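% Slide deck: side-channel based runtime intrusion detection for network
% equipment.  After the threat model, three experiment families are shown:
% firmware manipulation, runtime monitoring (SSH logins), hardware tampering.
\documentclass[aspectratio=169,10pt]{beamer}
\usetheme[progressbar=head,numbering=fraction,sectionpage=none]{metropolis}

\usepackage{graphicx}
\usepackage{ulem}
\usepackage{xcolor}
\usepackage[scale=2]{ccicons}
\usepackage{pgfplots}
\usepackage{numprint}
\usepackage{booktabs}
\usepgfplotslibrary{dateplot}
\usepackage{hyperref}
\usepackage{multirow}
\usepackage{tcolorbox}
\usepackage{array}
\usepackage{xspace}

% Box styles shared by the Threat Model and Conclusion frames.  Keeping the
% colours in one place avoids the copy-paste slips the repeated option lists
% invited (a collapsed box carrying the wrong label on overlay 2).
\tcbset{
  open panel/.style={
    colback=orange!5!white,
    colframe=orange!50!black,
    colbacktitle=orange!75!black,
    title={#1},
  },
  closed panel/.style={
    colback=orange!75!black,
    colframe=orange!50!black,
    coltext=white,
  },
}

% Percentage cell for the result tables: \pct{96.8} prints the number with a
% trailing percent sign via numprint.
\newcommand*{\pct}[1]{\numprint[\%]{#1}}

\title{Side-channel Based Runtime Intrusion Detection for Network Equipment}
\subtitle{}
\date{}
\author{Arthur Grisel-Davy}
\institute{University of Waterloo, Canada}

% Footnotes inside boxes are minipage footnotes; mark them with symbols
% (asterisk, dagger, double dagger) instead of letters.
\renewcommand{\thempfootnote}{%
  \ifcase\value{mpfootnote}\or\textasteriskcentered\or\textdagger\or\textdaggerdbl\fi
}

\begin{document}

\maketitle

\begin{frame}{Introduction}
  \begin{center}
    % \LARGE is set for the whole environment so that wrapped lines also get
    % the matching line spacing.
    \LARGE
    We cannot entrust machines to assess their own integrity.\\[1.5cm]
    Integrity assessment requires access to relevant information.
  \end{center}
\end{frame}

% Four build-up steps of the same illustration.
\begin{frame}{Common IDS Solution}
  \begin{center}
    \includegraphics[width=\textwidth]{images/main_illustration_1.pdf}
  \end{center}
\end{frame}

\begin{frame}{Common IDS Solution}
  \begin{center}
    \includegraphics[width=\textwidth]{images/main_illustration_2.pdf}
  \end{center}
\end{frame}

\begin{frame}{Common IDS Solution}
  \begin{center}
    \includegraphics[width=\textwidth]{images/main_illustration_3.pdf}
  \end{center}
\end{frame}

\begin{frame}{Common IDS Solution}
  \begin{center}
    \includegraphics[width=\textwidth]{images/main_illustration_4.pdf}
  \end{center}
\end{frame}

\begin{frame}{Threat Model}
  % One overlay per threat family.  The family in focus is expanded; the text
  % above \tcblower apparently lists attacker actions and the text below it
  % the resulting threats.  The other two families stay collapsed.
  \only<1>{
    \begin{tcolorbox}[open panel=Firmware Manipulation]
      Change settings, upgrade/downgrade firmware, replace firmware.
      \tcblower
      Machine takeover, Advanced Persistent Threats.
    \end{tcolorbox}
    \begin{tcolorbox}[closed panel]
      Runtime Monitoring
    \end{tcolorbox}
    \begin{tcolorbox}[closed panel]
      Hardware Tampering
    \end{tcolorbox}
  }
  \only<2>{
    \begin{tcolorbox}[closed panel]
      Firmware Manipulation
    \end{tcolorbox}
    \begin{tcolorbox}[open panel=Runtime Monitoring]
      Log tampering, login (brute force/dictionary) attacks.
      \tcblower
      Intrusion, Covert operations.
    \end{tcolorbox}
    % The original repeated the (misspelt) "Runtime Monitoring" label here;
    % the third family is Hardware Tampering, as on overlays 1 and 3.
    \begin{tcolorbox}[closed panel]
      Hardware Tampering
    \end{tcolorbox}
  }
  \only<3>{
    \begin{tcolorbox}[closed panel]
      Firmware Manipulation
    \end{tcolorbox}
    \begin{tcolorbox}[closed panel]
      Runtime Monitoring
    \end{tcolorbox}
    \begin{tcolorbox}[open panel=Hardware Tampering]
      Installation/removal of peripherals.
      \tcblower
      MAC Flooding attacks.
    \end{tcolorbox}
  }
\end{frame}

\begin{frame}{Experiment Family I -- Firmware Manipulation}
  \begin{center}
    \includegraphics[height=0.9\textheight]{images/Firmware_Comparison_TD_direct.pdf}
  \end{center}
\end{frame}

\begin{frame}{Experiment Family I -- Firmware Manipulation}
  Experiment 1: Classifying Firmware Version
  % NOTE(review): for the AC time-domain rows the macro F1 (87.4 / 75.8) sits
  % well below the accuracy (98.9 / 95.5).  That gap usually means some
  % firmware classes are under-represented or poorly separated; per-class
  % recall would show whether the version being missed is the one a defender
  % cares about.  The 100 % DC row is worth backing with the train/test split
  % used, which this slide does not state.
  \begin{table}[ht]
    \centering
    \begin{tabular}{lccc}
      \toprule
      \textbf{Data} & \textbf{Model} & \textbf{Macro F1 Score} & \textbf{Accuracy} \tabularnewline
      \midrule
      \multirow{2}*{DC Time Domain}      & RFC & \pct{100}  & \pct{100}  \tabularnewline
                                         & SVM & \pct{96.8} & \pct{99.3} \tabularnewline
      \midrule
      \multirow{2}*{AC Time Domain}      & RFC & \pct{87.4} & \pct{98.9} \tabularnewline
                                         & SVM & \pct{75.8} & \pct{95.5} \tabularnewline
      \midrule
      \multirow{2}*{DC Frequency Domain} & RFC & \pct{97.6} & \pct{99.8} \tabularnewline
                                         & SVM & \pct{95.3} & \pct{96.0} \tabularnewline
      \bottomrule
    \end{tabular}
    \caption{Comparison between the different algorithms for firmware classification.}
    \label{tab:fw-results}
  \end{table}
\end{frame}

\begin{frame}{Experiment Family I -- Firmware Manipulation}
  % NOTE: the source has no results on this slide, only the heading.
  Experiment 2: Detecting Firmware Change
\end{frame}

\begin{frame}{Experiment Family II -- Runtime Monitoring}
  \begin{center}
    \includegraphics[height=0.9\textheight]{images/time_domain_ssh.pdf}
  \end{center}
\end{frame}

\begin{frame}{Experiment Family II -- Runtime Monitoring}
  Experiment 1: Detecting SSH Login Attempts
  % NOTE(review): Recall and FNR do not add up to 100 % in any row (RFC, time
  % domain: 97 and 14), so Precision/Recall/F1 are presumably averaged over
  % both classes while FPR/FNR refer to the login-attempt class -- confirm and
  % state it on the slide.  For an intrusion detector the per-class miss rate
  % (FNR) and the FPR are the operational numbers; accuracy alone hides them.
  \begin{table}[ht]
    \centering
    \begin{tabular}{ccccccc}
      \toprule
      \textbf{Model} & \textbf{Precision} & \textbf{Recall} & \textbf{F1 Score} & \textbf{Accuracy} & \textbf{FPR} & \textbf{FNR} \tabularnewline
      \midrule
      % Group label rows were disabled in the original; they use a column type
      % Y that this preamble does not define.  The caption names the groups.
      %& \multicolumn{5}{>{\hsize=\dimexpr5\hsize+5\tabcolsep+\arrayrulewidth\relax}Y}{\textbf{Time Domain}} & \tabularnewline
      RFC    & \pct{95} & \pct{97} & \pct{95} & \pct{97} & \pct{0.6} & \pct{14} \tabularnewline
      SVM    & \pct{95} & \pct{97} & \pct{96} & \pct{98} & \pct{0.8} & \pct{8}  \tabularnewline
      1D~CNN & \pct{94} & \pct{93} & \pct{93} & \pct{96} & \pct{2}   & \pct{9}  \tabularnewline
      \midrule
      %& \multicolumn{5}{>{\hsize=\dimexpr5\hsize+5\tabcolsep+\arrayrulewidth\relax}Y}{\textbf{Frequency Domain}} & \tabularnewline
      RFC    & \pct{89} & \pct{67} & \pct{72} & \pct{88} & \pct{12}  & \pct{8}  \tabularnewline
      SVM    & --       & --       & --       & --       & --        & --       \tabularnewline
      1D~CNN & \pct{90} & \pct{90} & \pct{90} & \pct{94} & \pct{3}   & \pct{17} \tabularnewline
      \midrule
      %& \multicolumn{5}{>{\hsize=\dimexpr5\hsize+5\tabcolsep+\arrayrulewidth\relax}Y}{\textbf{Time + Frequency Domain}} & \tabularnewline
      1D~CNN & \pct{89} & \pct{95} & \pct{92} & \pct{95} & \pct{1}   & \pct{20} \tabularnewline
      \bottomrule
    \end{tabular}
    \caption{Comparison between the different algorithms for detecting SSH login attempts.
      Row groups, top to bottom: time-domain, frequency-domain, and time + frequency-domain input.}
    \label{tab:ssh-precision-comparison}
  \end{table}
\end{frame}

\begin{frame}{Experiment Family II -- Runtime Monitoring}
  Experiment 2: Classifying SSH Login Attempts
  % NOTE(review): the RFC row's FPR/FNR (12 / 8) equal the frequency-domain
  % RFC row of the detection table and look high next to 97 % precision and
  % recall -- check for a copy-paste slip.  The slide also does not say how
  % FPR/FNR are defined for this classification task.
  \begin{table}[ht]
    \centering
    \begin{tabular}{ccccccc}
      \toprule
      \textbf{Model} & \textbf{Precision} & \textbf{Recall} & \textbf{F1 Score} & \textbf{Accuracy} & \textbf{FPR} & \textbf{FNR} \tabularnewline
      \midrule
      % Group label centred over the five middle columns.
      & \multicolumn{5}{c}{\textbf{Time Domain}} & \tabularnewline
      \midrule
      RFC    & \pct{97}   & \pct{97} & \pct{97} & \pct{96.7} & \pct{12} & \pct{8}   \tabularnewline
      SVM    & \pct{99}   & \pct{99} & \pct{99} & \pct{98.5} & \pct{1}  & \pct{1.5} \tabularnewline
      1D~CNN & \pct{98.5} & \pct{98} & \pct{98} & \pct{98}   & \pct{1}  & \pct{2}   \tabularnewline
      \bottomrule
    \end{tabular}
    \caption{Comparison between the different algorithms for classifying SSH login attempts.}
    \label{tab:ssh-classification-precision-comparison}
  \end{table}
\end{frame}

\begin{frame}{Experiment Family III -- Hardware Tampering}
  \begin{center}
    \includegraphics[height=\textheight]{images/switch.jpg}
  \end{center}
\end{frame}

\begin{frame}{Experiment Family III -- Hardware Tampering}
  \begin{center}
    \includegraphics[width=\textwidth]{images/detect_change.pdf}
  \end{center}
\end{frame}

\begin{frame}{Experiment Family III -- Hardware Tampering}
  Experiment 1: Identifying the Number of Expansion Modules
  % NOTE(review): the first and third rows are both labelled DC / SVM but
  % report different scores; one of the two labels (input data or model) is
  % presumably wrong -- confirm against the experiment.  Labels are kept as
  % in the source.
  \begin{table}[ht]
    \centering
    % Four columns are used; the original declared a fifth, empty one.
    \begin{tabular}{cccc}
      \toprule
      \textbf{Input Data} & \textbf{Model} & \textbf{Accuracy} & \textbf{Recall} \tabularnewline
      \midrule
      DC & SVM & \pct{100}  & \pct{100}   \tabularnewline
      DC & KNN & \pct{100}  & \pct{100}   \tabularnewline
      DC & SVM & \pct{99.5} & \pct{99.45} \tabularnewline
      \bottomrule
    \end{tabular}
    \caption{Comparison between the different models for hardware detection with a stratified 10-fold cross-validation setup.}
    \label{tab:hardware-results}
  \end{table}
\end{frame}

\begin{frame}{Conclusion}
  \only<1>{
    \begin{tcolorbox}[open panel=Advantages of Physics-Based IDS]
      \begin{itemize}
        \item Host-independence
        % NOTE(review): this presumably rests on the measurement path being
        % out of the monitored host's reach; worth saying so explicitly.
        \item Trustworthy input data
        % TODO(author): the source had a third, empty \item here; it is
        % dropped so that no blank bullet is rendered.
      \end{itemize}
    \end{tcolorbox}
    \begin{tcolorbox}[open panel=Capabilities]
      \begin{itemize}
        \item Boot Process Assessment\footnote{Work-in-Progress: Boot Sequence Integrity Verification with Power Analysis, EMSOFT 22}.
        \item Run-time Monitoring / Log Verification.
        \item Hardware Tampering Detection.
      \end{itemize}
    \end{tcolorbox}
  }
\end{frame}

\end{document}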