start writing about case study 2
This commit is contained in:
parent
c43c18e9aa
commit
dda69366e0
4 changed files with 164 additions and 39 deletions
|
|
@ -1,6 +1,8 @@
|
|||
\newabbreviation{tas}{TAS}{Temporal Action Segmentation}
|
||||
\newabbreviation{apt}{APT}{Advanced Persistent Threat}
|
||||
\newabbreviation{dsd}{DSD}{Device State Detector}
|
||||
\newabbreviation{cpd}{CPD}{Change Point Detection}
|
||||
\newabbreviation{stl}{STL}{Signal Temporal Logic}
|
||||
\newabbreviation{hids}{HIDS}{Host-Based Intrusion Detection Software}
|
||||
\newabbreviation{nids}{NIDS}{Network-Based Intrusion Detection Software}
|
||||
\newabbreviation{1nn}{1-NN}{1-Nearest Neighbor}
|
||||
|
|
@ -12,3 +14,4 @@
|
|||
\newabbreviation{mad}{MAD}{Machine Activity Detector}
|
||||
\newabbreviation{ids}{IDS}{Intrusion Detection Systems}
|
||||
\newabbreviation{nilm}{NILM}{Nonintrusive Load Monitoring}
|
||||
\newabbreviation{it}{IT}{Information Technology}
|
||||
|
|
|
|||
|
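Review bot: The new HIDS and NIDS entries expand to "Host-Based Intrusion Detection Software" and "Network-Based Intrusion Detection Software", while the `ids` entry in the second hunk of this file expands to "Intrusion Detection Systems"; the three long forms should agree, and the usual expansion is "System". Suggest `\newabbreviation{hids}{HIDS}{Host-Based Intrusion Detection System}` and `\newabbreviation{nids}{NIDS}{Network-Based Intrusion Detection System}`. Keeping the long forms singular also lets the plural be produced with `\glspl{ids}` instead of hard-coding "Systems" in the `ids` entry.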
|
@ -609,3 +609,8 @@ series = {CoDS COMAD 2020}
|
|||
publisher={Elsevier}
|
||||
}
|
||||
|
||||
@misc{sleep_states,
|
||||
title={Sleep States Description: },
|
||||
url={https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/system-sleeping-states},
|
||||
year={2023},
|
||||
}
|
||||
|
|
|
|||
|
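Review bot: The key added here is `sleep_states`, but the new case-study text in the main .tex file cites `\cite{sleep_state}` (singular, in the "Night Sleep" item), so that citation will come out as an undefined reference; either rename this key or change the citation to `\cite{sleep_state}` → `\cite{sleep_states}`. Separately, `title={Sleep States Description: }` carries a stray trailing colon and space, and the entry names no publisher or organisation. Since the URL points at learn.microsoft.com, `howpublished={Microsoft Learn}` (plus an accessed date if the bibliography style prints one) would make the reference reproducible.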
|
@ -2,12 +2,12 @@
|
|||
<!-- Created with Inkscape (http://www.inkscape.org/) -->
|
||||
|
||||
<svg
|
||||
width="609.24652mm"
|
||||
height="216.63609mm"
|
||||
viewBox="0 0 609.24652 216.63609"
|
||||
width="609.7691mm"
|
||||
height="247.08583mm"
|
||||
viewBox="0 0 609.7691 247.08583"
|
||||
version="1.1"
|
||||
id="svg5"
|
||||
inkscape:version="1.2.2 (b0a8486541, 2022-12-01)"
|
||||
inkscape:version="1.2.2 (1:1.2.2+202305151915+b0a8486541)"
|
||||
sodipodi:docname="2w_experiment.svg"
|
||||
inkscape:export-filename="2w_experiment.pdf"
|
||||
inkscape:export-xdpi="175.618"
|
||||
|
|
@ -27,13 +27,13 @@
|
|||
inkscape:deskcolor="#505050"
|
||||
inkscape:document-units="mm"
|
||||
showgrid="false"
|
||||
inkscape:zoom="0.70710678"
|
||||
inkscape:cx="1268.5496"
|
||||
inkscape:cy="458.20519"
|
||||
inkscape:zoom="0.5"
|
||||
inkscape:cx="1336"
|
||||
inkscape:cy="587"
|
||||
inkscape:window-width="1920"
|
||||
inkscape:window-height="1056"
|
||||
inkscape:window-height="1016"
|
||||
inkscape:window-x="1920"
|
||||
inkscape:window-y="0"
|
||||
inkscape:window-y="27"
|
||||
inkscape:window-maximized="1"
|
||||
inkscape:current-layer="layer1" />
|
||||
<defs
|
||||
|
|
@ -42,7 +42,7 @@
|
|||
inkscape:label="Layer 1"
|
||||
inkscape:groupmode="layer"
|
||||
id="layer1"
|
||||
transform="translate(-7.7832484,-94.027168)">
|
||||
transform="translate(-7.2606705,-63.577428)">
|
||||
<rect
|
||||
style="fill:#cccccc;stroke:none;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round"
|
||||
id="rect241"
|
||||
|
|
@ -291,23 +291,23 @@
|
|||
<path
|
||||
id="rect2057"
|
||||
style="fill:#80b3ff;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round"
|
||||
d="m 236.54399,157.87929 h 208.3237 v 7.29425 h -208.3237 z"
|
||||
d="m 217.28525,157.87929 189.69775,0 v 7.29425 l -189.69775,0 z"
|
||||
sodipodi:nodetypes="ccccc" />
|
||||
<text
|
||||
xml:space="preserve"
|
||||
style="font-size:6px;line-height:1.25;font-family:'STIX Two Text';-inkscape-font-specification:'STIX Two Text';letter-spacing:0px;word-spacing:0px;stroke-width:0.264583"
|
||||
x="325.25885"
|
||||
x="296.68713"
|
||||
y="163.61142"
|
||||
id="text2158"><tspan
|
||||
sodipodi:role="line"
|
||||
id="tspan2156"
|
||||
style="font-size:6px;stroke-width:0.264583"
|
||||
x="325.25885"
|
||||
x="296.68713"
|
||||
y="163.61142">Work Hours</tspan></text>
|
||||
<path
|
||||
id="path2160"
|
||||
style="fill:#ffe680;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round"
|
||||
d="m 501.68324,157.87929 37.87705,0.0276 v 7.29425 l -37.87705,-0.0276 z"
|
||||
d="m 482.59239,157.87929 75.9088,0.0276 v 7.29425 l -75.9088,-0.0276 z"
|
||||
sodipodi:nodetypes="ccccc" />
|
||||
<text
|
||||
xml:space="preserve"
|
||||
|
|
@ -323,51 +323,35 @@
|
|||
<path
|
||||
id="path2166"
|
||||
style="fill:#cd87de;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round"
|
||||
d="m 103.9744,157.87929 132.56959,-0.0539 v 7.29425 l -132.56959,0.0539 z"
|
||||
d="m 103.9744,157.87929 113.62356,-0.0539 v 7.29425 l -113.62356,0.0539 z"
|
||||
sodipodi:nodetypes="ccccc" />
|
||||
<path
|
||||
id="path2168"
|
||||
style="fill:#cd87de;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round"
|
||||
d="m 444.86772,157.87929 56.81552,0.0276 v 7.26864 l -56.81552,-0.002 z"
|
||||
sodipodi:nodetypes="ccccc" />
|
||||
<path
|
||||
id="path2170"
|
||||
style="fill:#cd87de;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round"
|
||||
d="m 539.56031,157.87929 18.93852,0.0754 v 7.29425 l -18.93852,-0.0754 z"
|
||||
d="m 406.96876,157.87929 75.76936,0.0276 v 7.26864 l -75.76936,-0.002 z"
|
||||
sodipodi:nodetypes="ccccc" />
|
||||
<text
|
||||
xml:space="preserve"
|
||||
style="font-size:6px;line-height:1.25;font-family:'STIX Two Text';-inkscape-font-specification:'STIX Two Text';letter-spacing:0px;word-spacing:0px;stroke-width:0.264583"
|
||||
x="163.5032"
|
||||
x="154.0302"
|
||||
y="162.95747"
|
||||
id="text2174"><tspan
|
||||
sodipodi:role="line"
|
||||
id="tspan2172"
|
||||
style="font-size:6px;stroke-width:0.264583"
|
||||
x="163.5032"
|
||||
x="154.0302"
|
||||
y="162.95747">Sleep</tspan></text>
|
||||
<text
|
||||
xml:space="preserve"
|
||||
style="font-size:6px;line-height:1.25;font-family:'STIX Two Text';-inkscape-font-specification:'STIX Two Text';letter-spacing:0px;word-spacing:0px;stroke-width:0.264583"
|
||||
x="466.51947"
|
||||
x="438.09744"
|
||||
y="162.98541"
|
||||
id="text2178"><tspan
|
||||
sodipodi:role="line"
|
||||
id="tspan2176"
|
||||
style="font-size:6px;stroke-width:0.264583"
|
||||
x="466.51947"
|
||||
x="438.09744"
|
||||
y="162.98541">Sleep</tspan></text>
|
||||
<text
|
||||
xml:space="preserve"
|
||||
style="font-size:6px;line-height:1.25;font-family:'STIX Two Text';-inkscape-font-specification:'STIX Two Text';letter-spacing:0px;word-spacing:0px;stroke-width:0.264583"
|
||||
x="542.27356"
|
||||
y="163.02213"
|
||||
id="text2182"><tspan
|
||||
sodipodi:role="line"
|
||||
id="tspan2180"
|
||||
style="font-size:6px;stroke-width:0.264583"
|
||||
x="542.27356"
|
||||
y="163.02213">Sleep</tspan></text>
|
||||
<text
|
||||
xml:space="preserve"
|
||||
style="font-size:10px;line-height:1.25;font-family:'STIX Two Text';-inkscape-font-specification:'STIX Two Text';letter-spacing:0px;word-spacing:0px;stroke-width:0.264583"
|
||||
|
|
@ -635,5 +619,71 @@
|
|||
style="stroke-width:0.0794137"
|
||||
x="555.52734"
|
||||
y="118.62257">4</tspan></text>
|
||||
<text
|
||||
xml:space="preserve"
|
||||
style="font-size:12.0059px;line-height:1.25;font-family:'STIX Two Text';-inkscape-font-specification:'STIX Two Text';letter-spacing:0px;word-spacing:0px;stroke-width:0.0794137"
|
||||
x="101.04498"
|
||||
y="98.001839"
|
||||
id="text590"><tspan
|
||||
sodipodi:role="line"
|
||||
id="tspan588"
|
||||
style="stroke-width:0.0794137"
|
||||
x="101.04498"
|
||||
y="98.001839">0</tspan></text>
|
||||
<text
|
||||
xml:space="preserve"
|
||||
style="font-size:10px;line-height:1.25;font-family:'STIX Two Text';-inkscape-font-specification:'STIX Two Text';letter-spacing:0px;word-spacing:0px;stroke-width:0.264583"
|
||||
x="39.374374"
|
||||
y="97.68898"
|
||||
id="text614"><tspan
|
||||
sodipodi:role="line"
|
||||
style="font-size:10px;stroke-width:0.264583"
|
||||
x="39.374374"
|
||||
y="97.68898"
|
||||
id="tspan612">Compressed</tspan></text>
|
||||
<text
|
||||
xml:space="preserve"
|
||||
style="font-size:12.0059px;line-height:1.25;font-family:'STIX Two Text';-inkscape-font-specification:'STIX Two Text';letter-spacing:0px;word-spacing:0px;stroke-width:0.0794137"
|
||||
x="555.52734"
|
||||
y="98.085876"
|
||||
id="text421"><tspan
|
||||
sodipodi:role="line"
|
||||
id="tspan419"
|
||||
style="stroke-width:0.0794137"
|
||||
x="555.52734"
|
||||
y="98.085876">4</tspan></text>
|
||||
<text
|
||||
xml:space="preserve"
|
||||
style="font-size:12.0059px;line-height:1.25;font-family:'STIX Two Text';-inkscape-font-specification:'STIX Two Text';letter-spacing:0px;word-spacing:0px;stroke-width:0.0794137"
|
||||
x="214.53951"
|
||||
y="98.049866"
|
||||
id="text425"><tspan
|
||||
sodipodi:role="line"
|
||||
id="tspan423"
|
||||
style="stroke-width:0.0794137"
|
||||
x="214.53951"
|
||||
y="98.049866">1</tspan></text>
|
||||
<text
|
||||
xml:space="preserve"
|
||||
style="font-size:12.0059px;line-height:1.25;font-family:'STIX Two Text';-inkscape-font-specification:'STIX Two Text';letter-spacing:0px;word-spacing:0px;stroke-width:0.0794137"
|
||||
x="327.96201"
|
||||
y="98.07988"
|
||||
id="text429"><tspan
|
||||
sodipodi:role="line"
|
||||
id="tspan427"
|
||||
style="stroke-width:0.0794137"
|
||||
x="327.96201"
|
||||
y="98.07988">2</tspan></text>
|
||||
<text
|
||||
xml:space="preserve"
|
||||
style="font-size:12.0059px;line-height:1.25;font-family:'STIX Two Text';-inkscape-font-specification:'STIX Two Text';letter-spacing:0px;word-spacing:0px;stroke-width:0.0794137"
|
||||
x="441.58859"
|
||||
y="98.001839"
|
||||
id="text433"><tspan
|
||||
sodipodi:role="line"
|
||||
id="tspan431"
|
||||
style="stroke-width:0.0794137"
|
||||
x="441.58859"
|
||||
y="98.001839">3</tspan></text>
|
||||
</g>
|
||||
</svg>
|
||||
|
|
|
|||
|
|
|
@ -27,7 +27,7 @@
|
|||
\newcommand{\wv}{{\color{orange}[weak verb]}}
|
||||
|
||||
% correct bad hyphenation here
|
||||
\hyphenation{op-tical net-works semi-conduc-tor IEEEconf}
|
||||
\hyphenation{op-tical net-works semi-conduc-tor IEEEconf hyper-parameter}
|
||||
\begin{document}
|
||||
\input{acronyms}
|
||||
\title{\textbf{\Large MAD: One-Shot Machine Activity Detector for Physics-Based Cyber Security\\}}
|
||||
|
|
@ -575,8 +575,73 @@ With both performances metrics combined, \gls{mad} outperforms the other methods
|
|||
\end{figure*}
|
||||
|
||||
|
||||
|
||||
\section{Case Study 2: Attack Scenarios}
|
||||
The second case study focuses on a realistic production scenario.
|
||||
The goal of this study is to illustrate hoh \gls{mad} enbales hight abstraction level rules applications by converting the low-level power consumption signal into labeled and actionable states sequence.
|
||||
|
||||
|
||||
\subsection{Overview}
|
||||
This second case study aims at illustrating the performances of the \gls{mad} detector on more realisitc data.
|
||||
To this extend, a machine was setup to perform tasks on a typical office work schedule including work hours, sleep hours, and maintenance hours.
|
||||
The scenario comprises 4 phases:
|
||||
|
||||
\begin{itemize}
|
||||
|
||||
\item Night Sleep: During the night and until the worker begin the day, the machine is asleep in S3 sleep state\cite{sleep_state}. Any other state than sleep is considered anomalous during this time.
|
||||
\item Work Hours: During work hours, little restriction is applied on the activity. Only a sustained (more than 30s) high load is considered anoamlous.
|
||||
\item Evening Sleep: After work hours, the machine goes to sleep again for a few hours.
|
||||
\item Maintenance: During the night, the machine wakes up as part of an automated maintenance schedule. During maintenance updates are fetched and a reboot is performed.
|
||||
\end{itemize}
|
||||
|
||||
\begin{figure}
|
||||
\centering
|
||||
\includegraphics[width=0.49\textwidth]{images/2w_experiment.pdf}
|
||||
\caption{Overview of the scenario and rules for the Second case study.}
|
||||
\label{fig:2w_experiment}
|
||||
\end{figure}
|
||||
|
||||
In order to reduce the experimentation and processing time, the daily scenario is compressed into 4 hours, allowing 6 runs per day and a processing time of only $\approx 4min$ per run.
|
||||
Note that this compression of experiment time does not influence the results (the patterns are kept uncompressed) and is only for convenience and better confidence in the results.
|
||||
Figure~\ref{fig:2w_experiment} illustrate the experiment scenario with both the real and compressed time.
|
||||
|
||||
The data capture follows the same setup as presented in the first case study.
|
||||
A power measurement device is placed in series with the main power cable of the machine (a NUC micro-pc).
|
||||
The measurement devices captures the power consumption at 10 kilo-sampls per seconds.
|
||||
The pre-processing step downsamples the trace to 20 samples per seconds using a median filter.
|
||||
This step greatly reduces the measurement noise and the processing time, and increases the consistency of the results.
|
||||
The final sampling rate of 20 samples per seconds was selected empirically to be about one order of magnitude highter than the typical length of the patterns to detect (around 5 seconds).
|
||||
|
||||
For each comrpessed day of experiment (4 hours segment, thereafter refered as days), the \gls{mad} performs state detection and returns a label vector.
|
||||
This label vector associate a label to each sample of the power trace following the mapping: -1 is UNKNOWN, 0 is SLEEP, 1 is IDLE, 2 is HIGH and 3 is REBOOT.
|
||||
|
||||
Many rules can be imagined to describe the expected and unwanted behavior of a machine.
|
||||
System administrators can define highly specific rules to detect specific attacks or to match the typicall acticities of their infrastructure.
|
||||
We selected 4 rules (see Table~\ref{tab:rules}) that are representative of common threats on companies or administrations's \gls{it} infrastructures.
|
||||
These rules are not exhaustive and are merely an example of the potential of converting power cosumption traces to actionable data.
|
||||
The rules are formaly defined using the \gls{stl} syntax which is bespoke for describing variable patterns with temporal components.\cn
|
||||
|
||||
\begin{table*}
|
||||
\centering
|
||||
\begin{tabular}{p{0.03\textwidth} | p{0.20\textwidth} | p{0.47\textwidth} | p{0.20\textwidth}}
|
||||
Rule & Description & STL Formula & Threat\\
|
||||
\toprule
|
||||
1 & "SLEEP" state only & $R_1 := \square_{[0,1h]\cup [2h40,3h20]}(SLEEP=1)$ & Machine takeover, Botnet, Rogue Employee\\
|
||||
2 & Exactly one occurence of "REBOOT" & $R_2 := \lozenge(REBOOT_{[t]}=1) \cup (\neg \square_{[,2h40]}(REBOOT=1)$ & \gls{apt}, Backdoors\\
|
||||
3 & No "HIGH" state for more than 30s. & $R_3 := \square (HIGH_{[t_0]}=1 \rightarrow \lozenge_{[t_0,t_0+30s]}(HIGH_{[t]}=0))$ & CryptoMining Malware, Ransomware, BotNet\\
|
||||
4 & No "REBOOT" occurence. & $R_4 := \neg \square_{[1h,2h40]}(REBOOT_{[t]}=1)$ & Malware Installation\\
|
||||
\bottomrule
|
||||
\end{tabular}
|
||||
\caption{Characteristics of the machines in the evaluation dataset.}
|
||||
\label{tab:rules}
|
||||
\end{table*}
|
||||
\agd{add MITRE references for each threat}
|
||||
\agd{fix stl formulas to use labels and not states name}
|
||||
|
||||
|
||||
|
||||
\subsection{Dataset}
|
||||
|
||||
\subsection{Results}
|
||||
|
||||
\section{Discussion}\label{sec:discussion}
|
||||
In this section we highlight specific aspects of the proposed solution.
|
||||
|
|
@ -619,6 +684,8 @@ Although there are more operations to perform to evaluate all possible windows a
|
|||
Over all the datasets considered, the time for \gls{mad} was, on average, 14\% higher than the time for the \gls{1nn}.
|
||||
\gls{mad} is also slower than \gls{svm} and faster than \gls{mlp}, but comparison to other methods is less relevant as computation time is highly sensitive to implementation, and no optimization was attempted.
|
||||
Finally, because \gls{mad} is distance-based and window-based, parallelization is naturally applicable and can significantly reduce the processing time.
|
||||
\agd{add subsection or bold titles to discussions topic, add discussion about why a simple threshold does not work}
|
||||
|
||||
|
||||
\section{Conclusion}
|
||||
We present \gls{mad}, a novel solution to enable high-level security policy enforcement from side channel information.
|
||||
|
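Review bot: The caption of the new rules table, `\caption{Characteristics of the machines in the evaluation dataset.}`, does not describe the table it sits under (four STL rules and the threats they target) and looks carried over from another table; something like `\caption{Rules evaluated in the second case study and the threats each one targets.}` would fit the content. In the same table the $R_2$ formula has an unbalanced parenthesis — `(\neg \square_{[,2h40]}(REBOOT=1)` opens one group more than it closes, which is a TeX error — and its interval has no lower bound, which I have left for the author to fill in. The tabular also places `\toprule` after the header row and mixes `|` column rules with booktabs; `\toprule` belongs above the header with `\midrule` below it, and the vertical rules should go. Typos in the prose ("hoh", "enbales", "realisitc", "anoamlous", "comrpessed", "cosumption", "formaly", "highter") and the unit in `$\approx 4min$` (better `\approx 4\,\text{min}`) can be cleaned up in the same pass; the case-study hunk ends inside the Discussion section, which continues beyond it.
```latex
\begin{table*}
\centering
\begin{tabular}{@{}p{0.03\textwidth} p{0.20\textwidth} p{0.47\textwidth} p{0.20\textwidth}@{}}
\toprule
Rule & Description & STL Formula & Threat\\
\midrule
% … unchanged: row for rule 1 …
2 & Exactly one occurrence of ``REBOOT'' & $R_2 := \lozenge(REBOOT_{[t]}=1) \cup (\neg \square_{[,2h40]}(REBOOT=1))$ & \gls{apt}, Backdoors\\
% … unchanged: rows for rules 3 and 4, \bottomrule, \end{tabular} …
\caption{Rules evaluated in the second case study and the threats each one targets.}
% … unchanged: \label{tab:rules}, \end{table*} …
```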
|
|
|||