diff --git a/Thesis_Docs/Nikkhah_Nasab-Aida-Mastersthesis.pdf b/Thesis_Docs/Nikkhah_Nasab-Aida-Mastersthesis.pdf index 118fa2583762296419ec8e0cf8c4f55921008ad6..71dfbb342aa4d45dff1f56a06c2fdd2810906086 100644 Binary files a/Thesis_Docs/Nikkhah_Nasab-Aida-Mastersthesis.pdf and b/Thesis_Docs/Nikkhah_Nasab-Aida-Mastersthesis.pdf differ diff --git a/Thesis_Docs/main.tex b/Thesis_Docs/main.tex index a4dbdf8b16b793fe1daf871277fe22cc3b97b18e..bed4356f78b38e1e616da073e1d1ef1c3e8a1d5e 100644 --- a/Thesis_Docs/main.tex +++ b/Thesis_Docs/main.tex 
@@ -660,7 +660,7 @@ A multi-stage processing pipeline has been developed to isolate genuine periodic \begin{enumerate} \item \textbf{Bandpass Filtering:} \\ - The initial stage involves preprocessing the raw time-series data to remove extraneous noise while preserving the essential periodic components. A zero-phase bandpass filter is applied to the data, ensuring that unwanted frequency components are suppressed without introducing phase distortions. This filtering step is critical as it isolates the frequency range where the periodic signals are expected to reside, thereby laying the foundation for subsequent analysis. + The initial stage involves preprocessing the raw time-series data to remove extraneous noise while preserving the essential periodic components. A bandpass filter is applied to the data, ensuring that unwanted frequency components are suppressed without introducing phase distortions. This filtering step is critical as it isolates the frequency range where the periodic signals are expected to reside, thereby laying the foundation for subsequent analysis. \item \textbf{Permutation-Based FFT Thresholding:} \\ Following filtering, the signal is transformed into the frequency domain using a Fast Fourier Transform (FFT). In order to distinguish significant periodic components from random noise, a dynamic threshold is computed. This threshold is derived by repeatedly randomizing the filtered data and analyzing the resulting spectral amplitudes. The underlying idea is that random permutations will destroy any inherent periodicity; therefore, frequency components in the original signal that exceed the threshold—determined based on a high confidence level—are likely to represent true periodic behavior. 
@@ -674,7 +674,7 @@ A multi-stage processing pipeline has been developed to isolate genuine periodic This multi-stage pipeline represents a significant advancement in the detection of beaconing behavior, as it combines complementary analytical techniques to overcome the challenges posed by noisy and irregular data. The integration of bandpass filtering, dynamic FFT thresholding, and autocorrelation-based validation provides a robust framework for isolating true periodic signals, even in complex network traffic environments. -This comprehensive signal analysis pipeline, combining zero-phase bandpass filtering, permutation-based FFT thresholding, autocorrelation peak detection, and frequency-lag correlation, constitutes a novel contribution of the DBAYWATCH framework. It is designed to be robust in the presence of noise and adaptable to variations in beaconing patterns, thereby significantly enhancing the detection of periodic signals in complex network traffic data. +This comprehensive signal analysis pipeline, combining bandpass filtering, permutation-based FFT thresholding, autocorrelation peak detection, and frequency-lag correlation, constitutes a novel contribution of the DBAYWATCH framework. It is designed to be robust in the presence of noise and adaptable to variations in beaconing patterns, thereby significantly enhancing the detection of periodic signals in complex network traffic data. \subsection{Evaluation with Beaconing Data} A thorough evaluation was conducted using two data sources: 
@@ -712,7 +712,7 @@ For instance: \begin{itemize} \item A beacon with a 10-second interval and 2-second jitter has effective intervals between 8 and 12 seconds. \item Another beacon with a 60-second interval and 10-second jitter produces intervals between approximately 50 and 70 seconds. - \item More extreme cases include a beacon with a 300-second interval and 150-second jitter (half of the interval), resulting in intervals from 150 to 450 seconds. + \item More extreme cases include a beacon with a 300-second interval and 150-second jitter (half of the interval), resulting in intervals from 150 to 450 seconds. At the end, it is concluded that the jitter amount that is half of the interval is not an option for the beaconing detection. \end{itemize} \section{Results and Analysis} 
@@ -765,7 +765,7 @@ A clear example of this can be seen in "beacon7.example.com", where a detected f \section{Discussion and Conclusion} The BAYWATCH extensions significantly enhance beacon detection accuracy by incorporating an advanced signal analysis pipeline. The evaluation confirms that maintaining a low jitter/interval ratio (ideally below 10\%) is useful for robust detection. However, the framework also demonstrates resilience under moderate noise conditions through adaptive thresholding and correlation techniques. The synthetic experiments provide valuable insights into the impact of temporal noise on beacon detection, highlighting the importance of understanding periodic patterns and the challenges posed by irregular transmissions. By combining real-world network traces with synthetic beaconing data, the framework achieves a comprehensive evaluation, demonstrating its efficacy in detecting malicious beaconing behavior under varied conditions. These results underscore the framework's potential to enhance network security by identifying stealthy threats and improving anomaly detection capabilities. The advanced signal analysis pipeline, coupled with a rigorous evaluation methodology, positions the BAYWATCH framework as a valuable tool for securing enterprise networks against advanced cyber threats. -The enhancements in the DBAYWATCH framework, as detailed in this chapter, offer substantial improvements over the original BAYWATCH implementation. By reimplementing the base framework in Python and extending it with an advanced signal analysis pipeline, DBAYWATCH achieves improved accuracy and scalability in beacon detection. The comprehensive evaluation with both real and synthetic data underscores the critical impact of jitter on detection performance and provides clear guidelines for optimal parameter settings in practical network security applications. 
+The enhancements in the BAYWATCH framework, as detailed in this chapter, offer substantial improvements over the original BAYWATCH implementation. By reimplementing the base framework in Python and extending it with an advanced signal analysis pipeline, BAYWATCH achieves improved accuracy and scalability in beacon detection. The comprehensive evaluation with both real and synthetic data underscores the critical impact of jitter on detection performance and provides clear guidelines for optimal parameter settings in practical network security applications. \chapter{Experiments and Discussions} This chapter presents a comprehensive evaluation of the framework to validate its efficacy in detecting malicious beaconing behavior in large-scale networks. The experiments are designed to address two objectives: first assessing the framework's robustness and accuracy under controlled noise conditions using synthetic datasets, and second evaluating its practical performance in real-world enterprise network environments. Synthetic data, generated with programmable noise levels and periodic patterns, enables systematic testing of framework's core algorithms, such as the Fast Fourier Transform (FFT) and autocorrelation-based verification. Subsequently, the framework is deployed on a real-world dataset. This dual approach not only validates the theoretical soundness of the methodology but also demonstrates its scalability and operational feasibility. By synthesizing findings from both artificial and real-world scenarios, this chapter provides insights into framework's strengths, limitations, and applicability in modern cybersecurity defense systems. 
@@ -782,7 +782,7 @@ The validation process in the framework consists of three steps designed to iden \item \textbf{Combination of FFT and ACF Results}: In the final step, the FFT and ACF results are combined to confirm beaconing behavior. The ACF results are transformed into the frequency domain, allowing direct comparison with the FFT candidates. A URL is flagged as malicious beaconing only if it is identified as a candidate by both the FFT and ACF steps. This cross-validation ensures high confidence in the detected beaconing behavior. \end{enumerate} -This multi-step validation process is for distinguishing malicious beaconing from legitimate periodic traffic and noise. By combining the strengths of FFT (frequency-domain analysis) and ACF (time-domain consistency), the BAYWATCH framework achieves high accuracy and robustness in detecting advanced threats like botnets and APTs. +This multi-step validation process is for distinguishing malicious beaconing from legitimate periodic traffic and noise. By combining the strengths of FFT (frequency-domain analysis) and ACF (time-domain consistency), the framework achieves high accuracy and robustness in detecting advanced threats like botnets and APTs. \subsection{FFT Candidate Detection with Power Threshold} 
@@ -792,7 +792,7 @@ The global threshold \( \tau \) is a parameter in the FFT candidate detection pr \subsection{ACF Verification} -After identifying candidate frequencies using the FFT, the BAYWATCH framework verifies their validity using the autocorrelation function (ACF). The ACF measures the similarity between the time series and a shifted version of itself, providing a more robust detection of periodic behavior. This step is for eliminating false positives caused by noise or transient patterns. +After identifying candidate frequencies using the FFT, the BAYWATCH verifies their validity using the autocorrelation function (ACF). The ACF measures the similarity between the time series and a shifted version of itself, providing a more robust detection of periodic behavior. This step is for eliminating false positives caused by noise or transient patterns. \subsection{Combination of FFT and ACF Results} 
@@ -813,7 +813,7 @@ By applying the detection algorithm to this dataset and analyzing the output, it \section{Discussion} -The BAYWATCH framework’s combination of Fast Fourier Transform (FFT) and autocorrelation function (ACF) proved highly effective in detecting malicious beaconing behavior. By leveraging the complementary strengths of FFT (frequency-domain analysis) and ACF (time-domain consistency), the framework achieved a high detection accuracy while minimizing false positives. The cross-validation step, where only frequencies confirmed by both FFT and ACF are flagged as beaconing candidates, ensured robust identification of malicious behavior even in noisy environments. +The framework’s combination of Fast Fourier Transform (FFT) and autocorrelation function (ACF) proved highly effective in detecting malicious beaconing behavior. By leveraging the complementary strengths of FFT (frequency-domain analysis) and ACF (time-domain consistency), the framework achieved a high detection accuracy while minimizing false positives. The cross-validation step, where only frequencies confirmed by both FFT and ACF are flagged as beaconing candidates, ensured robust identification of malicious behavior even in noisy environments. However, the framework has certain limitations. First, its reliance on historical data means it cannot detect zero-day beaconing behavior, as it requires a sufficient time window to analyze periodicity. Second, while the framework effectively filters out most noise, it occasionally flags legitimate periodic traffic (e.g., news feeds) as suspicious. This issue could be mitigated by integrating adaptive whitelisting mechanisms that dynamically update based on observed traffic patterns and threat intelligence feeds.
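Review bot: the first file in the patch, Thesis_Docs/Nikkhah_Nasab-Aida-Mastersthesis.pdf, is a binary that changes with every wording edit to main.tex, so each revision of the text adds an unreviewable blob to the repository history. Consider building the PDF from main.tex in a release step or tracking it with Git LFS rather than committing it alongside the source.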
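Review bot: in the hunk at @@ -660,7, dropping "zero-phase" from "A zero-phase bandpass filter is applied" leaves the same sentence still claiming the filter suppresses unwanted frequencies "without introducing phase distortions", which holds only for a zero-phase (forward-backward) filter; a plain causal bandpass shifts the phase of the signal. Either keep the qualifier or also drop the phase-distortion clause, and state which filter the implementation actually applies so the description matches the code.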
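Review bot: the hunk at @@ -674,7 removes "zero-phase" from the summary sentence but keeps the name DBAYWATCH ("a novel contribution of the DBAYWATCH framework"), while the hunk at @@ -765,7 in the same chapter renames DBAYWATCH to BAYWATCH. Pick one name for the extended framework and apply it in both places.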
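Review bot: the sentence added in the hunk at @@ -712,7, "At the end, it is concluded that the jitter amount that is half of the interval is not an option for the beaconing detection.", is a result placed inside an itemized list of example parameter settings that sits before \section{Results and Analysis}, and its wording is unclear. Move the conclusion into the results or discussion text and state it precisely, e.g. "Jitter equal to half the interval (a jitter/interval ratio of 50\%) is too large for reliable detection", which also ties it to the below-10\% guideline given in the Discussion and Conclusion section.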
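Review bot: in the hunk at @@ -765,7 the rename produces "The enhancements in the BAYWATCH framework ... offer substantial improvements over the original BAYWATCH implementation" and "BAYWATCH achieves improved accuracy and scalability", so the extended framework and the original now share a name within one sentence and the comparison no longer reads. Either keep DBAYWATCH for the extension (as the @@ -674,7 hunk still does) or write "the extended BAYWATCH framework" or "the Python reimplementation" wherever the extension is meant.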
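Review bot: the hunk at @@ -782,7 only drops "BAYWATCH" from "the BAYWATCH framework achieves", which is fine, but the opening sentence kept in both versions, "This multi-step validation process is for distinguishing malicious beaconing from legitimate periodic traffic and noise.", reads awkwardly; "is designed to distinguish" would be clearer. The same "is for eliminating" construction appears in the @@ -792,7 hunk.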
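Review bot: the hunk at @@ -792,7 deletes "framework" but keeps the article, yielding "the BAYWATCH verifies their validity using the autocorrelation function", which is ungrammatical. Use either "the framework verifies" (matching the @@ -782,7 and @@ -813,7 hunks) or "BAYWATCH verifies".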
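Review bot: the rename in the hunk at @@ -813,7 is consistent with @@ -782,7, but the unchanged limitation sentence "its reliance on historical data means it cannot detect zero-day beaconing behavior, as it requires a sufficient time window to analyze periodicity" uses "zero-day" for what is really an observation-window constraint: a beacon cannot be flagged until enough periods have been recorded. "Newly started beaconing" or "beaconing within the first observation window" would describe the limitation accurately.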