#import "@preview/polylux:0.3.1": * #import themes.metropolis: * #show: metropolis-theme.with( footer: [CC BY-NC-SA] ) #set text(font: "STIX Two Text", weight: "light", size: 20pt) #show math.equation: set text(font: "STIX Two Text") #set strong(delta: 100) #set par(justify: true) #title-slide( author: [Arthur Grisel-Davy], title: "Process List Verification with Power Analysis", subtitle: "Subtitle", date: "September 2024", extra: "" ) #slide(title: "State of the IDS")[ // Most IDS rely on host-based information // Process List is a very common default info to verify #only(1)[#align(center)[#image("images/hids_redscan.png", width:100%)]] #only(2)[#align(center)[#image("images/hids_malwarebyte.png", width:100%)]] #only(3)[#align(center)[#image("images/hids_windows.png", width:100%)]] #only(4)[#align(center)[#image("images/hids_falcon.png", width:100%)]] ] #slide(title:"State of the IDS")[ // Process masquerading is trivialy posible and used by many attacks (Mitre AttCK list) #text(weight:"bold")[Known Attacks:] - AcroRD32.exe (Adobe), kb-10233.exe (Windows Update), mfevtpse.exe (McAfee). - Azazel Rootkit - Adore-ng Rootkit - DLL Injections (in explorer.exe) - Direct Kernel Object Manipulation (FU Rootkit) - Hooking System Calls (t0rn Rootkit) ] #slide(title:"State of the IDS")[ #align(center)[ You would not blindly trust the saying of a hostage, they might be speaking under threat. #uncover(2)[ #sym.arrow You should not trust data comming from a the device to protect, it might have been tampered with. ] ] ] #slide(title:"Process List Verification")[ // We can't stop using the process list, so let's try to verify it // Power as a trusted source of information #only(1)[#align(center)[#image("images/wein_1.svg", height:100%)]] #only(2)[#align(center)[#image("images/wein_2.svg", height:100%)]] #only(3)[#align(center)[#image("images/wein_3.svg", height:100%)]] ] #slide(title:"Power Side-Channel")[ // Why is power trusted // Why is it correlated with the process list // Why is it the best/most practical side-channel Power is: - Easy & cheap to measure (at high sampling rate) - Position independant - Ubiquitous // - Scaling from global to granular ] #slide(title: "Problem Statement")[ #align(center)[Given a list of #text(blue)[processes] over time and the #text(orange)[power consumption] of a machine, detect tampering to the list of processes.] ] #slide(title:"Input Data")[ // Setup of the experiment // What data to gather // Log data // Power data (comparison hardware/software) // Resulting dataset #only(1)[#image("images/data_collection_1.svg", width:100%)] #only(2)[#image("images/data_collection_2.svg", width:100%)] ] #slide(title:"Input Data - Power")[ - Cable current #sym.arrow current clamp #sym.arrow ADC #sym.arrow server - Capure: 10ksps - Downsample: 2 SPS with average and median aggregation. ] #slide(title: "Input Data - Processes")[ #image("images/data_collection_3.svg", width:100%) ] #slide(title: "Input Data - Processes")[ #for i in range(10){ [#only(i+1)[#image("images/processes_"+str(i+1)+".svg", height:100%)]] } ] #slide(title:"Dataset")[ #only(1)[#align(center)[#image("images/dataset.svg", height:100%)]] #for i in range(3){ [#only(i+1)[#image("images/dataset_zoom_details_"+str(i+1)+".svg", height:100%)]] } ] #slide(title:"Proposed Approach")[ #only(1)[#align(center)[#image("images/equation_1.svg", width:100%)]] #only(2)[#align(center)[#image("images/equation_2.svg", width:100%)]] #only(3)[#align(center)[#image("images/equation_3.svg", width:100%)]] ] #slide(title:"Proposed Approach - model")[ #only(1)[#align(center)[#image("images/model_1.svg", width:100%)]] #only(2)[#align(center)[#image("images/model_2.svg", width:100%)]] #only(3)[#align(center)[#image("images/model_3.svg", width:100%)]] ] #slide(title:"Evaluation - Baseline")[ #align(center)[#image("images/baseline.svg", height:100%)] ] #slide(title:"Evaluation - Baseline")[ #align(center)[#image("images/preds_baseline.svg", height:100%)] ] #slide(title:"Evaluation - Attack")[ #only(1)[#align(center)[#image("images/preds_attacks_stress.svg", height:100%)]] #only(1)[#align(center)[#image("images/preds_attacks_stress-ng-matrix.svg", height:100%)]] ] #slide(title:"Evaluation - Successful Attack")[ #align(center)[#image("images/preds_attacks_fusermount3.svg", height:100%)] ] #slide(title:"Evaluation - All Processes MSE")[ #align(center)[#image("images/attack_mse.svg", height:100%)] ] #slide(title:"Alternative Approach - Decomposed Power Trace")[ // schematic of the overview #for i in range(5){ [#only(i+2)[#image("images/decomposed_"+str(i+1)+".svg", height:100%)]] } ] #slide(title:"Alternative Approach - Decomposed Power Trace")[ #only(1)[#align(center)[#image("images/number_values_state.svg", height:100%)]] #only(2)[#align(center)[#image("images/states_ts.svg", height:100%)]] ] #slide(title:"Conclusion and Future Works")[ #text(weight:"bold")[Conclusion:] - Exploitable relationship processes-power - Many applicable methods #sym.arrow robustness - Large range of targets #uncover(2)[ #text(weight:"bold")[Next Steps:] - Collect more and better data - Try methods on other devices - Developp a benchmark for attack detection - Decomposition Approach - Extract process information from decomposed abnormal time series - Benchmark against MLP approach ] ]