Commit 8e7f2067 authored by Aida Nikkhah Nasab

chapter 6

parent 1aa41448
Pipeline #55386 failed
......@@ -623,6 +623,7 @@ The \texttt{calculate\_autocorrelation} function is used to compute the autocorr
\section{Function to Calculate Fourier Transform}
The \texttt{calculate\_fourier\_transform} function performs a Fourier Transform on the time series of power values, which is a mathematical technique used to analyze the frequency components of a signal. The Fourier Transform decomposes a time-domain signal into its constituent frequencies, allowing for the identification of dominant frequency components. This is particularly useful when analyzing periodic behaviors or oscillations within the power data. The function uses the \texttt{fft} (Fast Fourier Transform) method from the \texttt{scipy.fft} library, which computes the discrete Fourier transform (DFT) of the signal. The output of this function includes the frequencies and corresponding amplitudes, representing how the power values are distributed across different frequency bands. By examining these components, one can gain insights into the underlying frequency characteristics of the data, such as identifying dominant frequencies that may correlate with specific events or behaviors in the system.
\section{Behavior Detection}
In the final stage of the algorithm, behavior detection is performed to determine the relevance and significance of the URLs retained after the filtering process. This stage is critical for identifying potentially malicious or anomalous URLs. The process begins with establishing a threshold value, which is determined through a combination of extensive experimentation and leveraging past experiences.
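Review bot: In the Behavior Detection paragraph the threshold is described only as "determined through a combination of extensive experimentation and leveraging past experiences", which gives no value, no unit and no selection criterion. State which quantity the threshold is applied to (the autocorrelation value, the FFT amplitude, or a score derived from them), give the value used, and describe how it was chosen, so the detection step can be reproduced and its false-positive behaviour assessed. In the Fourier Transform section, "time series of power values" is not defined within this hunk; say what the power values are computed from, and state that the reported amplitudes are magnitudes of the complex \texttt{fft} output if that is the case.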
......@@ -792,6 +793,32 @@ The subsequent investigation into 'yt3.ggpht.com' confirmed the presence of unau
These visual representations play a vital role in maintaining online security. They not only facilitate the detection of malicious activity but also aid in the timely response to emerging threats. The detailed logs and focused analyses presented in Figures \ref{fig:report2} and \ref{fig:malicious2} exemplify the effectiveness of combining algorithmic detection with expert scrutiny experiences. This approach ensures that suspicious activities are not only identified but also thoroughly investigated and mitigated.
The integration of advanced algorithms and detailed visual representations provides a robust framework for monitoring and securing online environments. By continuously analyzing web traffic and identifying anomalies, these systems help protect against unauthorized activities and potential cyber threats. This multi-layered approach is for maintaining the integrity and security of digital spaces in an increasingly connected world.
\section{Validation with Artificial Data}
To validate the proposed methodology and analysis, artificial data was generated to simulate beaconing behavior. This controlled dataset allows us to explore and understand the patterns in the data and validate the efficacy of the implemented algorithms, including Fast Fourier Transform (FFT) and autocorrelation analysis. The results of these analyses are visualized in Figures~\ref{fig:autocorrelation10} and~\ref{fig:fft_analysis}.
\subsection{Autocorrelation Analysis}
Figure \ref{fig:autocorrelation10} illustrates the autocorrelation analysis of the artificial dataset, showcasing the correlation between the intervals of beaconing activity. The x-axis represents the lag between intervals, which indicates the time intervals over which autocorrelation is computed, while the y-axis denotes the autocorrelation values. The analysis includes multiple URLs, each represented by distinct colors (e.g., \texttt{beacon1@example.com} to \texttt{beacon10@example.com}). The analysis reveals a strong correlation between consecutive intervals, indicating a high degree of periodicity in the data. This autocorrelation pattern is a key characteristic of beaconing behavior, where regular intervals are maintained to establish communication with a command-and-control server. The distinct peaks in the autocorrelation plot highlight the repetitive nature of the intervals, providing a clear indication of beaconing activity.
\subsection{FFT Analysis}
Figure \ref{fig:fft_analysis} showcases the frequency domain analysis of the artificial dataset using the Fast Fourier Transform (FFT) algorithm. The x-axis represents the frequency components, while the y-axis denotes the power spectrum of the data. The FFT analysis reveals a dominant low-frequency component in the dataset, with a sharp peak at the lower end of the frequency spectrum. This peak signifies the presence of a strong periodic signal in the data, indicating beaconing behavior. The analysis further demonstrates the algorithm's ability to extract and visualize the frequency components of the dataset, providing valuable insights into the underlying patterns and behaviors.
\begin{figure}
\centering
\includegraphics[width=0.8\textwidth]{../Thesis_Docs/media/autocorrelation10.png}
\caption{Autocorrelation analysis of artificially generated beaconing intervals.}
\label{fig:autocorrelation10}
\end{figure}
\begin{figure}
\centering
\includegraphics[width=0.8\textwidth]{../Thesis_Docs/media/fft_analysis.png}
\caption{FFT analysis of artificially generated beaconing intervals.}
\label{fig:fft_analysis}
\end{figure}
In summary, these analyses demonstrate the efficacy of the implemented algorithms in detecting and visualizing the characteristics of beaconing behavior in a controlled artificial dataset. The autocorrelation highlights the immediate dependencies in the intervals, while the FFT underscores the low-frequency dominance, collectively validating the methodology and its ability to model and analyze beaconing activity effectively.
\chapter{Results and Discussions}
The implementation of the methodology within Allianz Company’s network infrastructure represents a pivotal advancement in enhancing network security and resilience. This chapter provides a detailed discussion of how beaconing behavior can be effectively detected and the impact of periodicity in network communication on the detection of malicious behavior. The methodology’s application involved several key steps, each contributing to the robustness of the network monitoring and security measures.
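Review bot: The Validation with Artificial Data section never states how the artificial data was generated, so the two figures cannot confirm the method. Give the beacon period(s), any jitter and the number of samples, then show that the autocorrelation peak lag and the FFT peak frequency match the known period. In the FFT Analysis subsection, "a sharp peak at the lower end of the frequency spectrum" should name the frequency and say whether the mean was removed before the transform, since a non-zero mean alone produces a peak at zero frequency. In the Autocorrelation Analysis subsection the series are called URLs but labelled \texttt{beacon1@example.com} to \texttt{beacon10@example.com}, which are e-mail-shaped; use host or URL labels, and give the unit of the lag axis. The context sentence "This multi-layered approach is for maintaining the integrity" is missing a word.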
......
Thesis_Docs/media/autocorrelation10.png

63 KiB

Thesis_Docs/media/fft_analysis.png

65 KiB
