diff --git a/DSD/qrs/biblio.bib b/DSD/qrs/biblio.bib
index 80668b0..070813b 100644
--- a/DSD/qrs/biblio.bib
+++ b/DSD/qrs/biblio.bib
@@ -610,7 +610,25 @@ series = {CoDS COMAD 2020}
}
@misc{sleep_states,
-title={Sleep States Description: },
+title={Sleep States Description},
url={https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/system-sleeping-states},
year={2023},
}
+
+
+@misc{mitre_crypto,
+ title={Mitre ATT\&CK - T1496 Resource Hijacking},
+ url = {https://attack.mitre.org/versions/v13/techniques/T1496/},
+}
+@misc{mitre_botnet,
+ title={Mitre ATT\&CK - T1583.005 Acquire Infrastructure: Botnet},
+ url = {https://attack.mitre.org/versions/v13/techniques/T1583/005/},
+}
+@misc{mitre_prevent,
+ title={Mitre ATT\&CK - T1562.001 Impair Defenses: Disable or Modify Tools},
+ url = {https://attack.mitre.org/versions/v13/techniques/T1562/001/},
+}
+@misc{mitre_ransomware,
+ title={Mitre ATT\&CK - T1486 Data Encrypted for Impact},
+ url = {https://attack.mitre.org/versions/v13/techniques/T1486/},
+}
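Review bot: The four new @misc entries carry no `year` or `urldate` field, whereas the `sleep_states` entry they follow records `year={2023}`; a web citation without an access date is hard to verify once the page changes, so each entry should get `urldate = {<access date>},` (and a `year` when known). Pinning the URLs to `/versions/v13/` is the right choice because technique pages change between ATT\&CK versions, but the title should then say which version was consulted, e.g. `title={MITRE ATT\&CK v13 - T1496 Resource Hijacking}`, and the project brand is spelled MITRE, not Mitre. Field spacing is also inconsistent within each entry (`title={` next to `url = {`), which is minor but worth aligning with the surrounding file.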
diff --git a/DSD/qrs/images/2w_experiment.pdf b/DSD/qrs/images/2w_experiment.pdf
new file mode 100644
index 0000000..fc0522a
Binary files /dev/null and b/DSD/qrs/images/2w_experiment.pdf differ
diff --git a/DSD/qrs/images/2w_experiment.svg b/DSD/qrs/images/2w_experiment.svg
index 115e9b4..5cff0e5 100644
--- a/DSD/qrs/images/2w_experiment.svg
+++ b/DSD/qrs/images/2w_experiment.svg
@@ -2,12 +2,12 @@
+ transform="translate(-25.925243,-96.337988)">
0
+ y="105.39599">0
4
+ y="105.39599">4
8
+ y="105.39599">8
12
+ y="105.39599">12
16
+ y="105.39599">16
20
+ y="105.39599">20
24
+ y="105.39599">24
Work Hours
+ y="162.5531">Work Hours
+ style="fill:#ffe680;stroke-width:0.669568;stroke-linecap:round;stroke-linejoin:round"
+ d="m 480.05162,152.04333 78.4472,0.0495 v 1.44799 11.63273 l -78.4472,-0.0939 z"
+ sodipodi:nodetypes="cccccc" />
Maintenance
+ y="162.4709">Maintenance
+ d="m 103.9744,152.09723 113.62356,-0.0539 h 0.008 v 13.07631 l -113.63109,0.0539 z"
+ sodipodi:nodetypes="cccccc" />
Sleep
+ y="161.89915">Sleep
Sleep
+ y="161.92709">Sleep
Establishedtimetable
Rules
-
1
+ style="font-size:12px;stroke-width:0.264583"
+ x="157.85608"
+ y="195.06633">1
1
- 1
+ style="font-size:12px;stroke-width:0.264583"
+ x="441.99997"
+ y="195.06633">1
2
3
1: Device should be in "sleep" state.2: Exactly one "reboot" occurence and no "high" occurence.3: There should not be "high" states for more than 2m.4: No "reboot" occurence.
- 4
+ style="font-size:12px;stroke-width:0.264583"
+ x="309.46637"
+ y="195.10233">4
UTC
+ style="font-size:12px;stroke-width:0.264583"
+ x="25.745243"
+ y="105.08312"
+ id="tspan3242">Time
4
- 8
- 12
- 16
- 20
- 24
- EST
- 4
- 0
+ y="126.33556">0
Compressed
+ style="font-size:12px;stroke-width:0.264583"
+ x="25.745243"
+ y="126.0227"
+ id="tspan612">CompressedTime
4
+ y="126.41959">4
1
+ y="126.38358">1
2
+ y="126.4136">2
3
+ y="126.33556">3
diff --git a/DSD/qrs/main.tex b/DSD/qrs/main.tex
index c793a48..48a9849 100644
--- a/DSD/qrs/main.tex
+++ b/DSD/qrs/main.tex
@@ -596,7 +596,7 @@ The scenario comprises 4 phases:
\begin{figure}
\centering
\includegraphics[width=0.49\textwidth]{images/2w_experiment.pdf}
-\caption{Overview of the scenario and rules for the Second case study.}
+\caption{Overview of the scenario and rules for the second case study.}
\label{fig:2w_experiment}
\end{figure}
@@ -622,25 +622,21 @@ The rules are formaly defined using the \gls{stl} syntax which is bespoke for de
\begin{table*}
\centering
- \begin{tabular}{p{0.03\textwidth} | p{0.20\textwidth} | p{0.47\textwidth} | p{0.20\textwidth}}
+ \begin{tabular}{p{0.03\textwidth} | p{0.25\textwidth} | p{0.37\textwidth} | p{0.25\textwidth}}
Rule & Description & STL Formula & Threat\\
\toprule
- 1 & "SLEEP" state only & $R_1 := \square_{[0,1h]\cup [2h40,3h20]}(SLEEP=1)$ & Machine takeover, Botnet, Rogue Employee\\
- 2 & Exactly one occurence of "REBOOT" & $R_2 := \lozenge(REBOOT_{[t]}=1) \cup (\neg \square_{[,2h40]}(REBOOT=1)$ & \gls{apt}, Backdoors\\
- 3 & No "HIGH" state for more than 30s. & $R_3 := \square (HIGH_{[t_0]}=1 \rightarrow \lozenge_{[t_0,t_0+30s]}(HIGH_{[t]}=0))$ & CryptoMining Malware, Ransomware, BotNet\\
- 4 & No "REBOOT" occurence. & $R_4 := \neg \square_{[1h,2h40]}(REBOOT_{[t]}=1)$ & Malware Installation\\
+ 1 & "SLEEP" state only & $R_1 := \square_{[0,1h]\cup [2h40,3h20]}(s[t]=0)$ & Machine takeover, Botnet\cite{mitre_botnet}, Rogue Employee\\
+ 2 & Exactly one occurence of "REBOOT" & $R_2 := \lozenge(s[t]=3) \cup (\neg \square_{[,2h40]}(s[t]=3)$ & \gls{apt}\cite{mitre_prevent}, Backdoors\\
+ 3 & No "HIGH" state for more than 30s. & $R_3 := \square (s[t_0]=2 \rightarrow \lozenge_{[t_0,t_0+30s]}(s[t]=2))$ & CryptoMining Malware \cite{mitre_crypto}, Ransomware\cite{mitre_ransomware}, BotNet\cite{mitre_botnet}\\
+ 4 & No "REBOOT" occurence. & $R_4 := \neg \square_{[1h,2h40]}(s[t]=3)$ & Malware Installation\\
\bottomrule
\end{tabular}
- \caption{Characteristics of the machines in the evaluation dataset.}
+ \caption{Security rules applied to the detected states of the machine. $s[t]$ represent the label at time $t$.}
\label{tab:rules}
\end{table*}
-\agd{add MITRE references for each threat}
-\agd{fix stl formulas to use labels and not states name}
-\subsection{Dataset}
-
\subsection{Results}
\section{Discussion}\label{sec:discussion}
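Review bot: The rewritten formula in the row for rule 3 inverts the rule: `\lozenge_{[t_0,t_0+30s]}(s[t]=2)` asks that HIGH recur within 30 s of being HIGH, which holds trivially at t_0, whereas the removed `HIGH_{[t]}=0` required leaving HIGH; the cell should read `$R_3 := \square (s[t_0]=2 \rightarrow \lozenge_{[t_0,t_0+30s]}(s[t]\neq 2))$`. By the same reading R_4 looks like it should be `$R_4 := \square_{[1h,2h40]}(s[t]\neq 3)$` if the intent is no reboot at any instant of the window (the present `\neg\square(\dots=3)` only forbids rebooting throughout), and R_2 still has an unbalanced parenthesis and a `\cup` where a conjunction seems meant, both carried over from the old rows. The regenerated 2w_experiment.svg earlier in this diff labels rule 3 with "more than 2m" while the table row says 30s, so one of the two appears stale. The new caption should also state the label encoding the formulas depend on (from the rows: 0 = SLEEP, 2 = HIGH, 3 = REBOOT; 1 presumably the remaining state, to be confirmed) and `represent` should be `represents`; with booktabs in use, `\toprule` belongs above the header row with `\midrule` below it, the straight double quotes around state names should be LaTeX quotes (``SLEEP''), and `occurence` is misspelled in two rows.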