grizzly/deneir
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
deneir/EET1/MLCS_conference/presentation.tex
Arthur Grisel-Davy f4eec6ea31 back up to date
2023-09-24 19:19:06 -04:00

293 lines
11 KiB
TeX
Raw Blame History

\documentclass[aspectratio=169,10pt]{beamer}
\usetheme[progressbar=head,numbering=fraction,sectionpage=none]{metropolis}
\usepackage{graphicx}
\usepackage{ulem}
\usepackage{xcolor}
\usepackage[scale=2]{ccicons}
\usepackage{pgfplots}
\usepackage{numprint}
\usepackage{booktabs}
\usepgfplotslibrary{dateplot}
\usepackage{hyperref}
\usepackage{multirow}
\usepackage{tcolorbox}
\usepackage{array}
\usepackage{xspace}
\title{Side-channel Based Runtime Intrusion Detection for Network Equipment}
\subtitle{Arthur Grisel-Davy, Goksen U. Guler, Julian Dickert, Philippe Vibien, Waleed Khan, Jack Morgan, Carlos Moreno, Sebastian Fischmeister.}
\date{}
\author{Arthur Grisel-Davy, agriseld@uwaterloo.ca}
\institute{University of Waterloo, Canada}
\renewcommand{\thempfootnote}{\ifcase\value{mpfootnote}\or\textasteriskcentered\or\textdagger\or\textdaggerdbl\fi}
\begin{document}
\maketitle
\begin{frame}{Introduction}
\begin{center}
{\LARGE We cannot entrust machines to assess their own integrity.}\\
\vspace{1cm}
\includegraphics[width=0.9\textwidth]{images/trust.pdf}
\end{center}
\end{frame}
\begin{frame}{Introduction}
\begin{center}
{\LARGE Process assessement requires process-related information.}
\end{center}
\end{frame}
\begin{frame}{Introduction}
\begin{center}
{\LARGE Get information without machine cooperation\\
$\downarrow$\\
Side-Channel Analysis}
\end{center}
\end{frame}
\begin{frame}{Common IDS Solutions}
\begin{center}
\includegraphics[width=\textwidth]{images/main_illustration_1.pdf}
\end{center}
\end{frame}
\begin{frame}{Common IDS Solutions}
\begin{center}
\includegraphics[width=\textwidth]{images/main_illustration_2.pdf}
\end{center}
\end{frame}
\begin{frame}{Common IDS Solutions}
\begin{center}
\includegraphics[width=\textwidth]{images/main_illustration_3.pdf}
\end{center}
\end{frame}
\begin{frame}{Common IDS Solutions}
\begin{center}
\includegraphics[width=\textwidth]{images/main_illustration_4.pdf}
\end{center}
\end{frame}
\begin{frame}{Threat Model}
\only<1>{\begin{tcolorbox}[colback=orange!5!white,colframe=orange!50!black,
colbacktitle=orange!75!black,title=Firmware Manipulation]
Change settings, Upgrade/Downgrade firmware, Replace firmware.
\tcblower
Machine takeover, Advanced Persistent Threats (APT).
\end{tcolorbox}
\begin{tcolorbox}[colback=orange!75!black,colframe=orange!50!black, coltext=white]
Runtime Monitoring
\end{tcolorbox}
\begin{tcolorbox}[colback=orange!75!black,colframe=orange!50!black, coltext=white]
Hardware Tampering
\end{tcolorbox}
}
\only<2>{
\begin{tcolorbox}[colback=orange!75!black,colframe=orange!50!black, coltext=white]
Firmware Manipulation
\end{tcolorbox}
\begin{tcolorbox}[colback=orange!5!white,colframe=orange!50!black,
colbacktitle=orange!75!black,title=Runtime Monitoring]
Log tampering, Login (brute force/dictionary) attacks.
\tcblower
Intrusion, Covert operations.
\end{tcolorbox}
\begin{tcolorbox}[colback=orange!75!black,colframe=orange!50!black, coltext=white]
Hardware Tampering
\end{tcolorbox}
}
\only<3>{
\begin{tcolorbox}[colback=orange!75!black,colframe=orange!50!black, coltext=white]
Firmware Manipulation
\end{tcolorbox}
\begin{tcolorbox}[colback=orange!75!black,colframe=orange!50!black, coltext=white]
Runtime Monitoring
\end{tcolorbox}
\begin{tcolorbox}[colback=orange!5!white,colframe=orange!50!black,
colbacktitle=orange!75!black,title=Hardware Tampering]
Installation/Removal of peripherals.
\tcblower
MAC flooding attacks.
\end{tcolorbox}
}
\end{frame}
\begin{frame}{Experiment Family I - Firmware Manipulation}
\begin{center}
\includegraphics[height=0.9\textheight]{images/Firmware_Comparison_TD_direct.pdf}
\end{center}
\end{frame}
\begin{frame}{Experiment Family I - Firmware Manipulation}
Experiment 1: Classifying Firmware Version
\begin{table}[ht]
\centering
\begin{tabular}{lccc}
\toprule
\textbf{Data} & \textbf{Model} & \textbf{Macro F1 Score} & \textbf{Accuracy} \tabularnewline
\midrule
\multirow{2}*{DC Time Domain} & RFC & \textbf{\numprint[\%]{100}} & \numprint[\%]{100} \tabularnewline
& SVM & \numprint[\%]{96.8} & \numprint[\%]{99.3}\tabularnewline
\midrule
\multirow{2}*{AC Time Domain}& RFC & \textbf{\numprint[\%]{87.4}} & \numprint[\%]{98.9} \tabularnewline
& SVM & \numprint[\%]{75.8} & \numprint[\%]{95.5} \tabularnewline
\midrule
\multirow{2}*{DC Frequency Domain} & RFC & \textbf{\numprint[\%]{97.6}} & \numprint[\%]{99.8} \tabularnewline
& SVM & \numprint[\%]{95.3} & \numprint[\%]{96.0} \tabularnewline
\bottomrule
\end{tabular}
\caption{Comparison between the different algorithms for firmware classification.}
\label{tab:fw-results}
\end{table}
\end{frame}
\begin{frame}{Experiment Family I - Firmware Manipulation}
Experiment 2: Detecting changes in subsequent firmware traces.
\begin{center}
\includegraphics[height=0.8\textheight]{images/fam_I_exp_2.pdf}
\end{center}
\end{frame}
\begin{frame}{Experiment Family II - Run-Time Monitoring}
\begin{center}
\includegraphics[height=0.9\textheight]{images/time_domain_ssh.pdf}
\end{center}
\end{frame}
\begin{frame}{Experiment Family II - Runtime Monitoring}
Experiment 1: Detecting SSH Login Attempts
\begin{table}[ht]
\begin{center}
\begin{tabular}{cccccccc}
\toprule
\textbf{Domain} & \textbf{Model} & \textbf{Precision} & \textbf{Recall} & \textbf{F1 Score} & \textbf{Accuracy} & \textbf{FPR} & \textbf{FNR} \tabularnewline
%& \multicolumn{5}{>{\hsize=\dimexpr5\hsize+5\tabcolsep+\arrayrulewidth\relax}c}{\textbf{Time Domain}} & \tabularnewline
\midrule
\multirow{3}*{Time Domain} & RFC & \numprint[\%]{95} & \numprint[\%]{97} & \numprint[\%]{95} & \numprint[\%]{97} & \numprint[\%]{0.6} & \numprint[\%]{14} \tabularnewline
& SVM & \numprint[\%]{95} & \numprint[\%]{97} & \textbf{\numprint[\%]{96}} & \numprint[\%]{98} & \numprint[\%]{0.8} & \numprint[\%]{8} \tabularnewline
& 1D~CNN & \numprint[\%]{94} & \numprint[\%]{93} & \numprint[\%]{93} & \numprint[\%]{96} & \numprint[\%]{2} & \numprint[\%]{9} \tabularnewline
\midrule
%& \multicolumn{5}{>{\hsize=\dimexpr5\hsize+5\tabcolsep+\arrayrulewidth\relax}c}{\textbf{Frequency Domain}} & \tabularnewline
\multirow{3}*{Frequency Domain} & RFC & \numprint[\%]{89} & \numprint[\%]{67} & \numprint[\%]{72} &
\numprint[\%]{88} &
\numprint[\%]{12} &
\numprint[\%]{8} \tabularnewline
& 1D~CNN &
\numprint[\%]{90} & \numprint[\%]{90} & \textbf{\numprint[\%]{90}} & \numprint[\%]{94} &
\numprint[\%]{3} &
\numprint[\%]{17} \tabularnewline
\midrule
%& \multicolumn{5}{>{\hsize=\dimexpr5\hsize+5\tabcolsep+\arrayrulewidth\relax}c}{\textbf{Time + Frequency Domain}} & \tabularnewline
Time + Frequency & 1D~CNN & \numprint[\%]{89} &
\numprint[\%]{95} &
\textbf{\numprint[\%]{92}} &
\numprint[\%]{95} &
\numprint[\%]{1} &
\numprint[\%]{20} \tabularnewline
\bottomrule
\end{tabular}
\end{center}
\caption{Comparison between the different algorithms for detecting SSH login attempts.}
\label{tab:ssh-precision-comparison}
\end{table}
\end{frame}
\begin{frame}{Experiment Famili II - Runtime Monitoring}
Experiment 2: Classifying SSH Login Attemps
\begin{table}[ht]
\begin{center}
\begin{tabular}{ccccccc}
\toprule
\textbf{Model} & \textbf{Precision} & \textbf{Recall} & \textbf{F1 Score} & \textbf{Accuracy} & \textbf{FPR} & \textbf{FNR} \tabularnewline
\midrule
& \multicolumn{5}{>{\hsize=\dimexpr5\hsize+5\tabcolsep+\arrayrulewidth\relax}c}{\textbf{Time Domain}} & \tabularnewline
\midrule
RFC & \numprint[\%]{97} & \numprint[\%]{97} & \numprint[\%]{97} & \numprint[\%]{96.7} & \numprint[\%]{12} & \numprint[\%]{8} \tabularnewline
SVM & \numprint[\%]{99} & \numprint[\%]{99} & \textbf{\numprint[\%]{99}} & \numprint[\%]{98.5} &
\numprint[\%]{1} &
\numprint[\%]{1.5} \tabularnewline
1D~CNN & \numprint[\%]{98.5} &
\numprint[\%]{98} & \numprint[\%]{98} & \numprint[\%]{98} & \numprint[\%]{1} & \numprint[\%]{2} \tabularnewline
\bottomrule
\end{tabular}
\end{center}
\caption{Comparison between the different algorithms for classifying SSH login attempts.}
\label{tab:ssh-classification-precision-comparison}
\end{table}
\end{frame}
\begin{frame}{Experiment Family III - Hardware Tampering}
\begin{center}
\includegraphics[height=\textheight]{images/switch.jpg}
\end{center}
\end{frame}
\begin{frame}{Experiment Family III - Hardware Tampering}
\begin{center}
\includegraphics[width=\textwidth]{images/detect_change.pdf}
\end{center}
\end{frame}
\begin{frame}{Experiment Family III - Hardware Tampering}
Experiment 1: Identifying the Number of Expansion Modules
\begin{table}[ht]
\begin{center}
\begin{tabular}{ccccc}
\toprule
\textbf{Input Data} & \textbf{Model} & \textbf{Accuracy} & \textbf{Recall}\tabularnewline
\midrule
DC & SVM & \numprint[\%]{100} & \numprint[\%]{100}\tabularnewline
DC & KNN & \textbf{\numprint[\%]{100}} & \numprint[\%]{100}\tabularnewline
DC & SVM & \numprint[\%]{99.5} & \numprint[\%]{99.45}\tabularnewline
\bottomrule
\end{tabular}
\end{center}
\caption{Comparison between the different models for hardware detection with a stratified 10-fold cross validation setup.}
\label{tab:hardware-results}
\end{table}
\end{frame}
\begin{frame}{Conclusion}
\only<1>{
\begin{tcolorbox}[colback=orange!5!white,colframe=orange!50!black,
colbacktitle=orange!75!black,title=Advantages of Physics-Based IDS]
\begin{itemize}
\item Host-independance
\item Fail-safe design
\end{itemize}
\end{tcolorbox}
\begin{tcolorbox}[colback=orange!5!white,colframe=orange!50!black,
colbacktitle=orange!75!black,title=Capabilities]
\begin{itemize}
\item Boot process assessement (published and submited work)\footnote{Work-in-Progress: Boot Sequence Integrity Verification with Power Analysis, EMSOFT 22}.
\item Run-time monitoring / Log verification. (submited work)
\item Hardware tampering detection.
\end{itemize}
\end{tcolorbox}
}
\end{frame}
\begin{frame}{Thank You}
Paper: Side-channel Based Runtime Intrusion Detection for Network Equipment\\
Contact: \textbf{agriseld@uwaterloo.ca}
\end{frame}
\end{document}
Reference in a new issue View git blame Copy permalink