diff --git a/Thesis_Docs/Nikkhah_Nasab-Aida-Mastersthesis.pdf b/Thesis_Docs/Nikkhah_Nasab-Aida-Mastersthesis.pdf index 14354d409c2613043b3def1597bb0495265f3ec7..c8029d1f5d3a398f794dbf79819bbf1d6f482dd3 100644 Binary files a/Thesis_Docs/Nikkhah_Nasab-Aida-Mastersthesis.pdf and b/Thesis_Docs/Nikkhah_Nasab-Aida-Mastersthesis.pdf differ diff --git a/Thesis_Docs/main.tex b/Thesis_Docs/main.tex index 4c39d73ccaa2ff18b0391dc31f6c621499911f84..63efe44c461647da52556953002a84b12b651a91 100644 --- a/Thesis_Docs/main.tex +++ b/Thesis_Docs/main.tex 
@@ -708,28 +708,28 @@ The final step combines the results from the FFT and ACF steps to confirm malici \begin{figure} \centering \includegraphics[width=\textwidth]{../Thesis_Docs/media/candidates.png} - \caption{Frequency Spectrum with FFT \& ACF Candidates. The x-axis represents frequency (Hz), and the y-axis represents amplitude. The figure shows candidates for the domains "fpc.mesedge.net", "m4v4r4c5.stackpathcdn.com", and "beacon7.example.com"} + \caption{Frequency Spectrum with FFT \& ACF Candidates. The x-axis represents frequency (Hz), and the y-axis represents amplitude. The figure shows candidates for the domains "m4v4r4c5.stackpathcdn.com", and "beacon7.example.com"} \label{fig:combinedall} \end{figure} -Figure \ref{fig:combinedall} presents the analysis of three selected URLs "fpc.mesedge.net", "m4v4r4c5.stackpathcdn.com", and "beacon7.example.com", derived from both real and synthetic data. The first URL represents a non-beaconing behavior observed in real data, meaning that no periodic transmission pattern is present. The second URL, also extracted from real data, exhibits a clear beaconing behavior. The third URL corresponds to a synthetic beacon, artificially generated to simulate a periodic transmission pattern. - -The x-axis represents the frequency range, corresponding to different time intervals, while the y-axis indicates the amplitude of the detected signals. The beacon, derived from real data, exhibits periodic behavior with a frequency of approximately 0.1 Hz and a transmission interval of 10 seconds. Similarly, the synthetic beacon shows candidate frequencies at 0.05 Hz and 0.15 Hz. However, the peak at 0.05 Hz indicates that the URL exhibits beaconing behavior with a periodicity of 20 seconds. Additionally, no periodic beaconing behavior is detected for the non-beacon URL. 
+Figure \ref{fig:combinedall} presents the analysis of two selected URLs "m4v4r4c5.stackpathcdn.com", and "beacon7.example.com", derived from both real and synthetic data. The first URL, extracted from real data, exhibits a clear beaconing behavior. The second URL corresponds to a synthetic beacon, artificially generated to simulate a periodic transmission pattern. +The x-axis represents the frequency range, corresponding to different time intervals, while the y-axis indicates the amplitude of the detected signals. The beacon, derived from real data, exhibits periodic behavior with a frequency of approximately 0.1 Hz and a transmission interval of 10 seconds. Similarly, the synthetic beacon shows candidate frequencies at 0.05 Hz and 0.15 Hz. However, the peak at 0.05 Hz indicates that the URL exhibits beaconing behavior with a periodicity of 20 seconds.Conversely, the non-beaconing URL "fpc.mesedge.net" was also selected, and the algorithm was applied to it, but it did not yield any results. This analysis demonstrates the framework's ability to accurately detect beaconing behavior in both real and synthetic datasets, providing a reliable method for identifying malicious activities in network traffic. 
\begin{table} \centering - \caption{Beaconing Data Candidates from Real and Beaconing Data} + \caption{ Data Candidates from Real and Artificial Data} \label{tab:candidates} \resizebox{\textwidth}{!}{% - \begin{tabular}{lcc} + \begin{tabular}{lccc} \toprule - \textbf{Attribute} & \textbf{Candidate 1} & \textbf{Candidate 2} \\ + \textbf{Attribute} & \textbf{Candidate 1} & \textbf{Candidate 2} & \textbf{Candidate 3} \\ \midrule - Host IP addresses & 127.0.0.1 & 10.16.102.224 \\ - URLs with beaconing behavior & beacon7.example.com & m4v4r4c5.stackpathcdn.com \\ - Frequencies (\(\sim\)Hz) & 0.05 \& 0.15 & 0.1 \\ - Amplitude & 0.014 & 0.024 \\ + Host IP addresses & 127.0.0.1 & 10.16.102.224 & 10.100.59.132 \\ + URLs & beacon7.example.com & m4v4r4c5.stackpathcdn.com & fpc.mesedge.net \\ + Frequencies (\(\sim\)Hz) & 0.05 \& 0.15 & 0.1 & - \\ + Amplitude & 0.014 & 0.024 & - \\ + Is Beacon & Yes & Yes & No \\ \bottomrule \end{tabular}% } 
@@ -737,9 +737,7 @@ The x-axis represents the frequency range, corresponding to different time inter \bigskip -Table \ref{tab:candidates} presents candidate data obtained from both real network traces and beaconing analysis. The table is organized into three columns: the first lists the measured attributes, including host IP addresses, URLs exhibiting beaconing behavior, observed frequencies (in Hertz), and amplitude values of the periodic signals. The subsequent columns represent two distinct candidates. Candidate 1 is characterized by the host IP address "127.0.0.1", a URL "beacon7.example.com", frequencies "0.05 \& 0.15" Hz (indicating multiple frequency components), and maximum amplitude of 0.014. Candidate 2, on the other hand, features the host IP address "10.16.102.224", the URL "m4v4r4c5.stackpathcdn.com", a single frequency component at 0.1 Hz, and maximum amplitude of 0.024. Such candidates are important because they alert analysts directly by flagging URLs with beaconing behavior, thereby providing actionable intelligence for further investigation. - -By applying the detection algorithm to this dataset and analyzing the output, it becomes evident that the algorithm effectively identifies periodic signals in both real and synthetic beaconing behaviors. The results highlight the robustness of the method, demonstrating its ability to distinguish between beaconing and non-beaconing activity while accurately capturing different periodic transmission intervals. +Table \ref{tab:candidates} presents candidate data obtained from both real network traces and beaconing analysis. The table is organized into four columns: the first lists the measured attributes, including host IP addresses, URLs, observed frequencies (in Hertz), amplitude, and Is Beacon values of the periodic signals. The subsequent columns represent three distinct candidates. 
Candidate 1 is characterized by the host IP address "127.0.0.1", a URL "beacon7.example.com", frequencies "0.05 \& 0.15" Hz (indicating multiple frequency components), and a maximum amplitude of 0.014. Candidate 2 features the host IP address "10.16.102.224", the URL "m4v4r4c5.stackpathcdn.com", a single frequency component at 0.1 Hz, and a maximum amplitude of 0.024. Candidate 3, on the other hand, is associated with the host IP address "10.100.59.132", the URL "fpc.mesedge.net", and does not exhibit significant periodic frequencies or amplitudes, as indicated by the "-" symbols. last row presents that which URL is detected as a beaconing behavior. By applying the detection algorithm to this dataset and analyzing the output, it becomes evident that the algorithm effectively identifies periodic signals in both real and synthetic beaconing behaviors. The results highlight the robustness of the method, demonstrating its ability to distinguish between beaconing and non-beaconing activity while accurately capturing different periodic transmission intervals. \section{Discussion} diff --git a/Thesis_Docs/media/avg_day_night.png b/Thesis_Docs/media/avg_day_night.png deleted file mode 100644 index 18e137bbceae15f42e36566485e39533567bbb37..0000000000000000000000000000000000000000 Binary files a/Thesis_Docs/media/avg_day_night.png and /dev/null differ diff --git a/Thesis_Docs/media/candidates.png b/Thesis_Docs/media/candidates.png index 83724b8dc3052f072f4738beca45e2a7acb3f568..d788041af7fbd52e020b543043ffa20c661bf1bc 100644 Binary files a/Thesis_Docs/media/candidates.png and b/Thesis_Docs/media/candidates.png differ diff --git a/Thesis_Docs/media/datasetchart.png b/Thesis_Docs/media/datasetchart.png deleted file mode 100644 index a756111b89a710c386bdc6f17b2cb74661f89a01..0000000000000000000000000000000000000000 Binary files a/Thesis_Docs/media/datasetchart.png and /dev/null differ 
diff --git a/Thesis_Docs/media/maps.png b/Thesis_Docs/media/maps.png deleted file mode 100644 index 6116b8560693837dc59e72ac45902c48cbb9c96e..0000000000000000000000000000000000000000 Binary files a/Thesis_Docs/media/maps.png and /dev/null differ
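Review bot: In the first main.tex hunk (@@ -708,28 +708,28 @@), the blank line that separated the "Figure \ref{fig:combinedall} presents..." paragraph from "The x-axis represents..." was dropped, so LaTeX will now typeset both as one paragraph; restore the empty line between the two `+` lines. In the same added text, "20 seconds.Conversely" is missing a space after the period, and the sentence "the algorithm was applied to it, but it did not yield any results" contradicts the revised table, where "fpc.mesedge.net" does appear as Candidate 3 with "Is Beacon: No"; say instead that no candidate frequency or amplitude was found and the URL was classified as non-beaconing. Minor: the new table caption `\caption{ Data Candidates from Real and Artificial Data}` has a stray leading space, and the bare `-` cells in the tabular will print as hyphens; `--` or an explicit "n/a" reads better as a placeholder for absent values.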
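Review bot: In the second main.tex hunk (@@ -737,9 +737,7 @@), the added sentence "last row presents that which URL is detected as a beaconing behavior." is ungrammatical and starts in lowercase; suggest "The last row indicates which URLs are classified as exhibiting beaconing behavior." The phrase "amplitude, and Is Beacon values of the periodic signals" is also awkward; "amplitude, and whether each URL is classified as a beacon" keeps the meaning. Finally, the opening sentence still says the candidates come "from both real network traces and beaconing analysis", while the new caption says "Real and Artificial Data"; aligning the prose with the caption ("real and synthetic data") avoids a mismatch the reader will notice.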
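Review bot: The deletions of Thesis_Docs/media/avg_day_night.png, datasetchart.png and maps.png are not accompanied by any change to main.tex that removes `\includegraphics` references to them; if any remain, the build will fail with a missing-file error. Please confirm with a search for those filenames in the .tex sources (and either drop the corresponding figure environments in this commit or state in the message that they were already unreferenced). Committing the regenerated Mastersthesis.pdf alongside the source change also bloats the repository history; consider building the PDF in CI instead of tracking it.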