#import "@preview/polylux:0.3.1": *
#import themes.metropolis: *
#import "@preview/tablex:0.0.5": tablex, hlinex, vlinex, colspanx, rowspanx

#show: metropolis-theme.with(
  footer: [CC BY-SA 4.0 Arthur Grisel-Davy]
)

#set text(font: "Fira Sans", weight: "light", size: 20pt)
#show math.equation: set text(font: "Fira Math")
#set strong(delta: 100)
#set par(justify: true)

#title-slide(
  author: [Arthur Grisel-Davy, Sebastian Fischmeister],
  title: text(size: 30pt, weight: 500)[MAD: One-Shot Machine Activity Detector for Physics-Based Cyber Security],
  subtitle: "",
  date: "University of Waterloo",
  extra: "agriseld@uwaterloo.ca"
)

//#slide(title: "Table of contents")[
//  #metropolis-outline
//]

#slide(title: "Introduction")[
    #only(1)[#figure(image("images/wein_p1.svg", height: 100%))]
    #only(2)[#figure(image("images/wein_p2.svg", height: 100%))]
    #only(3)[#figure(image("images/wein_p3.svg", height: 100%))]
    #only(4)[#figure(image("images/wein_p4.svg", height: 100%))]
    #only(5)[#figure(image("images/wein_p5.svg", height: 100%))]
]


#slide(title: "Problem Statement")[
#align(center)[Given a #text(fill: blue, weight:400 )[discretized time series $t$] and a #text(fill: red, weight:400)[set of patterns $P=\{P_1, dots.h, P_n\}$], identify a mapping $m: NN arrow.r P union lambda$ such that every sample $t[i]$ maps to a pattern in $P union lambda$ with the condition that the sample #text(fill: purple, weight: 400)[matches] an occurrence of the pattern in $t$.]
]

//#slide(title: "Proposed Approach")[
//    #only(1)[#figure(image("images/aproach_p1.svg", width: 100%))]
//    #only(2)[#figure(image("images/aproach_p2.svg", width: 100%))]
//    #only(3)[#figure(image("images/aproach_p3.svg", width: 100%))]
//    #only(4)[#figure(image("images/aproach_p4.svg", width: 100%))]
//    #only(5)[#figure(image("images/aproach_p5.svg", width: 100%))]
//    #only(6)[#figure(image("images/aproach_p6.svg", width: 100%))]
//    #only(7)[#figure(image("images/aproach_p7.svg", width: 100%))]
//    #only(8)[#figure(image("images/aproach_p8.svg", width: 100%))]
//    #only(9)[#figure(image("images/aproach_p9.svg", width: 100%))]
//]


#slide(title: "Proposed Approcah")[
#align(center)[
#text(weight: "bold")[Metric:] The distance between a sample and a pattern is the minimum normalized distance between the pattern and any pattern-length substring that includes the samples.
#v(1cm)
#text(weight: "bold")[Decision:] Each sample receives the label of the closest training pattern.
]
]

//#slide(title: "2D Interpretation")[
//    
//    #only(1)[#figure(image("images/2d_p1.svg", width: 100%))]
//    #only(2)[#figure(image("images/2d_p2.svg", width: 100%))]
//    #only(3)[#figure(image("images/2d_p3.svg", width: 100%))]
//    #only(4)[#figure(image("images/2d_p4.svg", width: 100%))]
//    #only(5)[#figure(image("images/2d_p5.svg", width: 100%))]
//]

#slide(title: "Question")[
#align(center)[Should the algorithm #text(weight: "bold")[always] choose a label?]
]

#slide(title: "2D Interpretation")[
    
    #figure(image("images/2d_p6.svg", width: 100%))
]

#slide(title: "Parameter "+sym.alpha)[
    #figure(
        image("images/areas.svg", width: 100%)
    )
#align(center)[With $alpha lt.triple 2$, the algorithm acquire novelty-detection capability.]
]

#slide(title: "Performance Metric")[
#figure(
        image("images/metric.svg", width: 100%)
    )
]


#slide(title: "Case Study 1")[

#align(center)[
#figure(
tablex(
    columns: (auto, auto, auto),
    auto-vlines: false,
    repeat-header: false,
    align: (left+horizon,right+horizon,right+horizon),
    [#text(weight:"bold")[Dataset]], [#text(weight: "bold")[Length]], [#text(weight: "bold")[Number of Occurences]],
    [NUCPC-0], [22700], [11],
    [NUCPC-1], [7307], [8],
    [Generated], [15540], [18],
    [WAP-ASUS], [26880], [18],
    [WAP-LINKSYS], [22604], [18],
    [REFIT-H4A4], [5366], [17],
    [REFIT-H4A1], [100000], [142]
),
caption: "Results of the case study 1",
supplement: none,
)
]

]
#slide(title: "Case Study 1 - Results")[
#figure(
        image("images/dsd_acc.svg", height: 100%)
    )
]


#slide(title: "Case Study 2")[
#image("images/rules_pipeline.svg", width:100%)
]

#slide(title: "Case Study 2")[
#align(center)[
#image("images/2w_experiment.svg", width: 90%)

#tablex(
    columns: (auto, auto, auto),
    auto-vlines: false,
    repeat-header: false,
    align: (left+horizon,right+horizon,right+horizon),
    [#text(weight:"bold")[Rule ID]], [#text(weight: "bold")[Rule]], [#text(weight: "bold")[Threat]],
    [1], ["SLEEP" state only], [Machine takeover, Botnet, Rogue employee],
    [2], [No "SLEEP" for more than 8m], [System malfunction],
    [3], [One "REBOOT"], [APT, Backdoors],
    [4], [No "HIGH" for more than 30s], [Crypto mining, Ransomware, Botnet],
)
]
]


#slide(title: "Case Study 2")[
#figure(
        image("images/preds.svg", height: 100%)
    )
]

#slide(title: "Case Study 2 - Results")[
#align(center)[
#figure(
tablex(
    columns: (auto, auto, auto),
    auto-vlines: false,
    repeat-header: false,
    align: (left+horizon,right+horizon,right+horizon),
    [#text(weight:"bold")[Rule]], [#text(weight: "bold")[Violation Ratio]], [#text(weight: "bold")[Micro-$F_1$]],
    [Night Sleep], [0.33], [1.0],
    [Work Hours], [0.3], [1.0],
    [Reboot], [0.48], [1.0],
    [No Long High], [0.75], [1.0],
),
caption: "Results of the case study 2",
supplement: none,
)
]
]

#slide(title: "Future Work")[
- Automatic Training (Patterns Extraction) #pause
- Multivariate Support
]

#focus-slide()[
    Log Verification
]