deneir/BPV/emsoft2022/article.tex

% Specificity of WIP paper:
% Limited to 2 pages.
% Deadline is June 11 AOE.
% Still publish like a regular paper.
% Title must have the 'Work-in-Progress:' prefix.
% Double blind review, single round.
% Short presentation + poster during conference.

%% bare_conf.tex
%% V1.4b
%% 2015/08/26
%% by Michael Shell
%% See:
%% http://www.michaelshell.org/
%% for current contact information.
%%
%% This is a skeleton file demonstrating the use of IEEEtran.cls
%% (requires IEEEtran.cls version 1.8b or later) with an IEEE
%% conference paper.
%%
%% Support sites:
%% http://www.michaelshell.org/tex/ieeetran/
%% http://www.ctan.org/pkg/ieeetran
%% and
%% http://www.ieee.org/

%%*************************************************************************
%% Legal Notice:
%% This code is offered as-is without any warranty either expressed or
%% implied; without even the implied warranty of MERCHANTABILITY or
%% FITNESS FOR A PARTICULAR PURPOSE! 
%% User assumes all risk.
%% In no event shall the IEEE or any contributor to this code be liable for
%% any damages or losses, including, but not limited to, incidental,
%% consequential, or any other damages, resulting from the use or misuse
%% of any information contained here.
%%
%% All comments are the opinions of their respective authors and are not
%% necessarily endorsed by the IEEE.
%%
%% This work is distributed under the LaTeX Project Public License (LPPL)
%% ( http://www.latex-project.org/ ) version 1.3, and may be freely used,
%% distributed and modified. A copy of the LPPL, version 1.3, is included
%% in the base LaTeX documentation of all distributions of LaTeX released
%% 2003/12/01 or later.
%% Retain all contribution notices and credits.
%% ** Modified files should be clearly indicated as such, including  **
%% ** renaming them and changing author support contact information. **
%%*************************************************************************


% *** Authors should verify (and, if needed, correct) their LaTeX system  ***
% *** with the testflow diagnostic prior to trusting their LaTeX platform ***
% *** with production work. The IEEE's font choices and paper sizes can   ***
% *** trigger bugs that do not appear when using other class files.       ***                          ***
% The testflow support page is at:
% http://www.michaelshell.org/tex/testflow/



\documentclass[conference, a4paper]{IEEEtran}
% Some Computer Society conferences also require the compsoc mode option,
% but others use the standard conference format.
%
% If IEEEtran.cls has not been installed into the LaTeX system files,
% manually specify the path to it like:
% \documentclass[conference]{../sty/IEEEtran}

\usepackage[toc,acronym,abbreviations,nonumberlist,nogroupskip]{glossaries-extra}
\usepackage{numprint}
\usepackage{tabularx}
\usepackage{multirow}
\usepackage[skip=0.5\baselineskip]{caption}
\usepackage[bottom=42mm,top=18mm,left=12.9mm, right=12.9mm]{geometry}
% margin selected from this reference schema for A4 paper: http://www.ieee-ies.org/images/files/conferences/ieee-pages-and-margins-2016.pdf
% Removed a few mm from the bottom margin to make it fit.
\usepackage[pdftex]{graphicx}
\usepackage[hidelinks]{hyperref}
\usepackage{soul}
\usepackage{algorithm}
\usepackage{algpseudocode}
\usepackage{booktabs}
\input{acronyms}



% Some very useful LaTeX packages include:
% (uncomment the ones you want to load)


% *** MISC UTILITY PACKAGES ***
%
%\usepackage{ifpdf}
% Heiko Oberdiek's ifpdf.sty is very useful if you need conditional
% compilation based on whether the output is pdf or dvi.
% usage:
% \ifpdf
%   % pdf code
% \else
%   % dvi code
% \fi
% The latest version of ifpdf.sty can be obtained from:
% http://www.ctan.org/pkg/ifpdf
% Also, note that IEEEtran.cls V1.7 and later provides a builtin
% \ifCLASSINFOpdf conditional that works the same way.
% When switching from latex to pdflatex and vice-versa, the compiler may
% have to be run twice to clear warning/error messages.






% *** CITATION PACKAGES ***
%
%\usepackage{cite}
% cite.sty was written by Donald Arseneau
% V1.6 and later of IEEEtran pre-defines the format of the cite.sty package
%~\cite{} output to follow that of the IEEE. Loading the cite package will
% result in citation numbers being automatically sorted and properly
% "compressed/ranged". e.g., [1], [9], [2], [7], [5], [6] without using
% cite.sty will become [1], [2], [5]--[7], [9] using cite.sty. cite.sty's
%~\cite will automatically add leading space, if needed. Use cite.sty's
% noadjust option (cite.sty V3.8 and later) if you want to turn this off
% such as if a citation ever needs to be enclosed in parenthesis.
% cite.sty is already installed on most LaTeX systems. Be sure and use
% version 5.0 (2009-03-20) and later if using hyperref.sty.
% The latest version can be obtained at:
% http://www.ctan.org/pkg/cite
% The documentation is contained in the cite.sty file itself.






% *** GRAPHICS RELATED PACKAGES ***
%
\ifCLASSINFOpdf
  % \usepackage[pdftex]{graphicx}
  % declare the path(s) where your graphic files are
  % \graphicspath{{../pdf/}{../jpeg/}}
  % and their extensions so you won't have to specify these with
  % every instance of \includegraphics
  % \DeclareGraphicsExtensions{.pdf,.jpeg,.png}
\else
  % or other class option (dvipsone, dvipdf, if not using dvips). graphicx
  % will default to the driver specified in the system graphics.cfg if no
  % driver is specified.
  % \usepackage[dvips]{graphicx}
  % declare the path(s) where your graphic files are
  % \graphicspath{{../eps/}}
  % and their extensions so you won't have to specify these with
  % every instance of \includegraphics
  % \DeclareGraphicsExtensions{.eps}
\fi
% graphicx was written by David Carlisle and Sebastian Rahtz. It is
% required if you want graphics, photos, etc. graphicx.sty is already
% installed on most LaTeX systems. The latest version and documentation
% can be obtained at: 
% http://www.ctan.org/pkg/graphicx
% Another good source of documentation is "Using Imported Graphics in
% LaTeX2e" by Keith Reckdahl which can be found at:
% http://www.ctan.org/pkg/epslatex
%
% latex, and pdflatex in dvi mode, support graphics in encapsulated
% postscript (.eps) format. pdflatex in pdf mode supports graphics
% in .pdf, .jpeg, .png and .mps (metapost) formats. Users should ensure
% that all non-photo figures use a vector format (.eps, .pdf, .mps) and
% not a bitmapped formats (.jpeg, .png). The IEEE frowns on bitmapped formats
% which can result in "jaggedy"/blurry rendering of lines and letters as
% well as large increases in file sizes.
%
% You can find documentation about the pdfTeX application at:
% http://www.tug.org/applications/pdftex





% *** MATH PACKAGES ***
%
%\usepackage{amsmath}
% A popular package from the American Mathematical Society that provides
% many useful and powerful commands for dealing with mathematics.
%
% Note that the amsmath package sets \interdisplaylinepenalty to 10000
% thus preventing page breaks from occurring within multiline equations. Use:
%\interdisplaylinepenalty=2500
% after loading amsmath to restore such page breaks as IEEEtran.cls normally
% does. amsmath.sty is already installed on most LaTeX systems. The latest
% version and documentation can be obtained at:
% http://www.ctan.org/pkg/amsmath





% *** SPECIALIZED LIST PACKAGES ***
%
%\usepackage{algorithmic}
% algorithmic.sty was written by Peter Williams and Rogerio Brito.
% This package provides an algorithmic environment fo describing algorithms.
% You can use the algorithmic environment in-text or within a figure
% environment to provide for a floating algorithm. Do NOT use the algorithm
% floating environment provided by algorithm.sty (by the same authors) or
% algorithm2e.sty (by Christophe Fiorio) as the IEEE does not use dedicated
% algorithm float types and packages that provide these will not provide
% correct IEEE style captions. The latest version and documentation of
% algorithmic.sty can be obtained at:
% http://www.ctan.org/pkg/algorithms
% Also of interest may be the (relatively newer and more customizable)
% algorithmicx.sty package by Szasz Janos:
% http://www.ctan.org/pkg/algorithmicx




% *** ALIGNMENT PACKAGES ***
%
%\usepackage{array}
% Frank Mittelbach's and David Carlisle's array.sty patches and improves
% the standard LaTeX2e array and tabular environments to provide better
% appearance and additional user controls. As the default LaTeX2e table
% generation code is lacking to the point of almost being broken with
% respect to the quality of the end results, all users are strongly
% advised to use an enhanced (at the very least that provided by array.sty)
% set of table tools. array.sty is already installed on most systems. The
% latest version and documentation can be obtained at:
% http://www.ctan.org/pkg/array


% IEEEtran contains the IEEEeqnarray family of commands that can be used to
% generate multiline equations as well as matrices, tables, etc., of high
% quality.




% *** SUBFIGURE PACKAGES ***
%\ifCLASSOPTIONcompsoc
%  \usepackage[caption=false,font=normalsize,labelfont=sf,textfont=sf]{subfig}
%\else
%  \usepackage[caption=false,font=footnotesize]{subfig}
%\fi
% subfig.sty, written by Steven Douglas Cochran, is the modern replacement
% for subfigure.sty, the latter of which is no longer maintained and is
% incompatible with some LaTeX packages including fixltx2e. However,
% subfig.sty requires and automatically loads Axel Sommerfeldt's caption.sty
% which will override IEEEtran.cls' handling of captions and this will result
% in non-IEEE style figure/table captions. To prevent this problem, be sure
% and invoke subfig.sty's "caption=false" package option (available since
% subfig.sty version 1.3, 2005/06/28) as this is will preserve IEEEtran.cls
% handling of captions.
% Note that the Computer Society format requires a larger sans serif font
% than the serif footnote size font used in traditional IEEE formatting
% and thus the need to invoke different subfig.sty package options depending
% on whether compsoc mode has been enabled.
%
% The latest version and documentation of subfig.sty can be obtained at:
% http://www.ctan.org/pkg/subfig




% *** FLOAT PACKAGES ***
%
%\usepackage{fixltx2e}
% fixltx2e, the successor to the earlier fix2col.sty, was written by
% Frank Mittelbach and David Carlisle. This package corrects a few problems
% in the LaTeX2e kernel, the most notable of which is that in current
% LaTeX2e releases, the ordering of single and double column floats is not
% guaranteed to be preserved. Thus, an unpatched LaTeX2e can allow a
% single column figure to be placed prior to an earlier double column
% figure.
% Be aware that LaTeX2e kernels dated 2015 and later have fixltx2e.sty's
% corrections already built into the system in which case a warning will
% be issued if an attempt is made to load fixltx2e.sty as it is no longer
% needed.
% The latest version and documentation can be found at:
% http://www.ctan.org/pkg/fixltx2e


%\usepackage{stfloats}
% stfloats.sty was written by Sigitas Tolusis. This package gives LaTeX2e
% the ability to do double column floats at the bottom of the page as well
% as the top. (e.g., "\begin{figure*}[!b]" is not normally possible in
% LaTeX2e). It also provides a command:
%\fnbelowfloat
% to enable the placement of footnotes below bottom floats (the standard
% LaTeX2e kernel puts them above bottom floats). This is an invasive package
% which rewrites many portions of the LaTeX2e float routines. It may not work
% with other packages that modify the LaTeX2e float routines. The latest
% version and documentation can be obtained at:
% http://www.ctan.org/pkg/stfloats
% Do not use the stfloats baselinefloat ability as the IEEE does not allow
% \baselineskip to stretch. Authors submitting work to the IEEE should note
% that the IEEE rarely uses double column equations and that authors should try
% to avoid such use. Do not be tempted to use the cuted.sty or midfloat.sty
% packages (also by Sigitas Tolusis) as the IEEE does not format its papers in
% such ways.
% Do not attempt to use stfloats with fixltx2e as they are incompatible.
% Instead, use Morten Hogholm'a dblfloatfix which combines the features
% of both fixltx2e and stfloats:
%
% \usepackage{dblfloatfix}
% The latest version can be found at:
% http://www.ctan.org/pkg/dblfloatfix




% *** PDF, URL AND HYPERLINK PACKAGES ***
%
%\usepackage{url}
% url.sty was written by Donald Arseneau. It provides better support for
% handling and breaking URLs. url.sty is already installed on most LaTeX
% systems. The latest version and documentation can be obtained at:
% http://www.ctan.org/pkg/url
% Basically, \url{my_url_here}.




% *** Do not adjust lengths that control margins, column widths, etc. ***
% *** Do not use packages that alter fonts (such as pslatex).         ***
% There should be no need to do such things with IEEEtran.cls V1.6 and later.
% (Unless specifically asked to do so by the journal or conference you plan
% to submit to, of course. )


% correct bad hyphenation here
%\hyphenation{op-tical net-works semi-conduc-tor}
\usepackage{xcolor}
\usepackage{hyperref}
\usepackage{amssymb}
\newcommand\agd[1]{{\color{red}$\bigstar$}\footnote{agd: #1}}
\newcommand\an[1]{{\color{blue}$\bigstar$}\footnote{an: #1}}
\newcommand\oi[1]{{\color{orange}$\bigstar$}\footnote{oi: #1}}
\newcommand\spabs[1]{{\color{cyan}$\bigstar$}\footnote{spabs: #1}}
\newcommand\amb[1]{{\color{purple}$\bigstar$}\footnote{amb: #1}}
\newcommand\cb[1]{{\color{green}$\bigstar$}\footnote{cb: #1}}

\newcommand{\cn}{{\color{purple}[citation needed]}}

\renewcommand{\labelenumii}{\theenumii}
\renewcommand{\theenumii}{\theenumi.\arabic{enumii}.}

\hyphenpenalty=10000


% ============================ REVIEW and CHANGES =======================
% Add emphasis that this is a novel approach and that the current firmware verification methods have some limitations
% Change title and document to remove references to firmware and prefer "boot sequence verification"
% Fix reference to dataset (maybe footnote is better) and provide step-by-step description of the capture process
% Justify value for parameters.
% Refactor the explanation of AIM and IQR. it is not clear enough
% Add a mention on how the method we propose should be used (as part of a SOAR)


\begin{document}
%
% paper title
% Titles are generally capitalized except for words such as a, an, and, as,
% at, but, by, for, in, nor, of, on, or, the, to and up, which are usually
% not capitalized unless they are the first or last word of the title.
% Linebreaks \\ can be used within to get better formatting as desired.
% Do not put math or special symbols in the title.
\title{Work-in-Progress: Boot Sequence Integrity Verification with Power Analysis}


% author names and affiliations
% use a multiple column layout for up to three different
% affiliations
\author{
\IEEEauthorblockN{Arthur Grisel-Davy, Amrita Milan Bhogayata, Srijan Pabbi, Apurva Narayan, Sebastian Fischmeister}\\

%\vspace{0.1cm}

\IEEEauthorblockA{Department of Electrical and Computer Engineering\\
University of Waterloo. Waterloo, Ontario, Canada\\
Email: agriseld@uwaterloo.ca}
}

% conference papers do not typically use \thanks and this command
% is locked out in conference mode. If really needed, such as for
% the acknowledgment of grants, issue a \IEEEoverridecommandlockouts
% after \documentclass

% for over three affiliations, or if they all won't fit within the width
% of the page, use this alternative format:
% 
%\author{\IEEEauthorblockN{Michael Shell\IEEEauthorrefmark{1},
%Homer Simpson\IEEEauthorrefmark{2},
%James Kirk\IEEEauthorrefmark{3}, 
%Montgomery Scott\IEEEauthorrefmark{3} and
%Eldon Tyrell\IEEEauthorrefmark{4}}
%\IEEEauthorblockA{\IEEEauthorrefmark{1}School of Electrical and Computer Engineering\\
%Georgia Institute of Technology,
%Atlanta, Georgia 30332--0250\\ Email: see http://www.michaelshell.org/contact.html}
%\IEEEauthorblockA{\IEEEauthorrefmark{2}Twentieth Century Fox, Springfield, USA\\
%Email: homer@thesimpsons.com}
%\IEEEauthorblockA{\IEEEauthorrefmark{3}Starfleet Academy, San Francisco, California 96678-2391\\
%Telephone: (800) 555--1212, Fax: (888) 555--1212}
%\IEEEauthorblockA{\IEEEauthorrefmark{4}Tyrell Inc., 123 Replicant Street, Los Angeles, California 90210--4321}}




% use for special paper notices
%\IEEEspecialpapernotice{(Invited Paper)}




% make the title area
\maketitle

% As a general rule, do not put math, special symbols or citations
% in the abstract
\begin{abstract}
The current security mechanisms for embedded systems often rely on \gls{ids} running on the system itself. This provides the detector with relevant internal resources but also exposes it to being bypassed by an attacker. If the host is compromised, its IDS can not be trusted anymore and becomes useless. Power consumption offers an accurate and trusted representation of the system's state that can be leveraged to verify its integrity during the boot sequence. We present a novel \gls{ids} that uses the side-channel power consumption of a target device to protect it against various firmware and hardware attacks. The proposed \gls{bpv} uses a combination of rule-based and machine-learning-based side-channel analysis to monitor and evaluate the integrity of different networking equipment with an overall accuracy of \numprint{0.942}. The \gls{bpv} is part of a new layer of cybersecurity mechanisms that leverage the physical emissions of devices for protection.

\end{abstract}

% no keywords




% For peer review papers, you can put extra information on the cover
% page as needed:
% \ifCLASSOPTIONpeerreview
% \begin{center} \bfseries EDICS Category: 3-BBND \end{center}
% \fi
%
% For peerreview papers, this IEEEtran command inserts a page break and
% creates the second title. It will be ignored for other modes.
\IEEEpeerreviewmaketitle
\glsresetall % reset acronyms

\section{Introduction}
The boot sequence of an embedded system contains many security-critical operations. Two examples are loading the firmware and activating hardware components. Firmware loading can be vulnerable to many attacks~\cite{CVE-2019-19642,CVE-2020-15046}, including downgrading firmware, loading malicious firmware, and cancelling firmware updates. Hardware components also provides a means of entry for attackers who can leverage malicious peripherals~\cite{rubber_ducky}, for traffic-sniffing, key-logging, or altering the system's behaviour.

%Over the years, many solutions have been proposed to mitigate these issues. The first and most common countermeasure is verifying the integrity of the firmware before applying an update or before booting up the machine. The methods to verify a firmware typically include but are not limited to cryptography~\cite{firmware_crypto}, blockchain technology~\cite{firmware_blockchain}~\cite{firmware_blockchain_2} or direct data comparison~\cite{firmware_data}. Depending on the complexity, the manufacturer can provide a tag~\cite{firmware_sign} of the firmware or encrypt it to provide trust that it is genuine. The integrity verification can also be performed at run-time as part of the firmware itself or with dedicated hardware~\cite{trustanchor}.

The standard countermeasures to firmware and hardware attacks~\cite{firmware_data} share the common flaw of being performed by the protected machine itself, allowing an attacker to bypass them after infecting the machine. \glspl{ids} face a trade-off between accessing relevant information and keeping the detection mechanism separated from the target machine. Our solution addresses this trade-off by leveraging unforgeable side-channel information.
%\footnote{good place to show that you know related work: while other approaches use software isolation [...] or virtual machines [,,,], our solution ...} 

%\subsection{Contributions}
This paper presents a novel solution for firmware verification using side-channel analysis. Building on the assumption that every security mechanism operating on a host is vulnerable to being bypassed and that any deviation from a normal boot sequence operation is a reason for concern, we propose to use the device's power consumption signature during the boot sequence to assess its integrity. The integrity evaluation leverages unforgeable power consumption data collected independently of the host. A distance-based outlier detector can learn the expected pattern and detect any variation in a new boot sequence. Our solution can detect various attacks centred around firmware manipulation. This novel detector is versatile, retrofittable to any embedded system, and requires a theoretic minimum of four training examples, well below current data requirements for state-of-the-art methods \cite{ismail2019deep}.

%\subsection{Threat Model}\label{threat}
Many hardware and firmware attacks leverage machine-specific designs to provide an access point to the attacker. This paper focuses on attacks relying on firmware modifications, but the method for detecting hardware modifications remains the same. Because the firmware is responsible for the initialization of the components, the low-level communications, and some in-depth security features, executing adversary code in place of the expected firmware is a powerful capability~\cite{mitre}. A firmware modification is defined as deploying a new firmware code. Modifications include implementing custom functions, removing security features, or changing the firmware for a different version (downgrade or upgrade), as well as bypassing firmware procedures via hardware tampering. Any loading of a non-approved firmware (including a maliciously modified one) is considered an attack. This type of attack can result in the attacker gaining full control of the device.


%\subsection{Related Work}
Manufacturers have implemented different security mechanisms to guarantee the integrity of the firmware. The first and most common is to cryptographically sign, or compute a checksum of the code. This method suffers many possible bypasses, even with dedicated hardware~\cite{thrangrycats}.

Historically, \gls{sca} is mainly used for attacks. However, defense is also a promising application for this technology with runtime anomaly detection~\cite{timing} or specific attack detection~\cite{DTU}. These mechanisms are powerful at protecting systems that cannot host security software.

\section{Boot Process Verifier}\label{feature_eng}
To enable firmware verification, we design a training and testing pipeline that performs anomaly detection on a boot-up sequence power trace. A boot-up power trace is a time series corresponding to the power consumption of the machine during one complete boot-up sequence. The \gls{bpv} takes as input a power trace and verifies its validity against valid boot-up traces (see Figure \ref{fig:overview}).
The \gls{iqr} is a measure of dispersion of samples. It is based on the first and third quartiles and defined as $IQR = Q_3 - Q_1$ with $Q_3$ the third quartile and $Q_1$ the first quartile. This value is commonly used~\cite{han2011data} to detect outliers as a more robust alternative to the $3\sigma$ interval of a Gaussian distribution. The training phase consists in first computing the \gls{iqr} of the Euclidean distances from each training trace to their average. Then, the distance threshold takes the value $Q3 + 1.5\times IQR$. The distance of each new trace to the reference average is computed and compared to the threshold in the detection phase. If the distance is above the pre-computed threshold, the new trace is considered anomalous.

\begin{figure}[t]
    \centering
    \includegraphics[width=0.9\linewidth]{images/illustration.pdf}
    \caption{Overview of the Boot Process Verifier pipeline.}
    \label{fig:overview}
    \vspace{-0.4cm}
\end{figure}

\section{Experiment}\label{experiment}
To verify the performance of the proposed detector, we designed an experiment to detect firmware modifications on networking devices. These devices are bespoke for transmitting information as fast as possible. We consider four machines representing consumer-available products for different prices and performances: Asus Router RT-N12 D1, Linksys Router MR8300 v1.1, TP-Link Switch T1500G-10PS, HP Switch Procurve 2650 J4899B. As part of the experiment, each device undergoes firmware modifications using OpenWRT for the routers and downgraded firmware for the switches.

%\subsection{Experimental Setup}
We use a hardware device~\cite{hidden} placed in series with the power cable of the target device. The capture box's shunt resistor generates a voltage drop representative of the global power consumption of the machine. This voltage drop value is recorded at a sampling rate of \numprint[KSPS]{10}. A managed \gls{pdu} enables turning each machine ON or OFF automatically. To account for randomness and gather representative boot-up sequences of the device, we performed \numprint{500} boot iterations per machine and per firmware version. The complete dataset is publicly available~\cite{dataset}.

The output of each measurement is a $\approx 24$ hours power trace containing $500$ boot-up sequence event. A threshold-based algorithm extracts the boot-up sequences from the complete trace. The algorithm leverages the rising edge at the start of the boot sequence to detect the start time accurately. We use two hyperparameters $T$ the consumption threshold, and $L$ the length of the boot-up sequence controls the detection and are tuned per machine. When a sample crosses the threshold on a rising edge, the next $L$ samples are saved as a boot-up sequence. The value of $T$ is taken just above the maximum consumption when the machine is off in order to be crossed during the initial consumption rise. The boot time $L$ is around \numprint[s]{20} and the choice of the value is discussed in \ref{results}. The extracted traces are resampled at $50ms$ using a median aggregator, and median and average filters are applied to remove noises that could falsely trigger the detection.

\subsection{Results}\label{results}
Table~\ref{tab:results} shows the experimental results. For each machine, we compute the distance threshold using ten known-good traces and classify ten normal and ten abnormal traces. The procedure is repeated 20 times, and the results averaged per machine. We compute the overall $F_1$ score using arithmetic mean.

\begin{table}[h]
    \centering
    \begin{tabular}{l|c|c}
        \textbf{Machine} & \textbf{Detection $F_1$ Score} & \textbf{Overall $F_1$ Score}\\
        \hline
        TP-Link switch & 0.866 & \multirow{4}{*}{0.942}\\
        HP switch & 0.983 &\\
        Asus router & 1 &\\
        Linksys router & 0.921 &\\
    \end{tabular}
    \caption{Results of detection.}
    \label{tab:results}
\end{table}

Two hyper-parameters require tuning to achieve the best performance. The length of the extracted sequences needs to cover the whole boot-up while including no post-boot operations that introduce noise. Because the \gls{iqr} method is based on quartiles, a theoretical minimum of four traces is required. Collecting additional traces offers a more robust \gls{iqr} threshold placement, but too many traces ($>20$) offer marginal improvements as the boot-up sequence is usually consistent. Other parameters, such as sampling rate or pre-processing values, do not show to significantly affect the results.


\section{Conclusion}\label{conclusion}
This study illustrates the application of side-channel analysis to detect firmware attacks. The proposed side-channel-based \gls{ids} can reliably detect firmware tampering from the power consumption trace. Moreover, distance-based models leveraged in this study allow minimal training data and time requirements. Deploying this technology to production networking equipment requires minimal downtime and hardware intrusion. Finally, it applies to any clientless equipment.


% trigger a \newpage just before the given reference
% number - used to balance the columns on the last page
% adjust value as needed - may need to be readjusted if
% the document is modified later
%\IEEEtriggeratref{8}
% The "triggered" command can be changed if desired:
%\IEEEtriggercmd{\enlargethispage{-5in}}

% references section

% can use a bibliography generated by BibTeX as a .bbl file
% BibTeX documentation can be easily obtained at:
% http://mirror.ctan.org/biblio/bibtex/contrib/doc/
% The IEEEtran BibTeX style support page is at:
% http://www.michaelshell.org/tex/ieeetran/bibtex/
%\bibliographystyle{IEEEtran}
% argument is your BibTeX string definitions and bibliography database(s)
%\bibliography{IEEEabrv,../bib/paper}

% <OR> manually copy in the resultant .bbl file
% set second argument of \begin to the number of references
% (used to reserve space for the reference number labels box)
\bibliography{bibli} 
\bibliographystyle{ieeetr}




% that's all folks
\end{document}