add results for bpv

This commit is contained in:
Arthur Grisel-Davy 2023-08-01 16:26:16 -04:00
parent fee0323ee1
commit 66397ac8d5
3 changed files with 52 additions and 15 deletions


@ -176,24 +176,42 @@ The distance of each new trace to the reference average is computed and compared
If the distance is above the pre-computed threshold, the new trace is considered anomalous.
\subsection{Results}
We evaluated the \gls{bpv} on three occasions.
We evaluated the \gls{bpv} on two occasions.
First, we assembled a panel of relevant devices, including switches, \gls{wap} and \gls{pc}.
The evaluations revealed that the \gls{bpv} performed better on simpler devices like switches and \gls{wap} compared to general-purpose computers.
This is mainly due to the reduced variability and noise in the traces captured from simpler devices that produce a more robust model.
This first study leads to the publication of a work-in-progress paper in the EMSOFT 2022 conference \cite{grisel2022work} that describes the design and capabilities of the \gls{bpv} in its first version.
Then, we performed a case study with an industry partner on \gls{rtu}.
The \gls{rtu} was composed of one low-complexity embedded system and one main general-purpose computer.
The computer's activity overtook most of the other information in the trace and made it more difficult to detect subtle variations.
However, the \gls{bpv} could still detect intrusions in the computer from the global trace.
For example, a user modifying some settings through the \gls{bios} or booting into a different \gls{os} was detected.
This case study revealed that some systems could have multiple valid modes of the boot sequence.
This discovery enabled us to rethink the model of the \gls{bpv} to allow such variations.
We performed the final evaluation on a drone.
%Then, we performed a case study with an industry partner on \gls{rtu}.
%The \gls{rtu} was composed of one low-complexity embedded system and one main general-purpose computer.
%The computer's activity overtook most of the other information in the trace and made it more difficult to detect subtle variations.
%However, the \gls{bpv} could still detect intrusions in the computer from the global trace.
%For example, a user modifying some settings through the \gls{bios} or booting into a different \gls{os} was detected.
%This case study revealed that some systems could have multiple valid modes of the boot sequence.
%This discovery enabled us to rethink the model of the \gls{bpv} to allow such variations.
We performed the second evaluation on a drone.
A drone is a prime machine for the \gls{bpv} as its low complexity allows for consistent boot traces.
We successfully detected different firmware versions by leveraging the information from the two previous experiments.
Along the evaluations, the \gls{bpv} capabilities have been modified to adapt to specific cases and enable anomalous training samples, multi-model evaluations, and autonomous learning.
\agd{add results}
\begin{table}[ht]
\centering
\begin{tabular}{lccc}
\toprule
\textbf{Test Case} & \textbf{Experiment} & \textbf{F1 Score} \tabularnewline
\toprule
\multirow{4}*{Network Devices} & TP-Link switch & 0.87\tabularnewline
& HP switch & 0.98 \tabularnewline
& Asus Router & 1.00\tabularnewline
& Linksys Router & 0.92\tabularnewline
\midrule
\multirow{4}*{Drone} & Original & 1.00\tabularnewline
& Compiled & 1.00\tabularnewline
& Low Battery & 1.00\tabularnewline
& Bootloader Bug & 1.00\tabularnewline
\bottomrule
\end{tabular}
\label{tab:fw-results}
\end{table}
\newpage
\section{State Detection and Segmentation}
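Review bot: the prose and the new table are inconsistent after this change. The sentence "We evaluated the \gls{bpv} on two occasions." is paired with a later "by leveraging the information from the two previous experiments", but with the \gls{rtu} case study now commented out there is only one previous experiment, so one of the two counts is wrong; either reinstate the \gls{rtu} paragraph (it is still present as a commented block, which also clutters the source) or fix the count. The `\agd{add results}` marker is still in place even though the results table now follows it; replace it with a sentence that actually references `Table~\ref{tab:fw-results}`, since the table is otherwise never cited. The table itself has no `\caption`, so `\label{tab:fw-results}` will bind to the enclosing section counter rather than a table number and the float will render untitled; add a caption before the label. The column spec `\begin{tabular}{lccc}` declares four columns while the header and every row supply three, so drop one `c`. Finally, `\toprule` is used twice, once above and once below the header; the rule under the header should be `\midrule` per booktabs convention.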