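% Slide deck (beamer, metropolis theme) for the talk
% "Side-channel Based Runtime Intrusion Detection for Network Equipment".
%
% Source layout: one statement per line. Keep it that way -- a `%` comments out
% everything up to the end of the physical line, so joining lines would silently
% drop the table rows that follow the commented-out \multicolumn headers below.
\documentclass[aspectratio=169,10pt]{beamer}
\usetheme[progressbar=head,numbering=fraction,sectionpage=none]{metropolis}

\usepackage{graphicx}
\usepackage{ulem}
\usepackage{xcolor}
\usepackage[scale=2]{ccicons}
\usepackage{pgfplots}
\usepackage{numprint}
\usepackage{booktabs}
\usepgfplotslibrary{dateplot}
\usepackage{hyperref}
\usepackage{multirow}
\usepackage{tcolorbox}
\usepackage{array}
\usepackage{xspace}

% Box styles shared by the "Threat Model" and "Conclusion" frames.
% detailbox: light box with a dark title bar, used for the expanded item.
% labelbox:  solid dark box with white text, used for the collapsed items.
\newtcolorbox{detailbox}[1]{%
  colback=orange!5!white,
  colframe=orange!50!black,
  colbacktitle=orange!75!black,
  title={#1}%
}
\newtcolorbox{labelbox}{%
  colback=orange!75!black,
  colframe=orange!50!black,
  coltext=white%
}

\title{Side-channel Based Runtime Intrusion Detection for Network Equipment}
\subtitle{Arthur Grisel-Davy, Goksen U. Guler, Julian Dickert, Philippe Vibien, Waleed Khan, Jack Morgan, Carlos Moreno, Sebastian Fischmeister.}
\date{}
\author{Arthur Grisel-Davy, agriseld@uwaterloo.ca}
\institute{University of Waterloo, Canada}

% Footnotes placed inside boxes (minipage-like) use symbols instead of letters.
\renewcommand{\thempfootnote}{\ifcase\value{mpfootnote}\or\textasteriskcentered\or\textdagger\or\textdaggerdbl\fi}

\begin{document}

\maketitle

% ---------------------------------------------------------------------------
% Motivation: the monitored host is not trusted to report on itself, so the
% detector has to rely on information obtained without its cooperation.
% ---------------------------------------------------------------------------
\begin{frame}{Introduction}
  \begin{center}
    {\LARGE We cannot entrust machines to assess their own integrity.}\\
    \vspace{1cm}
    \includegraphics[width=0.9\textwidth]{images/trust.pdf}
  \end{center}
\end{frame}

\begin{frame}{Introduction}
  \begin{center}
    {\LARGE Process assessment requires process-related information.}
  \end{center}
\end{frame}

\begin{frame}{Introduction}
  \begin{center}
    {\LARGE Get information without machine cooperation\\
    $\downarrow$\\
    Side-Channel Analysis}
  \end{center}
\end{frame}

% Four-step build-up of the same illustration (main_illustration_1..4).
\begin{frame}{Common IDS Solutions}
  \begin{center}
    \includegraphics[width=\textwidth]{images/main_illustration_1.pdf}
  \end{center}
\end{frame}

\begin{frame}{Common IDS Solutions}
  \begin{center}
    \includegraphics[width=\textwidth]{images/main_illustration_2.pdf}
  \end{center}
\end{frame}

\begin{frame}{Common IDS Solutions}
  \begin{center}
    \includegraphics[width=\textwidth]{images/main_illustration_3.pdf}
  \end{center}
\end{frame}

\begin{frame}{Common IDS Solutions}
  \begin{center}
    \includegraphics[width=\textwidth]{images/main_illustration_4.pdf}
  \end{center}
\end{frame}

% ---------------------------------------------------------------------------
% Threat model: three categories, one expanded per overlay. The categories
% match the three experiment families that follow.
% NOTE(review): the slide does not label the two halves of an expanded box;
% the upper half reads as the attacker's actions and the lower half as the
% resulting or associated threat -- confirm and consider labelling them.
% ---------------------------------------------------------------------------
\begin{frame}{Threat Model}
  \only<1>{%
    \begin{detailbox}{Firmware Manipulation}
      Change settings, Upgrade/Downgrade firmware, Replace firmware.
      \tcblower
      Machine takeover, Advanced Persistent Threats (APT).
    \end{detailbox}
    \begin{labelbox}
      Runtime Monitoring
    \end{labelbox}
    \begin{labelbox}
      Hardware Tampering
    \end{labelbox}
  }
  \only<2>{%
    \begin{labelbox}
      Firmware Manipulation
    \end{labelbox}
    \begin{detailbox}{Runtime Monitoring}
      Log tampering, Login (brute force/dictionary) attacks.
      \tcblower
      Intrusion, Covert operations.
    \end{detailbox}
    \begin{labelbox}
      Hardware Tampering
    \end{labelbox}
  }
  \only<3>{%
    \begin{labelbox}
      Firmware Manipulation
    \end{labelbox}
    \begin{labelbox}
      Runtime Monitoring
    \end{labelbox}
    \begin{detailbox}{Hardware Tampering}
      Installation/Removal of peripherals.
      \tcblower
      MAC flooding attacks.
    \end{detailbox}
  }
\end{frame}

% ---------------------------------------------------------------------------
% Experiment family I: firmware manipulation.
% ---------------------------------------------------------------------------
\begin{frame}{Experiment Family I - Firmware Manipulation}
  \begin{center}
    \includegraphics[height=0.9\textheight]{images/Firmware_Comparison_TD_direct.pdf}
  \end{center}
\end{frame}

\begin{frame}{Experiment Family I - Firmware Manipulation}
  Experiment 1: Classifying Firmware Version
  % Bold marks the best macro F1 score within each input-data group.
  \begin{table}[ht]
    \centering
    \begin{tabular}{lccc}
      \toprule
      \textbf{Data} & \textbf{Model} & \textbf{Macro F1 Score} & \textbf{Accuracy} \tabularnewline
      \midrule
      \multirow{2}*{DC Time Domain} & RFC & \textbf{\numprint[\%]{100}} & \numprint[\%]{100} \tabularnewline
      & SVM & \numprint[\%]{96.8} & \numprint[\%]{99.3} \tabularnewline
      \midrule
      \multirow{2}*{AC Time Domain} & RFC & \textbf{\numprint[\%]{87.4}} & \numprint[\%]{98.9} \tabularnewline
      & SVM & \numprint[\%]{75.8} & \numprint[\%]{95.5} \tabularnewline
      \midrule
      \multirow{2}*{DC Frequency Domain} & RFC & \textbf{\numprint[\%]{97.6}} & \numprint[\%]{99.8} \tabularnewline
      & SVM & \numprint[\%]{95.3} & \numprint[\%]{96.0} \tabularnewline
      \bottomrule
    \end{tabular}
    \caption{Comparison between the different algorithms for firmware classification.}
    \label{tab:fw-results}
  \end{table}
\end{frame}

\begin{frame}{Experiment Family I - Firmware Manipulation}
  Experiment 2: Detecting changes in subsequent firmware traces.
  \begin{center}
    \includegraphics[height=0.8\textheight]{images/fam_I_exp_2.pdf}
  \end{center}
\end{frame}

% ---------------------------------------------------------------------------
% Experiment family II: runtime monitoring (SSH login attempts).
% ---------------------------------------------------------------------------
\begin{frame}{Experiment Family II - Runtime Monitoring}
  \begin{center}
    \includegraphics[height=0.9\textheight]{images/time_domain_ssh.pdf}
  \end{center}
\end{frame}

\begin{frame}{Experiment Family II - Runtime Monitoring}
  Experiment 1: Detecting SSH Login Attempts
  % NOTE(review): for a detector, FPR (alert volume) and FNR (missed attempts)
  % are the operationally relevant columns. For a single positive class
  % FNR = 1 - recall, which the figures below do not satisfy, so precision and
  % recall are presumably averaged over classes while FPR/FNR refer to one
  % class -- TODO confirm against the paper and state the averaging on the slide.
  \begin{table}[ht]
    \centering
    \begin{tabular}{cccccccc}
      \toprule
      \textbf{Domain} & \textbf{Model} & \textbf{Precision} & \textbf{Recall} & \textbf{F1 Score} & \textbf{Accuracy} & \textbf{FPR} & \textbf{FNR} \tabularnewline
      %& \multicolumn{5}{>{\hsize=\dimexpr5\hsize+5\tabcolsep+\arrayrulewidth\relax}c}{\textbf{Time Domain}} & \tabularnewline
      \midrule
      \multirow{3}*{Time Domain} & RFC & \numprint[\%]{95} & \numprint[\%]{97} & \numprint[\%]{95} & \numprint[\%]{97} & \numprint[\%]{0.6} & \numprint[\%]{14} \tabularnewline
      & SVM & \numprint[\%]{95} & \numprint[\%]{97} & \textbf{\numprint[\%]{96}} & \numprint[\%]{98} & \numprint[\%]{0.8} & \numprint[\%]{8} \tabularnewline
      & 1D~CNN & \numprint[\%]{94} & \numprint[\%]{93} & \numprint[\%]{93} & \numprint[\%]{96} & \numprint[\%]{2} & \numprint[\%]{9} \tabularnewline
      \midrule
      %& \multicolumn{5}{>{\hsize=\dimexpr5\hsize+5\tabcolsep+\arrayrulewidth\relax}c}{\textbf{Frequency Domain}} & \tabularnewline
      % This group has two rows, so the label spans two rows.
      \multirow{2}*{Frequency Domain} & RFC & \numprint[\%]{89} & \numprint[\%]{67} & \numprint[\%]{72} & \numprint[\%]{88} & \numprint[\%]{12} & \numprint[\%]{8} \tabularnewline
      & 1D~CNN & \numprint[\%]{90} & \numprint[\%]{90} & \textbf{\numprint[\%]{90}} & \numprint[\%]{94} & \numprint[\%]{3} & \numprint[\%]{17} \tabularnewline
      \midrule
      %& \multicolumn{5}{>{\hsize=\dimexpr5\hsize+5\tabcolsep+\arrayrulewidth\relax}c}{\textbf{Time + Frequency Domain}} & \tabularnewline
      Time + Frequency & 1D~CNN & \numprint[\%]{89} & \numprint[\%]{95} & \textbf{\numprint[\%]{92}} & \numprint[\%]{95} & \numprint[\%]{1} & \numprint[\%]{20} \tabularnewline
      \bottomrule
    \end{tabular}
    \caption{Comparison between the different algorithms for detecting SSH login attempts.}
    \label{tab:ssh-precision-comparison}
  \end{table}
\end{frame}

\begin{frame}{Experiment Family II - Runtime Monitoring}
  Experiment 2: Classifying SSH Login Attempts
  % NOTE(review): the RFC row pairs 96.7% accuracy with a 12% FPR and an 8% FNR,
  % the same FPR/FNR pair as the frequency-domain RFC row of the detection
  % table -- looks like a possible copy-over; verify against the paper.
  \begin{table}[ht]
    \centering
    \begin{tabular}{ccccccc}
      \toprule
      \textbf{Model} & \textbf{Precision} & \textbf{Recall} & \textbf{F1 Score} & \textbf{Accuracy} & \textbf{FPR} & \textbf{FNR} \tabularnewline
      \midrule
      & \multicolumn{5}{>{\hsize=\dimexpr5\hsize+5\tabcolsep+\arrayrulewidth\relax}c}{\textbf{Time Domain}} & \tabularnewline
      \midrule
      RFC & \numprint[\%]{97} & \numprint[\%]{97} & \numprint[\%]{97} & \numprint[\%]{96.7} & \numprint[\%]{12} & \numprint[\%]{8} \tabularnewline
      SVM & \numprint[\%]{99} & \numprint[\%]{99} & \textbf{\numprint[\%]{99}} & \numprint[\%]{98.5} & \numprint[\%]{1} & \numprint[\%]{1.5} \tabularnewline
      1D~CNN & \numprint[\%]{98.5} & \numprint[\%]{98} & \numprint[\%]{98} & \numprint[\%]{98} & \numprint[\%]{1} & \numprint[\%]{2} \tabularnewline
      \bottomrule
    \end{tabular}
    \caption{Comparison between the different algorithms for classifying SSH login attempts.}
    \label{tab:ssh-classification-precision-comparison}
  \end{table}
\end{frame}

% ---------------------------------------------------------------------------
% Experiment family III: hardware tampering.
% ---------------------------------------------------------------------------
\begin{frame}{Experiment Family III - Hardware Tampering}
  \begin{center}
    \includegraphics[height=\textheight]{images/switch.jpg}
  \end{center}
\end{frame}

\begin{frame}{Experiment Family III - Hardware Tampering}
  \begin{center}
    \includegraphics[width=\textwidth]{images/detect_change.pdf}
  \end{center}
\end{frame}

\begin{frame}{Experiment Family III - Hardware Tampering}
  Experiment 1: Identifying the Number of Expansion Modules
  % Four columns are used, so the column specification declares four.
  % TODO(review): "DC / SVM" appears twice with different scores; the last row
  % presumably belongs to another input or model -- correct the label from the
  % paper before presenting.
  \begin{table}[ht]
    \centering
    \begin{tabular}{cccc}
      \toprule
      \textbf{Input Data} & \textbf{Model} & \textbf{Accuracy} & \textbf{Recall} \tabularnewline
      \midrule
      DC & SVM & \numprint[\%]{100} & \numprint[\%]{100} \tabularnewline
      DC & KNN & \textbf{\numprint[\%]{100}} & \numprint[\%]{100} \tabularnewline
      DC & SVM & \numprint[\%]{99.5} & \numprint[\%]{99.45} \tabularnewline
      \bottomrule
    \end{tabular}
    \caption{Comparison between the different models for hardware detection with a stratified 10-fold cross validation setup.}
    \label{tab:hardware-results}
  \end{table}
\end{frame}

% ---------------------------------------------------------------------------
% Conclusion.
% ---------------------------------------------------------------------------
\begin{frame}{Conclusion}
  \only<1>{%
    \begin{detailbox}{Advantages of Physics-Based IDS}
      \begin{itemize}
        \item Host-independence
        \item Fail-safe design
      \end{itemize}
    \end{detailbox}
    \begin{detailbox}{Capabilities}
      \begin{itemize}
        \item Boot process assessment (published and submitted work)\footnote{Work-in-Progress: Boot Sequence Integrity Verification with Power Analysis, EMSOFT 22}.
        \item Run-time monitoring / Log verification. (submitted work)
        \item Hardware tampering detection.
      \end{itemize}
    \end{detailbox}
  }
\end{frame}

\begin{frame}{Thank You}
  Paper: Side-channel Based Runtime Intrusion Detection for Network Equipment\\
  Contact: \textbf{agriseld@uwaterloo.ca}
\end{frame}

\end{document}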