Commit b5c581b9 authored by Aida Nikkhah Nasab

update Mastersthesis.pdf and main.tex to correct URL representation and add...

update Mastersthesis.pdf and main.tex to correct URL representation and add beaconing data candidates table for enhanced analysis
parent 2d64b632
Pipeline #57859 failed
......@@ -809,14 +809,36 @@ The final step combines the results from the FFT and ACF steps to confirm malici
\begin{figure}
\centering
\includegraphics[width=\textwidth]{../Thesis_Docs/media/candidates.png}
\caption{Frequency Spectrum with FFT \& ACF Candidates. The x-axis represents frequency (Hz), and the y-axis represents amplitude. The figure shows candidates for the domains "fpc.mesedge.net", "m4v4+fc5.stackpathcdn.com", and "beacon7.example.com"}
\caption{Frequency Spectrum with FFT \& ACF Candidates. The x-axis represents frequency (Hz), and the y-axis represents amplitude. The figure shows candidates for the domains "fpc.mesedge.net", "m4v4r4c5.stackpathcdn.com", and "beacon7.example.com"}
\label{fig:combinedall}
\end{figure}
Figure \ref{fig:combinedall} presents the analysis of three selected URLs "fpc.mesedge.net", "m4v4+fc5.stackpathcdn.com", and "beacon7.example.com", derived from both real and synthetic data. The first URL represents a non-beaconing behavior observed in real data, meaning that no periodic transmission pattern is present. The second URL, also extracted from real data, exhibits a clear beaconing behavior. The third URL corresponds to a synthetic beacon, artificially generated to simulate a periodic transmission pattern.
Figure \ref{fig:combinedall} presents the analysis of three selected URLs "fpc.mesedge.net", "m4v4r4c5.stackpathcdn.com", and "beacon7.example.com", derived from both real and synthetic data. The first URL represents a non-beaconing behavior observed in real data, meaning that no periodic transmission pattern is present. The second URL, also extracted from real data, exhibits a clear beaconing behavior. The third URL corresponds to a synthetic beacon, artificially generated to simulate a periodic transmission pattern.
The x-axis represents the frequency range, corresponding to different time intervals, while the y-axis indicates the amplitude of the detected signals. The results show that for the first URL, which does not exhibit beaconing behavior, very few significant points appear in the output, confirming the absence of strong periodic patterns. In contrast, the second beacon, which originates from real data, displays a periodic behavior with a transmission interval of 10 seconds. Similarly, the synthetic beacon demonstrates a periodicity of 20 seconds.
\begin{table}
\centering
\caption{Beaconing Data Candidates from Real and Beaconing Data}
\label{tab:candidates}
\resizebox{\textwidth}{!}{%
\begin{tabular}{lcc}
\toprule
\textbf{Attribute} & \textbf{Candidate 1} & \textbf{Candidate 2} \\
\midrule
Host IP addresses & 127.0.0.1 & 10.16.102.224 \\
URLs with beaconing behavior & beacon7.example.com & m4v4r4c5.stackpathcdn.com \\
Frequencies (\(\sim\)Hz) & 0.05 \& 0.15 & 0.1 \\
Amplitude & 0.014 & 0.024 \\
\bottomrule
\end{tabular}%
}
\end{table}
\bigskip
Table \ref{tab:candidates} presents candidate data obtained from both real network traces and beaconing analysis. The table is organized into three columns: the first lists the measured attributes, including host IP addresses, URLs exhibiting beaconing behavior, observed frequencies (in Hertz), and amplitude values of the periodic signals. The subsequent columns represent two distinct candidates. Candidate 1 is characterized by the host IP address "127.0.0.1", a URL "beacon7.example.com", frequencies "0.05 \& 0.15" Hz (indicating multiple frequency components), and maximum amplitude of 0.014. Candidate 2, on the other hand, features the host IP address "10.16.102.224", the URL "m4v4r4c5.stackpathcdn.com", a single frequency component at 0.1 Hz, and maximum amplitude of 0.024. Such candidates are crucial because they alert analysts directly by flagging URLs with beaconing behavior, thereby providing actionable intelligence for further investigation.
By applying the detection algorithm to this dataset and analyzing the output, it becomes evident that the algorithm effectively identifies periodic signals in both real and synthetic beaconing behaviors. The results highlight the robustness of the method, demonstrating its ability to distinguish between beaconing and non-beaconing activity while accurately capturing different periodic transmission intervals.
\section{Discussion}
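Review bot: The new table's caption and its Frequencies row do not line up with the surrounding text. The caption reads "Beaconing Data Candidates from Real and Beaconing Data", while the paragraph under the figure says the candidates are derived from real and synthetic data, so "from Real and Synthetic Data" would match. In the row "Frequencies (\(\sim\)Hz) & 0.05 \& 0.15 & 0.1", 0.05 Hz agrees with the 20-second synthetic beacon and 0.1 Hz with the 10-second real one, but 0.15 Hz is three times 0.05 Hz and the new paragraph only calls it "multiple frequency components". State whether it is a harmonic of the 20-second beacon or a separate period, because an analyst reading the table could otherwise take it for a second beacon interval. Smaller points: the table uses \toprule, \midrule, \bottomrule and \resizebox, which need booktabs and graphicx in the preamble (not visible in this hunk); the \bigskip after \end{table} does not add space around a floating table and can be dropped; and the text calls these hostnames "URLs" where the figure caption says "domains", so one term should be used throughout.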
......