grizzly/deneir
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add attacker model

Browse source
This commit is contained in:
Arthur 2024-11-29 15:23:21 +01:00
parent 458d172716
commit f5ad734a15
2 changed files with 53 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

49
procver/ACNS/main.tex
View file

@ -149,10 +149,59 @@ The nature of the divergence can further inform about the nature of the tamperin
\section{Related Work}
\subsection{Evasion Technics}
% Evasion technics
\subsection{Countermeasures}
% HIDS countermeasures
% Present the current technics for detecting process list tampering.
% Point out that they are all host-based
\subsection{Side-Channel Correlation}
% Usage of side-channel for correlating system's state
%
\section{Problem Statement}
The main problem that this study proposes to tack can be described as follows:
\begin{center}
Given the list of processes and their state and the power consumption of the \ac{cpu} over the same time periode, identify any tampering of the process list.
\end{center}
The list of processes over time $P = \{p_0,p_1\dots,p_{n-1}\}$ is a nested data object where each item $p_i$ contains all listed processes at timestamp $i$ named the \ac{ilp}.
Each \ac{ilp} contains the name and state of each process present on the machine at a point in time.
From capture to utilization in the prediction model, the process list $P$ undergo a number of transformation to reorganise the information for learning.
See Section~\ref{sec:preprocessing} for technical details about the process list processing.
The power consumption trace --- also named power trace --- is a univariate time series representing the measured power consumption of the \ac{cpu} over time.
\subsection{Attacker Model}
% Capabilities
This study assumes a powerfull attacker with complete remote access to the monitored machine.
We suppose that the attacker previously established remote access and can use this access at will and without risking detection.
For example, the attacker could have recovered legitimate credentials for a local account on the machine.
Moreover, the attacker is assumed to enjoy unrestricted access to the machine with the highest priviledge level.
No operation on the machine is impossible to the attacker.
The only limitation of the attacker is pysical access to the power measurement system.
This mechanism may be additional hardware installed in a machine or built-in by the manufacturer.
In any case, the attacker does not have access to the internal components responsible for measuring, processing, or sending the power consumption to the verification machine.
However, the attacker can gain access to other components of the machine.
For example, it is expected that the attacker can attack storage devices and boot a different \ac{os} than expected.
% Goals
The goal of the attacker is outside the scope of this study.
The only expected intention of the attacker is to remain stealthy against \ac{ids}.
To acieve stealth, the attacker will employ evasion technics to hide or masquerade its malicious processes using any method available to them.
% Knowledge: The attacker may know about the monitoring system.
This study assumes that teh attacker is aware that the proposed defense mechanism in installed on the machine.
There is no part of the proposed approach that should remain secret to achieve its full potential.
\section{Proposed Approach}
\section{Case Studies}