add attacker model

procver/ACNS/acronyms.tex

@@ -18,4 +18,8 @@
     short={CPU},
     long={Central Processing Unit}
 }
+\DeclareAcronym{ilp}{
+    short={ILP},
+    long={Instantaneous List of Processes}
+}
 

procver/ACNS/main.tex

@@ -149,10 +149,59 @@ The nature of the divergence can further inform about the nature of the tamperin
 
 \section{Related Work}
 
+\subsection{Evasion Technics}
+% Evasion technics
+
+\subsection{Countermeasures}
+% HIDS countermeasures
+% Present the current technics for detecting process list tampering.
+% Point out that they are all host-based
+
+\subsection{Side-Channel Correlation}
+% Usage of side-channel for correlating system's state
+%
+
 \section{Problem Statement}
 
+The main problem that this study proposes to tack can be described as follows:
+
+\begin{center}
+    Given the list of processes and their state and the power consumption of the \ac{cpu} over the same time periode, identify any tampering of the process list.
+\end{center}
+
+The list of processes over time $P = \{p_0,p_1\dots,p_{n-1}\}$ is a nested data object where each item $p_i$ contains all listed processes at timestamp $i$ named the \ac{ilp}.
+Each \ac{ilp} contains the name and state of each process present on the machine at a point in time.
+From capture to utilization in the prediction model, the process list $P$ undergo a number of transformation to reorganise the information for learning.
+See Section~\ref{sec:preprocessing} for technical details about the process list processing.
+
+The power consumption trace --- also named power trace --- is a univariate time series representing the measured power consumption of the \ac{cpu} over time.
+
 \subsection{Attacker Model}
 
+% Capabilities
+This study assumes a powerfull attacker with complete remote access to the monitored machine.
+We suppose that the attacker previously established remote access and can use this access at will and without risking detection.
+For example, the attacker could have recovered legitimate credentials for a local account on the machine.
+Moreover, the attacker is assumed to enjoy unrestricted access to the machine with the highest priviledge level.
+No operation on the machine is impossible to the attacker.
+
+The only limitation of the attacker is pysical access to the power measurement system.
+This mechanism may be additional hardware installed in a machine or built-in by the manufacturer.
+In any case, the attacker does not have access to the internal components responsible for measuring, processing, or sending the power consumption to the verification machine.
+
+However, the attacker can gain access to other components of the machine.
+For example, it is expected that the attacker can attack storage devices and boot a different \ac{os} than expected.
+
+% Goals
+The goal of the attacker is outside the scope of this study.
+The only expected intention of the attacker is to remain stealthy against \ac{ids}.
+To acieve stealth, the attacker will employ evasion technics to hide or masquerade its malicious processes using any method available to them.
+
+
+% Knowledge: The attacker may know about the monitoring system.
+This study assumes that teh attacker is aware that the proposed defense mechanism in installed on the machine.
+There is no part of the proposed approach that should remain secret to achieve its full potential.
+
 \section{Proposed Approach}
 
 \section{Case Studies}