diff --git a/Thesis_Docs/Nikkhah_Nasab-Aida-Mastersthesis.pdf b/Thesis_Docs/Nikkhah_Nasab-Aida-Mastersthesis.pdf
index 08bd32a6299ff392f58260f1186e60c7308b419c..4a55ae686cbe59fe9a44f611da8e32a7aa545b97 100644
Binary files a/Thesis_Docs/Nikkhah_Nasab-Aida-Mastersthesis.pdf and b/Thesis_Docs/Nikkhah_Nasab-Aida-Mastersthesis.pdf differ
diff --git a/Thesis_Docs/main.tex b/Thesis_Docs/main.tex
index d1b595947f5ee134679fb378b5ca432571b15f66..150ba8275559689f90b8c143e4b9257c63e9784e 100644
--- a/Thesis_Docs/main.tex
+++ b/Thesis_Docs/main.tex
@@ -329,7 +329,7 @@ The structure of the JSON files is defined by a Document Type Definition (DTD),
         "logdate": { "type": "string", "format": "date-time"},
         "url_hostname": { "type": "string"},
         "user": { "type": "string"}},
-      "required": ["logdate", "url_hostname"] }
+      "required": ["logdate", "url-hostname"] }
 \end{lstlisting}
 
 The structured format of the JSON files ensures that each entry is consistent and comprehensive, providing a reliable record of user activities for analysis.
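Review bot: the new required entry "url-hostname" no longer matches the property declared three lines above it as "url_hostname", so a validator applying this listing would demand a key the schema never defines. Either keep "required": ["logdate", "url_hostname"] or rename the property in the same listing so both spell the key identically. Separately, the surrounding sentence calls this structure a Document Type Definition (DTD); a listing built from "type", "format" and "required" is JSON Schema, and DTD is an XML term.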
@@ -402,7 +402,7 @@ To ensure consistency and reliability across all generated entries, the structur
         "url_hostname": { "type": "string"},
         "user": { "type": "string"}},
         "Is_A": { "type": "string" },
-      "required": ["logdate", "url_hostname", "Is_A"] }
+      "required": ["logdate", "url-hostname", "Is-A"] }
 \end{lstlisting}
 
 \subsection{Jitter and Beacon Frequency Variations}
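Review bot: "url-hostname" and "Is-A" in the new required line do not match the declared names "url_hostname" and "Is_A" in the same listing; keep the underscore spellings or rename the declarations together with the required list. Also, the line "user": { "type": "string"}}, closes the properties object before "Is_A" is declared, so "Is_A" ends up outside properties; move the extra closing brace to after the "Is_A" line.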
@@ -497,7 +497,7 @@ Analyzing the time intervals between URL requests is important for identifying p
     \label{fig:timeintervallog}
 \end{figure}
 
-Figure \ref{fig:timeintervallog} illustrates the distribution of time intervals between URL requests, with the Y-axis displayed on a logarithmic scale. The X-axis represents time intervals in seconds, divided into 65 bins, where each bin corresponds to a one-second interval ranging from 0 to 65 seconds. The use of a logarithmic scale on the Y-axis is particularly useful for visualizing the wide range of request counts. By compressing the scale for higher values and expanding it for lower values, the logarithmic scale enables a clearer and more detailed comparison of the frequency of requests across different time intervals. The visualization reveals a consistent pattern where the number of requests decreases as the time interval between them increases. However, there is a noticeable spike in the number of requests at every 10-second interval, suggesting periodicity in user behavior. This periodicity could be indicative of regular user activities, such as polling mechanisms, automated updates, or recurring checks for new information. These behaviors are common in legitimate network traffic and can help establish a baseline for normal activity. The identification of such periodic patterns is important in network traffic analysis, as it helps differentiate between regular activity and potential malicious behavior. For instance, if a URL exhibits similar periodic patterns but with irregular or unexpected intervals, it could be a sign of beaconing—a technique often used by malware to maintain communication with a command-and-control (C\&C) server. In this case, the analysis could reveal anomalies in the intervals that deviate from expected patterns, potentially indicating a botnet or other malicious activity. By comparing these patterns against known baselines of legitimate traffic, it becomes easier to identify and flag suspicious requests for further investigation.
+Figure \ref{fig:timeintervallog} illustrates the distribution of time intervals between URL requests, with the Y-axis displayed on a logarithmic scale. The X-axis represents time intervals in seconds, divided into 65 bins, where each bin corresponds to a one-second interval ranging from 0 to 65 seconds. The use of a logarithmic scale on the Y-axis is particularly useful for visualizing the wide range of request counts. By compressing the scale for higher values and expanding it for lower values, the logarithmic scale enables a clearer and more detailed comparison of the frequency of requests across different time intervals. The visualization reveals a consistent pattern where the number of requests decreases as the time interval between them increases. However, there is a noticeable spike in the number of requests at every 10-second interval, suggesting periodicity in user behavior. This periodicity could be indicative of regular user activities, such as polling mechanisms, automated updates, or recurring checks for new information. These behaviors are common in legitimate network traffic and can help establish a baseline for normal activity. The identification of such periodic patterns is important in network traffic analysis, as it helps differentiate between regular activity and potential malicious behavior. For instance, if a URL exhibits similar periodic patterns but with irregular or unexpected intervals, it could be a sign of beaconing—a technique often used by malware to maintain communication with a command-and-control (C2) server. In this case, the analysis could reveal anomalies in the intervals that deviate from expected patterns, potentially indicating a botnet or other malicious activity. By comparing these patterns against known baselines of legitimate traffic, it becomes easier to identify and flag suspicious requests for further investigation.
 
 \begin{figure}
     \centering
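Review bot: in the reworded paragraph, "similar periodic patterns but with irregular or unexpected intervals" contradicts itself, since a pattern with irregular intervals is not periodic, and the next figure's discussion describes beaconing as "operating at regular intervals". State what is meant, for example a fixed period that differs from the 10-second baseline spikes, or a period with jitter as in the preceding subsection "Jitter and Beacon Frequency Variations". With C\&C replaced by C2 here, check that the abbreviation is expanded once at first use rather than in every paragraph.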
@@ -506,10 +506,10 @@ Figure \ref{fig:timeintervallog} illustrates the distribution of time intervals
     \label{fig:timeintervallogmin}
 \end{figure}
 
-Figure \ref{fig:timeintervallogmin} extends the analysis of time intervals between URL requests to a larger time scale, with the X-axis each representing a one-minute interval, except for the last bin, which aggregates data from intervals longer than 31 minutes. To avoid losing beaconing data at the edges, each bin spans ±30 seconds; for example, the 1-minute bin represents data from 30 to 90 seconds. The Y-axis remains on a logarithmic scale, ensuring that both high-frequency and low-frequency intervals are visible and can be compared effectively. This use of a logarithmic scale enables the identification of trends across various time scales, making it a powerful tool for understanding patterns in network traffic. Similar to the analysis presented in Figure \ref{fig:timeintervallog}, the visualization reveals a decreasing trend in the number of requests as the time interval between them increases. This suggests that user interactions are typically clustered within shorter time intervals, with longer gaps between requests. However, a notable spike in request frequency appears every 5 minutes, indicating a periodic pattern at a larger time scale. This periodicity is consistent across all URLs in the dataset, suggesting that it represents a common behavior such as scheduled tasks, automated updates, or regular user interactions. These spikes could correspond to routine activities in many systems or applications that are configured to perform tasks at fixed intervals—such as background data synchronization, refresh cycles, or regular system health checks. The observed periodic behavior is particularly significant in the context of detecting malicious beaconing activity. Malicious software, including botnets and malware, often utilizes similar periodic behavior to maintain communication with command-and-control (C\&C) servers, operating at regular intervals. 
By identifying these regular spikes in request frequency, organizations can establish a baseline for normal network behavior and detect any deviations that might indicate unauthorized or suspicious activities. The consistent periodicity observed across the dataset could thus serve as a key indicator for detecting potential threats and taking proactive security measures. The logarithmic scale is crucial for effectively visualizing the wide range of time intervals and request counts. The logarithmic scale compresses the scale for higher values and expands it for lower values, allowing for a more balanced view of both common and rare events. This enhanced visualization capability enables a clearer understanding of the temporal dynamics of user interactions and supports the identification of periodic patterns, which are important for detecting stealthy beaconing behavior in network traffic. Ultimately, this approach aids in distinguishing between normal and abnormal patterns, enhancing the framework’s ability to identify potential security threats.
+Figure \ref{fig:timeintervallogmin} extends the analysis of time intervals between URL requests to a larger time scale, with the X-axis each representing a one-minute interval, except for the last bin, which aggregates data from intervals longer than 31 minutes. To avoid losing beaconing data at the edges, each bin spans ±30 seconds; for example, the 1-minute bin represents data from 30 to 90 seconds. The Y-axis remains on a logarithmic scale, ensuring that both high-frequency and low-frequency intervals are visible and can be compared effectively. This use of a logarithmic scale enables the identification of trends across various time scales, making it a powerful tool for understanding patterns in network traffic. Similar to the analysis presented in Figure \ref{fig:timeintervallog}, the visualization reveals a decreasing trend in the number of requests as the time interval between them increases. This suggests that user interactions are typically clustered within shorter time intervals, with longer gaps between requests. However, a notable spike in request frequency appears every 5 minutes, indicating a periodic pattern at a larger time scale. This periodicity is consistent across all URLs in the dataset, suggesting that it represents a common behavior such as scheduled tasks, automated updates, or regular user interactions. These spikes could correspond to routine activities in many systems or applications that are configured to perform tasks at fixed intervals—such as background data synchronization, refresh cycles, or regular system health checks. The observed periodic behavior is particularly significant in the context of detecting malicious beaconing activity. Malicious software, including botnets and malware, often utilizes similar periodic behavior to maintain communication with command-and-control (C2) servers, operating at regular intervals. 
By identifying these regular spikes in request frequency, organizations can establish a baseline for normal network behavior and detect any deviations that might indicate unauthorized or suspicious activities. The consistent periodicity observed across the dataset could thus serve as a key indicator for detecting potential threats and taking proactive security measures. The logarithmic scale is important for effectively visualizing the wide range of time intervals and request counts. The logarithmic scale compresses the scale for higher values and expands it for lower values, allowing for a more balanced view of both common and rare events. This enhanced visualization capability enables a clearer understanding of the temporal dynamics of user interactions and supports the identification of periodic patterns, which are important for detecting stealthy beaconing behavior in network traffic. Ultimately, this approach aids in distinguishing between normal and abnormal patterns, enhancing the framework’s ability to identify potential security threats.
 
 \section{Distribution of Hosts Based on Unique URLs Contacted}
-Understanding the interaction patterns of hosts within the network is essential for identifying key services, detecting anomalies, and optimizing network performance. By analyzing the distribution of hosts based on the number of unique URLs they contacted, insights can be gained into the concentration of network activity and the diversity of services being accessed. This analysis helps highlight the most active hosts and their browsing behaviors, providing valuable information for pinpointing critical network resources, determining high-traffic users, and identifying potential security concerns. For example, an unusually high number of unique URL requests from a single host may indicate an abnormal pattern, which could suggest automated processes or even malicious behavior. By focusing on the number of unique URLs accessed by each host, this section offers a clear understanding of how traffic is distributed across the network and how hosts interact with various services. Additionally, this analysis aids in understanding the level of engagement with different network segments, assisting network administrators in optimizing resource allocation and managing network load during peak times."
+Understanding the interaction patterns of hosts within the network is important for identifying key services, detecting anomalies, and optimizing network performance. By analyzing the distribution of hosts based on the number of unique URLs they contacted, insights can be gained into the concentration of network activity and the diversity of services being accessed. This analysis helps highlight the most active hosts and their browsing behaviors, providing valuable information for pinpointing critical network resources, determining high-traffic users, and identifying potential security concerns. For example, an unusually high number of unique URL requests from a single host may indicate an abnormal pattern, which could suggest automated processes or even malicious behavior. By focusing on the number of unique URLs accessed by each host, this section offers a clear understanding of how traffic is distributed across the network and how hosts interact with various services. Additionally, this analysis aids in understanding the level of engagement with different network segments, assisting network administrators in optimizing resource allocation and managing network load during peak times."
 
 \begin{figure}
     \centering
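Review bot: the rewritten paragraph beginning "Understanding the interaction patterns" still ends with a stray double quote after "peak times." that will print in the PDF; remove it while the line is being touched. In the figure paragraph, "with the X-axis each representing a one-minute interval" is missing its subject (each bin), and the last bin is described as "longer than 31 minutes" while the other bins span ±30 seconds, so give the exact boundary of the last bin. The explanation of what a logarithmic scale does appears twice in this paragraph; one mention is enough.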
@@ -518,7 +518,7 @@ Understanding the interaction patterns of hosts within the network is essential
     \label{fig:ip}
 \end{figure}
 
-Figure \ref{fig:ip} illustrates the distribution of hosts (IP addresses) based on the number of unique URLs they contacted. The X-axis represents the number of unique URLs, ranging from 1 to 15, while the Y-axis shows the count of hosts within each category. The visualization highlights that the majority of hosts interact with only a small number of unique URLs. Specifically, approximately 17,500 hosts contacted exactly two unique URLs, while around 15,000 hosts interacted with only one unique URL. As the number of unique URLs increases, the number of hosts decreases significantly, although there are still many hosts contacting more than a few URLs. This pattern suggests that network activity is highly concentrated around a small set of destinations, with most hosts accessing only a limited range of resources. For example, hosts that contact only one or two unique URLs are likely interacting with essential services such as internal tools, authentication servers, or frequently accessed websites. In contrast, hosts contacting a larger number of unique URLs may represent more diverse or specialized activities, such as administrators, developers, or automated systems performing a variety of tasks across the network. This distribution of host behavior emphasizes the importance of leveraging whitelists to filter out known legitimate traffic, ensuring that analysis can focus on detecting potentially suspicious activities. The concentration of network traffic on a limited set of URLs also carries significant implications for network monitoring and security. By identifying the most frequently accessed URLs, organizations can prioritize security measures for resources that are most likely to be targeted by malicious actors. URLs that experience high traffic are often the focal points of cyberattacks, such as phishing schemes, malware distribution, or command-and-control (C\&C) communication. 
By directing attention to these critical resources, organizations can enhance their ability to detect and mitigate emerging threats. Additionally, monitoring the distribution of hosts based on the number of unique URLs they access can help identify anomalous behavior. For instance, a host that unexpectedly begins contacting a large number of unique URLs could indicate suspicious activity, such as a compromised device engaged in reconnaissance or data exfiltration. Establishing a baseline for normal host behavior allows organizations to more effectively identify deviations that may require further investigation, enhancing overall network security.
+Figure \ref{fig:ip} illustrates the distribution of hosts (IP addresses) based on the number of unique URLs they contacted. The X-axis represents the number of unique URLs, ranging from 1 to 15, while the Y-axis shows the count of hosts within each category. The visualization highlights that the majority of hosts interact with only a small number of unique URLs. Specifically, approximately 17,500 hosts contacted exactly two unique URLs, while around 15,000 hosts interacted with only one unique URL. As the number of unique URLs increases, the number of hosts decreases significantly, although there are still many hosts contacting more than a few URLs. This pattern suggests that network activity is highly concentrated around a small set of destinations, with most hosts accessing only a limited range of resources. For example, hosts that contact only one or two unique URLs are likely interacting with essential services such as internal tools, authentication servers, or frequently accessed websites. In contrast, hosts contacting a larger number of unique URLs may represent more diverse or specialized activities, such as administrators, developers, or automated systems performing a variety of tasks across the network. This distribution of host behavior emphasizes the importance of leveraging whitelists to filter out known legitimate traffic, ensuring that analysis can focus on detecting potentially suspicious activities. The concentration of network traffic on a limited set of URLs also carries significant implications for network monitoring and security. By identifying the most frequently accessed URLs, organizations can prioritize security measures for resources that are most likely to be targeted by malicious actors. URLs that experience high traffic are often the focal points of cyberattacks, such as phishing schemes, malware distribution, or command-and-control (C2) communication. 
By directing attention to these critical resources, organizations can enhance their ability to detect and mitigate emerging threats. Additionally, monitoring the distribution of hosts based on the number of unique URLs they access can help identify anomalous behavior. For instance, a host that unexpectedly begins contacting a large number of unique URLs could indicate suspicious activity, such as a compromised device engaged in reconnaissance or data exfiltration. Establishing a baseline for normal host behavior allows organizations to more effectively identify deviations that may require further investigation, enhancing overall network security.
 
 \textbf{Analysis of URL Connections}
 
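Review bot: the sentence "URLs that experience high traffic are often the focal points of cyberattacks, such as phishing schemes, malware distribution, or command-and-control (C2) communication" carries no citation and sits uneasily with the sentence just before it in the same paragraph, which recommends whitelists to filter out known legitimate traffic; add a reference or narrow the claim, and say how the two statements fit together. The counts "approximately 17,500" and "around 15,000" would be stronger as exact values from the data behind Figure \ref{fig:ip}.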
@@ -529,7 +529,7 @@ After checking the URLs that were reached by these hosts, several conclusions ca
     Some URLs, such as \url{ocsp.digicert.com}, \url{ocsp.globalsign.com}, \url{crl.globalsign.com}, and \url{ctldl.windowsupdate.com}, are associated with certificate status checking and other security validations. These connections highlight that the hosts are actively performing routine checks to ensure the validity of digital certificates. This activity is indicative of a continuous effort to maintain secure communication channels, verify certificate integrity, and prevent man-in-the-middle (MITM) attacks. The inclusion of URLs related to certificate revocation and status checking suggests a heightened emphasis on maintaining secure connections in the network environment.
     
     \item \textbf{Operating System and Application Updates:} \\
-    Several URLs, including \url{update.googleapis.com}, \url{www.msftconnecttest.com}, and \url{tldl.windowsupdate.com}, are indicative of hosts checking for operating system or application updates. These domains are typically associated with automated update mechanisms, where endpoints periodically reach out to ensure that their software and security patches are up to date. This also includes connectivity tests to verify network accessibility and ensure systems are functioning properly. These connections are crucial for maintaining the integrity and functionality of the hosts, keeping them secure and performing optimally through regular updates.
+    Several URLs, including \url{update.googleapis.com}, \url{www.msftconnecttest.com}, and \url{tldl.windowsupdate.com}, are indicative of hosts checking for operating system or application updates. These domains are typically associated with automated update mechanisms, where endpoints periodically reach out to ensure that their software and security patches are up to date. This also includes connectivity tests to verify network accessibility and ensure systems are functioning properly. These connections are important for maintaining the integrity and functionality of the hosts, keeping them secure and performing optimally through regular updates.
     
     \item \textbf{Enterprise and Cloud Services:} \\
     Domains such as \url{saml.allianz.com}, \url{www.allianz.de}, \url{autodiscover.allianz.de}, \url{service-now.com}, and \url{workspace.citrix} point to hosts interacting with enterprise-level services commonly found in corporate environments. These include services for Single Sign-On (SSO), IT service management, and remote workspace access. The connection to platforms like Citrix suggests that users are accessing virtual desktop environments or cloud-based services, enabling flexible work arrangements. Additionally, integration with platforms like ServiceNow highlights that these hosts may be involved in internal IT service management and troubleshooting, which is a critical component of organizational operations, particularly in large enterprises with complex infrastructures.
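Review bot: \url{tldl.windowsupdate.com} in the changed "Operating System and Application Updates" item differs by one character from \url{ctldl.windowsupdate.com} in the certificate-checking item above it; confirm against the logs which hostname was actually observed and, if it is the same one, list it under a single category. \url{workspace.citrix} in the following item looks truncated and should be checked the same way.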