177 lines
5.3 KiB
Typst
177 lines
5.3 KiB
Typst
#import "@preview/polylux:0.3.1": *
|
|
#import themes.metropolis: *
|
|
|
|
#show: metropolis-theme.with(
|
|
footer: [CC BY-NC-SA]
|
|
)
|
|
|
|
#set text(font: "STIX Two Text", weight: "light", size: 20pt)
|
|
#show math.equation: set text(font: "STIX Two Text")
|
|
#set strong(delta: 100)
|
|
#set par(justify: true)
|
|
|
|
#title-slide(
|
|
author: [Arthur Grisel-Davy],
|
|
title: "Process List Verification With Power Analysis",
|
|
subtitle: "",
|
|
date: "September 2024",
|
|
extra: ""
|
|
)
|
|
|
|
#slide(title: "State of the IDS")[
|
|
// Most IDS rely on host-based information
|
|
// Process List is a very common default info to verify
|
|
#only(1)[#align(center)[#image("images/hids_redscan.png", width:100%)]]
|
|
#only(2)[#align(center)[#image("images/hids_malwarebyte.png", width:100%)]]
|
|
#only(3)[#align(center)[#image("images/hids_windows.png", width:100%)]]
|
|
#only(4)[#align(center)[#image("images/hids_falcon.png", width:100%)]]
|
|
]
|
|
#slide(title:"State of the IDS")[
|
|
// Process masquerading is trivialy posible and used by many attacks (Mitre AttCK list)
|
|
|
|
#text(weight:"bold")[Known Attacks:]
|
|
- AcroRD32.exe (Adobe), kb-10233.exe (Windows Update), mfevtpse.exe (McAfee).
|
|
- Azazel Rootkit
|
|
- Adore-ng Rootkit
|
|
- DLL Injections (in explorer.exe)
|
|
- Direct Kernel Object Manipulation (FU Rootkit)
|
|
- Hooking System Calls (t0rn Rootkit)
|
|
]
|
|
|
|
|
|
#slide(title:"State of the IDS")[
|
|
#align(center)[
|
|
You would not blindly trust the saying of a hostage, they might be speaking under threat.
|
|
|
|
#uncover(2)[
|
|
#sym.arrow
|
|
|
|
You should not trust data comming from a the device to protect, it might have been tampered with.
|
|
]
|
|
]
|
|
]
|
|
|
|
#slide(title:"Process List Verification")[
|
|
// We can't stop using the process list, so let's try to verify it
|
|
// Power as a trusted source of information
|
|
#only(1)[#align(center)[#image("images/wein_1.svg", height:100%)]]
|
|
#only(2)[#align(center)[#image("images/wein_2.svg", height:100%)]]
|
|
#only(3)[#align(center)[#image("images/wein_3.svg", height:100%)]]
|
|
|
|
]
|
|
|
|
#slide(title:"Power Side-Channel")[
|
|
// Why is power trusted
|
|
// Why is it correlated with the process list
|
|
// Why is it the best/most practical side-channel
|
|
Power is:
|
|
- Easy & cheap to measure (at high sampling rate)
|
|
- Position independant
|
|
- Ubiquitous
|
|
// - Scaling from global to granular
|
|
]
|
|
|
|
#slide(title: "Problem Statement")[
|
|
#align(center)[Given a list of #text(blue)[processes] over time and the #text(orange)[power consumption] of a machine, detect tampering to the list of processes.]
|
|
]
|
|
|
|
#slide(title:"Input Data")[
|
|
// Setup of the experiment
|
|
// What data to gather
|
|
// Log data
|
|
// Power data (comparison hardware/software)
|
|
// Resulting dataset
|
|
#only(1)[#image("images/data_collection_1.svg", width:100%)]
|
|
#only(2)[#image("images/data_collection_2.svg", width:100%)]
|
|
]
|
|
|
|
#slide(title:"Input Data - Power")[
|
|
- Cable current #sym.arrow current clamp #sym.arrow ADC #sym.arrow server
|
|
- Capure: 10ksps
|
|
- Downsample: 2 SPS with average and median aggregation.
|
|
]
|
|
|
|
|
|
#slide(title: "Input Data - Processes")[
|
|
#image("images/data_collection_3.svg", width:100%)
|
|
]
|
|
|
|
#slide(title: "Input Data - Processes")[
|
|
|
|
#for i in range(10){
|
|
[#only(i+1)[#image("images/processes_"+str(i+1)+".svg", height:100%)]]
|
|
}
|
|
|
|
]
|
|
|
|
#slide(title:"Dataset")[
|
|
#only(1)[#align(center)[#image("images/dataset.svg", height:100%)]]
|
|
|
|
#for i in range(3){
|
|
[#only(i+1)[#image("images/dataset_zoom_details_"+str(i+1)+".svg", height:100%)]]
|
|
}
|
|
]
|
|
|
|
|
|
#slide(title:"Proposed Approach")[
|
|
#only(1)[#align(center)[#image("images/equation_1.svg", width:100%)]]
|
|
#only(2)[#align(center)[#image("images/equation_2.svg", width:100%)]]
|
|
#only(3)[#align(center)[#image("images/equation_3.svg", width:100%)]]
|
|
]
|
|
|
|
#slide(title:"Proposed Approach - Model")[
|
|
#only(1)[#align(center)[#image("images/model_1.svg", width:100%)]]
|
|
#only(2)[#align(center)[#image("images/model_2.svg", width:100%)]]
|
|
#only(3)[#align(center)[#image("images/model_3.svg", width:100%)]]
|
|
]
|
|
|
|
|
|
#slide(title:"Evaluation - Baseline")[
|
|
#align(center)[#image("images/baseline.svg", height:100%)]
|
|
]
|
|
#slide(title:"Evaluation - Baseline")[
|
|
#align(center)[#image("images/preds_baseline.svg", height:100%)]
|
|
]
|
|
|
|
#slide(title:"Evaluation - Attack")[
|
|
#only(1)[#align(center)[#image("images/preds_attacks_stress.svg", height:100%)]]
|
|
#only(1)[#align(center)[#image("images/preds_attacks_stress-ng-matrix.svg", height:100%)]]
|
|
]
|
|
|
|
#slide(title:"Evaluation - Successful Attack")[
|
|
#align(center)[#image("images/preds_attacks_fusermount3.svg", height:100%)]
|
|
]
|
|
|
|
#slide(title:"Evaluation - All Processes MSE")[
|
|
#align(center)[#image("images/attack_mse.svg", height:100%)]
|
|
]
|
|
|
|
#slide(title:"Alternative Approach - Decomposed Power Trace")[
|
|
// schematic of the overview
|
|
|
|
#for i in range(5){
|
|
[#only(i+2)[#image("images/decomposed_"+str(i+1)+".svg", height:100%)]]
|
|
}
|
|
]
|
|
#slide(title:"Alternative Approach - Decomposed Power Trace")[
|
|
#only(1)[#align(center)[#image("images/number_values_state.svg", height:100%)]]
|
|
#only(2)[#align(center)[#image("images/states_ts.svg", height:100%)]]
|
|
]
|
|
|
|
#slide(title:"Conclusion and Future Works")[
|
|
|
|
#text(weight:"bold")[Conclusion:]
|
|
- Exploitable relationship processes-power
|
|
- Many applicable methods #sym.arrow robustness
|
|
- Large range of targets
|
|
|
|
#uncover(2)[
|
|
#text(weight:"bold")[Next Steps:]
|
|
- Collect more and better data
|
|
- Try methods on other devices
|
|
- Develop a benchmark for attack detection
|
|
- Decomposition approach
|
|
- Extract process information from decomposed abnormal time series
|
|
- Benchmark against MLP approach
|
|
]
|
|
]
|