From edfba9c1e9e4b08e0596d6628fccd7bae388fa59 Mon Sep 17 00:00:00 2001
From: Arthur Grisel-Davy <grisel-davy@crans.org>
Date: Mon, 9 Oct 2023 11:44:07 -0400
Subject: [PATCH] add rules overview

---
 .../presentation/images/rules_pipeline.svg    | 250 ++++++++++++++++++
 DSD/qrs/presentation/presentation.typ         |  32 ++-
 2 files changed, 276 insertions(+), 6 deletions(-)
 create mode 100644 DSD/qrs/presentation/images/rules_pipeline.svg

diff --git a/DSD/qrs/presentation/images/rules_pipeline.svg b/DSD/qrs/presentation/images/rules_pipeline.svg
new file mode 100644
index 0000000..be38969
--- /dev/null
+++ b/DSD/qrs/presentation/images/rules_pipeline.svg
@@ -0,0 +1,250 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   version="1.1"
+   id="svg1"
+   width="1025.976"
+   height="463.41357"
+   viewBox="0 0 1025.976 463.41355"
+   xml:space="preserve"
+   sodipodi:docname="rules_pipeline.svg"
+   inkscape:version="1.3 (0e150ed6c4, 2023-07-21)"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg"><sodipodi:namedview
+     id="namedview1"
+     pagecolor="#ffffff"
+     bordercolor="#eeeeee"
+     borderopacity="1"
+     inkscape:showpageshadow="0"
+     inkscape:pageopacity="0"
+     inkscape:pagecheckerboard="0"
+     inkscape:deskcolor="#d1d1d1"
+     showgrid="false"
+     inkscape:zoom="0.87184312"
+     inkscape:cx="720.88657"
+     inkscape:cy="311.98273"
+     inkscape:window-width="1920"
+     inkscape:window-height="1026"
+     inkscape:window-x="1920"
+     inkscape:window-y="26"
+     inkscape:window-maximized="1"
+     inkscape:current-layer="svg1" /><defs
+     id="defs1"><marker
+       style="overflow:visible"
+       id="marker2"
+       refX="0"
+       refY="0"
+       orient="auto-start-reverse"
+       inkscape:stockid="Triangle arrow"
+       markerWidth="1"
+       markerHeight="1"
+       viewBox="0 0 1 1"
+       inkscape:isstock="true"
+       inkscape:collect="always"
+       preserveAspectRatio="xMidYMid"><path
+         transform="scale(0.5)"
+         style="fill:context-stroke;fill-rule:evenodd;stroke:context-stroke;stroke-width:1pt"
+         d="M 5.77,0 -2.88,5 V -5 Z"
+         id="path2" /></marker><marker
+       style="overflow:visible"
+       id="marker123"
+       refX="0"
+       refY="0"
+       orient="auto-start-reverse"
+       markerWidth="1"
+       markerHeight="1"
+       viewBox="0 0 1 1"
+       preserveAspectRatio="xMidYMid"><path
+         transform="scale(0.5)"
+         style="fill:context-stroke;fill-rule:evenodd;stroke:context-stroke;stroke-width:1pt"
+         d="M 5.77,0 -2.88,5 V -5 Z"
+         id="path123" /></marker><marker
+       style="overflow:visible"
+       id="Triangle"
+       refX="0"
+       refY="0"
+       orient="auto-start-reverse"
+       markerWidth="1"
+       markerHeight="1"
+       viewBox="0 0 1 1"
+       preserveAspectRatio="xMidYMid"><path
+         transform="scale(0.5)"
+         style="fill:context-stroke;fill-rule:evenodd;stroke:context-stroke;stroke-width:1pt"
+         d="M 5.77,0 -2.88,5 V -5 Z"
+         id="path135" /></marker></defs><rect
+     style="fill:#cccccc;stroke:#1a1a1a;stroke-width:1.00157;stroke-linecap:square;stroke-linejoin:round"
+     id="rect1"
+     width="155.47696"
+     height="82.999123"
+     x="305.81116"
+     y="116.59639"
+     ry="3.8013713" /><text
+     xml:space="preserve"
+     style="font-weight:bold;font-size:26.4567px;line-height:1.25;font-family:'STIX Two Text';-inkscape-font-specification:'STIX Two Text, Bold';letter-spacing:-1.1px;word-spacing:0px"
+     x="331.96521"
+     y="167.28966"
+     id="text1"><tspan
+       sodipodi:role="line"
+       id="tspan1"
+       x="331.96521"
+       y="167.28966">Machine</tspan></text><path
+     style="fill:none;stroke:#000000;stroke-width:1.88976;stroke-linecap:butt;stroke-linejoin:miter;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#marker2)"
+     d="M 83.606868,155.87164 H 287.95379"
+     id="path1" /><path
+     style="fill:#00aad4;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+     d="m 55.499228,114.92489 -24.902765,42.63796 h 19.59105 L 37.1326,192.79207 67.163658,151.38862 H 47.820015 Z"
+     id="path3" /><path
+     style="fill:none;stroke:#000000;stroke-width:1.88976;stroke-linecap:butt;stroke-linejoin:miter;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#marker2)"
+     d="M 163.82084,165.73921 V 291.85826 H 359.03729"
+     id="path4"
+     sodipodi:nodetypes="ccc" /><rect
+     style="fill:#cccccc;stroke:#1a1a1a;stroke-width:1.00157;stroke-linecap:square;stroke-linejoin:round"
+     id="rect4"
+     width="155.47696"
+     height="82.999123"
+     x="379.51022"
+     y="251.2881"
+     ry="3.8013713" /><text
+     xml:space="preserve"
+     style="font-weight:bold;font-size:26.4567px;line-height:1.25;font-family:'STIX Two Text';-inkscape-font-specification:'STIX Two Text, Bold';letter-spacing:-1.1px;word-spacing:0px"
+     x="425.38364"
+     y="301.5448"
+     id="text4"><tspan
+       sodipodi:role="line"
+       id="tspan4"
+       x="425.38364"
+       y="301.5448">MAD</tspan></text><circle
+     style="fill:none;stroke:#000000;stroke-width:1.88976;stroke-linecap:square;stroke-linejoin:round;stroke-dasharray:none"
+     id="path5"
+     cx="163.98962"
+     cy="156.00865"
+     r="9.732029" /><path
+     style="fill:none;stroke:#000000;stroke-width:1.88976;stroke-linecap:butt;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#marker123)"
+     d="m 534.98723,292.78767 h 47.41725 V 59.997666 h 52.95156"
+     id="path6"
+     sodipodi:nodetypes="cccc" /><text
+     xml:space="preserve"
+     style="font-weight:bold;font-size:26.4567px;line-height:1.25;font-family:'STIX Two Text';-inkscape-font-specification:'STIX Two Text, Bold';letter-spacing:-1.1px;word-spacing:0px"
+     x="654.99951"
+     y="71.695892"
+     id="text6"><tspan
+       sodipodi:role="line"
+       id="tspan6"
+       x="654.99951"
+       y="71.695892">A</tspan><tspan
+       sodipodi:role="line"
+       x="654.99951"
+       y="104.76677"
+       id="tspan7">A</tspan><tspan
+       sodipodi:role="line"
+       x="654.99951"
+       y="137.83765"
+       id="tspan8">A</tspan><tspan
+       sodipodi:role="line"
+       x="654.99951"
+       y="170.90851"
+       id="tspan9">B</tspan><tspan
+       sodipodi:role="line"
+       x="654.99951"
+       y="203.97939"
+       id="tspan10">C</tspan><tspan
+       sodipodi:role="line"
+       x="654.99951"
+       y="237.05026"
+       id="tspan17" /><tspan
+       sodipodi:role="line"
+       x="654.99951"
+       y="270.12112"
+       id="tspan11">B</tspan><tspan
+       sodipodi:role="line"
+       x="654.99951"
+       y="303.19202"
+       id="tspan12">A</tspan><tspan
+       sodipodi:role="line"
+       x="654.99951"
+       y="336.26288"
+       id="tspan13">A</tspan><tspan
+       sodipodi:role="line"
+       x="654.99951"
+       y="369.33377"
+       id="tspan14">C</tspan><tspan
+       sodipodi:role="line"
+       x="654.99951"
+       y="402.40463"
+       id="tspan15">C</tspan><tspan
+       sodipodi:role="line"
+       x="654.99951"
+       y="435.47549"
+       id="tspan16">C</tspan></text><g
+     id="g18"
+     transform="matrix(0.71223704,0,0,0.71223704,56.464278,52.818129)"><circle
+       style="fill:#000000;stroke:none;stroke-width:1.88976;stroke-linecap:square;stroke-linejoin:round;stroke-dasharray:none"
+       id="path17"
+       cx="852.59021"
+       cy="235.10136"
+       r="3.3945713" /><circle
+       style="fill:#000000;stroke:none;stroke-width:1.88976;stroke-linecap:square;stroke-linejoin:round;stroke-dasharray:none"
+       id="circle18"
+       cx="852.59021"
+       cy="246.2905"
+       r="3.3945713" /><circle
+       style="fill:#000000;stroke:none;stroke-width:1.88976;stroke-linecap:square;stroke-linejoin:round;stroke-dasharray:none"
+       id="circle17"
+       cx="852.59021"
+       cy="257.47961"
+       r="3.3945713" /></g><path
+     style="fill:none;stroke:#000000;stroke-width:1.88976;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
+     d="m 671.69811,48.219117 h 21.58976 V 442.37114 h -21.58976"
+     id="path24"
+     sodipodi:nodetypes="cccc" /><rect
+     style="fill:#cccccc;stroke:#1a1a1a;stroke-width:1.00157;stroke-linecap:square;stroke-linejoin:round"
+     id="rect24"
+     width="181.72498"
+     height="64.86097"
+     x="749.76605"
+     y="194.95602"
+     ry="3.8013713" /><text
+     xml:space="preserve"
+     style="font-weight:bold;font-size:26.4567px;line-height:1.25;font-family:'STIX Two Text';-inkscape-font-specification:'STIX Two Text, Bold';letter-spacing:-1.1px;word-spacing:0px;white-space:pre;inline-size:154.826"
+     x="837.95343"
+     y="242.44753"
+     id="text24"
+     transform="translate(-75.16877,-5.8805403)"><tspan
+       x="837.95343"
+       y="242.44753"
+       id="tspan2">Rule Checker</tspan></text><path
+     style="fill:none;stroke:#000000;stroke-width:1.88976378;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;stroke-dasharray:none;marker-end:url(#marker123)"
+     d="m 693.28787,227.38651 h 43.52222"
+     id="path25" /><path
+     style="fill:none;stroke:#000000;stroke-width:1.88976378;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;stroke-dasharray:none;marker-end:url(#marker2)"
+     d="m 840.62854,259.81699 v 52.38067 h 66.63063"
+     id="path26" /><g
+     id="g34"
+     transform="matrix(0.59445949,0,0,0.59445949,359.75571,61.139312)"><path
+       style="fill:none;stroke:#000000;stroke-width:3.77953;stroke-linecap:round;stroke-linejoin:miter;stroke-dasharray:none;stroke-opacity:1"
+       d="m 1017.5645,447.51488 20.3562,-77.04038"
+       id="path27"
+       sodipodi:nodetypes="cc" /><path
+       id="path28"
+       style="fill:#d40055;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+       d="m 1063.4831,367.88466 c -6.7998,0.094 -16.0449,1.29243 -25.5624,2.58984 l -7.2071,25.27344 c 8.7055,-1.79545 20.382,-2.80363 27.4754,-2.02963 6.159,0.67205 8.5773,2.90792 8.4171,4.47243 -0.4162,4.06622 -13.7294,4.69888 -11.6659,6.32673 8.7963,6.93937 21.5167,3.28271 32.6718,1.01367 l 7.2071,-25.27539 c -11.1552,2.26904 -26.8188,13.22171 -23.6407,2.47782 0,0 3.1816,-10.66727 3.1993,-10.81571 0.3716,-3.10529 -4.0948,-4.12716 -10.8946,-4.0332 z"
+       sodipodi:nodetypes="sccsssccsss" /><path
+       style="fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+       d="m 1074.3777,371.91786 -7.7716,26.27288"
+       id="path31" /></g><g
+     id="g35"
+     transform="matrix(0.59445949,0,0,0.59445949,352.72164,61.497809)"><path
+       style="fill:#71c837;stroke:#000000;stroke-width:3.77953;stroke-linecap:round;stroke-linejoin:miter;stroke-dasharray:none;stroke-opacity:1"
+       d="M 1016.1124,447.51488 995.75628,370.4745"
+       id="path32"
+       sodipodi:nodetypes="cc" /><path
+       id="path33"
+       style="fill:#71c837;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+       d="m 970.19381,367.88466 c 6.7998,0.094 16.04493,1.29243 25.56247,2.58984 l 7.20702,25.27344 c -8.70544,-1.79545 -20.38196,-2.80363 -27.47539,-2.02963 -6.159,0.67205 -8.5773,2.90792 -8.4171,4.47243 0.4162,4.06622 13.7294,4.69888 11.66593,6.32673 -8.79633,6.93937 -21.51673,3.28271 -32.67178,1.01367 l -7.2071,-25.27539 c 11.1552,2.26904 26.81875,13.22171 23.64067,2.47782 0,0 -3.18156,-10.66727 -3.19932,-10.81571 -0.37159,-3.10529 4.0948,-4.12716 10.8946,-4.0332 z"
+       sodipodi:nodetypes="sccsssccsss" /><path
+       style="fill:#71c837;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+       d="m 959.29921,371.91786 7.7716,26.27288"
+       id="path34" /></g></svg>
diff --git a/DSD/qrs/presentation/presentation.typ b/DSD/qrs/presentation/presentation.typ
index e869a3c..58b5b31 100644
--- a/DSD/qrs/presentation/presentation.typ
+++ b/DSD/qrs/presentation/presentation.typ
@@ -118,20 +118,40 @@
 // add overview of the experiment pipeline
 ]
 
-#slide(title: "Case Study 2")[
-#figure(
-        image("images/2w_experiment.svg", width: 100%)
-    )
 
+#slide(title: "Case Study 2")[
+#image("images/rules_pipeline.svg", width:100%)
 ]
-#slide(title: "Case Study 2 - Results")[
+
+#slide(title: "Case Study 2")[
+#align(center)[
+#image("images/2w_experiment.svg", width: 90%)
+
+#tablex(
+    columns: (auto, auto, auto),
+    auto-vlines: false,
+    repeat-header: false,
+    align: (left+horizon,right+horizon,right+horizon),
+    [#text(weight:"bold")[Rule ID]], [#text(weight: "bold")[Rule]], [#text(weight: "bold")[Threat]],
+    [1], ["SLEEP" state only], [Machine takeover, Botnet, Rogue employee],
+    [2], [No "SLEEP" for more than 8m], [System malfunction],
+    [3], [One "REBOOT"], [APT, Backdoors],
+    [4], [No "HIGH" for more than 30s], [Crypto mining, Ransomware, Botnet],
+)
+]
+]
+
+
+#slide(title: "Case Study 2")[
 #figure(
         image("images/preds.svg", height: 100%)
     )
 
 ]
 
-#slide(title: "Futur Work")[]
+
+#slide(title: "Futur Work")[
+]
 
 #slide(title: "Conclusion")[
 ]