skip to main content
research-article

Victims Can Be Saviors: A Machine Learning--based Detection for Micro-Architectural Side-Channel Attacks

Published: 29 January 2021 Publication History

Abstract

Micro-architectural side-channel attacks are major threats to the most mathematically sophisticated encryption algorithms. In spite of the fact that there exist several defense techniques, the overhead of implementing the countermeasures remains a matter of concern. A promising strategy is to develop online detection and prevention methods for these attacks. Though some recent studies have devised online prevention mechanisms for some categories of these attacks, still other classes remain undetected. Moreover, to detect these side-channel attacks with minimal False Positives is a challenging effort because of the similarity of their behavior with computationally intensive applications. This article presents a generalized machine learning--based multi-layer detection technique that targets these micro-architectural side-channel attacks, while not restricting its attention only on a single category of attacks. The proposed mechanism gathers low-level system information by profiling performance counter events using Linux perf tool and then applies machine learning techniques to analyze the data. A novel approach using time-series analysis of the data is implemented to find out the correlation of the execution trace of the attack process with the secret key of encryption, which helps in dealing with False-Positives and unknown attacks. This article also provides a detailed theoretical analysis of the detection mechanism of the proposed model along with its security analysis. The experimental results show that the proposed method is superior to the state-of-the-art reported techniques with high detection accuracy, low False Positives, and low implementation overhead while being able to detect before the completion of the attack.

References

[1]
Onur Aciiçmez, Çetin Kaya Koç, and Jean-Pierre Seifert. 2007. Predicting secret keys via branch prediction. In Proceedings of the Cryptographer’s Track of the RSA Conference (CT-RSA’07). 225--242.
[2]
Manaar Alam, Sarani Bhattacharya, Swastika Dutta, Sayan Sinha, Debdeep Mukhopadhyay, and Anupam Chattopadhyay. 2019. RATAFIA: Ransomware analysis using time and frequency informed autoencoders. In Proceedings of the IEEE International Symposium on Hardware Oriented Security and Trust (HOST’19). IEEE, 218--227.
[3]
Kanad Basu, Prashanth Krishnamurthy, Farshad Khorrami, and Ramesh Karri. 2020. A theoretical study of hardware performance counters-based malware detection. IEEE Trans. Inf. Forens. Secur. 15 (2020), 512--525.
[4]
Daniel J. Bernstein. 2005. Cache-timing Attacks on AES. Technical Report.
[5]
Sarani Bhattacharya, Clementine Maurice, Shivam Bhasin, and Debdeep Mukhopadhyay. 2017. Template Attack on Blinded Scalar Multiplication with Asynchronous Perf-ioctl Calls. Technical Report. Cryptology ePrint Archive, Report 2017/968, 2017.
[6]
Sarani Bhattacharya and Debdeep Mukhopadhyay. 2015. Who watches the watchmen?: Utilizing performance monitors for compromising keys of RSA on Intel platforms. In Proceedings of the 17th International Workshop on Cryptographic Hardware and Embedded Systems (CHES’15). 248--266.
[7]
Sarani Bhattacharya and Debdeep Mukhopadhyay. 2016. Curious case of rowhammer: Flipping secret exponent bits using timing analysis. In Proceedings of the 18th International Conference on Cryptographic Hardware and Embedded Systems (CHES’16). 602--624.
[8]
Sarani Bhattacharya and Debdeep Mukhopadhyay. 2018. Utilizing performance counters for compromising public key ciphers. ACM Trans. Priv. Secur. 21, 1 (2018), 5:1--5:31.
[9]
Christopher M. Bishop. 2006. Pattern Recognition and Machine Learning. Springer.
[10]
Joseph Bonneau and Ilya Mironov. 2006. Cache-collision timing attacks against AES. In Proceedings of the 8th International Workshop on Cryptographic Hardware and Embedded Systems (CHES’06). 201--215.
[11]
Samira Briongos, Gorka Irazoqui, Pedro Malagón, and Thomas Eisenbarth. 2018. CacheShield: Detecting cache attacks through self-observation. In Proceedings of the 8th ACM Conference on Data and Application Security and Privacy (CODASPY’18), Ziming Zhao, Gail-Joon Ahn, Ram Krishnan, and Gabriel Ghinita (Eds.). ACM, 224--235.
[12]
Christopher J. C. Burges. 1998. A tutorial on support vector machines for pattern recognition. Data Min. Knowl. Discov. 2, 2 (1998), 121--167.
[13]
Shuai Che, Michael Boyer, Jiayuan Meng, David Tarjan, Jeremy W. Sheaffer, Sang-Ha Lee, and Kevin Skadron. 2009. Rodinia: A benchmark suite for heterogeneous computing. In Proceedings of the IEEE International Symposium on Workload Characterization (IISWC’09). IEEE, 44--54.
[14]
Marco Chiappetta, Erkay Savas, and Cemal Yilmaz. 2016. Real time detection of cache-based side-channel attacks using hardware performance counters. Appl. Soft Comput. 49 (2016), 1162--1174.
[15]
Ya Lun Chou. 1975. Statistical Analysis. Holt International.
[16]
Corinna Cortes and Vladimir Vapnik. 1995. Support-vector networks. Mach. Learn. 20, 3 (Sep. 1995), 273--297.
[17]
John Demme, Matthew Maycock, Jared Schmitz, Adrian Tang, Adam Waksman, Simha Sethumadhavan, and Salvatore Stolfo. 2013. On the feasibility of online malware detection with performance counters. In Proceedings of the 40th Annual International Symposium on Computer Architecture (ISCA’13). ACM, New York, NY, 559--570.
[18]
Leonid Domnitser, Aamer Jaleel, Jason Loew, Nael B. Abu-Ghazaleh, and Dmitry Ponomarev. 2012. Non-monopolizable caches: Low-complexity mitigation of cache side channel attacks. Trans. Arch. Code Optimiz. 8, 4 (2012), 35:1--35:21.
[19]
Yoav Freund and Robert E. Schapire. 1997. A decision-theoretic generalization of on-line learning and an application to boosting. J. Comput. Syst. Sci. 55, 1 (Aug. 1997), 119--139.
[20]
Qian Ge, Yuval Yarom, Frank Li, and Gernot Heiser. 2017. Your processor leaks information - and there’s nothing you can do about it. arxiv:1612.04474v6. Retrieved from http://arxiv.org/abs/1612.04474.
[21]
Daniel Gruss, Clémentine Maurice, Klaus Wagner, and Stefan Mangard. 2016. Flush+ Flush: A fast and stealthy cache attack. In Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. Springer, 279--299.
[22]
Berk Gulmezoglu, Thomas Eisenbarth, and Berk Sunar. 2017. Cache-Base Application Detection in the Cloud Using Machine Learning. Cryptology ePrint Archive, Report 2017/245.
[23]
Berk Gülmezoglu, Ahmad Moghimi, Thomas Eisenbarth, and Berk Sunar. 2019. FortuneTeller: Predicting microarchitectural attacks via unsupervised deep learning. arxiv:1907.03651. Retrieved from http://arxiv.org/abs/1907.03651.
[24]
Yuko Hara, Hiroyuki Tomiyama, Shinya Honda, Hiroaki Takada, and Katsuya Ishii. 2008. CHStone: A benchmark program suite for practical C-based high-level synthesis. In Proceedings of the International Symposium on Circuits and Systems (ISCAS’08). 1192--1195.
[25]
John L. Henning. 2006. SPEC CPU2006 benchmark descriptions. SIGARCH Comput. Archit. News 34, 4 (Sep. 2006), 1--17.
[26]
Tin Kam Ho. 1995. Random decision forests. In Proceedings of the 3rd International Conference on Document Analysis and Recognition (Volume 1) (ICDAR’95). IEEE Computer Society, Los Alamitos, CA, 278.
[27]
Casen Hunger, Mikhail Kazdagli, Ankit Singh Rawat, Alexandros G. Dimakis, Sriram Vishwanath, and Mohit Tiwari. 2015. Understanding contention-based channels and using them for defense. In Proceedings of the 21st IEEE International Symposium on High Performance Computer Architecture (HPCA’15). IEEE Computer Society, 639--650.
[28]
Alan J. Izenman. 2013. Modern Multivariate Statistical Techniques: Regression, Classification, and Manifold Learning (second ed.). Springer.
[29]
Sai Praveen Kadiyala, Manaar Alam, Yash Shrivastava, Sikhar Patranabis, Muhamed Fauzi Bin Abbas, Arnab Kumar Biswas, Debdeep Mukhopadhyay, and Thambipillai Srikanthan. 2020. LAMBDA: Lightweight assessment of malware for emBeddeD architectures. ACM Trans. Embed. Comput. Syst. 19, 4 (2020), 23:1--23:31.
[30]
Yoongu Kim, Ross Daly, Jeremie Kim, Chris Fallin, Ji-Hye Lee, Donghyuk Lee, Chris Wilkerson, Konrad Lai, and Onur Mutlu. 2014. Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors. In Proceedings of the ACM/IEEE 41st International Symposium on Computer Architecture (ISCA’14). 361--372.
[31]
Paul Kocher, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and Yuval Yarom. 2018. Spectre attacks: Exploiting speculative execution. arxiv:1801.01203. Retrieved from https://arxiv.org/abs/1801.01203.
[32]
Congmiao Li and Jean-Luc Gaudiot. 2018. Online detection of spectre attacks using microarchitectural traces from performance counters. In Proceedings of the 30th International Symposium on Computer Architecture and High Performance Computing (SBAC-PAD’18). IEEE, 25--28.
[33]
Congmiao Li and Jean-Luc Gaudiot. 2019. Detecting malicious attacks exploiting hardware vulnerabilities using performance counters. In Proceedings of the 43rd IEEE Annual Computer Software and Applications Conference (COMPSAC’19), Volume 1, Vladimir Getov, Jean-Luc Gaudiot, Nariyoshi Yamai, Stelvio Cimato, J. Morris Chang, Yuuichi Teranishi, Ji-Jiang Yang, Hong Va Leong, Hossain Shahriar, Michiharu Takemoto, Dave Towey, Hiroki Takakura, Atilla Elçi, Susumu Takeuchi, and Satish Puri (Eds.). IEEE, 588--597.
[34]
Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg. 2018. Meltdown. arxiv:1801.01207. Retrieved from https://arxiv.org/abs/1801.01207.
[35]
Fangfei Liu and Ruby B. Lee. 2014. Random fill cache architecture. In Proceedings of the 47th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO’14). 203--215.
[36]
Fangfei Liu, Yuval Yarom, Qian Ge, Gernot Heiser, and Ruby B. Lee. 2015. Last-level cache side-channel attacks are practical. In Proceedings of the IEEE Symposium on Security and Privacy (SP’15). IEEE, 605--622.
[37]
Robert Martin, John Demme, and Simha Sethumadhavan. 2012. TimeWarp: Rethinking timekeeping and performance monitoring mechanisms to mitigate side-channel attacks. In Proceedings of the 39th Annual International Symposium on Computer Architecture (ISCA’12). IEEE Computer Society, Los Alamitos, CA, 118--129.
[38]
B. W. Matthews. 1975. Comparison of the predicted and observed secondary structure of T4 phage lysozyme. Bioch. Biophys. Acta 405, 2 (1975), 442--451.
[39]
David Molnar, Matt Piotrowski, David Schultz, and David Wagner. 2006. The Program Counter Security Model: Automatic Detection and Removal of Control-Flow Side Channel Attacks. Springer, Berlin, 156--168.
[40]
David Mosberger and Stephane Eranian. 2001. IA-64 Linux Kernel: Design and Implementation. Prentice-Hall PTR, Upper Saddle River, NJ.
[41]
Maria Mushtaq, Ayaz Akram, Muhammad Khurram Bhatti, Maham Chaudhry, Vianney Lapotre, and Guy Gogniat. 2018. NIGHTs-WATCH: A cache-based side-channel intrusion detector using hardware performance counters. In Proceedings of the 7th International Workshop on Hardware and Architectural Support for Security and Privacy (HASP@ISCA’18), Jakub Szefer, Weidong Shi, and Ruby B. Lee (Eds.). ACM, 1:1--1:8.
[42]
Meltem Ozsoy, Caleb Donovick, Iakov Gorelik, Nael B. Abu-Ghazaleh, and Dmitry V. Ponomarev. 2015. Malware-aware processors: A framework for efficient online malware detection. In Proceedings of the 21st IEEE International Symposium on High Performance Computer Architecture (HPCA’15). IEEE Computer Society, 651--661.
[43]
F. Pedregosa, G. Varoquaux, A. Gramfort, V. Michel, B. Thirion, O. Grisel, M. Blondel, P. Prettenhofer, R. Weiss, V. Dubourg, J. Vanderplas, A. Passos, D. Cournapeau, M. Brucher, M. Perrot, and E. Duchesnay. 2011. Scikit-learn: Machine learning in Python. J. Mach. Learn. Res. 12 (2011), 2825--2830.
[44]
Thomas Pornin. 2018. BearSSL: A Smaller SSL/TLS Library. Retrieved from https://www.bearssl.org/constanttime.html.
[45]
Michael S. Nikulin and Priscilla E. Greenwood. 1996. A Guide to Chi-Squared Testing. Wiley.
[46]
Chester Rebeiro and Debdeep Mukhopadhyay. 2015. A formal analysis of prefetching in profiled cache-timing attacks on block ciphers. IACR Cryptology ePrint Archive 2015 (2015), 1191.
[47]
Chester Rebeiro, Debdeep Mukhopadhyay, Junko Takahashi, and Toshinori Fukunaga. 2009. Cache Timing Attacks on Clefia. Springer, Berlin, 104--118.
[48]
Frank Rosenblatt. 1962. Principles of Neurodynamics; Perceptrons and the Theory of Brain Mechanisms. Washington, Spartan Books.
[49]
Leif Uhsadel, Andy Georges, and Ingrid Verbauwhede. 2008. Exploiting hardware performance counters. In Proceedings of the 5th International Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC’08). 59--67.
[50]
Xueyang Wang, Sek Chai, Michael A. Isnardi, Sehoon Lim, and Ramesh Karri. 2016. Hardware performance counter-based malware identification and detection with adaptive compressive sensing. ACM Trans. Arch. Code Optimiz. 13, 1 (2016), 3:1--3:23.
[51]
Xueyang Wang and Ramesh Karri. 2016. Reusing hardware performance counters to detect and identify kernel control-flow modifying rootkits. IEEE Trans. CAD Integr. Circ. Syst. 35, 3 (2016), 485--498.
[52]
Xueyang Wang, Charalambos Konstantinou, Michail Maniatakos, and Ramesh Karri. 2015. ConFirm: Detecting firmware modifications in embedded systems using hardware performance counters. In Proceedings of the IEEE/ACM International Conference on Computer-Aided Design (ICCAD’15). 544--551.
[53]
Shijia Wei, Aydin Aysu, Michael Orshansky, Andreas Gerstlauer, and Mohit Tiwari. 2019. Using power-anomalies to counter evasive micro-architectural attacks in embedded systems. In Proceedings of the IEEE International Symposium on Hardware Oriented Security and Trust (HOST’19). IEEE, 111--120.
[54]
Yuval Yarom and Katrina Falkner. 2014. FLUSH+ RELOAD: A high resolution, low noise, L3 cache side-channel attack. In Proceedings of the USENIX Security Symposium, Vol. 1. 22--25.
[55]
Yuval Yarom, Daniel Genkin, and Nadia Heninger. 2017. CacheBleed: A timing attack on OpenSSL constant-time RSA. J. Cryptogr. Eng. 7, 2 (2017), 99--112.
[56]
Yanfang Ye, Tao Li, Donald A. Adjeroh, and S. Sitharama Iyengar. 2017. A survey on malware detection using data mining techniques. ACM Comput. Surv. 50, 3 (2017), 41:1--41:40.
[57]
Tianwei Zhang, Yinqian Zhang, and Ruby B. Lee. 2016. CloudRadar: A real-time side-channel attack detection system in clouds. In Proceedings of the 19th International Symposium on Research in Attacks, Intrusions, and Defenses (RAID’16). 118--140.

Cited By

View all

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Journal on Emerging Technologies in Computing Systems
ACM Journal on Emerging Technologies in Computing Systems  Volume 17, Issue 2
Hardware and Algorithms for Efficient Machine Learning
April 2021
360 pages
ISSN:1550-4832
EISSN:1550-4840
DOI:10.1145/3446841
  • Editor:
  • Ramesh Karri
Issue’s Table of Contents
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Journal Family

Publication History

Published: 29 January 2021
Accepted: 01 November 2020
Revised: 01 October 2020
Received: 01 January 2020
Published in JETC Volume 17, Issue 2

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. Micro-architectural side-channel attacks
  2. hardware performance counters
  3. machine learning
  4. time-series

Qualifiers

  • Research-article
  • Research
  • Refereed

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)82
  • Downloads (Last 6 weeks)12
Reflects downloads up to 18 Feb 2025

Other Metrics

Citations

Cited By

View all
  • (2025)Towards Optimal Leakage Assessment of TVLAWeb and Big Data. APWeb-WAIM 2024 International Workshops10.1007/978-981-96-0055-7_17(200-211)Online publication date: 31-Jan-2025
  • (2024)Secure Processor ArchitecturesHandbook of Computer Architecture10.1007/978-981-97-9314-3_10(171-199)Online publication date: 21-Dec-2024
  • (2023)Vizard: Passing Over Profiling-Based Detection by Manipulating Performance CountersIEEE Access10.1109/ACCESS.2023.326017911(48099-48112)Online publication date: 2023
  • (2022)MADFAM: MicroArchitectural Data Framework and MethodologyIEEE Access10.1109/ACCESS.2022.315331310(23511-23531)Online publication date: 2022
  • (2022)Secure Processor ArchitecturesHandbook of Computer Architecture10.1007/978-981-15-6401-7_10-1(1-29)Online publication date: 26-Apr-2022
  • (2021)Paradigm Shift of Machine Learning to Deep Learning in Side Channel Attacks - A Survey2021 6th International Multi-Topic ICT Conference (IMTIC)10.1109/IMTIC53841.2021.9719689(1-6)Online publication date: 10-Nov-2021

View Options

Login options

Full Access

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

HTML Format

View this article in HTML Format.

HTML Format

Figures

Tables

Media

Share

Share

Share this Publication link

Share on social media