deneir/PhD/seminar/seminar.typ

#import "@preview/polylux:0.3.1": *
#import themes.metropolis: *

#show: metropolis-theme.with(
  footer: [CC BY-NC-SA]
)

#set text(font: "STIX Two Text", weight: "light", size: 20pt)
#show math.equation: set text(font: "STIX Two Text")
#set strong(delta: 100)
#set par(justify: true)

#title-slide(
  author: [Arthur Grisel-Davy],
  title: "Seminar: Process-Power Consistency as Sanity Check",
  subtitle: "Subtitle",
  date: "September 2024",
  extra: ""
)

#slide(title: "State of the IDS")[
  // Most IDS rely on host-based information
  // Process List is a very common default info to verify
#only(1)[#align(center)[#image("images/hids_redscan.png", width:100%)]]
#only(2)[#align(center)[#image("images/hids_malwarebyte.png", width:100%)]]
#only(3)[#align(center)[#image("images/hids_windows.png", width:100%)]]
#only(4)[#align(center)[#image("images/hids_falcon.png", width:100%)]]
]
#slide(title:"State of the IDS")[
  // Process masquerading is trivialy posible and used by many attacks (Mitre AttCK list)

#line-by-line[
- #text(weight:"bold")[Known Attacks] #cite(label("mitre_masquerade"), supplement:"MITRE"): AcroRD32.exe (Adobe), kb-10233.exe (Windows Update), mfevtpse.exe (McAfee).
- #text(weight:"bold")[Technics:]
 - #box(baseline: 60%, height:2em, image("images/linux.svg", height:100%)): Bind Mounts @mount, #text(fill:red)[find more]


 - #box(baseline: 60%, height:2em, image("images/windows.svg", height:100%)): msdtc.exe , #text(fill:red)[find more]
]

]


#slide(title:"State of the IDS")[
  // Countermeasure to process masquerading
Listed by MITRE|ATT&CK:
- Monitor OS API Calls (e.g. forks)
- Monitor process creation source.
Listed by Red Canary:
- Heuristic on process properties (name, location, etc.)

#uncover(2)[#align(center)[#text(fill:red, weight:"bold")[All Host-Based Methods!]]]
]

#slide(title:"State of the IDS")[
  #align(center)[
You would not blindly trust the saying of a hostage, they might be speaking under threat.

#uncover(2)[
#sym.arrow

You should not trust data comming from a the device to protect, it might have been tampered with.
]
]
]

#slide(title:"Process List Verification")[
// We can't stop using the process list, so let's try to verify it
// Power as a trusted source of information
#only(1)[#align(center)[#image("images/wein_1.svg", height:100%)]]
#only(2)[#align(center)[#image("images/wein_2.svg", height:100%)]]
#only(3)[#align(center)[#image("images/wein_3.svg", height:100%)]]

]

#slide(title:"Power Side-Channel")[
// Why is power trusted
// Why is it correlated with the process list
// Why is it the best/most practical side-channel
Power is: 
- Easy to measure (at high sampling rate)
- Position independant
- Ubiquitus
- Scaling from global to granular
]

#slide(title: "Problem Statement")[
#align(center)[Given a list of #text(blue)[processes] over time and the #text(orange)[power consumption] of a machine, detect tampering to the list of processes.]
]

#slide(title:"Input Data")[
// Setup of the experiment
// What data to gather
    // Log data
    // Power data (comparison hardware/software)
// Resulting dataset
#only(1)[#image("images/data_collection_1.svg", width:100%)]
#only(2)[#image("images/data_collection_2.svg", width:100%)]
]

#slide(title:"Input Data - Power")[
- Cable current #sym.arrow current clamp #sym.arrow ADC #sym.arrow server
- Capure: 10ksps
- Downsample: 2 SPS with average and median aggregation. #text(red)[check the specifics]
]

#slide(title:"Problem Statement")[
]


#slide(title: "Input Data - Power")[
]

#slide(title: "Input Data - Processes")[
]

#slide(title: "Process List")[

]


#slide(title:"Proposed Approach")[
#only(1)[#align(center)[#image("images/equation_1.svg", width:100%)]]
#only(2)[#align(center)[#image("images/equation_2.svg", width:100%)]]
]

#slide(title:"Evaluation")[
]

#slide(title:"Future Developements")[
#bibliography("biblio.yml")
]