hsize+5\tabcolsep+\arrayrulewidth\relax}Y}{\textbf{Frequency Domain}} & \tabularnewline + \midrule + \gls{rfc} & \numprint[\%]{89} & \numprint[\%]{67} & \numprint[\%]{72} & + \numprint[\%]{88} & + \numprint[\%]{12} & + \numprint[\%]{8} \tabularnewline + SVM & -- & -- & -- & -- & -- & -- \tabularnewline + 1D~CNN & + \numprint[\%]{90} & \numprint[\%]{90} & \numprint[\%]{90} & \numprint[\%]{94} & + \numprint[\%]{3} & + \numprint[\%]{17} \tabularnewline + \midrule + & \multicolumn{5}{>{\hsize=\dimexpr5\hsize+5\tabcolsep+\arrayrulewidth\relax}Y}{\textbf{Time + Frequency Domain}} & \tabularnewline + \midrule + 1D~CNN & \numprint[\%]{89} & + \numprint[\%]{95} & + \numprint[\%]{92} & + \numprint[\%]{95} & + \numprint[\%]{1} & + \numprint[\%]{20} \tabularnewline + \bottomrule + \end{tabularx} + + \end{center} + \caption{Comparison between the different algorithms for detecting SSH login attempts} + \label{tab:ssh-precision-comparison} +\end{table} + +% \subsubsection{\textbf{Limitations}} +% The power consumption of the network switch\SF{is it a switch? 
do we always call it a switch?} can affect the model, if it\SF{what changes? the switch or the model?} were to change due to changes in the firmware. Collecting side-channel emissions over more firmware versions can address these issues.
+% This\SF{what does "this" refer to?} will result in a more robust model that can accommodate and work with more variations in the experiment setup.
+
+\subsection{Classifying SSH Login Attempts}
+Given a window of power trace where there is an SSH login attempt, this experiment attempts to classify the login attempt as successful or unsuccessful.
+
+\subsubsection{\textbf{Feature Engineering}}
+This experiment builds on top of experiment \ref{detect_ssh} and classifies the \gls{ssh} login attempts detected as successful or failed. The experiment considers the data only in time-domain. The matrix representation for this experiment is a slight modification of the previous one: $Z = \{ S_{1}, S_{2}, ... , S_{L}\}$ with rows of $S$ and $\forall i,j: |S_i|=|S_j|$, and the accompanying set of labels $Y_{Z} = \{ y_Z \in \{-1,1\}^{L}\}$ where $L$ is the total number of windows, $S$ is a window of \numprint{500} samples in time-domain, and all the windows correspond to either a successful or a failed SSH login attempt. Figure \ref{fig:ssh_time_classification} shows difference between the DC power trace of a successful and failed SSH login attempt.
+
+\begin{figure}[htp]
+ \begin{center}
+ \includegraphics[width=\columnwidth]{images/ssh_class_2}
+ \end{center}
+ \caption{Downsampled DC power traces of a successful and failed SSH login attempt}
+ \label{fig:ssh_time_classification}
+\end{figure}
+
+\subsubsection{\textbf{Results}}
+
+Models trained using \glspl{svm} and \gls{1dcnn} gave the best results for the classification along with the lowest \gls{fpr} and \gls{fnr}.
Optimizing the parameters of the \gls{rfc} with 250 trees, \glspl{svm} with $C = 100$, $\gamma = 10$, and Gaussian Kernel, and \gls{1dcnn}, the accuracy score reached \numprint[\%]{96.7}, \numprint[\%]{98.5} and \numprint[\%]{98.6} respectively. Table \ref{tab:ssh-classification-precision-comparison} details all the results.
+
+ The experiment uses roughly 5000 samples extracted from experiment \ref{detect_ssh} that includes only successful and unsuccessful SSH attempts. 65\% of all the samples comprise the training set, 15\% contributes to the validation set, and the test set includes 20\% of all the samples. Testing is done over roughly 1000 samples of 500 features. The \gls{svm} model performed the best and had the lowest \gls{fpr} and \gls{fnr}. The model requires a mean time of 203 ms ($\sigma$=9 ms) per prediction and requires 184MB of storage space.
+
+
+\begin{table}[ht]
+ \begin{center}
+ \begin{tabularx}{\columnwidth}{YYYYYYY}
+ \toprule
+ \textbf{Model} & \textbf{Precision} & \textbf{Recall} & \textbf{F1 Score} & \textbf{Accuracy} & \textbf{FPR} & \textbf{FNR} \tabularnewline
+ \midrule
+ & \multicolumn{5}{>{\hsize=\dimexpr5\hsize+5\tabcolsep+\arrayrulewidth\relax}c}{\textbf{Time Domain}} & \tabularnewline
+ \midrule
+ \gls{rfc} & \numprint[\%]{97} & \numprint[\%]{97} & \numprint[\%]{97} & \numprint[\%]{96.7} & \numprint[\%]{12} & \numprint[\%]{8} \tabularnewline
+ SVM & \numprint[\%]{99} & \numprint[\%]{99} & \numprint[\%]{99} & \numprint[\%]{98.5} &
+ \numprint[\%]{1} &
+ \numprint[\%]{1.5} \tabularnewline
+ 1D~CNN & \numprint[\%]{98.5} &
+ \numprint[\%]{98} & \numprint[\%]{98} & \numprint[\%]{98} & \numprint[\%]{1} & \numprint[\%]{2} \tabularnewline
+ \bottomrule
+ \end{tabularx}
+ \end{center}
+ \caption{Comparison between the different algorithms for classifying SSH login attempts}
+ \label{tab:ssh-classification-precision-comparison}
+\end{table}
+
+% \subsubsection{\textbf{Limitations}}
+% Along with limitations from the previous experiment, the
feature engineering makes the assumption that the given input sample contains an SSH login attempt. If an input does not include an SSH attempt, it will still classify it as either a failed or a successful SSH attempt.
+
+\section{Experiment Family III: Hardware Tampering} \label{Hardware}
+
+The HP Procurve Switch 5406zl offers the on-the-fly installation of networking modules to modify the number of Ethernet ports available.
+This capability exposes the switch to a Hardware Integrity Attack [CAPEC 440].
+An attacker with physical access to the front panel of the network equipment could tamper with the modules and potentially install unauthorized ones.
+Installing new modules could offer a way to gain access to the machine by an attacker leveraging a poor default configuration of the ports.
+For example, on a network equipment where the default configuration does not include a limit for the number of MAC addresses per port, installing an extension module could allow an attacker to perform a MAC Flood attack [CAPEC 125]. This attack consist in filling the MAC address table of the switch with new MAC address. When this table is full, the switch is forced to broadcast every frame to every ports. This way, an attacker can receive traffic that it should not have access to \cite{7130435}.
+Using this method, an attacker could gain illegitimate access without the need to reboot the system (necessary for firmware manipulation attacks).
+Existing \glspl{ids} and security software do not yet offer functionality to detect the installation of unauthorized modules.
+Hence, currently the only way to identify unauthorized hardware modification is through the use of the network equipment's involuntary emissions.
+
+\subsection{Identifying Number of Expansion Modules}
+\label{expe:hardware-1}
+
+This experiment aims to identify the number of modules installed from a capture of \gls{ac} or \gls{dc} power consumption from the network equipment.
In this experiment, there was no on-the-fly installation or removal of module during the capture.
+
+\subsubsection{\textbf{Feature Engineering}}
+The impact of the installation or removal of a module can is detectable in both \gls{dc} and \gls{ac} power consumption. These two types of emissions require different processing to extract the features that characterize the number of modules.
+
+ The installation or removal of an expansion module increases or decreases the average \gls{dc} power consumption of the device.
+By analyzing \gls{dc} power consumption, it is then possible to identify the number of expansion modules installed at any time.
+To create the training dataset, the prepossessing program extracted snippets of data randomly picks from \numprint{138} 20 second long \gls{dc} power consumption trace. A snippet is an extract of the trace composed of consecutive data-points. Each trace is 20 second long to avoid any outlier condition that, for a few seconds, could affect the average power consumption and cause a biased training. Within each trace, the program picked 10 snippets of 5 values. Those values of number and length of snippets corresponds to the minimum training time needed to achieve a \numprint[\%]{100} accuracy with a stratified 10-fold cross validation setup with the data used in this experiment. The average value of each snippet is then computed. The final training dataset is a 1D array of shape $(\numprint{1380},1)$.
+
+Expansion modules also have an impact on the pattern of \gls{ac} power consumption.
+Each number of expansion modules will cause a different pattern in the fundamental \numprint[Hz]{60} wave of the \gls{ac} power consumption.
+Those patterns only depend on the number of modules installed and not on which slots they are used.
+To create the training dataset, the prepossessing program extracted periods of the fundamental wave by detecting consecutive local minima in the trace.
From each 20 second trace, the program extract $N$ periods. Depending on the number $N$, the model achieved different results (see Table \ref{tab:periods_ac}).
+The extracted periods of \numprint{3333} data points (one period of the \numprint[Hz]{60} captured at 1MSPS and decimated by 5), constitute the training set of shape $(\numprint{4320},\numprint{3333})$.
+
+\begin{table}[ht]
+ \begin{center}
+ \begin{tabularx}{\columnwidth}{cYYYYYY}
+ \toprule
+ Number of periods & 10 & 20 & 30 & 40 & 50 & 60 \tabularnewline
+ \midrule
+ Accuracy (\%) & \numprint{98.61}& \numprint{98.99}& \numprint{99.26}& \numprint{99.53}& \numprint{99.72}& \numprint{99.78}\tabularnewline
+ \bottomrule
+ \end{tabularx}
+ \end{center}
+ \caption{Accuracy of the AC \gls{svm} model relative to the the number of period per traces}
+ \label{tab:periods_ac}
+\end{table}
+
+\subsubsection{\textbf{Results}}
+Models applied to \gls{ac} and \gls{dc} data performed differently at identifying the correct number of modules installed.
+
+The average \gls{dc} value measured in this experiment for each number of modules does not overlap (see Table~\ref{tab:clusters_dc}).
+This allows to create intervals containing only one type of label.
+This property enable both \gls{svm} and \gls{knn} to perfectly classify the number of modules installed.
+The \gls{svm} model trained with a linear kernel performed the same as the \gls{knn} model with $K=1$.
+Both methods classify the traces with a \numprint[\%]{100} accuracy.
+
+\begin{table}[ht]
+ \begin{center}
+ \begin{tabularx}{\columnwidth}{cYYYYYY}
+ \toprule
+ Class & 1 & 2 & 3 & 4 & 5 & 6 \tabularnewline
+ \midrule
+ Average [mV]& \numprint{54.9}& \numprint{72.5}& \numprint{90.1}& \numprint{95.2}& \numprint{125}& \numprint{144}\tabularnewline
+ St.d [mV]& \numprint{0.037}& \numprint{0.12}& \numprint{0.028}& \numprint{0.16}& \numprint{0.031}& \numprint{0.045}\tabularnewline
+ \bottomrule
+ \end{tabularx}
+ \end{center}
+ \caption{Average DC consumption for different numbers of modules installed with 200 points per class}
+ \label{tab:clusters_dc}
+\end{table}
+
+The \gls{ac} periods, event when following different patterns depending on the number of modules, remain similar at some points and do not present a separation as clear as the \gls{dc} averages. The \gls{svm} model was able to identify the number of modules installed with an accuracy of \numprint[\%]{99}.
+
+\iffalse
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=0.9\columnwidth]{images/Hardware-modification/cluster_dc}
+ \caption{Average DC consumption for different numbers of modules installed with 200 points per number of modules}
+ \label{fig:clusters_dc}
+\end{figure}
+\fi
+
+Results from Table \ref{tab:hardware-results} shows that \gls{dc} data yields the best results with both approaches (\gls{svm} and \gls{knn}). These high accuracy and recall results are the result of the clear and non-overlapping grouping of the averages \gls{dc} consummation. The results presented are produced with a stratified 10-fold cross validation setup.
+
+\begin{table}[ht]
+ \begin{center}
+ \begin{tabularx}{\columnwidth}{YYYYY}
+ \toprule
+ \textbf{Input data} & \textbf{Model} & \textbf{Accuracy} & \textbf{Recall}\tabularnewline
+ \midrule
+ \gls{dc} & SVM & \numprint[\%]{100} & \numprint[\%]{100}\tabularnewline
+ \gls{dc} & KNN & \numprint[\%]{100} & \numprint[\%]{100}\tabularnewline
+ \gls{ac} & SVM & \numprint[\%]{99.5} & \numprint[\%]{99.45}\tabularnewline
+ \bottomrule
+ \end{tabularx}
+ \end{center}
+ \caption{Comparison between the different models for hardware detection with a stratified 10-fold cross validation setup}
+ \label{tab:hardware-results}
+\end{table}
+
+\subsection{Detecting Installation or Removal of Expansion Modules}
+
+For this experiment, the goal is to detect the installation or removal of an expansion module from a power capture from the network equipment. For this experiment, modules were installed or removed on-the-fly during the capture.
+
+To achieve this goal, it is possible to leverage the method used in the previous experiment \ref{expe:hardware-1} and repeat the identification in regular intervals during operation. This is a different use case where the installation or removal occurs during the capture.
+Any change in the number of expansion modules identified will be considered an attack on the hardware integrity of the device.
+Figure~\ref{fig:installation-modules} shows the identification of the number of modules along the \gls{dc} capture. This detection uses \numprint{500} snippets of \numprint{20} data point. The Figure illustrate the steps followed by the classification from the model. Each step correspond to the installation of a module. The installation of a module does not trigger an instantaneous increase in the average consumption. For this reason, the predictions that follows the installation or a module can vary between two consecutive values. The average consumption and the predictions stabilize after a few seconds (around 10 seconds).
+
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=\columnwidth,height=0.46\columnwidth]{images/Hardware-modification/detect_change}
+ \caption{Identification of the number of modules and detection of an installation}
+ \label{fig:installation-modules}
+\end{figure}
+
+\section{Discussion} \label{Discussion}
+
+\noindent
+\textbf{Influence of Traffic on the Results:}
+The data used for training the models did not include traffic and were collected in a laboratory environment. Because the production equipment is used by actual users, it is not possible to perform attack that would disrupt to connection quality. Hence, flashing firmware is not possible because it requires rebooting the machine, \gls{ssh} attacks are not possible because it requires disabling some security features, and hardware tempering is not possible because it requires to physically disconnect the users.
+However, complementary experiments were conducted to verify weather traffic would have a significant impact on the results of the experiment. This can be explained by the fact that all the expansion module consume power whether or not they have active connection. This property make the detection of the number of modules installed possible and it may not be the same for every networking equipment. For Experiment Family I (section~\ref{Firmware}), the traffic can not impact the results as the there is no traffic possible during the boot-up sequence and the experiment use only the boot-up sequences to perform the classification. For Experiment Family II (section~\ref{RunTime}) and III (section~\ref{Hardware}), we capture data containing real traffic (captures on the identical production switch) and simulated traffic (connections between multiples pairs of machines at around 1Gbps in the laboratory environment). Traffic data does not show any significant impact on \gls{dc} or \gls{ac} in both time and frequency domain.
From these results, it is possible to conclude that traffic should not impact the results from the presented experiments.
+
+\noindent
+\textbf{Support for Small Datasets:} As presented in this paper, the trained models can successfully detect attacks executed on the network equipment.
+Those results are especially interesting as the model training step relies on a small number of training samples to achieve near perfect accuracy scores. This is a success, because (1)~our models achieve similar accuracy as some of the most successful experiments involving \gls{ml}~\cite{chollet2017xception,szegedy2017inception,xie2017aggregated,deng2009imagenet} but (2)~use only a small sample size compared to image libraries with millions of image samples as training data.
+Our experiments use a maximum of \numprint{1000} power trace samples.
+The small number of training samples makes this approach adaptable to a range of different systems and domains because it solves the issue of collecting large amounts of data usually required to enable \gls{ml} approaches.
+The models trained are relatively lightweight owing to the small number of samples along with the heavy downsampling performed on data for the experiments.
+The lightweight nature of the models allows for fast online run-time monitoring and integrity assessment of embedded systems.
+
+\noindent
+\textbf{Computational requirements}
+The machine used for performance measurement is a standard workstation equipped with \numprint[GB]{128} of RAM and an Intel Xeon E5-2630 v3 processor. This machine was also used for training. A substantially lower-powered machine will suffice for a deployment. The time an memory consummation were obtained with the \texttt{timeit} and \texttt{memit} command in Python. The commands evaluate the time and memory needed to predict one sample. The time interval reported in the experiment starts at receiving a raw measurement and ends with a prediction based on the sample.
The evaluation excludes the training of the model, since this is done offline. Measurements for the best performing models are reported in table~\ref{tab:perfs}.
+
+\begin{table}[ht]
+ \begin{center}
+ \begin{tabularx}{\columnwidth}{lYYY}
+ \toprule
+ & Mean Time [ms] & Standard Deviation [ms] & Peak Memory Usage [MB]\tabularnewline
+ \midrule
+ Experiment 1 (RF, DC) & \numprint{13.5} & \numprint{1.9} & \numprint{103}\tabularnewline
+ %Experiment 1 (SVM, DC) & \numprint{2.1} & \numprint{0.6} & \numprint{104}\tabularnewline
+ Experiment 1 (RF, \gls{psd}-DC) & \numprint{2.1} & \numprint{0.3} & \numprint{102}\tabularnewline
+ %Experiment 1 (SVM, \gls{psd}-DC) & \numprint{2.3} & \numprint{0.5} & \numprint{101}\tabularnewline
+ Experiment 2 (DTW) & \numprint{0.52} & \numprint{0.2} & \numprint{306}\tabularnewline
+ %Experiment 3 (RF, DC) & \numprint{469} & \numprint{2.9} & \numprint{380}\tabularnewline
+ Experiment 3 (SVM, DC) & \numprint{763} & \numprint{25.5} & \numprint{380}\tabularnewline
+ %Experiment 4 (RF, DC) & \numprint{741} & \numprint{33} & \numprint{182}\tabularnewline
+ Experiment 4 (SVM, DC) & \numprint{203} & \numprint{9} & \numprint{184}\tabularnewline
+ %Experiment 5 (\gls{ac}) & \numprint{175} & \numprint{24.1} & \numprint{240}\tabularnewline
+ Experiment 5 (\gls{dc}) & \numprint{264} & \numprint{13.7} & \numprint{353}\tabularnewline
+ \bottomrule
+ \end{tabularx}
+ \end{center}
+ \caption{Computation time and memory usage for the best performing models}
+ \label{tab:perfs}
+\end{table}{}
+
+%\noindent\textbf{}
+
+\section{The Bigger Picture} \label{sec:big_picture}
+
+The concepts and principles of what we showed in this paper are applicable to most embedded and real-time systems. As long as systems have recurring, well-defined behaviour, we can use side-channel analysis to identify behaviour patterns. These behaviour patterns are useful to create \gls{ids} for integrity assessment or runtime verification frameworks.
+
+The set of side-channels is not necessarily static for the class of embedded systems. For some systems, ultrasound or even temperature might be a good channel to use in the \gls{ids} or runtime verification framework. In general, we believe that power consumption overall is a good channel with a strong preference on using DC measurements.
+
+%This paper shows the suitability of side-channel based \gls{ids} to offer integrity assessment and run-time monitoring for only network switches, however, the principles and technique hold sound for all embedded systems. The data acquisition technique can extend to any embedded system and capture the systems power consumption.
+%The \gls{dsp} methods and \gls{ml} algorithms can use the power consumption of other embedded systems in the same fashion as discussed in earlier sections. Different embedded systems might leak different side-channel emissions that can train \gls{ml} algorithms and offer another layer of protection. The principles of a side-channel based \gls{ids} is, thus, applicable to all embedded systems.
+
+Side-channels produce measurable physical effects that are external to the system and thus enable monitoring without interference to the system under test. The external nature has advantages to the dependability of the monitoring for certified safety-critical systems. For example, a defect in the software of either the system under test or the monitor will not affect the other system. Furthermore, isolation of the security system has the potential to provide increased cybersecurity~\cite{ICISSP2017}.
+
+%\CM{I strongly recommend to eliminate this whole paragraph. It is certainly an ``empty'' claim, and it makes it sound like we're desperate to make it look like we did a lot more than we're reporting (which, why would that ever be the case?)}
+%We have experimented with side-channel based monitoring on a number of platforms besides the reported results.
Tests included electronic control modules in vehicles, camera systems, Internet-of-Things platforms, and manufacturing systems. In all of them we found utility in monitoring side channels for runtime verification or intrusion detection.
+
+%ttacker with access to the system cannot circumvent the side-channel based \gls{ids}, (ii)~A bug in the \gls{ids} cannot disrupt the system it monitors. The latter can be extremely beneficial for run-time monitoring and integrity assessment of embedded systems that constitute security critical infrastructure such as power grids, medical devices, etc. Human errors often cause bugs in programs that can potentially make systems and other programs using it vulnerable through attacks such as privilege escalation. A bug in an \gls{ids} hosted on a system can render the system insecure. This highlights the importance of a comprehensive external \gls{ids} hosted independent of the system it monitors, as is the case for the side-chanenl \gls{ids} that this paper proposes.
+
+
+% Have a section outlining that this can be expanded to many other areas
+
+% depend on the system, different side channels might be of interest, however, the basic concepts still hold
+
+% an industry standard could help facilitate the proliferation of side-channel-based monitoring
+
+% Mention that physical isolation has a twofold advantage, especially in the context of safety-critical systems: on the one hand, the system cannot affect (e.g., maliciously disable) the monitor; and on the other hand, the system is also immune to disruption caused by the operation of the monitor.
+
+\section{Conclusion} \label{Conclusion}
+
+This paper introduced a side-channel based \gls{ids} that offers a novel type of runtime monitoring and integrity assessment for network equipment. The specific attacks analyzed include hardware tampering, firmware manipulation, and log tampering.
Our proposed \gls{ids} defends against these attacks by determining the system state and behaviour from the information emitted by the system's physical side-channels. The results show that the used methods achieve near perfect accuracy on all experiments with only a small training set. Overall, the introduced techniques provide a glimpse on a general concept that is extensible to other real-time and embedded systems. Future work can investigate additional side channels and how the interaction can even further reduce the required sample size and improve the accuracy.
+
+
+\bibliography{bibliography}{}
+\bibliographystyle{unsrt}
+
+% You can push biographies down or up by placing
+% a \vfill before or after them. The appropriate
+% use of \vfill depends on what kind of text is
+% on the last page and whether or not the columns
+% are being equalized.
+
+%\vfill
+
+% Can be used to pull up biographies so that the bottom of the last one
+% is flush with the other column.
+%\enlargethispage{-5in}
+
+
+
+% that's all folks
+\end{document}
+
+
diff --git a/EET1/MLCS_conference/splncs04.bst b/EET1/MLCS_conference/splncs04.bst
new file mode 100644
index 0000000..2bcad4d
--- /dev/null
+++ b/EET1/MLCS_conference/splncs04.bst
@@ -0,0 +1,1548 @@ +%% BibTeX bibliography style `splncs03' +%% +%% BibTeX bibliography style for use with numbered references in +%% Springer Verlag's "Lecture Notes in Computer Science" series. +%% (See Springer's documentation for llncs.cls for +%% more details of the suggested reference format.) Note that this +%% file will not work for author-year style citations. +%% +%% Use \documentclass{llncs} and \bibliographystyle{splncs03}, and cite +%% a reference with (e.g.) \cite{smith77} to get a "[1]" in the text. +%% +%% This file comes to you courtesy of Maurizio "Titto" Patrignani of +%% Dipartimento di Informatica e Automazione Universita' Roma Tre +%% +%% ================================================================================================ +%% This was file `titto-lncs-02.bst' produced on Wed Apr 1, 2009 +%% Edited by hand by titto based on `titto-lncs-01.bst' (see below) +%% +%% CHANGES (with respect to titto-lncs-01.bst): +%% - Removed the call to \urlprefix (thus no "URL" string is added to the output) +%% ================================================================================================ +%% This was file `titto-lncs-01.bst' produced on Fri Aug 22, 2008 +%% Edited by hand by titto based on `titto.bst' (see below) +%% +%% CHANGES (with respect to titto.bst): +%% - Removed the "capitalize" command for editors string "(eds.)" and "(ed.)" +%% - Introduced the functions titto.bbl.pages and titto.bbl.page for journal pages (without "pp.") +%% - Added a new.sentence command to separate with a dot booktitle and series in the inproceedings +%% - Commented all new.block commands before urls and notes (to separate them with a comma) +%% - Introduced the functions titto.bbl.volume for handling journal volumes (without "vol." label) +%% - Used for editors the same name conventions used for authors (see function format.in.ed.booktitle) +%% - Removed a \newblock to avoid long spaces between title and "In: ..." 
+%% - Added function titto.space.prefix to add a space instead of "~" after the (removed) "vol." label +%% - Added doi +%% ================================================================================================ +%% This was file `titto.bst', +%% generated with the docstrip utility. +%% +%% The original source files were: +%% +%% merlin.mbs (with options: `vonx,nm-rvvc,yr-par,jttl-rm,volp-com,jwdpg,jwdvol,numser,ser-vol,jnm-x,btit-rm,bt-rm,edparxc,bkedcap,au-col,in-col,fin-bare,pp,ed,abr,mth-bare,xedn,jabr,and-com,and-com-ed,xand,url,url-blk,em-x,nfss,') +%% ---------------------------------------- +%% *** Tentative .bst file for Springer LNCS *** +%% +%% Copyright 1994-2007 Patrick W Daly + % =============================================================== + % IMPORTANT NOTICE: + % This bibliographic style (bst) file has been generated from one or + % more master bibliographic style (mbs) files, listed above. + % + % This generated file can be redistributed and/or modified under the terms + % of the LaTeX Project Public License Distributed from CTAN + % archives in directory macros/latex/base/lppl.txt; either + % version 1 of the License, or any later version. + % =============================================================== + % Name and version information of the main mbs file: + % \ProvidesFile{merlin.mbs}[2007/04/24 4.20 (PWD, AO, DPC)] + % For use with BibTeX version 0.99a or later + %------------------------------------------------------------------- + % This bibliography style file is intended for texts in ENGLISH + % This is a numerical citation style, and as such is standard LaTeX. + % It requires no extra package to interface to the main text. + % The form of the \bibitem entries is + % \bibitem{key}... + % Usage of \cite is as follows: + % \cite{key} ==>> [#] + % \cite[chap. 2]{key} ==>> [#, chap. 2] + % where # is a number determined by the ordering in the reference list. + % The order in the reference list is alphabetical by authors. 
+ %--------------------------------------------------------------------- + +ENTRY + { address + author + booktitle + chapter + doi + edition + editor + eid + howpublished + institution + journal + key + month + note + number + organization + pages + publisher + school + series + title + type + url + volume + year + } + {} + { label } +INTEGERS { output.state before.all mid.sentence after.sentence after.block } +FUNCTION {init.state.consts} +{ #0 'before.all := + #1 'mid.sentence := + #2 'after.sentence := + #3 'after.block := +} +STRINGS { s t} +FUNCTION {output.nonnull} +{ 's := + output.state mid.sentence = + { ", " * write$ } + { output.state after.block = + { add.period$ write$ +% newline$ +% "\newblock " write$ % removed for titto-lncs-01 + " " write$ % to avoid long spaces between title and "In: ..." + } + { output.state before.all = + 'write$ + { add.period$ " " * write$ } + if$ + } + if$ + mid.sentence 'output.state := + } + if$ + s +} +FUNCTION {output} +{ duplicate$ empty$ + 'pop$ + 'output.nonnull + if$ +} +FUNCTION {output.check} +{ 't := + duplicate$ empty$ + { pop$ "empty " t * " in " * cite$ * warning$ } + 'output.nonnull + if$ +} +FUNCTION {fin.entry} +{ duplicate$ empty$ + 'pop$ + 'write$ + if$ + newline$ +} + +FUNCTION {new.block} +{ output.state before.all = + 'skip$ + { after.block 'output.state := } + if$ +} +FUNCTION {new.sentence} +{ output.state after.block = + 'skip$ + { output.state before.all = + 'skip$ + { after.sentence 'output.state := } + if$ + } + if$ +} +FUNCTION {add.blank} +{ " " * before.all 'output.state := +} + + +FUNCTION {add.colon} +{ duplicate$ empty$ + 'skip$ + { ":" * add.blank } + if$ +} + +FUNCTION {date.block} +{ + new.block +} + +FUNCTION {not} +{ { #0 } + { #1 } + if$ +} +FUNCTION {and} +{ 'skip$ + { pop$ #0 } + if$ +} +FUNCTION {or} +{ { pop$ #1 } + 'skip$ + if$ +} +STRINGS {z} +FUNCTION {remove.dots} +{ 'z := + "" + { z empty$ not } + { z #1 #1 substring$ + z #2 global.max$ substring$ 'z := + duplicate$ "." 
= 'pop$ + { * } + if$ + } + while$ +} +FUNCTION {new.block.checka} +{ empty$ + 'skip$ + 'new.block + if$ +} +FUNCTION {new.block.checkb} +{ empty$ + swap$ empty$ + and + 'skip$ + 'new.block + if$ +} +FUNCTION {new.sentence.checka} +{ empty$ + 'skip$ + 'new.sentence + if$ +} +FUNCTION {new.sentence.checkb} +{ empty$ + swap$ empty$ + and + 'skip$ + 'new.sentence + if$ +} +FUNCTION {field.or.null} +{ duplicate$ empty$ + { pop$ "" } + 'skip$ + if$ +} +FUNCTION {emphasize} +{ skip$ } + +FUNCTION {embolden} +{ duplicate$ empty$ +{ pop$ "" } +{ "\textbf{" swap$ * "}" * } +if$ +} +FUNCTION {tie.or.space.prefix} +{ duplicate$ text.length$ #5 < + { "~" } + { " " } + if$ + swap$ +} +FUNCTION {titto.space.prefix} % always introduce a space +{ duplicate$ text.length$ #3 < + { " " } + { " " } + if$ + swap$ +} + + +FUNCTION {capitalize} +{ "u" change.case$ "t" change.case$ } + +FUNCTION {space.word} +{ " " swap$ * " " * } + % Here are the language-specific definitions for explicit words. + % Each function has a name bbl.xxx where xxx is the English word. + % The language selected here is ENGLISH +FUNCTION {bbl.and} +{ "and"} + +FUNCTION {bbl.etal} +{ "et~al." } + +FUNCTION {bbl.editors} +{ "eds." } + +FUNCTION {bbl.editor} +{ "ed." } + +FUNCTION {bbl.edby} +{ "edited by" } + +FUNCTION {bbl.edition} +{ "edn." } + +FUNCTION {bbl.volume} +{ "vol." } + +FUNCTION {titto.bbl.volume} % for handling journals +{ "" } + +FUNCTION {bbl.of} +{ "of" } + +FUNCTION {bbl.number} +{ "no." } + +FUNCTION {bbl.nr} +{ "no." } + +FUNCTION {bbl.in} +{ "in" } + +FUNCTION {bbl.pages} +{ "pp." } + +FUNCTION {bbl.page} +{ "p." } + +FUNCTION {titto.bbl.pages} % for journals +{ "" } + +FUNCTION {titto.bbl.page} % for journals +{ "" } + +FUNCTION {bbl.chapter} +{ "chap." } + +FUNCTION {bbl.techrep} +{ "Tech. Rep." } + +FUNCTION {bbl.mthesis} +{ "Master's thesis" } + +FUNCTION {bbl.phdthesis} +{ "Ph.D. 
thesis" } + +MACRO {jan} {"Jan."} + +MACRO {feb} {"Feb."} + +MACRO {mar} {"Mar."} + +MACRO {apr} {"Apr."} + +MACRO {may} {"May"} + +MACRO {jun} {"Jun."} + +MACRO {jul} {"Jul."} + +MACRO {aug} {"Aug."} + +MACRO {sep} {"Sep."} + +MACRO {oct} {"Oct."} + +MACRO {nov} {"Nov."} + +MACRO {dec} {"Dec."} + +MACRO {acmcs} {"ACM Comput. Surv."} + +MACRO {acta} {"Acta Inf."} + +MACRO {cacm} {"Commun. ACM"} + +MACRO {ibmjrd} {"IBM J. Res. Dev."} + +MACRO {ibmsj} {"IBM Syst.~J."} + +MACRO {ieeese} {"IEEE Trans. Software Eng."} + +MACRO {ieeetc} {"IEEE Trans. Comput."} + +MACRO {ieeetcad} + {"IEEE Trans. Comput. Aid. Des."} + +MACRO {ipl} {"Inf. Process. Lett."} + +MACRO {jacm} {"J.~ACM"} + +MACRO {jcss} {"J.~Comput. Syst. Sci."} + +MACRO {scp} {"Sci. Comput. Program."} + +MACRO {sicomp} {"SIAM J. Comput."} + +MACRO {tocs} {"ACM Trans. Comput. Syst."} + +MACRO {tods} {"ACM Trans. Database Syst."} + +MACRO {tog} {"ACM Trans. Graphic."} + +MACRO {toms} {"ACM Trans. Math. Software"} + +MACRO {toois} {"ACM Trans. Office Inf. Syst."} + +MACRO {toplas} {"ACM Trans. Progr. Lang. Syst."} + +MACRO {tcs} {"Theor. Comput. 
Sci."} + +FUNCTION {bibinfo.check} +{ swap$ + duplicate$ missing$ + { + pop$ pop$ + "" + } + { duplicate$ empty$ + { + swap$ pop$ + } + { swap$ + pop$ + } + if$ + } + if$ +} +FUNCTION {bibinfo.warn} +{ swap$ + duplicate$ missing$ + { + swap$ "missing " swap$ * " in " * cite$ * warning$ pop$ + "" + } + { duplicate$ empty$ + { + swap$ "empty " swap$ * " in " * cite$ * warning$ + } + { swap$ + pop$ + } + if$ + } + if$ +} +FUNCTION {format.url} +{ url empty$ + { "" } +% { "\urlprefix\url{" url * "}" * } + { "\url{" url * "}" * } % changed in titto-lncs-02.bst + if$ +} + +FUNCTION {format.doi} % added in splncs04.bst +{ doi empty$ + { "" } + { after.block 'output.state := + "\doi{" doi * "}" * } + if$ +} + +INTEGERS { nameptr namesleft numnames } + + +STRINGS { bibinfo} + +FUNCTION {format.names} +{ 'bibinfo := + duplicate$ empty$ 'skip$ { + 's := + "" 't := + #1 'nameptr := + s num.names$ 'numnames := + numnames 'namesleft := + { namesleft #0 > } + { s nameptr + "{vv~}{ll}{, jj}{, f{.}.}" + format.name$ + bibinfo bibinfo.check + 't := + nameptr #1 > + { + namesleft #1 > + { ", " * t * } + { + s nameptr "{ll}" format.name$ duplicate$ "others" = + { 't := } + { pop$ } + if$ + "," * + t "others" = + { + " " * bbl.etal * + } + { " " * t * } + if$ + } + if$ + } + 't + if$ + nameptr #1 + 'nameptr := + namesleft #1 - 'namesleft := + } + while$ + } if$ +} +FUNCTION {format.names.ed} +{ + 'bibinfo := + duplicate$ empty$ 'skip$ { + 's := + "" 't := + #1 'nameptr := + s num.names$ 'numnames := + numnames 'namesleft := + { namesleft #0 > } + { s nameptr + "{f{.}.~}{vv~}{ll}{ jj}" + format.name$ + bibinfo bibinfo.check + 't := + nameptr #1 > + { + namesleft #1 > + { ", " * t * } + { + s nameptr "{ll}" format.name$ duplicate$ "others" = + { 't := } + { pop$ } + if$ + "," * + t "others" = + { + + " " * bbl.etal * + } + { " " * t * } + if$ + } + if$ + } + 't + if$ + nameptr #1 + 'nameptr := + namesleft #1 - 'namesleft := + } + while$ + } if$ +} +FUNCTION {format.authors} +{ author 
"author" format.names +} +FUNCTION {get.bbl.editor} +{ editor num.names$ #1 > 'bbl.editors 'bbl.editor if$ } + +FUNCTION {format.editors} +{ editor "editor" format.names duplicate$ empty$ 'skip$ + { + " " * + get.bbl.editor +% capitalize + "(" swap$ * ")" * + * + } + if$ +} +FUNCTION {format.note} +{ + note empty$ + { "" } + { note #1 #1 substring$ + duplicate$ "{" = + 'skip$ + { output.state mid.sentence = + { "l" } + { "u" } + if$ + change.case$ + } + if$ + note #2 global.max$ substring$ * "note" bibinfo.check + } + if$ +} + +FUNCTION {format.title} +{ title + duplicate$ empty$ 'skip$ + { "t" change.case$ } + if$ + "title" bibinfo.check +} +FUNCTION {output.bibitem} +{ newline$ + "\bibitem{" write$ + cite$ write$ + "}" write$ + newline$ + "" + before.all 'output.state := +} + +FUNCTION {n.dashify} +{ + 't := + "" + { t empty$ not } + { t #1 #1 substring$ "-" = + { t #1 #2 substring$ "--" = not + { "--" * + t #2 global.max$ substring$ 't := + } + { { t #1 #1 substring$ "-" = } + { "-" * + t #2 global.max$ substring$ 't := + } + while$ + } + if$ + } + { t #1 #1 substring$ * + t #2 global.max$ substring$ 't := + } + if$ + } + while$ +} + +FUNCTION {word.in} +{ bbl.in capitalize + ":" * + " " * } + +FUNCTION {format.date} +{ + month "month" bibinfo.check + duplicate$ empty$ + year "year" bibinfo.check duplicate$ empty$ + { swap$ 'skip$ + { "there's a month but no year in " cite$ * warning$ } + if$ + * + } + { swap$ 'skip$ + { + swap$ + " " * swap$ + } + if$ + * + remove.dots + } + if$ + duplicate$ empty$ + 'skip$ + { + before.all 'output.state := + " (" swap$ * ")" * + } + if$ +} +FUNCTION {format.btitle} +{ title "title" bibinfo.check + duplicate$ empty$ 'skip$ + { + } + if$ +} +FUNCTION {either.or.check} +{ empty$ + 'pop$ + { "can't use both " swap$ * " fields in " * cite$ * warning$ } + if$ +} +FUNCTION {format.bvolume} +{ volume empty$ + { "" } + { bbl.volume volume tie.or.space.prefix + "volume" bibinfo.check * * + series "series" bibinfo.check + duplicate$ 
empty$ 'pop$ + { emphasize ", " * swap$ * } + if$ + "volume and number" number either.or.check + } + if$ +} +FUNCTION {format.number.series} +{ volume empty$ + { number empty$ + { series field.or.null } + { output.state mid.sentence = + { bbl.number } + { bbl.number capitalize } + if$ + number tie.or.space.prefix "number" bibinfo.check * * + series empty$ + { "there's a number but no series in " cite$ * warning$ } + { bbl.in space.word * + series "series" bibinfo.check * + } + if$ + } + if$ + } + { "" } + if$ +} + +FUNCTION {format.edition} +{ edition duplicate$ empty$ 'skip$ + { + output.state mid.sentence = + { "l" } + { "t" } + if$ change.case$ + "edition" bibinfo.check + " " * bbl.edition * + } + if$ +} +INTEGERS { multiresult } +FUNCTION {multi.page.check} +{ 't := + #0 'multiresult := + { multiresult not + t empty$ not + and + } + { t #1 #1 substring$ + duplicate$ "-" = + swap$ duplicate$ "," = + swap$ "+" = + or or + { #1 'multiresult := } + { t #2 global.max$ substring$ 't := } + if$ + } + while$ + multiresult +} +FUNCTION {format.pages} +{ pages duplicate$ empty$ 'skip$ + { duplicate$ multi.page.check + { + bbl.pages swap$ + n.dashify + } + { + bbl.page swap$ + } + if$ + tie.or.space.prefix + "pages" bibinfo.check + * * + } + if$ +} +FUNCTION {format.journal.pages} +{ pages duplicate$ empty$ 'pop$ + { swap$ duplicate$ empty$ + { pop$ pop$ format.pages } + { + ", " * + swap$ + n.dashify + pages multi.page.check + 'titto.bbl.pages + 'titto.bbl.page + if$ + swap$ tie.or.space.prefix + "pages" bibinfo.check + * * + * + } + if$ + } + if$ +} +FUNCTION {format.journal.eid} +{ eid "eid" bibinfo.check + duplicate$ empty$ 'pop$ + { swap$ duplicate$ empty$ 'skip$ + { + ", " * + } + if$ + swap$ * + } + if$ +} +FUNCTION {format.vol.num.pages} % this function is used only for journal entries +{ volume field.or.null embolden + duplicate$ empty$ 'skip$ + { +% bbl.volume swap$ tie.or.space.prefix + titto.bbl.volume swap$ titto.space.prefix +% rationale for the change 
above: for journals you don't want "vol." label +% hence it does not make sense to attach the journal number to the label when +% it is short + "volume" bibinfo.check + * * + } + if$ + number "number" bibinfo.check duplicate$ empty$ 'skip$ + { + swap$ duplicate$ empty$ + { "there's a number but no volume in " cite$ * warning$ } + 'skip$ + if$ + swap$ + "(" swap$ * ")" * + } + if$ * + eid empty$ + { format.journal.pages } + { format.journal.eid } + if$ +} + +FUNCTION {format.chapter.pages} +{ chapter empty$ + 'format.pages + { type empty$ + { bbl.chapter } + { type "l" change.case$ + "type" bibinfo.check + } + if$ + chapter tie.or.space.prefix + "chapter" bibinfo.check + * * + pages empty$ + 'skip$ + { ", " * format.pages * } + if$ + } + if$ +} + +FUNCTION {format.booktitle} +{ + booktitle "booktitle" bibinfo.check +} +FUNCTION {format.in.ed.booktitle} +{ format.booktitle duplicate$ empty$ 'skip$ + { +% editor "editor" format.names.ed duplicate$ empty$ 'pop$ % changed by titto + editor "editor" format.names duplicate$ empty$ 'pop$ + { + " " * + get.bbl.editor +% capitalize + "(" swap$ * ") " * + * swap$ + * } + if$ + word.in swap$ * + } + if$ +} +FUNCTION {empty.misc.check} +{ author empty$ title empty$ howpublished empty$ + month empty$ year empty$ note empty$ + and and and and and + key empty$ not and + { "all relevant fields are empty in " cite$ * warning$ } + 'skip$ + if$ +} +FUNCTION {format.thesis.type} +{ type duplicate$ empty$ + 'pop$ + { swap$ pop$ + "t" change.case$ "type" bibinfo.check + } + if$ +} +FUNCTION {format.tr.number} +{ number "number" bibinfo.check + type duplicate$ empty$ + { pop$ bbl.techrep } + 'skip$ + if$ + "type" bibinfo.check + swap$ duplicate$ empty$ + { pop$ "t" change.case$ } + { tie.or.space.prefix * * } + if$ +} +FUNCTION {format.article.crossref} +{ + key duplicate$ empty$ + { pop$ + journal duplicate$ empty$ + { "need key or journal for " cite$ * " to crossref " * crossref * warning$ } + { "journal" bibinfo.check emphasize word.in 
swap$ * } + if$ + } + { word.in swap$ * " " *} + if$ + " \cite{" * crossref * "}" * +} +FUNCTION {format.crossref.editor} +{ editor #1 "{vv~}{ll}" format.name$ + "editor" bibinfo.check + editor num.names$ duplicate$ + #2 > + { pop$ + "editor" bibinfo.check + " " * bbl.etal + * + } + { #2 < + 'skip$ + { editor #2 "{ff }{vv }{ll}{ jj}" format.name$ "others" = + { + "editor" bibinfo.check + " " * bbl.etal + * + } + { + bbl.and space.word + * editor #2 "{vv~}{ll}" format.name$ + "editor" bibinfo.check + * + } + if$ + } + if$ + } + if$ +} +FUNCTION {format.book.crossref} +{ volume duplicate$ empty$ + { "empty volume in " cite$ * "'s crossref of " * crossref * warning$ + pop$ word.in + } + { bbl.volume + capitalize + swap$ tie.or.space.prefix "volume" bibinfo.check * * bbl.of space.word * + } + if$ + editor empty$ + editor field.or.null author field.or.null = + or + { key empty$ + { series empty$ + { "need editor, key, or series for " cite$ * " to crossref " * + crossref * warning$ + "" * + } + { series emphasize * } + if$ + } + { key * } + if$ + } + { format.crossref.editor * } + if$ + " \cite{" * crossref * "}" * +} +FUNCTION {format.incoll.inproc.crossref} +{ + editor empty$ + editor field.or.null author field.or.null = + or + { key empty$ + { format.booktitle duplicate$ empty$ + { "need editor, key, or booktitle for " cite$ * " to crossref " * + crossref * warning$ + } + { word.in swap$ * } + if$ + } + { word.in key * " " *} + if$ + } + { word.in format.crossref.editor * " " *} + if$ + " \cite{" * crossref * "}" * +} +FUNCTION {format.org.or.pub} +{ 't := + "" + address empty$ t empty$ and + 'skip$ + { + t empty$ + { address "address" bibinfo.check * + } + { t * + address empty$ + 'skip$ + { ", " * address "address" bibinfo.check * } + if$ + } + if$ + } + if$ +} +FUNCTION {format.publisher.address} +{ publisher "publisher" bibinfo.warn format.org.or.pub +} + +FUNCTION {format.organization.address} +{ organization "organization" bibinfo.check format.org.or.pub +} + 
+FUNCTION {article}
+{ output.bibitem
+ format.authors "author" output.check
+ add.colon
+ new.block
+ format.title "title" output.check
+ new.block
+ crossref missing$
+ {
+ journal
+ "journal" bibinfo.check
+ "journal" output.check
+ add.blank
+ format.vol.num.pages output
+ format.date "year" output.check
+ }
+ { format.article.crossref output.nonnull
+ format.pages output
+ }
+ if$
+% new.block
+ format.doi output
+ format.url output
+% new.block
+ format.note output
+ fin.entry
+}
+FUNCTION {book}
+{ output.bibitem
+ author empty$
+ { format.editors "author and editor" output.check
+ add.colon
+ }
+ { format.authors output.nonnull
+ add.colon
+ crossref missing$
+ { "author and editor" editor either.or.check }
+ 'skip$
+ if$
+ }
+ if$
+ new.block
+ format.btitle "title" output.check
+ crossref missing$
+ { format.bvolume output
+ new.block
+ new.sentence
+ format.number.series output
+ format.publisher.address output
+ }
+ {
+ new.block
+ format.book.crossref output.nonnull
+ }
+ if$
+ format.edition output
+ format.date "year" output.check
+% new.block
+ format.doi output
+ format.url output
+% new.block
+ format.note output
+ fin.entry
+}
+FUNCTION {booklet}
+{ output.bibitem
+ format.authors output
+ add.colon
+ new.block
+ format.title "title" output.check
+ new.block
+ howpublished "howpublished" bibinfo.check output
+ address "address" bibinfo.check output
+ format.date output
+% new.block
+ format.doi output
+ format.url output
+% new.block
+ format.note output
+ fin.entry
+}
+
+FUNCTION {inbook}
+{ output.bibitem
+ author empty$
+ { format.editors "author and editor" output.check
+ add.colon
+ }
+ { format.authors output.nonnull
+ add.colon
+ crossref missing$
+ { "author and editor" editor either.or.check }
+ 'skip$
+ if$
+ }
+ if$
+ new.block
+ format.btitle "title" output.check
+ crossref missing$
+ {
+ format.bvolume output
+ format.chapter.pages "chapter and pages" output.check
+ new.block
+ new.sentence
+ format.number.series output
+ format.publisher.address output
+ }
+ {
+ format.chapter.pages "chapter and pages" output.check
+ new.block
+ format.book.crossref output.nonnull
+ }
+ if$
+ format.edition output
+ format.date "year" output.check
+% new.block
+ format.doi output
+ format.url output
+% new.block
+ format.note output
+ fin.entry
+}
+
+FUNCTION {incollection}
+{ output.bibitem
+ format.authors "author" output.check
+ add.colon
+ new.block
+ format.title "title" output.check
+ new.block
+ crossref missing$
+ { format.in.ed.booktitle "booktitle" output.check
+ format.bvolume output
+ format.chapter.pages output
+ new.sentence
+ format.number.series output
+ format.publisher.address output
+ format.edition output
+ format.date "year" output.check
+ }
+ { format.incoll.inproc.crossref output.nonnull
+ format.chapter.pages output
+ }
+ if$
+% new.block
+ format.doi output
+ format.url output
+% new.block
+ format.note output
+ fin.entry
+}
+FUNCTION {inproceedings}
+{ output.bibitem
+ format.authors "author" output.check
+ add.colon
+ new.block
+ format.title "title" output.check
+ new.block
+ crossref missing$
+ { format.in.ed.booktitle "booktitle" output.check
+ new.sentence % added by titto
+ format.bvolume output
+ format.pages output
+ new.sentence
+ format.number.series output
+ publisher empty$
+ { format.organization.address output }
+ { organization "organization" bibinfo.check output
+ format.publisher.address output
+ }
+ if$
+ format.date "year" output.check
+ }
+ { format.incoll.inproc.crossref output.nonnull
+ format.pages output
+ }
+ if$
+% new.block
+ format.doi output
+ format.url output
+% new.block
+ format.note output
+ fin.entry
+}
+FUNCTION {conference} { inproceedings }
+FUNCTION {manual}
+{ output.bibitem
+ author empty$
+ { organization "organization" bibinfo.check
+ duplicate$ empty$ 'pop$
+ { output
+ address "address" bibinfo.check output
+ }
+ if$
+ }
+ { format.authors output.nonnull }
+ if$
+ add.colon
+ new.block
+ format.btitle "title" output.check
+ author empty$
+ { organization empty$
+ {
+ address new.block.checka
+ address "address" bibinfo.check output
+ }
+ 'skip$
+ if$
+ }
+ {
+ organization address new.block.checkb
+ organization "organization" bibinfo.check output
+ address "address" bibinfo.check output
+ }
+ if$
+ format.edition output
+ format.date output
+% new.block
+ format.doi output
+ format.url output
+% new.block
+ format.note output
+ fin.entry
+}
+
+FUNCTION {mastersthesis}
+{ output.bibitem
+ format.authors "author" output.check
+ add.colon
+ new.block
+ format.btitle
+ "title" output.check
+ new.block
+ bbl.mthesis format.thesis.type output.nonnull
+ school "school" bibinfo.warn output
+ address "address" bibinfo.check output
+ format.date "year" output.check
+% new.block
+ format.doi output
+ format.url output
+% new.block
+ format.note output
+ fin.entry
+}
+
+FUNCTION {misc}
+{ output.bibitem
+ format.authors output
+ add.colon
+ title howpublished new.block.checkb
+ format.title output
+ howpublished new.block.checka
+ howpublished "howpublished" bibinfo.check output
+ format.date output
+% new.block
+ format.doi output
+ format.url output
+% new.block
+ format.note output
+ fin.entry
+ empty.misc.check
+}
+FUNCTION {phdthesis}
+{ output.bibitem
+ format.authors "author" output.check
+ add.colon
+ new.block
+ format.btitle
+ "title" output.check
+ new.block
+ bbl.phdthesis format.thesis.type output.nonnull
+ school "school" bibinfo.warn output
+ address "address" bibinfo.check output
+ format.date "year" output.check
+% new.block
+ format.doi output
+ format.url output
+% new.block
+ format.note output
+ fin.entry
+}
+
+FUNCTION {proceedings}
+{ output.bibitem
+ editor empty$
+ { organization "organization" bibinfo.check output
+ }
+ { format.editors output.nonnull }
+ if$
+ add.colon
+ new.block
+ format.btitle "title" output.check
+ format.bvolume output
+ editor empty$
+ { publisher empty$
+ { format.number.series output }
+ {
+ new.sentence
+ format.number.series output
+ format.publisher.address output
+ }
+ if$
+ }
+ { publisher empty$
+ {
+ new.sentence
+ format.number.series output
+ format.organization.address output }
+ {
+ new.sentence
+ format.number.series output
+ organization "organization" bibinfo.check output
+ format.publisher.address output
+ }
+ if$
+ }
+ if$
+ format.date "year" output.check
+% new.block
+ format.doi output
+ format.url output
+% new.block
+ format.note output
+ fin.entry
+}
+
+FUNCTION {techreport}
+{ output.bibitem
+ format.authors "author" output.check
+ add.colon
+ new.block
+ format.title
+ "title" output.check
+ new.block
+ format.tr.number output.nonnull
+ institution "institution" bibinfo.warn output
+ address "address" bibinfo.check output
+ format.date "year" output.check
+% new.block
+ format.doi output
+ format.url output
+% new.block
+ format.note output
+ fin.entry
+}
+
+FUNCTION {unpublished}
+{ output.bibitem
+ format.authors "author" output.check
+ add.colon
+ new.block
+ format.title "title" output.check
+ format.date output
+% new.block
+ format.url output
+% new.block
+ format.note "note" output.check
+ fin.entry
+}
+
+FUNCTION {default.type} { misc }
+READ
+FUNCTION {sortify}
+{ purify$
+ "l" change.case$
+}
+INTEGERS { len }
+FUNCTION {chop.word}
+{ 's :=
+ 'len :=
+ s #1 len substring$ =
+ { s len #1 + global.max$ substring$ }
+ 's
+ if$
+}
+FUNCTION {sort.format.names}
+{ 's :=
+ #1 'nameptr :=
+ ""
+ s num.names$ 'numnames :=
+ numnames 'namesleft :=
+ { namesleft #0 > }
+ { s nameptr
+ "{ll{ }}{ ff{ }}{ jj{ }}"
+ format.name$ 't :=
+ nameptr #1 >
+ {
+ " " *
+ namesleft #1 = t "others" = and
+ { "zzzzz" * }
+ { t sortify * }
+ if$
+ }
+ { t sortify * }
+ if$
+ nameptr #1 + 'nameptr :=
+ namesleft #1 - 'namesleft :=
+ }
+ while$
+}
+
+FUNCTION {sort.format.title}
+{ 't :=
+ "A " #2
+ "An " #3
+ "The " #4 t chop.word
+ chop.word
+ chop.word
+ sortify
+ #1 global.max$ substring$
+}
+FUNCTION {author.sort}
+{ author empty$
+ { key empty$
+ { "to sort, need author or key in " cite$ * warning$
+ ""
+ }
+ { key sortify }
+ if$
+ }
+ { author sort.format.names }
+ if$
+}
+FUNCTION {author.editor.sort}
+{ author empty$
+ { editor empty$
+ { key empty$
+ { "to sort, need author, editor, or key in " cite$ * warning$
+ ""
+ }
+ { key sortify }
+ if$
+ }
+ { editor sort.format.names }
+ if$
+ }
+ { author sort.format.names }
+ if$
+}
+FUNCTION {author.organization.sort}
+{ author empty$
+ { organization empty$
+ { key empty$
+ { "to sort, need author, organization, or key in " cite$ * warning$
+ ""
+ }
+ { key sortify }
+ if$
+ }
+ { "The " #4 organization chop.word sortify }
+ if$
+ }
+ { author sort.format.names }
+ if$
+}
+FUNCTION {editor.organization.sort}
+{ editor empty$
+ { organization empty$
+ { key empty$
+ { "to sort, need editor, organization, or key in " cite$ * warning$
+ ""
+ }
+ { key sortify }
+ if$
+ }
+ { "The " #4 organization chop.word sortify }
+ if$
+ }
+ { editor sort.format.names }
+ if$
+}
+FUNCTION {presort}
+{ type$ "book" =
+ type$ "inbook" =
+ or
+ 'author.editor.sort
+ { type$ "proceedings" =
+ 'editor.organization.sort
+ { type$ "manual" =
+ 'author.organization.sort
+ 'author.sort
+ if$
+ }
+ if$
+ }
+ if$
+ " "
+ *
+ year field.or.null sortify
+ *
+ " "
+ *
+ title field.or.null
+ sort.format.title
+ *
+ #1 entry.max$ substring$
+ 'sort.key$ :=
+}
+ITERATE {presort}
+SORT
+STRINGS { longest.label }
+INTEGERS { number.label longest.label.width }
+FUNCTION {initialize.longest.label}
+{ "" 'longest.label :=
+ #1 'number.label :=
+ #0 'longest.label.width :=
+}
+FUNCTION {longest.label.pass}
+{ number.label int.to.str$ 'label :=
+ number.label #1 + 'number.label :=
+ label width$ longest.label.width >
+ { label 'longest.label :=
+ label width$ 'longest.label.width :=
+ }
+ 'skip$
+ if$
+}
+EXECUTE {initialize.longest.label}
+ITERATE {longest.label.pass}
+FUNCTION {begin.bib}
+{ preamble$ empty$
+ 'skip$
+ { preamble$ write$ newline$ }
+ if$
+ "\begin{thebibliography}{" longest.label * "}" *
+ write$ newline$
+ "\providecommand{\url}[1]{\texttt{#1}}"
+ write$ newline$
+ "\providecommand{\urlprefix}{URL }"
+ write$ newline$
+ "\providecommand{\doi}[1]{https://doi.org/#1}"
+ write$ newline$
+}
+EXECUTE {begin.bib}
+EXECUTE {init.state.consts}
+ITERATE {call.type$}
+FUNCTION {end.bib}
+{ newline$
+ "\end{thebibliography}" write$ newline$
+}
+EXECUTE {end.bib}
+%% End of customized bst file
+%%
+%% End of file `titto.bst'.