grizzly/deneir
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

gramarly futurwork

Browse source
This commit is contained in:
Arthur Grisel-Davy 2023-10-02 09:39:02 -04:00
parent 548337df0d
commit cf15a444a1
2 changed files with 33 additions and 34 deletions
Download patch file Download diff file Expand all files Collapse all files

65
PhD/research_proposal/futurwork.tex
View file

@ -1,24 +1,24 @@
\chapter{Planned Work}\label{chap:futurwork} \chapter{Planned Work}\label{chap:futurwork}
All the work achieved in the preliminary work serves as the foundation for the planned work. All the work achieved in the preliminary work serves as the foundation for the planned work.
The thesis will focus on the state detection problem under various input data and detection requirements. The thesis will focus on the state detection problem under various input data and detection requirements.
Detecting the state of a system constitute a stepping stone in the construction of specialized tools for physics-based security. Detecting the state of a system constitutes a stepping stone in the construction of specialized tools for physics-based security.
As illustrated by the \gls{sds} and \gls{bpv}, the detection of specific attacks often relies on the ability to pre-process the time series to find sections of interest. As illustrated by the \gls{sds} and \gls{bpv}, the detection of specific attacks often relies on the ability to pre-process the time series to find sections of interest.
In this sense, solving the state detection problem enables a deeper investigation of power consumption by making the data actionable. In this sense, solving the state detection problem enables a deeper investigation of power consumption by making the data actionable.
The different machines and data measurement designs lead to different problems to solve and different detection capabilities. The different machines and data measurement designs lead to different problems to solve and different detection capabilities.
This chapter described the problems to study with their problem statement as well as the motivations and expected results. This chapter described the problems to study with their problem statement as well as the motivations and expected results.
The problems are discretized based on the input data and measured machines that constitute the power trace. The problems are discretized based on the input data and measured machines that constitute the power trace.
A single sensor only measure the power flowing through one cable. A single sensor only measures the power flowing through one cable.
It is possible to combine sensores to measure multiple related consumptions --- for example, the consumptions of different components in the same machine. It is possible to combine sensors to measure multiple related consumptions --- for example, the consumptions of different components in the same machine.
In this case, the problem is called \textit{multi-measure} and the resulting input data is multivariate trace. In this case, the problem is called \textit{multi-measure}, and the resulting input data is a multivariate trace.
It is also possible to place the sensor on a power cable that provide power to multiple machines. It is also possible to place the sensor on a power cable that provides power to multiple machines.
In this case, the problem is called \textit{multi-sources} and the resulting input data is an aggregate of multiple traces. In this case, the problem is called \textit{multi-sources}, and the resulting input data is an aggregate of multiple traces.
The difference between machines and components is a fine and blury line as the description of a machine often fits individual components. The difference between machines and components is a fine and blurry line, as the description of a machine often fits individual components.
In this thesis, a component is a system that expects instructions from a central unit while a machine run its own software. In this thesis, a component is a system that expects instructions from a central unit while a machine runs its own software.
For example, at a macroscopic scale, a graphics card does not take the initiative on its own to run any software and expect instructions from the rest of the \gls{pc}. For example, at a macroscopic scale, a graphics card does not take the initiative on its own to run any software and expect instructions from the rest of the \gls{pc}.
Figure~\ref{fig:map} present an overview of the three main problems developped in this chapter. Figure~\ref{fig:map} presents an overview of the three main problems developed in this chapter.
Each problem present a variation in the input data, but they all share the same goal of activity detection. Each problem presents a variation in the input data, but they all share the same goal of activity detection.
\begin{figure} \begin{figure}
\centering \centering
@ -34,10 +34,10 @@ The global state are usualy \textit{OFF}, \textit{ON}, \textit{BOOT}, \textit{HI
Depending on the machine, other states like \textit{FIRMWARE FLASH}, \textit{SLEEP} or a specific activity mode can also be detected. Depending on the machine, other states like \textit{FIRMWARE FLASH}, \textit{SLEEP} or a specific activity mode can also be detected.
The experiments focus on the deployment to general-purpose computers, network switches, and \gls{wap}/routers. The experiments focus on the deployment to general-purpose computers, network switches, and \gls{wap}/routers.
In the next months, the goal for the \gls{dsd} is to evaluate the performances of the runtime state detection in broaders and more exhaustives conexts. In the next months, the goal for the \gls{dsd} is to evaluate the performances of the runtime state detection in broader and more exhaustive contexts.
The current accuracy and edit distance performances (see Figure \ref{fig:dsd_acc}) illustrate the capabilities of the \gls{dsd} for the detection of well defined states --- i.e. states associated with a striking variation of average power consumption. The current accuracy and edit distance performances (see Figure \ref{fig:dsd_acc}) illustrate the capabilities of the \gls{dsd} for the detection of well-defined states --- i.e. states associated with a striking variation of average power consumption.
However, in order to provide a useful and reliable runtime labeling of the a machine's activity, the \gls{dsd} must achieve similar results with a more diverse selection of states. However, in order to provide a useful and reliable runtime labelling of the machine's activity, the \gls{dsd} must achieve similar results with a more diverse selection of states.
The work on \gls{dsd} is the fundation for the planned development of more specific applications of the same principle of physics-based monitoring. The work on \gls{dsd} is the foundation for the planned development of more specific applications of the same principle of physics-based monitoring.
\begin{figure} \begin{figure}
\centering \centering
@ -49,8 +49,8 @@ The work on \gls{dsd} is the fundation for the planned development of more speci
\section{Single-Source, Multi-Measure} \section{Single-Source, Multi-Measure}
The global power consumption of a machine does not fully describe its activity. The global power consumption of a machine does not fully describe its activity.
In an embedded system, the power consumption can be attributed to different components, each with its specific activity. In an embedded system, the power consumption can be attributed to different components, each with its specific activity.
For the simplest systems performing one specific task, the activity of each component is often correlate with each other. For the simplest systems performing one specific task, the activity of each component is often correlated with each other.
If the system is in a Mode \textit{A} then each component is in Mode \textit{A}, and the global power consumption will display the Mode \textit{A} pattern. If the system is in a Mode \textit{A}, then each component is in Mode \textit{A}, and the global power consumption will display the Mode \textit{A} pattern.
For more complex systems, different components can be in different modes to accommodate the multi-tasking nature of the global activity. For more complex systems, different components can be in different modes to accommodate the multi-tasking nature of the global activity.
In this case, if the first component is in Mode \textit{A} but the second is in Mode \textit{B}, this indicates a different global activity than if both are in the same mode. In this case, if the first component is in Mode \textit{A} but the second is in Mode \textit{B}, this indicates a different global activity than if both are in the same mode.
For example, if the bootup sequence of a general-purpose computer shows a significant \gls{cpu} activity but no \gls{hdd} activity, it could indicate a failure to boot or an attacker booting the system from external storage. For example, if the bootup sequence of a general-purpose computer shows a significant \gls{cpu} activity but no \gls{hdd} activity, it could indicate a failure to boot or an attacker booting the system from external storage.
@ -71,9 +71,9 @@ $ts$ is composed of $n$ dimensions with the $j^{th}$ dimension referred to as $t
Each sample $ts[i]$ is a vector or $n$ component representing the value of each dimension of $t$ at a point in time. Each sample $ts[i]$ is a vector or $n$ component representing the value of each dimension of $t$ at a point in time.
The items of the set $P$ are sets of patterns $P_j$ with $j\in[1,m]$. The items of the set $P$ are sets of patterns $P_j$ with $j\in[1,m]$.
Each set of patterns $P_j$ is associated with one component of a global pattern. Each set of patterns $P_j$ is associated with one component of a global pattern.
In other words, each component $P_{j,k}$ represent a the pattern $j$ along the $k^{th}$ dimension of $ts$. In other words, each component $P_{j,k}$ represent a pattern $j$ along the $k^{th}$ dimension of $ts$.
Thus, the number of components of each pattern must be equal to the dimensions of $ts$. Thus, the number of components of each pattern must be equal to the dimensions of $ts$.
Figure \ref{fig:notation} illustrate the $ts$ and $P$ objects. Figure \ref{fig:notation} illustrates the $ts$ and $P$ objects.
\begin{figure} \begin{figure}
\centering \centering
@ -83,14 +83,12 @@ Figure \ref{fig:notation} illustrate the $ts$ and $P$ objects.
\end{figure} \end{figure}
\subsection{Applications} \subsection{Applications}
The multi-measure setup present two potential benefits that will be investigated in this thesis. The multi-measure setup presents two potential benefits that will be investigated in this thesis.
First, correlated information could allows for a more robust detection mechanism. First, correlated information could enable a more robust detection mechanism.
If all components of a machine display behaviours associated with the same global activity, the detection confidence could improve compared with the global consumption only. If all components of a machine display behaviours associated with the same global activity, the detection confidence could improve compared with the global consumption only.
Second, multiple measures could enable a more granular activity detection. Second, multiple measures could enable a more granular activity detection.
With the power consumption measurement of multiple components available, every combination of component's activity can be associated with a different global activity. With the power consumption measurement of multiple components available, every combination of component's activity can be associated with a different global activity.
These changes would allow for detecting potentially anomalous combinations of states and for a better understanding of the machine's behaviour. These changes would allow for detecting potentially anomalous combinations of states and better understanding the machine's behaviour.
\sfm{Because we address embedded stsrems, somewhere discuss the problem of actuators distorting the power trace (e.g., fans, motors, etc). You can link that to the MSSM problem.}
The typical application of this technology would concern general-purpose computers or medium-complexity systems with multiple internal components. The typical application of this technology would concern general-purpose computers or medium-complexity systems with multiple internal components.
These machines are typically difficult to profile with global consumption as each component influences the measure in a different way. These machines are typically difficult to profile with global consumption as each component influences the measure in a different way.
@ -103,7 +101,7 @@ If the Single-Source Multi-Measure was looking \textit{in} a machine to get more
In a context where measuring the consumption of individual machines is not possible, the problem of disambiguation arises. In a context where measuring the consumption of individual machines is not possible, the problem of disambiguation arises.
Signal disambiguation is the ability to identify the source of each component signal from a single aggregated signal. Signal disambiguation is the ability to identify the source of each component signal from a single aggregated signal.
This is a difficult problem as the different sources can affect each other, sometimes in a non-linear way. This is a difficult problem as the different sources can affect each other, sometimes in a non-linear way.
Figure \ref{fig:mssm_illustration} illustrate the aggregation of multiple consumption sources in a single measurement. Figure \ref{fig:mssm_illustration} illustrates the aggregation of multiple consumption sources in a single measurement.
\begin{figure} \begin{figure}
\centering \centering
@ -129,11 +127,11 @@ The operator $\oplus$ is the aggregation function, generally the summation or ca
The MSSM problem can be expressed as a combination of $k$ SSSM problems with a different input time series. The MSSM problem can be expressed as a combination of $k$ SSSM problems with a different input time series.
Because the input is an aggregated time series, the patterns describing an activity may not appear similarly in the input. Because the input is an aggregated time series, the patterns describing an activity may not appear similarly in the input.
These patterns may be distorded by the aggregation with another pattern from another source. The aggregation with another pattern from another source may distort these patterns.
The main hurdle when developping a solution for the MSSM problem will be to correctly identify the distorded patterns when having access to all possible distortion sources (the other patterns). The main hurdle when developing a solution for the MSSM problem will be correctly identifying the distorted patterns when accessing all possible distortion sources (the other patterns).
\subsection{Applications} \subsection{Applications}
The successful design of a Multi-source Single-Measure monitoring system would finds its best application in an industrial setting. The successful design of a Multi-source Single-Measure monitoring system would find its best application in an industrial setting.
Any industry that relies on many simple embedded systems to reliably perform a task can benefit from a monitoring system that is minimally disruptive to install. Any industry that relies on many simple embedded systems to reliably perform a task can benefit from a monitoring system that is minimally disruptive to install.
For example, an assembly line can leverage hundreds of conveyor belt drivers, robotic arms, or quality assessment points. For example, an assembly line can leverage hundreds of conveyor belt drivers, robotic arms, or quality assessment points.
Each type of system is simple in its design and task. Each type of system is simple in its design and task.
@ -145,14 +143,15 @@ The MSMM problem is a combination of the previous ones for which a clear applica
In an MSMM context, multiple capture systems would each measure an aggregate power consumption to form a multivariate time series. In an MSMM context, multiple capture systems would each measure an aggregate power consumption to form a multivariate time series.
Each dimension of this time series would incorporate the consumption of one or more individual components. Each dimension of this time series would incorporate the consumption of one or more individual components.
As long as the capture architecture (i.e., what machine is monitored by which capture system) is known, the analysis is a combination of the methods previously presented. As long as the capture architecture (i.e., what machine is monitored by which capture system) is known, the analysis is a combination of the methods previously presented.
In the case where the capture architecture is unknown, the problem become out of scope for this thesis. When the capture architecture is unknown, the problem becomes out of scope for this thesis.
\section{Conclusion} \section{Conclusion}
The main problem is conceptually simple: identify machine activity from their power consumption to detect abnormal or forbidden activities. The main problem is conceptually simple: identify machine activity from their power consumption to detect abnormal or forbidden activities.
The ability to interpret power consumption time series as higher-level events enables the definition of security-related rules. The ability to interpret power consumption time series as higher-level events enables the definition of security-related rules.
The simplest form of this problem consist in measuring the global consumption of one simple devices as a univariate time-series (SSSM problem). This problem's simplest form is measuring one single device's global consumption as a univariate time series (SSSM problem).
This problem lead to the developement of the \gls{dsd} which can already recognize some activity patterns from a machine. This problem leads to the development of the \gls{dsd}, which can already recognize some activity patterns from a machine.
However, the potential of this idea does no stop at the SSSM problem. However, the potential of this idea continues beyond the SSSM problem.
By capturing multiple consumptions from specific components from a machine (MSSM problem), the detection algorithm should support the detection of more granular activity. By capturing multiple consumptions from specific components from a machine (MSSM problem), the detection algorithm should support the detection of more granular activity.
Complementarily, measuring the aggregated consumption of multiple machines as a single time series offers powerfull applications. Complementarily, measuring the aggregated consumption of multiple machines as a single time series offers powerful applications.
Each of these problems require a different aproach and enable different applications. Each of these problems requires a different approach and enables different applications.

2
PhD/research_proposal/pastwork.tex
View file

@ -398,7 +398,7 @@ The \gls{bpv} and \gls{dsd} algorithms propose approaches to the problems of boo
These two complementary aspects represent a large area of the attack surface of a typical embedded system. These two complementary aspects represent a large area of the attack surface of a typical embedded system.
The unique properties of host independence and unforgeability of the input data make the physics-based \gls{ids} a promising complement for any security suite. The unique properties of host independence and unforgeability of the input data make the physics-based \gls{ids} a promising complement for any security suite.
More work is obviously required. More work is required.
The main point of interest is to evaluate the performance of the \gls{dsd} to make it as versatile and reliable as possible. The main point of interest is to evaluate the performance of the \gls{dsd} to make it as versatile and reliable as possible.
From the xPSU project, we understood that a more granular measurement of the power consumption could be beneficial in detecting specific attacks and enabling root cause analysis instead of basic anomaly detection. From the xPSU project, we understood that a more granular measurement of the power consumption could be beneficial in detecting specific attacks and enabling root cause analysis instead of basic anomaly detection.
The continuation of the research work will focus on runtime monitoring and investigate different data measurement scales and their respective benefits. The continuation of the research work will focus on runtime monitoring and investigate different data measurement scales and their respective benefits.