CBA-detector: An accurate detector against cache-based attacks using HPCs and Pintools

Beilei Zheng; Jianan Gu; Chuliang Weng

doi:10.1007/978-3-030-29611-7_9

CBA-detector: An accurate detector against cache-based attacks using HPCs and Pintools

Beilei Zheng, Jianan Gu, Chuliang Weng

School of Data Science and Engineering

East China Normal University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

7 Scopus citations

Abstract

Cloud computing is convenient to provide adequate resources for tenants, but it suffers from information disclosure risks because hardware resources are shared among multiple tenants. For example, secret information in the shared cache can be inferred by other malicious processes, which is called cache-based attacks. To defeat against such attacks, many detection methods have been proposed. However, most of the existing detection mechanisms completely rely on the hardware performance counters (HPCs) and induce high false positives in detecting attacks. This paper proposes an accurate detector named CBA-Detector to detect cache-based side-channel attacks in real time. CBA-Detector is composed of an offline analysis phase and an online detection phase. The former analyzes the hardware events generated by sample programs. Then it extracts features from these events to train machine learning models. Based on the models, the latter monitors active processes in real time to discover suspicious processes. These suspicious processes will be checked again at the instruction level by customized Pintools, which effectively eliminates false positives. As shown in our experiments, CBA-Detector can accurately identify attacks in real time and introduces 4.4% overhead on PARSEC and about 10% overhead on web server.

Original language	English
Title of host publication	Advanced Parallel Processing Technologies - 13th International Symposium, APPT 2019, Proceedings
Editors	Pen-Chung Yew, Per Stenström, Junjie Wu, Xiaoli Gong, Tao Li
Publisher	Springer Verlag
Pages	109-122
Number of pages	14
ISBN (Print)	9783030296100
DOIs	https://doi.org/10.1007/978-3-030-29611-7_9
State	Published - 2019
Event	13th International Symposium on Advanced Parallel Processing Technologies, APPT 2019 - Tianjin, China Duration: 15 Aug 2019 → 16 Aug 2019

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	11719 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	13th International Symposium on Advanced Parallel Processing Technologies, APPT 2019
Country/Territory	China
City	Tianjin
Period	15/08/19 → 16/08/19

Keywords

Cache-based side-channel attacks
False positives
Hardware performance counters
Pintools

Access to Document

10.1007/978-3-030-29611-7_9

Cite this

Zheng, B., Gu, J., & Weng, C. (2019). CBA-detector: An accurate detector against cache-based attacks using HPCs and Pintools. In P.-C. Yew, P. Stenström, J. Wu, X. Gong, & T. Li (Eds.), Advanced Parallel Processing Technologies - 13th International Symposium, APPT 2019, Proceedings (pp. 109-122). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11719 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-030-29611-7_9

Zheng, Beilei ; Gu, Jianan ; Weng, Chuliang. / CBA-detector : An accurate detector against cache-based attacks using HPCs and Pintools. Advanced Parallel Processing Technologies - 13th International Symposium, APPT 2019, Proceedings. editor / Pen-Chung Yew ; Per Stenström ; Junjie Wu ; Xiaoli Gong ; Tao Li. Springer Verlag, 2019. pp. 109-122 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{db42b9e092a74ab7ba8cb9af17646d28,

title = "CBA-detector: An accurate detector against cache-based attacks using HPCs and Pintools",

abstract = "Cloud computing is convenient to provide adequate resources for tenants, but it suffers from information disclosure risks because hardware resources are shared among multiple tenants. For example, secret information in the shared cache can be inferred by other malicious processes, which is called cache-based attacks. To defeat against such attacks, many detection methods have been proposed. However, most of the existing detection mechanisms completely rely on the hardware performance counters (HPCs) and induce high false positives in detecting attacks. This paper proposes an accurate detector named CBA-Detector to detect cache-based side-channel attacks in real time. CBA-Detector is composed of an offline analysis phase and an online detection phase. The former analyzes the hardware events generated by sample programs. Then it extracts features from these events to train machine learning models. Based on the models, the latter monitors active processes in real time to discover suspicious processes. These suspicious processes will be checked again at the instruction level by customized Pintools, which effectively eliminates false positives. As shown in our experiments, CBA-Detector can accurately identify attacks in real time and introduces 4.4\% overhead on PARSEC and about 10\% overhead on web server.",

keywords = "Cache-based side-channel attacks, False positives, Hardware performance counters, Pintools",

author = "Beilei Zheng and Jianan Gu and Chuliang Weng",

note = "Publisher Copyright: {\textcopyright} 2019, Springer Nature Switzerland AG.; 13th International Symposium on Advanced Parallel Processing Technologies, APPT 2019 ; Conference date: 15-08-2019 Through 16-08-2019",

year = "2019",

doi = "10.1007/978-3-030-29611-7\_9",

language = "英语",

isbn = "9783030296100",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "109--122",

editor = "Pen-Chung Yew and Per Stenstr{\"o}m and Junjie Wu and Xiaoli Gong and Tao Li",

booktitle = "Advanced Parallel Processing Technologies - 13th International Symposium, APPT 2019, Proceedings",

address = "德国",

}

Zheng, B, Gu, J & Weng, C 2019, CBA-detector: An accurate detector against cache-based attacks using HPCs and Pintools. in P-C Yew, P Stenström, J Wu, X Gong & T Li (eds), Advanced Parallel Processing Technologies - 13th International Symposium, APPT 2019, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 11719 LNCS, Springer Verlag, pp. 109-122, 13th International Symposium on Advanced Parallel Processing Technologies, APPT 2019, Tianjin, China, 15/08/19. https://doi.org/10.1007/978-3-030-29611-7_9

CBA-detector: An accurate detector against cache-based attacks using HPCs and Pintools. / Zheng, Beilei; Gu, Jianan; Weng, Chuliang.
Advanced Parallel Processing Technologies - 13th International Symposium, APPT 2019, Proceedings. ed. / Pen-Chung Yew; Per Stenström; Junjie Wu; Xiaoli Gong; Tao Li. Springer Verlag, 2019. p. 109-122 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11719 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - CBA-detector

T2 - 13th International Symposium on Advanced Parallel Processing Technologies, APPT 2019

AU - Zheng, Beilei

AU - Gu, Jianan

AU - Weng, Chuliang

PY - 2019

Y1 - 2019

N2 - Cloud computing is convenient to provide adequate resources for tenants, but it suffers from information disclosure risks because hardware resources are shared among multiple tenants. For example, secret information in the shared cache can be inferred by other malicious processes, which is called cache-based attacks. To defeat against such attacks, many detection methods have been proposed. However, most of the existing detection mechanisms completely rely on the hardware performance counters (HPCs) and induce high false positives in detecting attacks. This paper proposes an accurate detector named CBA-Detector to detect cache-based side-channel attacks in real time. CBA-Detector is composed of an offline analysis phase and an online detection phase. The former analyzes the hardware events generated by sample programs. Then it extracts features from these events to train machine learning models. Based on the models, the latter monitors active processes in real time to discover suspicious processes. These suspicious processes will be checked again at the instruction level by customized Pintools, which effectively eliminates false positives. As shown in our experiments, CBA-Detector can accurately identify attacks in real time and introduces 4.4% overhead on PARSEC and about 10% overhead on web server.

AB - Cloud computing is convenient to provide adequate resources for tenants, but it suffers from information disclosure risks because hardware resources are shared among multiple tenants. For example, secret information in the shared cache can be inferred by other malicious processes, which is called cache-based attacks. To defeat against such attacks, many detection methods have been proposed. However, most of the existing detection mechanisms completely rely on the hardware performance counters (HPCs) and induce high false positives in detecting attacks. This paper proposes an accurate detector named CBA-Detector to detect cache-based side-channel attacks in real time. CBA-Detector is composed of an offline analysis phase and an online detection phase. The former analyzes the hardware events generated by sample programs. Then it extracts features from these events to train machine learning models. Based on the models, the latter monitors active processes in real time to discover suspicious processes. These suspicious processes will be checked again at the instruction level by customized Pintools, which effectively eliminates false positives. As shown in our experiments, CBA-Detector can accurately identify attacks in real time and introduces 4.4% overhead on PARSEC and about 10% overhead on web server.

KW - Cache-based side-channel attacks

KW - False positives

KW - Hardware performance counters

KW - Pintools

UR - https://www.scopus.com/pages/publications/85071453567

U2 - 10.1007/978-3-030-29611-7_9

DO - 10.1007/978-3-030-29611-7_9

M3 - 会议稿件

AN - SCOPUS:85071453567

SN - 9783030296100

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 109

EP - 122

BT - Advanced Parallel Processing Technologies - 13th International Symposium, APPT 2019, Proceedings

A2 - Yew, Pen-Chung

A2 - Stenström, Per

A2 - Wu, Junjie

A2 - Gong, Xiaoli

A2 - Li, Tao

PB - Springer Verlag

Y2 - 15 August 2019 through 16 August 2019

ER -

Zheng B, Gu J, Weng C. CBA-detector: An accurate detector against cache-based attacks using HPCs and Pintools. In Yew PC, Stenström P, Wu J, Gong X, Li T, editors, Advanced Parallel Processing Technologies - 13th International Symposium, APPT 2019, Proceedings. Springer Verlag. 2019. p. 109-122. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-030-29611-7_9

CBA-detector: An accurate detector against cache-based attacks using HPCs and Pintools

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this