143 lines
4.4 KiB
Typst
143 lines
4.4 KiB
Typst
#import "@preview/polylux:0.3.1": *
|
|
#import themes.metropolis: *
|
|
|
|
#show: metropolis-theme.with(
|
|
footer: [CC BY-NC-SA]
|
|
)
|
|
|
|
#set text(font: "STIX Two Text", weight: "light", size: 20pt)
|
|
#show math.equation: set text(font: "STIX Two Text")
|
|
#set strong(delta: 100)
|
|
#set par(justify: true)
|
|
|
|
#title-slide(
|
|
author: [Arthur Grisel-Davy],
|
|
title: "Seminar: Process-Power Consistency as Sanity Check",
|
|
subtitle: "Subtitle",
|
|
date: "September 2024",
|
|
extra: ""
|
|
)
|
|
|
|
#slide(title: "State of the IDS")[
|
|
// Most IDS rely on host-based information
|
|
// Process List is a very common default info to verify
|
|
#only(1)[#align(center)[#image("images/hids_redscan.png", width:100%)]]
|
|
#only(2)[#align(center)[#image("images/hids_malwarebyte.png", width:100%)]]
|
|
#only(3)[#align(center)[#image("images/hids_windows.png", width:100%)]]
|
|
#only(4)[#align(center)[#image("images/hids_falcon.png", width:100%)]]
|
|
]
|
|
#slide(title:"State of the IDS")[
|
|
// Process masquerading is trivialy posible and used by many attacks (Mitre AttCK list)
|
|
|
|
#line-by-line[
|
|
- #text(weight:"bold")[Known Attacks] #cite(label("mitre_masquerade"), supplement:"MITRE"): AcroRD32.exe (Adobe), kb-10233.exe (Windows Update), mfevtpse.exe (McAfee).
|
|
- #text(weight:"bold")[Technics:]
|
|
- #box(baseline: 60%, height:2em, image("images/linux.svg", height:100%)): Bind Mounts @mount, #text(fill:red)[find more]
|
|
|
|
|
|
- #box(baseline: 60%, height:2em, image("images/windows.svg", height:100%)): msdtc.exe , #text(fill:red)[find more]
|
|
]
|
|
|
|
]
|
|
|
|
|
|
#slide(title:"State of the IDS")[
|
|
// Countermeasure to process masquerading
|
|
Listed by MITRE|ATT&CK:
|
|
- Monitor OS API Calls (e.g. forks)
|
|
- Monitor process creation source.
|
|
Listed by Red Canary:
|
|
- Heuristic on process properties (name, location, etc.)
|
|
|
|
#uncover(2)[#align(center)[#text(fill:red, weight:"bold")[All Host-Based Methods!]]]
|
|
]
|
|
|
|
#slide(title:"State of the IDS")[
|
|
#align(center)[
|
|
You would not blindly trust the saying of a hostage, they might be speaking under threat.
|
|
|
|
#uncover(2)[
|
|
#sym.arrow
|
|
|
|
You should not trust data comming from a the device to protect, it might have been tampered with.
|
|
]
|
|
]
|
|
]
|
|
|
|
#slide(title:"Process List Verification")[
|
|
// We can't stop using the process list, so let's try to verify it
|
|
// Power as a trusted source of information
|
|
#only(1)[#align(center)[#image("images/wein_1.svg", height:100%)]]
|
|
#only(2)[#align(center)[#image("images/wein_2.svg", height:100%)]]
|
|
#only(3)[#align(center)[#image("images/wein_3.svg", height:100%)]]
|
|
|
|
]
|
|
|
|
#slide(title:"Power Side-Channel")[
|
|
// Why is power trusted
|
|
// Why is it correlated with the process list
|
|
// Why is it the best/most practical side-channel
|
|
Power is:
|
|
- Easy to measure (at high sampling rate)
|
|
- Position independant
|
|
- Ubiquitus
|
|
- Scaling from global to granular
|
|
]
|
|
|
|
#slide(title: "Problem Statement")[
|
|
#align(center)[Given a list of #text(blue)[processes] over time and the #text(orange)[power consumption] of a machine, detect tampering to the list of processes.]
|
|
]
|
|
|
|
#slide(title:"Input Data")[
|
|
// Setup of the experiment
|
|
// What data to gather
|
|
// Log data
|
|
// Power data (comparison hardware/software)
|
|
// Resulting dataset
|
|
#only(1)[#image("images/data_collection_1.svg", width:100%)]
|
|
#only(2)[#image("images/data_collection_2.svg", width:100%)]
|
|
]
|
|
|
|
#slide(title:"Input Data - Power")[
|
|
- Cable current #sym.arrow current clamp #sym.arrow ADC #sym.arrow server
|
|
- Capure: 10ksps
|
|
- Downsample: 2 SPS with average and median aggregation. #text(red)[check the specifics]
|
|
]
|
|
|
|
|
|
#slide(title: "Input Data - Processes")[
|
|
#image("images/data_collection_3.svg", width:100%)
|
|
]
|
|
|
|
#slide(title: "Input Data - Processes")[
|
|
|
|
#let array = range(10)
|
|
#for i in array{
|
|
[#only(i+1)[#image("images/processes_"+str(i+1)+".svg", height:100%)]]
|
|
}
|
|
|
|
]
|
|
|
|
|
|
#slide(title:"Proposed Approach")[
|
|
#only(1)[#align(center)[#image("images/equation_1.svg", width:100%)]]
|
|
#only(2)[#align(center)[#image("images/equation_2.svg", width:100%)]]
|
|
#only(3)[#align(center)[#image("images/equation_3.svg", width:100%)]]
|
|
]
|
|
|
|
#slide(title:"Proposed Approach - model")[
|
|
#only(1)[#align(center)[#image("images/model_1.svg", width:100%)]]
|
|
#only(2)[#align(center)[#image("images/model_2.svg", width:100%)]]
|
|
#only(3)[#align(center)[#image("images/model_3.svg", width:100%)]]
|
|
]
|
|
|
|
#slide(title:"Evaluation - Baseline")[
|
|
#align(center)[#image("images/baseline.svg", height:100%)]
|
|
]
|
|
#slide(title:"Evaluation - Baseline")[
|
|
// add visualisation of the prediction to see what is good/wrong
|
|
]
|
|
|
|
#slide(title:"Future Developements")[
|
|
#bibliography("biblio.yml")
|
|
]
|