Detection Mechanism Based On Machine Learning Against Cache Attacks

With the advent of the big data era,processing massive data has increasingly require-ments on the underlying infrastructure.Enterprises gradually transfer various services to cloud platforms with sufficient computing and storage resources.Cloud platforms facili-tate their tenants,but since multiple tenants share the underlying hardware resources,ma-licious tenants can use the shared processor to launch cache attacks and steal the private data from other tenants bypassing the system's isolation mechanism,resulting in infor-mation leakage.Moreover,Spectre and Meltdown vulnerabilities can even extract any memory contents with the help of cache attacks.Therefore,the existence of cache attacks poses a serious threat to the security of cloud platforms.To defeat against cache attacks,this paper makes an in-depth study and analysis of typical cases of cache attacks,then designs and implements a detection mechanism called CBA-Detector,which is constructed from the two perspectives of hardware events and software instructions according to the features of attacks.CBA-Detector first uses ma-chine learning technologies to create models for identifying suspicious programs with abnormal hardware behaviors,then analyzes suspicious programs from the instruction level to identify attacks and provide feedback.Based on the feedback,the models can be updated to further improve their detection accuracy.Besides,this paper evaluates the detection mechanism from the aspects of timeliness,accuracy and performance.The ex-periment results show that CBA-Detector can accurately identify attacks in real time,and the overhead introduced is low.The main work of this paper includes:(1)A detection method based on hardware events:To leak information,cache at-tacks need to frequently manipulate the shared cache,resulting in some unusual hard-ware behaviors like high cache load miss rates.Thus,this paper proposes a detection method based on hardware events,which employs machine learning technologies to predict in real time whether a program has abnormal hardware behaviors or not.This method can quickly detect potential threats in real time without any interference to the normal execution of programs.(2)A detection method based on software instructions:The main loop for information leakage of cache attacks usually involves some special operations,such as timing,resulting in some special instructions used frequently and regularly along with at-tacking cycles.Therefore,this paper proposes a detection method based on software instructions to analyze the use of special instructions during program execution.This method frees from the effects of runtime environment and can accurately identify attacks.(3)Feedback mechanism:Since hardware behaviors may be affected by workloads,environments or other aspects,the detection method based on hardware events is prone to produce false positives.While the detection method based on software in-structions frees from the interference of runtime environments and can accurately identify attacks.Thus,the latter can reduce or even eliminate false positives and pro-vide effective feedback for the former.According to the feedback,correction models are created and updated for the classifiers to diagnose abnormal hardware behaviors,which can further improve the hardware-based detection accuracy.(4)Architecture implementation and optimization of detection mechanism:This pa-per combines the detection method based on hardware events and software instruc-tions,and integrates the feedback mechanism to design and implement the overall architecture of CBA-Detector.To reduce the burden of the detection mechanism,this paper proposes three optimizations: incremental monitoring,whitelisting and double-queue strategy,which also reduce the performance overhead of detection.