update

PhD/seminar/seminar.typ

@@ -12,7 +12,7 @@
 
 #title-slide(
   author: [Arthur Grisel-Davy],
-  title: "Seminar: Process-Power Consistency as Sanity Check",
+  title: "Process List Verification with Power Analysis",
   subtitle: "Subtitle",
   date: "September 2024",
   extra: ""
@@ -29,28 +29,15 @@
 #slide(title:"State of the IDS")[
   // Process masquerading is trivialy posible and used by many attacks (Mitre AttCK list)
 
-#line-by-line[
-- #text(weight:"bold")[Known Attacks] #cite(label("mitre_masquerade"), supplement:"MITRE"): AcroRD32.exe (Adobe), kb-10233.exe (Windows Update), mfevtpse.exe (McAfee).
-- #text(weight:"bold")[Technics:]
- - #box(baseline: 60%, height:2em, image("images/linux.svg", height:100%)): Bind Mounts @mount, #text(fill:red)[find more]
-
-
- - #box(baseline: 60%, height:2em, image("images/windows.svg", height:100%)): msdtc.exe , #text(fill:red)[find more]
+#text(weight:"bold")[Known Attacks:]
+- AcroRD32.exe (Adobe), kb-10233.exe (Windows Update), mfevtpse.exe (McAfee).
+- Azazel Rootkit
+- Adore-ng Rootkit
+- DLL Injections (in explorer.exe)
+- Direct Kernel Object Manipulation (FU Rootkit)
+- Hooking System Calls (t0rn Rootkit)
 ]
 
-]
-
-
-#slide(title:"State of the IDS")[
-  // Countermeasure to process masquerading
-Listed by MITRE|ATT&CK:
-- Monitor OS API Calls (e.g. forks)
-- Monitor process creation source.
-Listed by Red Canary:
-- Heuristic on process properties (name, location, etc.)
-
-#uncover(2)[#align(center)[#text(fill:red, weight:"bold")[All Host-Based Methods!]]]
-]
 
 #slide(title:"State of the IDS")[
   #align(center)[
@@ -78,10 +65,10 @@ You should not trust data comming from a the device to protect, it might have be
 // Why is it correlated with the process list
 // Why is it the best/most practical side-channel
 Power is: 
-- Easy to measure (at high sampling rate)
+- Easy & cheap to measure (at high sampling rate)
 - Position independant
-- Ubiquitus
-- Scaling from global to granular
+- Ubiquitous
+// - Scaling from global to granular
 ]
 
 #slide(title: "Problem Statement")[
@@ -101,7 +88,7 @@ Power is:
 #slide(title:"Input Data - Power")[
 - Cable current #sym.arrow current clamp #sym.arrow ADC #sym.arrow server
 - Capure: 10ksps
-- Downsample: 2 SPS with average and median aggregation. #text(red)[check the specifics]
+- Downsample: 2 SPS with average and median aggregation.
 ]
 
 
@@ -111,7 +98,7 @@ Power is:
 
 #slide(title: "Input Data - Processes")[
 
-#for i in range(10){
+#for i in range(9){
     [#only(i+1)[#image("images/processes_"+str(i+1)+".svg", height:100%)]]
 }
 
@@ -171,11 +158,20 @@ Power is:
   #only(2)[#align(center)[#image("images/states_ts.svg", height:100%)]]
 ]
 
-#slide(title:"Future Works")[
- - Collect more and better data.
- - Developp a benchmark for attack detection.
-]
+#slide(title:"Conclusion and Future Works")[
 
-#slide(title:"Bibliography")[
-  #bibliography("biblio.yml")
+#text(weight:"bold")[Conclusion:]
+ - Exploitable relationship processes-power
+ - Many applicable methods #sym.arrow robustness
+ - Large range of targets
+
+#uncover(2)[
+#text(weight:"bold")[Next Steps:]
+ - Collect more and better data
+ - Try methods on other devices
+ - Developp a benchmark for attack detection
+ - Decomposition Approach
+   - Extract process information from decomposed abnormal time series
+   - Benchmark against MLP approach
+]
 ]