#import "@preview/polylux:0.3.1": * #import themes.metropolis: * #show: metropolis-theme.with( footer: [CC BY-NC-SA] ) #set text(font: "STIX Two Text", weight: "light", size: 20pt) #show math.equation: set text(font: "STIX Two Text") #set strong(delta: 100) #set par(justify: true) #title-slide( author: [Arthur Grisel-Davy], title: "Seminar: Process-Power Consistency as Sanity Check", subtitle: "Subtitle", date: "September 2024", extra: "" ) #slide(title: "State of the IDS")[ // Most IDS rely on host-based information // Process List is a very common default info to verify #only(1)[#align(center)[#image("images/hids_redscan.png", width:100%)]] #only(2)[#align(center)[#image("images/hids_malwarebyte.png", width:100%)]] #only(3)[#align(center)[#image("images/hids_windows.png", width:100%)]] #only(4)[#align(center)[#image("images/hids_falcon.png", width:100%)]] ] #slide(title:"State of the IDS")[ // Process masquerading is trivialy posible and used by many attacks (Mitre AttCK list) #line-by-line[ - #text(weight:"bold")[Known Attacks] #cite(label("mitre_masquerade"), supplement:"MITRE"): AcroRD32.exe (Adobe), kb-10233.exe (Windows Update), mfevtpse.exe (McAfee). - #text(weight:"bold")[Technics:] - #box(baseline: 60%, height:2em, image("images/linux.svg", height:100%)): Bind Mounts @mount, #text(fill:red)[find more] - #box(baseline: 60%, height:2em, image("images/windows.svg", height:100%)): msdtc.exe , #text(fill:red)[find more] ] ] #slide(title:"State of the IDS")[ // Countermeasure to process masquerading Listed by MITRE|ATT&CK: - Monitor OS API Calls (e.g. forks) - Monitor process creation source. Listed by Red Canary: - Heuristic on process properties (name, location, etc.) #uncover(2)[#align(center)[#text(fill:red, weight:"bold")[All Host-Based Methods!]]] ] #slide(title:"State of the IDS")[ #align(center)[ You would not blindly trust the saying of a hostage, they might be speaking under threat. #uncover(2)[ #sym.arrow You should not trust data comming from a the device to protect, it might have been tampered with. ] ] ] #slide(title:"Process List Verification")[ // We can't stop using the process list, so let's try to verify it // Power as a trusted source of information #only(1)[#align(center)[#image("images/wein_1.svg", height:100%)]] #only(2)[#align(center)[#image("images/wein_2.svg", height:100%)]] #only(3)[#align(center)[#image("images/wein_3.svg", height:100%)]] ] #slide(title:"Power Side-Channel")[ // Why is power trusted // Why is it correlated with the process list // Why is it the best/most practical side-channel Power is: - Easy to measure (at high sampling rate) - Position independant - Ubiquitus - Scaling from global to granular ] #slide(title: "Problem Statement")[ #align(center)[Given a list of #text(blue)[processes] over time and the #text(orange)[power consumption] of a machine, detect tampering to the list of processes.] ] #slide(title:"Input Data")[ // Setup of the experiment // What data to gather // Log data // Power data (comparison hardware/software) // Resulting dataset #only(1)[#image("images/data_collection_1.svg", width:100%)] #only(2)[#image("images/data_collection_2.svg", width:100%)] ] #slide(title:"Input Data - Power")[ - Cable current #sym.arrow current clamp #sym.arrow ADC #sym.arrow server - Capure: 10ksps - Downsample: 2 SPS with average and median aggregation. #text(red)[check the specifics] ] #slide(title: "Input Data - Processes")[ #image("images/data_collection_3.svg", width:100%) ] #slide(title: "Input Data - Processes")[ #for i in range(10){ [#only(i+1)[#image("images/processes_"+str(i+1)+".svg", height:100%)]] } ] #slide(title:"Dataset")[ #only(1)[#align(center)[#image("images/dataset.svg", height:100%)]] #for i in range(3){ [#only(i+1)[#image("images/dataset_zoom_details_"+str(i+1)+".svg", height:100%)]] } ] #slide(title:"Proposed Approach")[ #only(1)[#align(center)[#image("images/equation_1.svg", width:100%)]] #only(2)[#align(center)[#image("images/equation_2.svg", width:100%)]] #only(3)[#align(center)[#image("images/equation_3.svg", width:100%)]] ] #slide(title:"Proposed Approach - model")[ #only(1)[#align(center)[#image("images/model_1.svg", width:100%)]] #only(2)[#align(center)[#image("images/model_2.svg", width:100%)]] #only(3)[#align(center)[#image("images/model_3.svg", width:100%)]] ] #slide(title:"Evaluation - Baseline")[ #align(center)[#image("images/baseline.svg", height:100%)] ] #slide(title:"Evaluation - Baseline")[ #align(center)[#image("images/preds_baseline.svg", height:100%)] ] #slide(title:"Evaluation - Attack")[ #only(1)[#align(center)[#image("images/preds_attacks_stress.svg", height:100%)]] #only(1)[#align(center)[#image("images/preds_attacks_stress-ng-matrix.svg", height:100%)]] ] #slide(title:"Future Developements")[ #bibliography("biblio.yml") ]