Commit 3d4fd1e1 authored by Aida Nikkhah Nasab

update Mastersthesis.pdf and main.tex to refine content, improve clarity, and remove outdated references
parent 17bb29b9
Pipeline #58025 failed
......@@ -708,28 +708,28 @@ The final step combines the results from the FFT and ACF steps to confirm malici
\begin{figure}
\centering
\includegraphics[width=\textwidth]{../Thesis_Docs/media/candidates.png}
\caption{Frequency Spectrum with FFT \& ACF Candidates. The x-axis represents frequency (Hz), and the y-axis represents amplitude. The figure shows candidates for the domains "fpc.mesedge.net", "m4v4r4c5.stackpathcdn.com", and "beacon7.example.com"}
\caption{Frequency Spectrum with FFT \& ACF Candidates. The x-axis represents frequency (Hz), and the y-axis represents amplitude. The figure shows candidates for the domains "m4v4r4c5.stackpathcdn.com", and "beacon7.example.com"}
\label{fig:combinedall}
\end{figure}
Figure \ref{fig:combinedall} presents the analysis of three selected URLs "fpc.mesedge.net", "m4v4r4c5.stackpathcdn.com", and "beacon7.example.com", derived from both real and synthetic data. The first URL represents a non-beaconing behavior observed in real data, meaning that no periodic transmission pattern is present. The second URL, also extracted from real data, exhibits a clear beaconing behavior. The third URL corresponds to a synthetic beacon, artificially generated to simulate a periodic transmission pattern.
The x-axis represents the frequency range, corresponding to different time intervals, while the y-axis indicates the amplitude of the detected signals. The beacon, derived from real data, exhibits periodic behavior with a frequency of approximately 0.1 Hz and a transmission interval of 10 seconds. Similarly, the synthetic beacon shows candidate frequencies at 0.05 Hz and 0.15 Hz. However, the peak at 0.05 Hz indicates that the URL exhibits beaconing behavior with a periodicity of 20 seconds. Additionally, no periodic beaconing behavior is detected for the non-beacon URL.
Figure \ref{fig:combinedall} presents the analysis of two selected URLs "m4v4r4c5.stackpathcdn.com", and "beacon7.example.com", derived from both real and synthetic data. The first URL, extracted from real data, exhibits a clear beaconing behavior. The second URL corresponds to a synthetic beacon, artificially generated to simulate a periodic transmission pattern.
The x-axis represents the frequency range, corresponding to different time intervals, while the y-axis indicates the amplitude of the detected signals. The beacon, derived from real data, exhibits periodic behavior with a frequency of approximately 0.1 Hz and a transmission interval of 10 seconds. Similarly, the synthetic beacon shows candidate frequencies at 0.05 Hz and 0.15 Hz. However, the peak at 0.05 Hz indicates that the URL exhibits beaconing behavior with a periodicity of 20 seconds.Conversely, the non-beaconing URL "fpc.mesedge.net" was also selected, and the algorithm was applied to it, but it did not yield any results. This analysis demonstrates the framework's ability to accurately detect beaconing behavior in both real and synthetic datasets, providing a reliable method for identifying malicious activities in network traffic.
\begin{table}
\centering
\caption{Beaconing Data Candidates from Real and Beaconing Data}
\caption{ Data Candidates from Real and Artificial Data}
\label{tab:candidates}
\resizebox{\textwidth}{!}{%
\begin{tabular}{lcc}
\begin{tabular}{lccc}
\toprule
\textbf{Attribute} & \textbf{Candidate 1} & \textbf{Candidate 2} \\
\textbf{Attribute} & \textbf{Candidate 1} & \textbf{Candidate 2} & \textbf{Candidate 3} \\
\midrule
Host IP addresses & 127.0.0.1 & 10.16.102.224 \\
URLs with beaconing behavior & beacon7.example.com & m4v4r4c5.stackpathcdn.com \\
Frequencies (\(\sim\)Hz) & 0.05 \& 0.15 & 0.1 \\
Amplitude & 0.014 & 0.024 \\
Host IP addresses & 127.0.0.1 & 10.16.102.224 & 10.100.59.132 \\
URLs & beacon7.example.com & m4v4r4c5.stackpathcdn.com & fpc.mesedge.net \\
Frequencies (\(\sim\)Hz) & 0.05 \& 0.15 & 0.1 & - \\
Amplitude & 0.014 & 0.024 & - \\
Is Beacon & Yes & Yes & No \\
\bottomrule
\end{tabular}%
}
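Review bot: The rewritten paragraph under the figure still evaluates "fpc.mesedge.net" ("did not yield any results") although the new caption and the sentence before it say the figure covers only two URLs, so the negative result has no visible support in Figure \ref{fig:combinedall}. Say explicitly that this host is not plotted and that no candidate frequency passed the FFT and ACF steps, which is more precise than "did not yield any results". In the same paragraph, "20 seconds.Conversely" is missing a space, and the text keeps the 0.05 Hz peak over the 0.15 Hz one without giving a reason; if 0.15 Hz is treated as the third harmonic of 0.05 Hz, state that. The two-item lists now read `"m4v4r4c5.stackpathcdn.com", and "beacon7.example.com"` in both the caption and the body; drop the comma. In the table, the new caption has a leading space and says "Artificial" where the text says "synthetic", and the candidate order (synthetic first) is the reverse of the order used in the paragraph (real first); pick one term and one order.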
......@@ -737,9 +737,7 @@ The x-axis represents the frequency range, corresponding to different time inter
\bigskip
Table \ref{tab:candidates} presents candidate data obtained from both real network traces and beaconing analysis. The table is organized into three columns: the first lists the measured attributes, including host IP addresses, URLs exhibiting beaconing behavior, observed frequencies (in Hertz), and amplitude values of the periodic signals. The subsequent columns represent two distinct candidates. Candidate 1 is characterized by the host IP address "127.0.0.1", a URL "beacon7.example.com", frequencies "0.05 \& 0.15" Hz (indicating multiple frequency components), and maximum amplitude of 0.014. Candidate 2, on the other hand, features the host IP address "10.16.102.224", the URL "m4v4r4c5.stackpathcdn.com", a single frequency component at 0.1 Hz, and maximum amplitude of 0.024. Such candidates are important because they alert analysts directly by flagging URLs with beaconing behavior, thereby providing actionable intelligence for further investigation.
By applying the detection algorithm to this dataset and analyzing the output, it becomes evident that the algorithm effectively identifies periodic signals in both real and synthetic beaconing behaviors. The results highlight the robustness of the method, demonstrating its ability to distinguish between beaconing and non-beaconing activity while accurately capturing different periodic transmission intervals.
Table \ref{tab:candidates} presents candidate data obtained from both real network traces and beaconing analysis. The table is organized into four columns: the first lists the measured attributes, including host IP addresses, URLs, observed frequencies (in Hertz), amplitude, and Is Beacon values of the periodic signals. The subsequent columns represent three distinct candidates. Candidate 1 is characterized by the host IP address "127.0.0.1", a URL "beacon7.example.com", frequencies "0.05 \& 0.15" Hz (indicating multiple frequency components), and a maximum amplitude of 0.014. Candidate 2 features the host IP address "10.16.102.224", the URL "m4v4r4c5.stackpathcdn.com", a single frequency component at 0.1 Hz, and a maximum amplitude of 0.024. Candidate 3, on the other hand, is associated with the host IP address "10.100.59.132", the URL "fpc.mesedge.net", and does not exhibit significant periodic frequencies or amplitudes, as indicated by the "-" symbols. last row presents that which URL is detected as a beaconing behavior. By applying the detection algorithm to this dataset and analyzing the output, it becomes evident that the algorithm effectively identifies periodic signals in both real and synthetic beaconing behaviors. The results highlight the robustness of the method, demonstrating its ability to distinguish between beaconing and non-beaconing activity while accurately capturing different periodic transmission intervals.
\section{Discussion}
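Review bot: The new sentence "last row presents that which URL is detected as a beaconing behavior." in the table description is ungrammatical and starts in lower case; something like "The last row states whether each URL was classified as a beacon." would do. The attribute list "amplitude, and Is Beacon values of the periodic signals" also reads oddly, since "Is Beacon" is a classification result and not a property of the signal. The description still opens with "obtained from both real network traces and beaconing analysis" while the caption was changed to real and artificial data, so the two no longer match. The merge also removed the paragraph break before "By applying the detection algorithm", and the robustness claim that follows now rests on a single non-beaconing example (Candidate 3); consider keeping the break and wording the claim to reflect that these are three illustrative cases.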
......
Thesis_Docs/media/avg_day_night.png (18.5 KiB)
Thesis_Docs/media/candidates.png (50 KiB / 49.7 KiB)
Thesis_Docs/media/datasetchart.png (170 KiB)
Thesis_Docs/media/maps.png (292 KiB)