deneir/EET1/MLCS_conference/presentation.tex

\documentclass[aspectratio=169,10pt]{beamer}
\usetheme[progressbar=head,numbering=fraction,sectionpage=none]{metropolis}

\usepackage{graphicx}
\usepackage{ulem}
\usepackage{xcolor}
\usepackage[scale=2]{ccicons}
\usepackage{pgfplots}
\usepackage{numprint}
\usepackage{booktabs}
\usepgfplotslibrary{dateplot}
\usepackage{hyperref}
\usepackage{multirow}
\usepackage{tcolorbox}
\usepackage{array}
\usepackage{xspace}

\title{Side-channel Based Runtime Intrusion Detection for Network Equipment}
\subtitle{}
\date{}
\author{Arthur Grisel-Davy}
\institute{University of Waterloo, Canada}

\renewcommand{\thempfootnote}{\ifcase\value{mpfootnote}\or\textasteriskcentered\or\textdagger\or\textdaggerdbl\fi}

\begin{document}

\maketitle

\begin{frame}{Introduction}
    \begin{center}
        {\LARGE We cannot entrust machines to assess their own integrity.}\\
        \vspace{1.5cm}
        {\LARGE Integrity assessement require access to relevant information.}
    \end{center}
\end{frame}

\begin{frame}{Common IDS Solution}
    \begin{center}
        \includegraphics[width=\textwidth]{images/main_illustration_1.pdf}
    \end{center}
\end{frame}
\begin{frame}{Common IDS Solution}
    \begin{center}
        \includegraphics[width=\textwidth]{images/main_illustration_2.pdf}
    \end{center}
\end{frame}
\begin{frame}{Common IDS Solution}
    \begin{center}
        \includegraphics[width=\textwidth]{images/main_illustration_3.pdf}
    \end{center}
\end{frame}
\begin{frame}{Common IDS Solution}
    \begin{center}
        \includegraphics[width=\textwidth]{images/main_illustration_4.pdf}
    \end{center}
\end{frame}

\begin{frame}{Threat Model}
            \only<1>{\begin{tcolorbox}[colback=orange!5!white,colframe=orange!50!black,
  colbacktitle=orange!75!black,title=Firmware Manipulation]
                Change settings, upgrade/downgrade firmware, Replace firmware.
                \tcblower
                Machine takeover, Advanced Persistent Threats.
            \end{tcolorbox}
            
            \begin{tcolorbox}[colback=orange!75!black,colframe=orange!50!black, coltext=white]
                Runtime Monitoring
            \end{tcolorbox}
            \begin{tcolorbox}[colback=orange!75!black,colframe=orange!50!black, coltext=white]
                Hardware Tampering
            \end{tcolorbox}
            }
            
            \only<2>{
            \begin{tcolorbox}[colback=orange!75!black,colframe=orange!50!black, coltext=white]
                Firmware Manipulation
            \end{tcolorbox}

            \begin{tcolorbox}[colback=orange!5!white,colframe=orange!50!black,
  colbacktitle=orange!75!black,title=Runtime Monitoring]
                Log tampering, login (brute force/dictionary) attacks.
                \tcblower
                Intrusion, Covert operations.
            \end{tcolorbox}


            \begin{tcolorbox}[colback=orange!75!black,colframe=orange!50!black, coltext=white]
                Runtim Monitoring
            \end{tcolorbox}
            }

            \only<3>{
            \begin{tcolorbox}[colback=orange!75!black,colframe=orange!50!black, coltext=white]
                Firmware Manipulation
            \end{tcolorbox}
            \begin{tcolorbox}[colback=orange!75!black,colframe=orange!50!black, coltext=white]
                Runtim Monitoring
            \end{tcolorbox}

            \begin{tcolorbox}[colback=orange!5!white,colframe=orange!50!black,
  colbacktitle=orange!75!black,title=Hardware Tampering]
                Installation/removal of peripherals.
                \tcblower
                MAC Flooding attacks.
            \end{tcolorbox}
        }

\end{frame}

\begin{frame}{Experiment Family I - Firmware Manipulation}
    \begin{center}
        \includegraphics[height=0.9\textheight]{images/Firmware_Comparison_TD_direct.pdf}
    \end{center}
\end{frame}

\begin{frame}{Experiment Family I - Firmware Manipulation}
Experiment 1: Classifying Firmware Version
\begin{table}[ht]
    \centering
    \begin{tabular}{lccc}
        \toprule
        \textbf{Data} & \textbf{Model} & \textbf{Macro F1 Score} & \textbf{Accuracy} \tabularnewline
        \midrule
        \multirow{2}*{DC Time Domain} & RFC & \numprint[\%]{100}  & \numprint[\%]{100} \tabularnewline
        & SVM & \numprint[\%]{96.8} & \numprint[\%]{99.3}\tabularnewline
        \midrule
        \multirow{2}*{AC Time Domain}& RFC & \numprint[\%]{87.4}  & \numprint[\%]{98.9} \tabularnewline
        & SVM & \numprint[\%]{75.8} & \numprint[\%]{95.5} \tabularnewline
        \midrule
        \multirow{2}*{DC Frequency Domain} & RFC & \numprint[\%]{97.6} & \numprint[\%]{99.8} \tabularnewline
        & SVM & \numprint[\%]{95.3} & \numprint[\%]{96.0} \tabularnewline
        \bottomrule
    \end{tabular}
    \caption{Comparison between the different algorithms for firmware classification.}
    \label{tab:fw-results}
\end{table}
\end{frame}

\begin{frame}{Experiment Family I - Firmware Manipulation}
Experiment 2: Detecting Firmware Change
\end{frame}


\begin{frame}{Experiment Family II - Run-Time Monitoring}
    \begin{center}
        \includegraphics[height=0.9\textheight]{images/time_domain_ssh.pdf}
    \end{center}
\end{frame}

\begin{frame}{Experiment Family II - Runtime Monitoring}
Experiment 1: Detecting SSH Login Attempts
\begin{table}[ht]
    \begin{center}

    \begin{tabular}{ccccccc}
        \toprule
        \textbf{Model} & \textbf{Precision} & \textbf{Recall} & \textbf{F1 Score} & \textbf{Accuracy} & \textbf{FPR} & \textbf{FNR} \tabularnewline
        \midrule
        %& \multicolumn{5}{>{\hsize=\dimexpr5\hsize+5\tabcolsep+\arrayrulewidth\relax}Y}{\textbf{Time Domain}} & \tabularnewline
        \midrule
        RFC & \numprint[\%]{95} & \numprint[\%]{97} & \numprint[\%]{95} & \numprint[\%]{97} & \numprint[\%]{0.6} & \numprint[\%]{14} \tabularnewline
        SVM & \numprint[\%]{95} & \numprint[\%]{97} & \numprint[\%]{96} & \numprint[\%]{98} & \numprint[\%]{0.8} & \numprint[\%]{8} \tabularnewline
        1D~CNN & \numprint[\%]{94} & \numprint[\%]{93} & \numprint[\%]{93} & \numprint[\%]{96} & \numprint[\%]{2} & \numprint[\%]{9} \tabularnewline
        \midrule
        %& \multicolumn{5}{>{\hsize=\dimexpr5\hsize+5\tabcolsep+\arrayrulewidth\relax}Y}{\textbf{Frequency Domain}} & \tabularnewline
        \midrule
        RFC & \numprint[\%]{89} & \numprint[\%]{67} & \numprint[\%]{72} &
        \numprint[\%]{88} &
        \numprint[\%]{12} &
        \numprint[\%]{8} \tabularnewline
        SVM & -- & -- & -- & -- & -- & --  \tabularnewline
        1D~CNN &
        \numprint[\%]{90} & \numprint[\%]{90} & \numprint[\%]{90} & \numprint[\%]{94} &
        \numprint[\%]{3} &
        \numprint[\%]{17} \tabularnewline
        \midrule
        %& \multicolumn{5}{>{\hsize=\dimexpr5\hsize+5\tabcolsep+\arrayrulewidth\relax}Y}{\textbf{Time + Frequency Domain}} & \tabularnewline
        \midrule
        1D~CNN & \numprint[\%]{89} &
        \numprint[\%]{95} &
        \numprint[\%]{92} &
        \numprint[\%]{95} &
        \numprint[\%]{1} &
        \numprint[\%]{20} \tabularnewline
        \bottomrule
    \end{tabular}

    \end{center}
    \caption{Comparison between the different algorithms for detecting SSH login attempts.}
    \label{tab:ssh-precision-comparison}
\end{table}
\end{frame}

\begin{frame}{Experiment Famili II - Runtime Monitoring}
    Experiment 2: Classifying SSH Login Attemps
    \begin{table}[ht]
    \begin{center}
    \begin{tabular}{ccccccc}
        \toprule
        \textbf{Model} & \textbf{Precision} & \textbf{Recall} & \textbf{F1 Score} & \textbf{Accuracy} & \textbf{FPR} & \textbf{FNR} \tabularnewline
        \midrule
        & \multicolumn{5}{>{\hsize=\dimexpr5\hsize+5\tabcolsep+\arrayrulewidth\relax}c}{\textbf{Time Domain}} & \tabularnewline
        \midrule
        RFC & \numprint[\%]{97} & \numprint[\%]{97} & \numprint[\%]{97} & \numprint[\%]{96.7} & \numprint[\%]{12} & \numprint[\%]{8} \tabularnewline
        SVM & \numprint[\%]{99} & \numprint[\%]{99} & \numprint[\%]{99} & \numprint[\%]{98.5} &
        \numprint[\%]{1} &
        \numprint[\%]{1.5}  \tabularnewline
        1D~CNN & \numprint[\%]{98.5} &
        \numprint[\%]{98} & \numprint[\%]{98} & \numprint[\%]{98} & \numprint[\%]{1} & \numprint[\%]{2}  \tabularnewline
        \bottomrule
    \end{tabular}
    \end{center}
    \caption{Comparison between the different algorithms for classifying SSH login attempts.}
    \label{tab:ssh-classification-precision-comparison}
\end{table}
\end{frame}

\begin{frame}{Experiment Family III - Hardware Tampering}
    \begin{center}
        \includegraphics[height=\textheight]{images/switch.jpg}
    \end{center}
\end{frame}

\begin{frame}{Experiment Family III - Hardware Tampering}
    \begin{center}
        \includegraphics[width=\textwidth]{images/detect_change.pdf}
    \end{center}
\end{frame}

\begin{frame}{Experiment Family III - Hardware Tampering}
    Experiment 1: Identifying the Number of Expansion Modules
    \begin{table}[ht]
    \begin{center}
    \begin{tabular}{ccccc}
        \toprule
        \textbf{Input Data} & \textbf{Model} & \textbf{Accuracy} & \textbf{Recall}\tabularnewline
        \midrule
         DC & SVM & \numprint[\%]{100} & \numprint[\%]{100}\tabularnewline
         DC & KNN & \numprint[\%]{100} & \numprint[\%]{100}\tabularnewline
         DC & SVM & \numprint[\%]{99.5} & \numprint[\%]{99.45}\tabularnewline
        \bottomrule
    \end{tabular}
    \end{center}
    \caption{Comparison between the different models for hardware detection with a stratified 10-fold cross validation setup.}
    \label{tab:hardware-results}
\end{table}
\end{frame}

\begin{frame}{Conclusion}
    \only<1>{
 \begin{tcolorbox}[colback=orange!5!white,colframe=orange!50!black,
    colbacktitle=orange!75!black,title=Advantages of Physics-Based IDS]
        \begin{itemize}
            \item Host-independance
            \item Trustworthy input data
            \item 
        \end{itemize}
    \end{tcolorbox}
    
    \begin{tcolorbox}[colback=orange!5!white,colframe=orange!50!black,
    colbacktitle=orange!75!black,title=Capabilities]
        \begin{itemize}
            \item Boot Process Assessement \footnote{Work-in-Progress: Boot Sequence Integrity Verification with Power Analysis, EMSOFT 22}.

            \item Run-time Monitoring / Log Verification.
            \item Hardware Tampering Detection.
        \end{itemize}
    \end{tcolorbox}
    }
\end{frame}

\end{document}