From f5ad734a158341123e06861b84ecbac5b1012928 Mon Sep 17 00:00:00 2001 From: Arthur Date: Fri, 29 Nov 2024 15:23:21 +0100 Subject: [PATCH] add attacker model --- procver/ACNS/acronyms.tex | 4 ++++ procver/ACNS/main.tex | 49 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 53 insertions(+) diff --git a/procver/ACNS/acronyms.tex b/procver/ACNS/acronyms.tex index 1e27e09..8f10e8d 100644 --- a/procver/ACNS/acronyms.tex +++ b/procver/ACNS/acronyms.tex @@ -18,4 +18,8 @@ short={CPU}, long={Central Processing Unit} } +\DeclareAcronym{ilp}{ + short={ILP}, + long={Instantaneous List of Processes} +} diff --git a/procver/ACNS/main.tex b/procver/ACNS/main.tex index fbb0459..40fe311 100644 --- a/procver/ACNS/main.tex +++ b/procver/ACNS/main.tex @@ -149,10 +149,59 @@ The nature of the divergence can further inform about the nature of the tamperin \section{Related Work} +\subsection{Evasion Technics} +% Evasion technics + +\subsection{Countermeasures} +% HIDS countermeasures +% Present the current technics for detecting process list tampering. +% Point out that they are all host-based + +\subsection{Side-Channel Correlation} +% Usage of side-channel for correlating system's state +% + \section{Problem Statement} +The main problem that this study proposes to tack can be described as follows: + +\begin{center} + Given the list of processes and their state and the power consumption of the \ac{cpu} over the same time periode, identify any tampering of the process list. +\end{center} + +The list of processes over time $P = \{p_0,p_1\dots,p_{n-1}\}$ is a nested data object where each item $p_i$ contains all listed processes at timestamp $i$ named the \ac{ilp}. +Each \ac{ilp} contains the name and state of each process present on the machine at a point in time. +From capture to utilization in the prediction model, the process list $P$ undergo a number of transformation to reorganise the information for learning. +See Section~\ref{sec:preprocessing} for technical details about the process list processing. + +The power consumption trace --- also named power trace --- is a univariate time series representing the measured power consumption of the \ac{cpu} over time. + \subsection{Attacker Model} +% Capabilities +This study assumes a powerfull attacker with complete remote access to the monitored machine. +We suppose that the attacker previously established remote access and can use this access at will and without risking detection. +For example, the attacker could have recovered legitimate credentials for a local account on the machine. +Moreover, the attacker is assumed to enjoy unrestricted access to the machine with the highest priviledge level. +No operation on the machine is impossible to the attacker. + +The only limitation of the attacker is pysical access to the power measurement system. +This mechanism may be additional hardware installed in a machine or built-in by the manufacturer. +In any case, the attacker does not have access to the internal components responsible for measuring, processing, or sending the power consumption to the verification machine. + +However, the attacker can gain access to other components of the machine. +For example, it is expected that the attacker can attack storage devices and boot a different \ac{os} than expected. + +% Goals +The goal of the attacker is outside the scope of this study. +The only expected intention of the attacker is to remain stealthy against \ac{ids}. +To acieve stealth, the attacker will employ evasion technics to hide or masquerade its malicious processes using any method available to them. + + +% Knowledge: The attacker may know about the monitoring system. +This study assumes that teh attacker is aware that the proposed defense mechanism in installed on the machine. +There is no part of the proposed approach that should remain secret to achieve its full potential. + \section{Proposed Approach} \section{Case Studies}