Commit 86b96777 authored by Aida Nikkhah Nasab

remove outdated Mastersthesis.pdf and Mastersthesis.blg files to eliminate warnings and improve clarity
parent 65097597
Pipeline #57873 failed
This is BibTeX, Version 0.99d (TeX Live 2022/dev/Debian)
Capacity: max_strings=200000, hash_size=200000, hash_prime=170003
The top-level auxiliary file: Nikkhah_Nasab-Aida-Mastersthesis.aux
The style file: IEEEtran.bst
Reallocated singl_function (elt_size=4) to 100 items from 50.
Reallocated singl_function (elt_size=4) to 100 items from 50.
Reallocated singl_function (elt_size=4) to 100 items from 50.
Reallocated wiz_functions (elt_size=4) to 6000 items from 3000.
Reallocated singl_function (elt_size=4) to 100 items from 50.
Database file #1: ../Thesis_Docs/sources/references.bib
Warning--I didn't find a database entry for "ransomware2022"
Warning--I didn't find a database entry for "cybersecurity_skills_gap"
Warning--I didn't find a database entry for "apt_definition"
Warning--I didn't find a database entry for "charan2021dmpt"
Warning--I didn't find a database entry for "spear_phishing"
Warning--I didn't find a database entry for "zero_day"
Warning--I didn't find a database entry for "lateral_movement"
Warning--I didn't find a database entry for "c2_communication"
Warning--I didn't find a database entry for "network_architecture"
Warning--I didn't find a database entry for "security_protocols"
Warning--I didn't find a database entry for "access_controls"
Warning--I didn't find a database entry for "network_monitoring"
Warning--I didn't find a database entry for "insider_threats"
Warning--I didn't find a database entry for "advanced_malware"
Warning--I didn't find a database entry for "misconfigurations"
Warning--I didn't find a database entry for "supply_chain_attacks"
Warning--I didn't find a database entry for "influxdb"
Warning--I didn't find a database entry for "influxdb_storage"
Warning--I didn't find a database entry for "influxdb_throughput"
Warning--I didn't find a database entry for "influxdb_flux"
Warning--I didn't find a database entry for "influxdb_retention"
Warning--I didn't find a database entry for "influxdb_integrations"
Warning--I didn't find a database entry for "influxdb_monitoring"
Warning--I didn't find a database entry for "influxdb_historical"
Warning--I didn't find a database entry for "influxdb_alerting"
Warning--I didn't find a database entry for "influxdb_visualization"
-- IEEEtran.bst version 1.14 (2015/08/26) by Michael Shell.
-- http://www.michaelshell.org/tex/ieeetran/bibtex/
-- See the "IEEEtran_bst_HOWTO.pdf" manual for usage information.
Done.
You've used 23 entries,
4087 wiz_defined-function locations,
976 strings with 13530 characters,
and the built_in function-call counts, 19750 in all, are:
= -- 1498
> -- 570
< -- 153
+ -- 303
- -- 107
* -- 944
:= -- 2765
add.period$ -- 57
call.type$ -- 23
change.case$ -- 26
chr.to.int$ -- 369
cite$ -- 23
duplicate$ -- 1399
empty$ -- 1656
format.name$ -- 127
if$ -- 4671
int.to.chr$ -- 0
int.to.str$ -- 23
missing$ -- 266
newline$ -- 96
num.names$ -- 23
pop$ -- 677
preamble$ -- 1
purify$ -- 0
quote$ -- 2
skip$ -- 1499
stack$ -- 0
substring$ -- 919
swap$ -- 1136
text.length$ -- 30
text.prefix$ -- 0
top$ -- 5
type$ -- 23
warning$ -- 0
while$ -- 94
width$ -- 25
write$ -- 240
(There were 26 warnings)
File deleted
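Review bot: deleting the committed `Nikkhah_Nasab-Aida-Mastersthesis.blg` does not eliminate the 26 warnings it records; BibTeX emits them because `../Thesis_Docs/sources/references.bib` has no entries for the cited keys (`ransomware2022`, `cybersecurity_skills_gap`, `apt_definition`, `charan2021dmpt`, `spear_phishing`, `zero_day`, `lateral_movement`, `c2_communication`, `supply_chain_attacks`, the `influxdb*` keys, and so on), and several of those keys are still cited in the `.tex` diff below (for example `\cite{ransomware2022}` in the Emerging Trends list and `\cite{influxdb_flux}` in the InfluxDB Features list), so the same warnings reappear on the next `bibtex` run. Either add the missing entries to `references.bib` or drop the dangling `\cite{}` calls, and add the generated `.blg`, `.aux` and `.pdf` to `.gitignore` so build products are not committed again.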
......@@ -13,79 +13,76 @@ The research is guided by several key questions, including: How can beaconing be
The thesis is organized into a cohesive narrative that begins by establishing the foundational background and core concepts essential to understanding network security and periodicity detection. Following this, a review of related work contextualizes the current research within the broader field. The methodology chapter then details the advanced techniques introduced in the framework. Chapter 5, Data Analysis is an exploration of real-world network log data to uncover patterns and insights related to beaconing behavior, setting the stage for subsequent evaluations. Chapter 6 is a detailed description of the procedures and techniques employed to generate synthetic beaconing data, which is used to validate the performance of the detection framework under controlled conditions. Chapter 7 is Evaluation and Results. An investigation and comparison of the framework’s performance on both real and synthetic data, summarizing key findings and contributions, and discussing potential improvements. Finally Chapter 8 is Conclusions and Future Work. The final chapter presents the overall conclusions of the research, outlines the contributions made, and proposes directions for future research in the field of network security.
\chapter{Background}
This chapter provides the foundational knowledge necessary for understanding the context and significance of this research. It begins with an overview of the cybersecurity landscape, emphasizing the current state, emerging trends, and persistent challenges faced by organizations. It then explores Advanced Persistent Threats (APTs) and their sophisticated, covert tactics that pose significant risks to enterprise networks. The discussion also covers the concept of periodicity in network communication, which is for detecting anomalies in cybersecurity contexts. Finally, the chapter delves into the role of time series databases, with a specific focus on InfluxDB, in managing and analyzing the vast amounts of data generated in cybersecurity operations.
The field of cybersecurity is continually evolving, with new threats emerging as technology advances. Understanding these threats and the strategies to counter them is for protecting sensitive information, ensuring the continuity of operations, and maintaining the integrity of enterprise networks. This chapter lays the foundation for the research by discussing key concepts and technologies relevant to cybersecurity, setting the stage for the detailed analysis and solutions proposed in subsequent chapters.
This chapter provides the foundational knowledge for understanding the context and significance of this research. It begins with an overview of the cybersecurity landscape and Advanced Persistent Threats (APTs), followed by enterprise network vulnerabilities. It then explains periodicity detection techniques, time-series databases like InfluxDB, and concludes with the BAYWATCH framework. These concepts are critical for detecting beaconing behavior in enterprise networks.
\section{Cybersecurity Landscape}
The cybersecurity landscape is characterized by a dynamic and increasingly complex environment where various types of cyber threats continually evolve. Organizations across the globe face numerous challenges in protecting their networks, data, and systems from these threats, which range from malware and ransomware to sophisticated nation-state attacks.
Cybersecurity encompasses a wide range of practices, technologies, and strategies aimed at safeguarding information and systems from unauthorized access, damage, or disruption. It involves both proactive measures, such as implementing robust security architectures and practices, and reactive measures, such as incident response and recovery strategies.
The cybersecurity landscape is characterized by dynamic and evolving threats, including malware, ransomware, and APTs. Organizations face challenges in protecting networks due to increasing digitization, cloud adoption, and IoT proliferation. Figure \ref{fig:maps} illustrates the global distribution of cyber threats.
\begin{figure}
\begin{figure}[htbp]
\centering
\includegraphics[width=\textwidth]{../Thesis_Docs/media/maps.png}
\caption{Global cybersecurity threat map \cite{bitdefender}}
\caption{Global cybersecurity threat map \cite{bitdefender}.}
\label{fig:maps}
\end{figure}
Figure \ref{fig:maps} presents a global map of cybersecurity threats, illustrating the widespread nature of these challenges. This visualization highlights regions most affected by various types of cyber attacks, underscoring the global reach and impact of cyber threats.
The rapid digitization of industries, the increasing reliance on cloud services, and the proliferation of Internet of Things (IoT) devices have significantly expanded the attack surface for cyber threats. These developments, while beneficial, have introduced new vulnerabilities that attackers are quick to exploit. Additionally, the rise of ransomware as a service (RaaS) and the growing sophistication of phishing attacks reflect the evolving threat landscape \cite{ransomware2022}.
Another significant challenge is the shortage of skilled cybersecurity professionals, which hampers the ability of organizations to effectively defend against these threats. This gap is exacerbated by the complexity of modern networks and the need for advanced tools and techniques to detect and mitigate sophisticated attacks \cite{cybersecurity_skills_gap}.
\subsection{Emerging Trends and Challenges}
Key challenges include:
\begin{itemize}
\item \textbf{Ransomware-as-a-Service (RaaS):} Lowering the barrier for attackers \cite{ransomware2022}.
\item \textbf{Skills Gap:} Shortage of skilled professionals \cite{cybersecurity_skills_gap}.
\end{itemize}
\section{Advanced Persistent Threats (APTs) and Covert Tactics}
Advanced Persistent Threats (APTs) represent one of the most sophisticated and dangerous forms of cyber attacks. APTs involve prolonged, targeted efforts by attackers, typically state-sponsored or highly organized criminal groups, aimed at stealing sensitive information, disrupting operations, or compromising infrastructure. Unlike traditional cyber attacks, which may be opportunistic and short-lived, APTs are characterized by their stealth, persistence, and the significant resources devoted to them \cite{apt_definition}.
\section{Advanced Persistent Threats (APTs)}
APTs are prolonged, stealthy attacks often state-sponsored. Figure \ref{fig:apt_attack_lifecycle} shows their lifecycle.
\begin{figure}[htbp]
\centering
\includegraphics[width=\textwidth]{../Thesis_Docs/media/apt_attack_lifecycle.png}
\caption{APT attack lifecycle \cite{charan2021dmpt}}
\caption{APT attack lifecycle \cite{charan2021dmpt}.}
\label{fig:apt_attack_lifecycle}
\end{figure}
Figure \ref{fig:apt_attack_lifecycle} illustrates the lifecycle of an APT attack, highlighting the various stages involved, from initial reconnaissance to exfiltration of data. Understanding these stages is crucial for developing effective detection and mitigation strategies.
APT actors employ various covert tactics to remain undetected and achieve their objectives. Some of these tactics include:
\end{itemize}
\subsection{Covert Tactics}
\begin{itemize}
\item \textbf{Spear Phishing:} Crafting highly personalized email messages that appear legitimate to the recipient. These emails are designed to trick recipients into clicking on malicious links or attachments, leading to the compromise of their credentials or systems \cite{spear_phishing}.
\item \textbf{Zero-Day Exploits:} Exploiting previously unknown vulnerabilities in software or hardware, which have not yet been patched by the vendor. This allows attackers to gain unauthorized access to systems without triggering existing security defenses \cite{zero_day}.
\item \textbf{Lateral Movement:} After gaining initial access, attackers move within the compromised network, exploring and compromising additional systems to find and exfiltrate valuable data. This tactic often involves the use of legitimate administrative tools to avoid detection \cite{lateral_movement}.
\item \textbf{Command and Control (C2):} Establishing a secure communication channel with the compromised systems to remotely control them, issue commands, and exfiltrate data \cite{c2_communication}.
\item Spear phishing \cite{spear_phishing}.
\item Zero-day exploits \cite{zero_day}.
\item Command-and-Control (C2) communication \cite{c2_communication}.
\end{itemize}
\section{Enterprise Networks}
Enterprise networks are the backbone of modern organizations, providing the necessary infrastructure for communication, data sharing, and operational efficiency. However, their complexity and scale make them attractive targets for cyber attackers. Understanding the architecture, components, and vulnerabilities of enterprise networks is crucial for developing effective cybersecurity strategies.
Enterprise networks (Figure \ref{fig:enterprise_network_diagram}) are vulnerable to insider threats, misconfigurations, and supply chain attacks \cite{supply_chain_attacks}.
\begin{figure}[htbp]
\centering
\includegraphics[width=0.7\textwidth]{../Thesis_Docs/media/enterprise_network_diagram.png}
\caption{Enterprise network diagram}
\caption{Enterprise network architecture.}
\label{fig:enterprise_network_diagram}
\end{figure}
Figure \ref{fig:enterprise_network_diagram} provides a visual representation of an enterprise network, illustrating the various components such as servers, workstations, routers, and communication links, as well as potential points of vulnerability.
\subsection{Key Aspects of Enterprise Networks}
Enterprise networks typically consist of multiple interconnected subsystems, including:
\section{Periodicity in Network Communication}
Periodic patterns (e.g., beaconing) are detected using:
\begin{itemize}
\item \textbf{Network Architecture:} The physical and logical design of the network, including the layout and interconnection of routers, switches, firewalls, and other network devices. A well-designed architecture enhances security by segmenting the network and controlling traffic flow \cite{network_architecture}.
\item \textbf{Security Protocols:} Protocols such as TLS (Transport Layer Security) and IPSec (Internet Protocol Security) protect data in transit. Additionally, firewalls, intrusion detection/prevention systems (IDS/IPS), and encryption mechanisms are employed to safeguard data and systems \cite{security_protocols}.
\item \textbf{Access Controls:} Policies and technologies that regulate who can access specific data and resources within the network. This includes user authentication, role-based access control (RBAC), and multi-factor authentication (MFA) to ensure that only authorized personnel can access sensitive information \cite{access_controls}.
\item \textbf{Network Monitoring and Management:} Tools and practices for monitoring network traffic, identifying anomalies, and managing network resources to maintain performance and security \cite{network_monitoring}.
\item \textbf{Fast Fourier Transform (FFT):} Converts time-domain data to frequency components.
\item \textbf{Autocorrelation:} Measures self-similarity at different time lags.
\end{itemize}
\subsection{Vulnerabilities in Enterprise Networks}
Despite the implementation of robust security measures, enterprise networks remain vulnerable to a variety of threats, including:
To simulate real-world conditions, artificial datasets often introduce \textbf{jitter}—random delays in beacon intervals—to mimic network irregularities \cite{jitter_analysis}.
\section{Time Series Databases and InfluxDB}
Time-series databases (TSDBs) like InfluxDB (Figure \ref{fig:influxdb_architecture}) manage temporal data for cybersecurity analytics.
\begin{figure}
\centering
\includegraphics[width=\textwidth]{../Thesis_Docs/media/influxdb_architecture.png}
\caption{InfluxDB architecture \cite{influxdb2023}.}
\label{fig:influxdb_architecture}
\end{figure}
\subsection{InfluxDB Features}
\begin{itemize}
\item \textbf{Insider Threats:} Employees or contractors with legitimate access who misuse their privileges, either maliciously or negligently \cite{insider_threats}.
\item \textbf{Advanced Malware:} Malware designed to bypass traditional security measures, often delivered through phishing attacks or drive-by downloads \cite{advanced_malware}.
\item \textbf{Misconfigurations:} Incorrectly configured devices or systems that leave the network open to exploitation \cite{misconfigurations}.
\item \textbf{Supply Chain Attacks:} Attacks that target the software or hardware supply chain, introducing vulnerabilities that can be exploited after deployment \cite{supply_chain_attacks}.
\item High-throughput data ingestion \cite{influxdb_throughput}.
\item Retention policies \cite{influxdb_retention}.
\item Flux query language \cite{influxdb_flux}.
\end{itemize}
\section{Overview of the BAYWATCH Framework}
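Review bot: the `\end{itemize}` sitting directly before `\subsection{Covert Tactics}` has no matching `\begin{itemize}`; in the surrounding text the Emerging Trends list is already closed by its own `\end{itemize}` and the Covert Tactics list only opens after the subsection heading, so if this line is part of the new version LaTeX aborts with an "extra \end{itemize}" error, which would account for pipeline #57873 failing. Remove it. Two smaller points: the new InfluxDB figure uses a bare `\begin{figure}` while the other figures in this hunk were changed to `\begin{figure}[htbp]`, and the citations kept in the shortened text (`ransomware2022`, `cybersecurity_skills_gap`, `charan2021dmpt`, `spear_phishing`, `zero_day`, `c2_communication`, `supply_chain_attacks`, `influxdb_throughput`, `influxdb_retention`, `influxdb_flux`) are all reported as missing in the deleted `.blg`, and the newly added `jitter_analysis` key also needs an entry in `references.bib`.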
......@@ -211,39 +208,8 @@ the remaining cases to automate the classification process.
To minimize the manual investigation workload, the BAYWATCH framework employs a boot strapping process. A small set of candidate cases is manually investigated and used as a training set for the classifier. The trained classifier is then applied to the remaining cases, significantly
reducing the number of cases that require manual investigation.
\subsection{InfluxDB}
InfluxDB is a popular time series database known for its high performance and ease of use. It is optimized for handling large-scale time-series data, providing powerful querying capabilities and efficient storage \cite{influxdb}.
\subsubsection{Key Features of InfluxDB}
\begin{itemize}
\item \textbf{Time-Optimized Storage:} InfluxDB uses a custom storage engine that efficiently writes and reads time-series data \cite{influxdb_storage}.
\item \textbf{High Throughput:} It can handle high write and query loads, making it suitable for large-scale monitoring applications \cite{influxdb_throughput}.
\item \textbf{SQL-like Query Language (Flux):} InfluxDB offers a powerful query language that is both easy to learn and capable of complex data manipulations \cite{influxdb_flux}.
\item \textbf{Retention Policies:} Users can define retention policies to manage data lifecycle, automatically deleting old data to save storage \cite{influxdb_retention}.
\item \textbf{Integrations:} InfluxDB integrates well with other tools and platforms, supporting various data inputs and outputs \cite{influxdb_integrations}.
\end{itemize}
\subsubsection{Applications in Cybersecurity}
InfluxDB can be employed in cybersecurity for:
\begin{itemize}
\item \textbf{Real-Time Monitoring:} Capturing and analyzing live data to detect anomalies and potential threats \cite{influxdb_monitoring}.
\item \textbf{Historical Analysis:} Storing historical data for trend analysis and forensic investigations \cite{influxdb_historical}.
\item \textbf{Alerting:} Setting up alerts based on specific criteria to notify administrators of suspicious activities \cite{influxdb_alerting}.
\item \textbf{Visualization:} Integrating with visualization tools like Grafana to create dashboards that display network metrics and security insights \cite{influxdb_visualization}.
\end{itemize}
\begin{figure}[htbp]
\centering
\includegraphics[width=\textwidth]{../Thesis_Docs/media/influxdb_architecture.png}
\caption{InfluxDB Architecture \cite{influxdb2023}}
\label{fig:influxdb_architecture}
\end{figure}
Figure \ref{fig:influxdb_architecture} illustrates the architecture of InfluxDB and how data flows through the system, from ingestion to querying and visualization.
\section{Summary}
This chapter has provided a comprehensive overview of the cybersecurity landscape, APTs and their covert tactics, enterprise networks, periodicity in network communication, and time series databases, with a detailed focus on InfluxDB. These foundational topics are crucial for understanding the subsequent chapters, which will delve deeper into related work, methodology, implementation, experiments, and results. The knowledge gained from this background will inform the development and evaluation of advanced techniques for detecting and mitigating cyber threats in enterprise networks.
This chapter covered cybersecurity threats, APTs, periodicity detection, InfluxDB, and the BAYWATCH framework. These concepts underpin the methodology for detecting beaconing behavior in enterprise networks.
\chapter{Related Work}
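Review bot: the replacement summary paragraph at the end of this hunk lists cybersecurity threats, APTs, periodicity detection, InfluxDB and BAYWATCH but omits enterprise networks, which remains a `\section` of the chapter after the previous hunk; add it so the summary matches the chapter's contents. Removing the second `\begin{figure}...\label{fig:influxdb_architecture}` block here is correct, since the same label is now defined once in the Time Series Databases section and a duplicate `\label` would produce a "multiply defined" warning. Unrelated to the change but in the context lines: "boot strapping" should read "bootstrapping".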