grizzly/deneir
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add rules overview

Browse source
This commit is contained in:
Arthur Grisel-Davy 2023-10-09 11:44:07 -04:00
parent 450c1c6702
commit edfba9c1e9
2 changed files with 276 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

250
DSD/qrs/presentation/images/rules_pipeline.svg Normal file
View file

@ -0,0 +1,250 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
version="1.1"
id="svg1"
width="1025.976"
height="463.41357"
viewBox="0 0 1025.976 463.41355"
xml:space="preserve"
sodipodi:docname="rules_pipeline.svg"
inkscape:version="1.3 (0e150ed6c4, 2023-07-21)"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns="http://www.w3.org/2000/svg"
xmlns:svg="http://www.w3.org/2000/svg"><sodipodi:namedview
id="namedview1"
pagecolor="#ffffff"
bordercolor="#eeeeee"
borderopacity="1"
inkscape:showpageshadow="0"
inkscape:pageopacity="0"
inkscape:pagecheckerboard="0"
inkscape:deskcolor="#d1d1d1"
showgrid="false"
inkscape:zoom="0.87184312"
inkscape:cx="720.88657"
inkscape:cy="311.98273"
inkscape:window-width="1920"
inkscape:window-height="1026"
inkscape:window-x="1920"
inkscape:window-y="26"
inkscape:window-maximized="1"
inkscape:current-layer="svg1" /><defs
id="defs1"><marker
style="overflow:visible"
id="marker2"
refX="0"
refY="0"
orient="auto-start-reverse"
inkscape:stockid="Triangle arrow"
markerWidth="1"
markerHeight="1"
viewBox="0 0 1 1"
inkscape:isstock="true"
inkscape:collect="always"
preserveAspectRatio="xMidYMid"><path
transform="scale(0.5)"
style="fill:context-stroke;fill-rule:evenodd;stroke:context-stroke;stroke-width:1pt"
d="M 5.77,0 -2.88,5 V -5 Z"
id="path2" /></marker><marker
style="overflow:visible"
id="marker123"
refX="0"
refY="0"
orient="auto-start-reverse"
markerWidth="1"
markerHeight="1"
viewBox="0 0 1 1"
preserveAspectRatio="xMidYMid"><path
transform="scale(0.5)"
style="fill:context-stroke;fill-rule:evenodd;stroke:context-stroke;stroke-width:1pt"
d="M 5.77,0 -2.88,5 V -5 Z"
id="path123" /></marker><marker
style="overflow:visible"
id="Triangle"
refX="0"
refY="0"
orient="auto-start-reverse"
markerWidth="1"
markerHeight="1"
viewBox="0 0 1 1"
preserveAspectRatio="xMidYMid"><path
transform="scale(0.5)"
style="fill:context-stroke;fill-rule:evenodd;stroke:context-stroke;stroke-width:1pt"
d="M 5.77,0 -2.88,5 V -5 Z"
id="path135" /></marker></defs><rect
style="fill:#cccccc;stroke:#1a1a1a;stroke-width:1.00157;stroke-linecap:square;stroke-linejoin:round"
id="rect1"
width="155.47696"
height="82.999123"
x="305.81116"
y="116.59639"
ry="3.8013713" /><text
xml:space="preserve"
style="font-weight:bold;font-size:26.4567px;line-height:1.25;font-family:'STIX Two Text';-inkscape-font-specification:'STIX Two Text, Bold';letter-spacing:-1.1px;word-spacing:0px"
x="331.96521"
y="167.28966"
id="text1"><tspan
sodipodi:role="line"
id="tspan1"
x="331.96521"
y="167.28966">Machine</tspan></text><path
style="fill:none;stroke:#000000;stroke-width:1.88976;stroke-linecap:butt;stroke-linejoin:miter;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#marker2)"
d="M 83.606868,155.87164 H 287.95379"
id="path1" /><path
style="fill:#00aad4;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
d="m 55.499228,114.92489 -24.902765,42.63796 h 19.59105 L 37.1326,192.79207 67.163658,151.38862 H 47.820015 Z"
id="path3" /><path
style="fill:none;stroke:#000000;stroke-width:1.88976;stroke-linecap:butt;stroke-linejoin:miter;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#marker2)"
d="M 163.82084,165.73921 V 291.85826 H 359.03729"
id="path4"
sodipodi:nodetypes="ccc" /><rect
style="fill:#cccccc;stroke:#1a1a1a;stroke-width:1.00157;stroke-linecap:square;stroke-linejoin:round"
id="rect4"
width="155.47696"
height="82.999123"
x="379.51022"
y="251.2881"
ry="3.8013713" /><text
xml:space="preserve"
style="font-weight:bold;font-size:26.4567px;line-height:1.25;font-family:'STIX Two Text';-inkscape-font-specification:'STIX Two Text, Bold';letter-spacing:-1.1px;word-spacing:0px"
x="425.38364"
y="301.5448"
id="text4"><tspan
sodipodi:role="line"
id="tspan4"
x="425.38364"
y="301.5448">MAD</tspan></text><circle
style="fill:none;stroke:#000000;stroke-width:1.88976;stroke-linecap:square;stroke-linejoin:round;stroke-dasharray:none"
id="path5"
cx="163.98962"
cy="156.00865"
r="9.732029" /><path
style="fill:none;stroke:#000000;stroke-width:1.88976;stroke-linecap:butt;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#marker123)"
d="m 534.98723,292.78767 h 47.41725 V 59.997666 h 52.95156"
id="path6"
sodipodi:nodetypes="cccc" /><text
xml:space="preserve"
style="font-weight:bold;font-size:26.4567px;line-height:1.25;font-family:'STIX Two Text';-inkscape-font-specification:'STIX Two Text, Bold';letter-spacing:-1.1px;word-spacing:0px"
x="654.99951"
y="71.695892"
id="text6"><tspan
sodipodi:role="line"
id="tspan6"
x="654.99951"
y="71.695892">A</tspan><tspan
sodipodi:role="line"
x="654.99951"
y="104.76677"
id="tspan7">A</tspan><tspan
sodipodi:role="line"
x="654.99951"
y="137.83765"
id="tspan8">A</tspan><tspan
sodipodi:role="line"
x="654.99951"
y="170.90851"
id="tspan9">B</tspan><tspan
sodipodi:role="line"
x="654.99951"
y="203.97939"
id="tspan10">C</tspan><tspan
sodipodi:role="line"
x="654.99951"
y="237.05026"
id="tspan17" /><tspan
sodipodi:role="line"
x="654.99951"
y="270.12112"
id="tspan11">B</tspan><tspan
sodipodi:role="line"
x="654.99951"
y="303.19202"
id="tspan12">A</tspan><tspan
sodipodi:role="line"
x="654.99951"
y="336.26288"
id="tspan13">A</tspan><tspan
sodipodi:role="line"
x="654.99951"
y="369.33377"
id="tspan14">C</tspan><tspan
sodipodi:role="line"
x="654.99951"
y="402.40463"
id="tspan15">C</tspan><tspan
sodipodi:role="line"
x="654.99951"
y="435.47549"
id="tspan16">C</tspan></text><g
id="g18"
transform="matrix(0.71223704,0,0,0.71223704,56.464278,52.818129)"><circle
style="fill:#000000;stroke:none;stroke-width:1.88976;stroke-linecap:square;stroke-linejoin:round;stroke-dasharray:none"
id="path17"
cx="852.59021"
cy="235.10136"
r="3.3945713" /><circle
style="fill:#000000;stroke:none;stroke-width:1.88976;stroke-linecap:square;stroke-linejoin:round;stroke-dasharray:none"
id="circle18"
cx="852.59021"
cy="246.2905"
r="3.3945713" /><circle
style="fill:#000000;stroke:none;stroke-width:1.88976;stroke-linecap:square;stroke-linejoin:round;stroke-dasharray:none"
id="circle17"
cx="852.59021"
cy="257.47961"
r="3.3945713" /></g><path
style="fill:none;stroke:#000000;stroke-width:1.88976;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 671.69811,48.219117 h 21.58976 V 442.37114 h -21.58976"
id="path24"
sodipodi:nodetypes="cccc" /><rect
style="fill:#cccccc;stroke:#1a1a1a;stroke-width:1.00157;stroke-linecap:square;stroke-linejoin:round"
id="rect24"
width="181.72498"
height="64.86097"
x="749.76605"
y="194.95602"
ry="3.8013713" /><text
xml:space="preserve"
style="font-weight:bold;font-size:26.4567px;line-height:1.25;font-family:'STIX Two Text';-inkscape-font-specification:'STIX Two Text, Bold';letter-spacing:-1.1px;word-spacing:0px;white-space:pre;inline-size:154.826"
x="837.95343"
y="242.44753"
id="text24"
transform="translate(-75.16877,-5.8805403)"><tspan
x="837.95343"
y="242.44753"
id="tspan2">Rule Checker</tspan></text><path
style="fill:none;stroke:#000000;stroke-width:1.88976378;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;stroke-dasharray:none;marker-end:url(#marker123)"
d="m 693.28787,227.38651 h 43.52222"
id="path25" /><path
style="fill:none;stroke:#000000;stroke-width:1.88976378;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;stroke-dasharray:none;marker-end:url(#marker2)"
d="m 840.62854,259.81699 v 52.38067 h 66.63063"
id="path26" /><g
id="g34"
transform="matrix(0.59445949,0,0,0.59445949,359.75571,61.139312)"><path
style="fill:none;stroke:#000000;stroke-width:3.77953;stroke-linecap:round;stroke-linejoin:miter;stroke-dasharray:none;stroke-opacity:1"
d="m 1017.5645,447.51488 20.3562,-77.04038"
id="path27"
sodipodi:nodetypes="cc" /><path
id="path28"
style="fill:#d40055;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
d="m 1063.4831,367.88466 c -6.7998,0.094 -16.0449,1.29243 -25.5624,2.58984 l -7.2071,25.27344 c 8.7055,-1.79545 20.382,-2.80363 27.4754,-2.02963 6.159,0.67205 8.5773,2.90792 8.4171,4.47243 -0.4162,4.06622 -13.7294,4.69888 -11.6659,6.32673 8.7963,6.93937 21.5167,3.28271 32.6718,1.01367 l 7.2071,-25.27539 c -11.1552,2.26904 -26.8188,13.22171 -23.6407,2.47782 0,0 3.1816,-10.66727 3.1993,-10.81571 0.3716,-3.10529 -4.0948,-4.12716 -10.8946,-4.0332 z"
sodipodi:nodetypes="sccsssccsss" /><path
style="fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
d="m 1074.3777,371.91786 -7.7716,26.27288"
id="path31" /></g><g
id="g35"
transform="matrix(0.59445949,0,0,0.59445949,352.72164,61.497809)"><path
style="fill:#71c837;stroke:#000000;stroke-width:3.77953;stroke-linecap:round;stroke-linejoin:miter;stroke-dasharray:none;stroke-opacity:1"
d="M 1016.1124,447.51488 995.75628,370.4745"
id="path32"
sodipodi:nodetypes="cc" /><path
id="path33"
style="fill:#71c837;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
d="m 970.19381,367.88466 c 6.7998,0.094 16.04493,1.29243 25.56247,2.58984 l 7.20702,25.27344 c -8.70544,-1.79545 -20.38196,-2.80363 -27.47539,-2.02963 -6.159,0.67205 -8.5773,2.90792 -8.4171,4.47243 0.4162,4.06622 13.7294,4.69888 11.66593,6.32673 -8.79633,6.93937 -21.51673,3.28271 -32.67178,1.01367 l -7.2071,-25.27539 c 11.1552,2.26904 26.81875,13.22171 23.64067,2.47782 0,0 -3.18156,-10.66727 -3.19932,-10.81571 -0.37159,-3.10529 4.0948,-4.12716 10.8946,-4.0332 z"
sodipodi:nodetypes="sccsssccsss" /><path
style="fill:#71c837;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
d="m 959.29921,371.91786 7.7716,26.27288"
id="path34" /></g></svg>
Side by side

After

Width:  |  Height:  |  Size: 11 KiB

32
DSD/qrs/presentation/presentation.typ
View file

@ -118,20 +118,40 @@
// add overview of the experiment pipeline // add overview of the experiment pipeline
] ]
#slide(title: "Case Study 2")[
#figure(
image("images/2w_experiment.svg", width: 100%)
)
#slide(title: "Case Study 2")[
#image("images/rules_pipeline.svg", width:100%)
] ]
#slide(title: "Case Study 2 - Results")[
#slide(title: "Case Study 2")[
#align(center)[
#image("images/2w_experiment.svg", width: 90%)
#tablex(
columns: (auto, auto, auto),
auto-vlines: false,
repeat-header: false,
align: (left+horizon,right+horizon,right+horizon),
[#text(weight:"bold")[Rule ID]], [#text(weight: "bold")[Rule]], [#text(weight: "bold")[Threat]],
[1], ["SLEEP" state only], [Machine takeover, Botnet, Rogue employee],
[2], [No "SLEEP" for more than 8m], [System malfunction],
[3], [One "REBOOT"], [APT, Backdoors],
[4], [No "HIGH" for more than 30s], [Crypto mining, Ransomware, Botnet],
)
]
]
#slide(title: "Case Study 2")[
#figure( #figure(
image("images/preds.svg", height: 100%) image("images/preds.svg", height: 100%)
) )
] ]
#slide(title: "Futur Work")[]
#slide(title: "Futur Work")[
]
#slide(title: "Conclusion")[ #slide(title: "Conclusion")[
] ]