CN109918901A - The method that real-time detection is attacked based on Cache - Google Patents

The method that real-time detection is attacked based on Cache Download PDF

Info

Publication number
CN109918901A
CN109918901A CN201910127173.2A CN201910127173A CN109918901A CN 109918901 A CN109918901 A CN 109918901A CN 201910127173 A CN201910127173 A CN 201910127173A CN 109918901 A CN109918901 A CN 109918901A
Authority
CN
China
Prior art keywords
queue
cache
event data
window
hardware event
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910127173.2A
Other languages
Chinese (zh)
Other versions
CN109918901B (en
Inventor
翁楚良
郑蓓蕾
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
East China Normal University
Original Assignee
East China Normal University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by East China Normal University filed Critical East China Normal University
Priority to CN201910127173.2A priority Critical patent/CN109918901B/en
Publication of CN109918901A publication Critical patent/CN109918901A/en
Application granted granted Critical
Publication of CN109918901B publication Critical patent/CN109918901B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The object of the present invention is to provide a kind of methods that real-time detection is attacked based on Cache, including two stages: in the off-line analysis stage, monitor the operation of attacker and well behaved program sample based on Cache, collect the hardware event data generated in its operational process, it is extracted further according to the data being collected into and feature is selected to be used to training machine learning model, a variety of classifiers based on Cache attack can be identified by generating;In the on-line checking stage, active process in monitoring system simultaneously collects the hardware event data generated when its operation, the data being collected into are divided into the window of fixed size in real time, again the data in each window handle and predicted using the classifier that the off-line analysis stage generates, to judge whether active process is the attack based on Cache in real time.This programme is not directed to using any specific Encryption Algorithm as the attack based on Cache of object of attack, and can presence of the real-time detection to attack before the attack based on Cache is completed with lower expense.

Description

The method that real-time detection is attacked based on Cache
Technical field
The present invention relates to a kind of methods that computer field more particularly to real-time detection are attacked based on Cache.
Background technique
Cloud computing is offered convenience by providing computing resource to its tenant, but since multiple tenants share hardware resource, There is also huge security risks for cloud computing.For example, attacker can use the cache (Cache) in shared processor The sensitive data for getting victim, here it is the attacks based on Cache.In order to initiate the attack based on Cache, attacker is logical Often need to first carry out some operations so that cache reaches a certain expected state, then waiting victim executes;Victim When execution, shared cache inevitably will use, therefore the state of cache may change;In victim After execution, attacker detects the state of cache, and the variation of front and back cached state is then executed by analysis victim Situation speculates the sensitive data to victim, to cause information leakage.Attack based on Cache can occur in desktop computer, cloud Between the shared caches such as server and virtual machine, mobile device and browser, mutual incredible component software, target of attack Including encryption system (such as key), computer system randomness (such as address space layout) and privacy of user (such as keyboard monitoring) Deng this brings huge threat to system and information security.
In order to resist the attack based on Cache, some defense schemes are limited by dividing the method for shared cache Use of the attacker to cache, to limit its ability for operating cache;Some defense schemes pass through injection noise Method carry out analysis of the interference attack person to cached state, so that attacker be prevented accurately to be inferred to the letter of victim Breath;Some detection methods implement the hardware event feature generated when the attack based on Cache to particular encryption algorithm by analyzing Rule, to identify the attack for particular encryption algorithm based on Cache using these features.
Although existing defense schemes and detection method obtain certain effect, these above-mentioned methods or only Energy defence is certain specifically based on the attack of Cache, or can only detect the Cache attack for particular encryption algorithm, and It is helpless when encountering the new attack based on Cache.Such as Meltdown and the Spectre attack produced recently are at The supposition of reason device executes the state of characteristic changing cache to realizing that illegal out-of-bounds access causes information leakage, still can be with Around all existing defence and detection scheme.
Summary of the invention
It is an object of the present invention to provide a kind of methods that real-time detection is attacked based on Cache.
According to an aspect of the invention, there is provided a kind of method that real-time detection is attacked based on Cache, this method include Two stages: off-line analysis stage and on-line checking stage, wherein
The off-line analysis stage the following steps are included:
Step 1, the hardware event data generated when attacker and well behaved program based on Cache execute are collected;
Step 2, the hardware event data being collected into are handled, extract and select feature for training machine learning algorithm, are obtained To the classifier for identification based on Cache attack;
The on-line checking stage the following steps are included:
Step 3, in real-time collecting system active process hardware event data, carried out window division;
Step 4, the hardware event data in each window are handled, whether there is using each window of detection of classifier and be based on The attack of Cache.
Further, in the above method, in the step 1,
The attacker based on Cache include: Flush+Reload, Flush+Flush, Prime+Probe, The attack of Meltdown, Spectre and XLATE series;
The well behaved program includes: CPU intensive type, I/O intensive type;The hardware event includes Cache hit, TLB hit And branch accidentally surveys dependent event, is collected using hardware performance counter;
The hardware event data are the hardware event data sequence with timing.
Further, in the above method, in the step 2, the hardware event data being collected into is processed into and are used to train Feature the step of it is as follows:
Step 2-1 handles the hardware event data being collected into using Attenuation method;
Step 2-2, to treated, data extract mean value, standard deviation, maximum value, quantile, very poor feature;
Step 2-3 is selected, selection gist F-Score using feature of the genetic algorithm to extraction.
Further, in the above method, in the Attenuation method, by the when ordinal series E=of original hardware event {x0,x1,...,xt,...,xnIt is converted into E'={ y0,y1,...,yt,...,yn, whereinht=α × ht-1+ (1-α)×xt, h0=x0, wherein t is sampling time point, t>0,0<α<1.
Further, in the above method, in the step 2, the machine learning algorithm includes: decision Tree algorithms, multilayer Perceptron algorithm and Xgboost algorithm;
The classifier is the machine learning algorithm by training what is generated can identify a variety of points based on Cache attack Class model.
Further, in the above method, in the step 3, the hardware event data of active process in real-time collecting system Steps are as follows:
Step 3-1 periodically scans for all active process in system, obtains the process ID list of all active process;
Step 3-2 compares the process ID list of the adjacent active process got twice, obtains newly generated active process Process ID list;
Step 3-3, filtered out from the process ID list of newly generated active process process ID in white list and its A process ID queue to be detected is added in the process ID of remaining active process by subprocess ID;
Step 3-4 monitors all active process in all process ID queues to be detected and obtains hardware event data.
Further, in the above method, the window include fixed quantity hardware event data record, multiple windows it Between there is no overlapping;
The white list is the process ID for being determined as benign process.
Further, in the above method, in the step 3-4, the process ID queue to be detected include: filtering queue, Long process queue and dangerous process queue,
When monitoring, a thread is respectively distributed for collecting for each process in the filtering queue and dangerous process queue Hardware event data distribute the hardware that a thread collects fixed window number in turn for all processes in the long process queue Event data;
In step 3-3, the process ID queue to be detected is filtering queue.
Further, in the above method, the process ID of the active process is in the filtering queue, long process queue and danger Circulation process between dangerous process queue is as follows:
The process ID initially enters the filtering queue, if the active process is within a specified time completed and do not had Exception is detected, then rejecting its process ID from filtering queue when the active process is completed;
If the active process is within a specified time without completing and not detecting exception, by the process ID Long process queue is moved to from filtering queue;
If the active process within a specified time detects exception, the process ID is moved to from filtering queue Dangerous process queue;
If the active process detects exception in long process queue, by the process ID from long process queue Move to dangerous process queue.
Further, in the above method, in the step 4,
The mode of hardware event data in window is handled with method described in step 2-1 and step 2-2;
When using in detection of classifier window with the presence or absence of the attack based on Cache, the window from different processes is adopted Classified with different detection scheme: the window for detecting the process in the filtering queue and long process queue using Xgboost Device;To the window of the process in the dangerous process queue using decision tree classifier, multi-layer perception (MLP) classifier and Xgboost classifier detects jointly.
Compared with prior art, of the invention to provide a kind of method that real-time detection is attacked based on Cache, including two Stage: it in the off-line analysis stage, monitors the operation of attacker and well behaved program sample based on Cache, collects it and ran The hardware event data generated in journey are extracted further according to the data being collected into and feature are selected to be used to training machine learning model, A variety of classifiers based on Cache attack can be identified by generating;Active process and collection in the on-line checking stage, in monitoring system The data being collected into are divided into the window of fixed size, then will be each by its hardware event data generated when running in real time Data in window handle and predicted using the classifier that the off-line analysis stage generates, thus judgement activity in real time Whether process is the attack based on Cache.This programme be not directed to using any specific Encryption Algorithm as object of attack based on The attack of Cache, and can presence of the real-time detection to attack before the attack based on Cache is completed with lower expense.
Detailed description of the invention
By reading a detailed description of non-restrictive embodiments in the light of the attached drawings below, of the invention other Feature, objects and advantages will become more apparent upon:
Fig. 1 is the scheme synoptic chart that real-time detection is attacked based on Cache in the embodiment of the present invention;
Fig. 2 is the architecture diagram that real-time detection is attacked based on Cache in the embodiment of the present invention;
Fig. 3 is feature selecting genetic algorithm flow chart in the embodiment of the present invention;
Fig. 4 is circulation figure of the process in monitoring queue when real-time detection is based on Cache attack in the embodiment of the present invention.
The same or similar appended drawing reference represents the same or similar component in attached drawing.
Specific embodiment
Present invention is further described in detail with reference to the accompanying drawing.
In a typical configuration of this application, terminal, the equipment of service network and trusted party include one or more Processor (CPU), input/output interface, network interface and memory.
Memory may include the non-volatile memory in computer-readable medium, random access memory (RAM) and/or The forms such as Nonvolatile memory, such as read-only memory (ROM) or flash memory (flash RAM).Memory is computer-readable medium Example.
Computer-readable medium includes permanent and non-permanent, removable and non-removable media can be by any method Or technology come realize information store.Information can be computer readable instructions, data structure, the module of program or other data. The example of the storage medium of computer includes, but are not limited to phase change memory (PRAM), static random access memory (SRAM), moves State random access memory (DRAM), other kinds of random access memory (RAM), read-only memory (ROM), electric erasable Programmable read only memory (EEPROM), flash memory or other memory techniques, read-only disc read only memory (CD-ROM) (CD-ROM), Digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape disk storage or other magnetic storage devices or Any other non-transmission medium, can be used for storage can be accessed by a computing device information.As defined in this article, computer Readable medium does not include non-temporary computer readable media (transitory media), such as the data-signal and carrier wave of modulation.
The present invention provides a kind of method that real-time detection is attacked based on Cache, including two stages: the off-line analysis stage and The on-line checking stage, wherein
The off-line analysis stage the following steps are included:
Step 1, the hardware event data generated when attacker and well behaved program based on Cache execute are collected;
Step 2, the hardware event data being collected into are handled, extract and select feature for training machine learning algorithm, are obtained To the classifier for identification based on Cache attack;
The on-line checking stage the following steps are included:
Step 3, in real-time collecting system active process hardware event data, carried out window division;
Step 4, the hardware event data in each window are handled, whether there is using each window of detection of classifier and be based on The attack of Cache.
In one embodiment of method that real-time detection of the invention is attacked based on Cache, in the step 1,
The attacker based on Cache include: Flush+Reload, Flush+Flush, Prime+Probe, The attack of Meltdown, Spectre and XLATE series;
The well behaved program includes: CPU intensive type, I/O intensive type;The hardware event includes Cache hit, TLB hit And branch accidentally surveys dependent event, is collected using hardware performance counter;
The hardware event data are the hardware event data sequence with timing.
In one embodiment of method that real-time detection of the invention is attacked based on Cache, in the step 2, by what is be collected into It is as follows that hardware event data are processed into the step of for trained feature:
Step 2-1 handles the hardware event data being collected into using Attenuation method;
Step 2-2, to treated, data extract mean value, standard deviation, maximum value, quantile, very poor feature;
Step 2-3 is selected, selection gist F-Score using feature of the genetic algorithm to extraction.
In one embodiment of method that real-time detection of the invention is attacked based on Cache, in the step 2, the engineering Practising algorithm includes: decision Tree algorithms, multi-layer perception (MLP) algorithm and Xgboost algorithm;
The classifier is the machine learning algorithm by training what is generated can identify a variety of points based on Cache attack Class model.
In one embodiment of method that real-time detection of the invention is attacked based on Cache, in the Attenuation method, By the when ordinal series E={ x of original hardware event0,x1,...,xt,...,xnIt is converted into E'={ y0,y1,...,yt,...,yn, Wherein,ht=α × ht-1+(1-α)×xt, h0=x0, wherein t is sampling time point, t>0,0<α<1.
In one embodiment of method that real-time detection of the invention is attacked based on Cache, in the step 3, real-time collecting system The hardware event data step of active process is as follows in system:
Step 3-1 periodically scans for all active process in system, obtains the process ID list of all active process;
Step 3-2 compares the process ID list of the adjacent active process got twice, obtains newly generated active process Process ID list;
Step 3-3, filtered out from the process ID list of newly generated active process process ID in white list and its A process ID queue to be detected is added in the process ID of remaining active process by subprocess ID;
Step 3-4 monitors all active process in all process ID queues to be detected and obtains hardware event data.
In one embodiment of method that real-time detection of the invention is attacked based on Cache, the window includes fixed quantity Hardware event data record, there is no overlappings between multiple windows;
The white list is the process ID for being determined as benign process.
It is described to be checked in the step 3-4 in one embodiment of method that real-time detection of the invention is attacked based on Cache Surveying process ID queue includes: to filter queue, long process queue and dangerous process queue,
When monitoring, a thread is respectively distributed for collecting for each process in the filtering queue and dangerous process queue Hardware event data distribute the hardware that a thread collects fixed window number in turn for all processes in the long process queue Event data;
In step 3-3, the process ID queue to be detected is filtering queue.
In one embodiment of method that real-time detection of the invention is attacked based on Cache, the process ID of the active process exists Circulation process between the filtering queue, long process queue and dangerous process queue is as follows:
The process ID initially enters the filtering queue, if the active process is within a specified time completed and do not had Exception is detected, then rejecting its process ID from filtering queue when the active process is completed;
If the active process is within a specified time without completing and not detecting exception, by the process ID Long process queue is moved to from filtering queue;
If the active process within a specified time detects exception, the process ID is moved to from filtering queue Dangerous process queue;
If the active process detects exception in long process queue, by the process ID from long process queue Move to dangerous process queue.
In one embodiment of method that real-time detection of the invention is attacked based on Cache, in the step 4,
The mode of hardware event data in window is handled with method described in step 2-1 and step 2-2;
When using in detection of classifier window with the presence or absence of the attack based on Cache, the window from different processes is adopted Classified with different detection scheme: the window for detecting the process in the filtering queue and long process queue using Xgboost Device;To the window of the process in the dangerous process queue using decision tree classifier, multi-layer perception (MLP) classifier and Xgboost classifier detects jointly.
Here, in order to resist the existing attack based on Cache and quickly reply is new attacks based on Cache, the application Provide a kind of method that real-time detection is attacked based on Cache.Scheme provided by the present application and framework are not directed to particular encryption Algorithm be object of attack the attack based on Cache, and can be had with lower expense real-time detection based on Cache's Attack.In addition, effective classifier is trained using scheme provided by the present application when the new attack based on Cache occurs, In addition framework provided by the present application can cope with the new attack based on Cache.
The application is described in further detail with reference to the accompanying drawing.
The hardware environment of the application is configured to a PC host, wherein and processor is Intel Core i5-4460, 3.2GHz has 11 hardware performance counters;Memory 8GB.Software environment operating system be Centos7.5.1804,64, Kernel version is 3.10.0.
Some embodiments of the present application provide a kind of real-time detection based on the Cache general scheme attacked and framework, such as Fig. 1 Shown, this programme includes off-line analysis stage and on-line checking stage.In the off-line analysis stage, runs and monitor based on Cache Attacker and well behaved program sample, the hardware event data generated in its operational process are collected, further according to the number being collected into According to extracting and feature being selected to be used to training machine learning model, a variety of classifiers based on Cache attack can be identified by generating;? Line detection-phase, active process in monitoring system are simultaneously collected the hardware event data generated when its operation, will be collected in real time To data be divided into the window of fixed size, then the data in each window handle and raw using the off-line analysis stage At classifier predicted, to judge whether active process is the attack based on Cache in real time.
Specifically, include monitoring module, study module and detection module three parts in some embodiments of the present application, such as scheme Shown in 2, the off-line analysis stage is made of the offline monitor and study module of monitoring module, and detailed process is indicated by the solid line, And the on-line checking stage is made of the in-service monitoring device and detection module of monitoring module, detailed process is represented by dashed line.
Monitoring module is made of offline monitor and in-service monitoring device, and offline monitor is responsible for collection sample program and is being executed The hardware event data that period generates, in-service monitoring device are responsible for the hardware event number of the generation of the active process in real-time collecting system According to.The work step of offline monitor shown in Fig. 2 is as follows:
1. step, runs sample program;
2. step, the process ID of the sample program of operation is obtained to operating system;
3. step, according to the sample program of process ID monitoring operation and collects the hardware generated in sample program operational process Event data;
4., by the hardware event data being collected into file is written in step.
Step 1. in, the sample program includes attacker and well behaved program based on Cache, wherein being based on The attacker of Cache come from Github, including Flush+Reload, Flush+Flush, Prime+Probe, Meltdown, The attack of Spectre and XLATE series;Some basic commands of the well behaved program from standard benchmark and Linux, including meter Calculate intensive and I/O intensive procedure.
Step 2. in, by order ps according to operation sample program title to operating system obtain sample program into Journey ID.
Step 3. in, mentioned using PAPI (Performance Application Programming Interface) The interface access hardware performance counter of confession obtains hardware event data, the hardware thing that is collected into primary every the sampling of 100 microseconds Number of packages evidence is the sequence with timing.When sample program operation is completed, the work of hardware event data is monitored and collected to it It terminates therewith.The hardware event is referring to following table:
Event title Event description
PAPI_TOT_CYC The total period executed
PAPI_TOT_INS The total instruction executed
PAPI_L3_LDM L3 grades of cachings load miss
PAPI_L3_TCA The total access of L3 grades of cachings
PAPI_PRF_DM Data pre-fetching miss
PAPI_TLB_DM Data TLB cache miss
PAPI_BR_CN Conditional branch instructions
PAPI_BR_MSP Conditional branching misspeculated instruction
1. -4. five time some embodiments provided by the present application repeat step to each sample program, every time with different Program run therewith.The uncertainty in program operation process on the one hand can be reduced in this way to hardware event data Caused by influence, on the other hand can increase for training sample size.
It is a part for the hardware event data being collected into during the operation of Spectre attacker shown in following table, wherein PAPI_ prefix is omitted, and every a line represents the record once sampled, and each column represent the timing record of corresponding event:
BR_MSP BR_CN PRF_DM TLB_DM TOT_CYC TOT_INS L3_LDM L3_TCA
0 0 0 0 0 0 0 0
3 3758 32 7 45424 36637 8 61
0 64180 1 73 509496 453733 32 13
34 58474 19 91 471392 402074 79 342
415 20187 22 5 516647 151523 1109 1302
230 20811 4 0 469192 153857 1042 1012
182 20258 0 0 543469 165991 1294 1270
213 24678 1 0 529390 176620 1292 1273
175 21912 0 0 528615 169715 1273 1254
210 24738 556 0 530863 182552 1255 1243
171 21960 1 0 519032 166022 1271 1268
178 23213 0 0 512900 177904 1181 1172
The target of study module is to train the model with very strong predictive ability according to the hardware event data being collected into, Obtain the classifier for being capable of detecting when to attack based on Cache.Study module shown in Fig. 2 comprises the steps of:
5. step, the hardware event data being collected into is pre-processed using Attenuation method;
6., to pretreated data step carries out feature extraction, and carry out feature selecting using genetic algorithm;
7. step, the feature feeding machine learning algorithm of selection is trained;
8. step, generates and saves classifier.
Step 5. in, invalid data mistake that may be present in the hardware event data that are first collected into offline monitor It filters, such as the record of the first row complete zero in upper table.Then hardware event data are turned using Attenuation method It changes.The conversion regime of Attenuation method is as follows:
Assuming that the when ordinal series of event e is E={ x0,x1,...,xt,...,xn, enable h0=x0, ht=α × ht-1+(1-α) ×xt, wherein t is sampled point, t>0,0<α<1.Sequence E'={ y after so converting0,y1,...,yt,...,yn, wherein
By Attenuation method, treated that data are unrelated with the numberical range of initial data, and retains original The fluctuation situation of data, this is not only suitable for the hardware event data got under different machines environment, is also applied for real-time field Scape.
Step 6. in, to pretreated data sequence extract most value, mean value, median, standard deviation, quantile, pole The features such as difference choose subset as candidate feature, then for training in candidate feature.Choosing subset both can be with as feature The performance cost for reducing study and prediction, can also reduce extraneous features interference caused by model training.Selected characteristic subset Use genetic algorithm, as shown in figure 3, its detailed process is as follows:
In initial phase, gene is encoded, a gene pairs answers a character subset, select N number of gene as Initialization population.If the length of candidate feature set is L, then each gene pairs answers the binary string of an a length of L, in any base Because on site, 0 indicates not selecting corresponding feature, and 1 indicates to select corresponding feature.When initialization population, randomly choose it is N number of 1~2LNumber, the corresponding binary string of every number is the gene in genetic algorithm, and the corresponding gene of this N number of random number is The population of initialization.
In evaluation stage, outstanding gene is selected to make Evolution of Population as male parent.Evaluation criteria whether gene is outstanding Depending on fitness function, what fitness function returned here is the corresponding character subset of each gene in multiple machine learning moulds The mean value of gained F-Score in type (multi-layer perception (MLP) MLP, decision tree DEC and XGBoost), fitness is bigger to illustrate gene more It is outstanding.In order to allow outstanding gene to have bigger procreation probability, the fitness of each genes of individuals in initialization population is calculated Afterwards, use roulette selection method choice n outstanding genes as male parent: setting the fitness of i-th of gene in population as fi, Then it is selected is for the probability of procreation
In phylogenetic scale, two male parent cross selections are selected to form new gene from n male parent, new gene has centainly Probability mutates.When cross selection, the gene coding of two male parents is compared, selects the protogene in two male parents (that is, two It is all 1 gene position in a male parent) it is hereditary to offspring, and non-advantage gene position (gene position that an only male parent is 1) There is certain probability to be hereditary to offspring.New gene also has certain probability that gene mutation occurs (i.e. certain in addition to the gene of hereditary male parent Gene position becomes 1 from 0, or becomes 0) from 1.
It repeats phylogenetic scale n times and generates n new gene as filial generation, to the gene calculating fitness of filial generation, and from filial generation N outstanding genes (evaluation stage) are selected to continue to multiply in parent, constantly repeatedly above step.After the certain number of iteration, The character subset of available near-optimization.
Step 7. in, by the optimal feature subset of acquisition input multi-layer perception (MLP) (MLP), decision tree (DEC) and In tri- machine learning algorithms of XGBoost.Best model is selected using the method for five folding cross validations in training: first Using 30% sample as test set, 70% sample is as training set;Then training set is randomly divided into five parts, wherein four parts It is remaining a for verifying for training;It repeats five times, the smallest model preservation of validation error is used to predict in real time.
The work step of in-service monitoring device shown in Fig. 2 is as follows:
Step [1] periodically obtains the process ID list of current active process to operating system;
Step [2] monitors the active process being currently running, and the hardware event number of collection activity process according to process ID According to;
The hardware event data being collected into are transmitted to detection module by step [3] in the form of streaming in real time.
In step [2], all active process in the active process and nonsystematic of monitoring, because at any time, being Most of active process in system is benign process, so It is not necessary to waste too many resource monitoring be determined as it is benign into Journey.Some embodiments of the present application use increment type monitoring scheme, i.e., the active process got more twice in succession into Journey ID list obtains the process ID list of newly generated active process.In addition, some embodiments of the present application are also provided with white name Single, record is determined as benign process ID in white list, in surveillance operation process, by the process ID and its son in white list Process ID filters out.Many unnecessary monitoring are eliminated in this way, reduce the unnecessary wasting of resources.
The target of detection module is all possible Cache attack of discovery, which utilizes the classification of study module output Device detects the hardware event feature that in-service monitoring device is collected.The work step of detection module shown in Fig. 2 is as follows:
Step [4], the hardware event data that in-service monitoring device is collected into carry out invalid value filtering, Attenuation turns It changes after being divided with window, the feature of selection is gone out to each window calculation, using feature as the input of classifier;
Step [5], classifier classify to window according to feature, once being predicted as the attack based on Cache, then issue Warning.
In order to further increase the efficiency of monitoring and detection, while rate of false alarm is reduced, is tieed up in some embodiments of the present application Three monitoring queues are protected: filtering queue, long process queue and dangerous process queue.As shown in figure 4, all newly generated, no Active process in white list is all introduced into filtering queue, for each process in filtering queue, distributes a thread It is exclusively used in collecting its hardware event data;Each process can be continually monitored the window of fixed quantity, and each window uses XGBoost detection of classifier is with the presence or absence of abnormal;It, should if program is completed in fixed window and do not detect exception Process is removed from filtering queue;If program detects exception in fixed window, which moves on to from filtering queue Dangerous process queue;If program is not completed in fixed window, while also not detecting exception, then the process is from mistake Filter queue moves on to long process queue.For all processes in long process queue, distributes a thread and collect fixed window in turn Several hardware event data, each window is using XGBoost detection of classifier with the presence or absence of abnormal;If detecting exception, The process is moved into dangerous process queue from long process queue;If not detecting exception, until process, which is run, to be completed It is removed from long process queue.For each process in dangerous process queue, distributes a thread and be exclusively used in collecting it Hardware event data, each window predict whether exist using three XGBoost, decision tree and multi-layer perception (MLP) classifiers jointly Attack based on Cache;Once detecting the attack based on Cache, then give a warning.Some embodiments of the present application use three A monitoring queue is monitored and is detected using different strategies to different processes, this is also reduced while reducing expense Rate of false alarm.
In conclusion this application provides a kind of real-time detections based on the Cache general scheme attacked and framework, including two A stage: it in the off-line analysis stage, monitors the operation of attacker and well behaved program sample based on Cache, collects its operation The hardware event data generated in the process are extracted further according to the data being collected into and feature are selected to be used to training machine study mould Type, a variety of classifiers based on Cache attack can be identified by generating;In the on-line checking stage, the active process in monitoring system is simultaneously The hardware event data generated when its operation are collected, the data being collected into are divided into the window of fixed size in real time, then will Data in each window handle and predicted using the classifier that the off-line analysis stage generates, to judge in real time Whether active process is the attack based on Cache.This programme is not directed to using any specific Encryption Algorithm as the base of object of attack In the attack of Cache, and can presence of the real-time detection to attack before the attack based on Cache is completed with lower expense.
Obviously, those skilled in the art can carry out various modification and variations without departing from the essence of the application to the application Mind and range.In this way, if these modifications and variations of the application belong to the range of the claim of this application and its equivalent technologies Within, then the application is also intended to include these modifications and variations.
It should be noted that the present invention can be carried out in the assembly of software and/or software and hardware, for example, can adopt With specific integrated circuit (ASIC), general purpose computer or any other realized similar to hardware device.In one embodiment In, software program of the invention can be executed to implement the above steps or functions by processor.Similarly, of the invention Software program (including relevant data structure) can be stored in computer readable recording medium, for example, RAM memory, Magnetic or optical driver or floppy disc and similar devices.In addition, some of the steps or functions of the present invention may be implemented in hardware, example Such as, as the circuit cooperated with processor thereby executing each step or function.
In addition, a part of the invention can be applied to computer program product, such as computer program instructions, when its quilt When computer executes, by the operation of the computer, it can call or provide according to the method for the present invention and/or technical solution. And the program instruction of method of the invention is called, it is possibly stored in fixed or moveable recording medium, and/or pass through Broadcast or the data flow in other signal-bearing mediums and transmitted, and/or be stored according to described program instruction operation In the working storage of computer equipment.Here, according to one embodiment of present invention including a device, which includes using Memory in storage computer program instructions and processor for executing program instructions, wherein when the computer program refers to When enabling by processor execution, method and/or skill of the device operation based on aforementioned multiple embodiments according to the present invention are triggered Art scheme.
It is obvious to a person skilled in the art that invention is not limited to the details of the above exemplary embodiments, Er Qie In the case where without departing substantially from spirit or essential attributes of the invention, the present invention can be realized in other specific forms.Therefore, no matter From the point of view of which point, the present embodiments are to be considered as illustrative and not restrictive, and the scope of the present invention is by appended power Benefit requires rather than above description limits, it is intended that all by what is fallen within the meaning and scope of the equivalent elements of the claims Variation is included in the present invention.Any reference signs in the claims should not be construed as limiting the involved claims.This Outside, it is clear that one word of " comprising " does not exclude other units or steps, and odd number is not excluded for plural number.That states in device claim is multiple Unit or device can also be implemented through software or hardware by a unit or device.The first, the second equal words are used to table Show title, and does not indicate any particular order.

Claims (10)

1. a kind of method that real-time detection is attacked based on Cache, wherein this method include two stages: the off-line analysis stage and The on-line checking stage, wherein
The off-line analysis stage the following steps are included:
Step 1, the hardware event data generated when attacker and well behaved program based on Cache execute are collected;
Step 2, the hardware event data being collected into are handled, extract and select feature for training machine learning algorithm, are used In the classifier that identification is attacked based on Cache;
The on-line checking stage the following steps are included:
Step 3, in real-time collecting system active process hardware event data, carried out window division;
Step 4, the hardware event data in each window are handled, whether there is using each window of detection of classifier and be based on The attack of Cache.
2. according to the method described in claim 1, wherein, in the step 1,
The attacker based on Cache include: Flush+Reload, Flush+Flush, Prime+Probe, The attack of Meltdown, Spectre and XLATE series;
The well behaved program includes: CPU intensive type, I/O intensive type;The hardware event includes Cache hit, TLB hit and divides Branch accidentally surveys dependent event, is collected using hardware performance counter;
The hardware event data are the hardware event data sequence with timing.
3. according to the method described in claim 1, wherein, in the step 2, the hardware event data being collected into are processed into use It is as follows in the trained feature the step of:
Step 2-1 handles the hardware event data being collected into using Attenuation method;
Step 2-2, to treated, data extract mean value, standard deviation, maximum value, quantile, very poor feature;
Step 2-3 is selected, selection gist F-Score using feature of the genetic algorithm to extraction.
4. according to the method described in claim 3, wherein, in the Attenuation method, by the timing of original hardware event Ordered series of numbers E={ x0,x1,...,xt,...,xnIt is converted into E'={ y0,y1,...,yt,...,yn, whereinht=α × ht-1+(1-α)×xt, h0=x0, wherein t is sampling time point, t>0,0<α<1.
5. according to the method described in claim 1, wherein, in the step 2, the machine learning algorithm includes: decision tree calculation Method, multi-layer perception (MLP) algorithm and Xgboost algorithm;
The classifier is the machine learning algorithm by training what is generated can identify a variety of classification moulds based on Cache attack Type.
6. according to the method described in claim 1, wherein, in the step 3, the hardware thing of active process in real-time collecting system Number of packages is according to steps are as follows:
Step 3-1 periodically scans for all active process in system, obtains the process ID list of all active process;
Step 3-2 compares the process ID list of the adjacent active process got twice, obtain newly generated active process into Journey ID list;
Step 3-3, filtered out from the process ID list of newly generated active process process ID in white list and its son into A process ID queue to be detected is added in the process ID of remaining active process by journey ID;
Step 3-4 monitors all active process in all process ID queues to be detected and obtains hardware event data.
7. according to the method described in claim 6, wherein, the window includes the hardware event data record of fixed quantity, more There is no overlappings between a window;
The white list is the process ID for being determined as benign process.
8. according to the method described in claim 7, wherein, in the step 3-4, the process ID queue to be detected included: Queue, long process queue and dangerous process queue are filtered,
When monitoring, a thread is respectively distributed for collecting hardware for each process in the filtering queue and dangerous process queue Event data distributes the hardware event that a thread collects fixed window number in turn for all processes in the long process queue Data;
In step 3-3, the process ID queue to be detected is filtering queue.
9. according to the method described in claim 8, wherein, the process ID of the active process is in the filtering queue, long process Circulation process between queue and dangerous process queue is as follows:
The process ID initially enters the filtering queue, if the active process is within a specified time completed and do not detected To exception, then its process ID is rejected from filtering queue when the active process is completed;
If the active process within a specified time without completing and not detecting exception, by the process ID from mistake Filter queue moves to long process queue;
If the active process within a specified time detects exception, the process ID is moved into danger from filtering queue Process queue;
If the active process detects exception in long process queue, the process ID is moved to from long process queue Dangerous process queue.
10. according to the method described in claim 1, wherein, in the step 4,
The mode of hardware event data in window is handled with method described in step 2-1 and step 2-2;
When using in detection of classifier window with the presence or absence of the attack based on Cache, to the window from different processes using not Same detection scheme: the window for detecting the process in the filtering queue and long process queue uses Xgboost classifier;It is right The window of process uses decision tree classifier, multi-layer perception (MLP) classifier and Xgboost points in the dangerous process queue Class device detects jointly.
CN201910127173.2A 2019-02-20 2019-02-20 Method for real-time detection of attack based on Cache Active CN109918901B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910127173.2A CN109918901B (en) 2019-02-20 2019-02-20 Method for real-time detection of attack based on Cache

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910127173.2A CN109918901B (en) 2019-02-20 2019-02-20 Method for real-time detection of attack based on Cache

Publications (2)

Publication Number Publication Date
CN109918901A true CN109918901A (en) 2019-06-21
CN109918901B CN109918901B (en) 2021-10-15

Family

ID=66961861

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910127173.2A Active CN109918901B (en) 2019-02-20 2019-02-20 Method for real-time detection of attack based on Cache

Country Status (1)

Country Link
CN (1) CN109918901B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113221118A (en) * 2021-05-11 2021-08-06 卓尔智联(武汉)研究院有限公司 Detection method and device for channel attack on cache side and electronic equipment
CN114679315A (en) * 2022-03-25 2022-06-28 中国工商银行股份有限公司 Attack detection method, apparatus, computer device, storage medium, and program product
CN117077152A (en) * 2023-10-18 2023-11-17 中电科申泰信息科技有限公司 Method for disturbing superscalar processor speculatively executing spectrum attack

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8910280B2 (en) * 2012-04-30 2014-12-09 At&T Intellectual Property I, L.P. Detecting and blocking domain name system cache poisoning attacks
CN105550578A (en) * 2015-12-10 2016-05-04 上海电机学院 Network anomaly classification rule extracting method based on feature selection and decision tree
CN108629181A (en) * 2018-05-11 2018-10-09 湖南大学 The Cache attack detection methods of Behavior-based control
US10116436B1 (en) * 2017-09-26 2018-10-30 Intel Corporation Techniques for preventing memory timing attacks

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8910280B2 (en) * 2012-04-30 2014-12-09 At&T Intellectual Property I, L.P. Detecting and blocking domain name system cache poisoning attacks
CN105550578A (en) * 2015-12-10 2016-05-04 上海电机学院 Network anomaly classification rule extracting method based on feature selection and decision tree
US10116436B1 (en) * 2017-09-26 2018-10-30 Intel Corporation Techniques for preventing memory timing attacks
CN108629181A (en) * 2018-05-11 2018-10-09 湖南大学 The Cache attack detection methods of Behavior-based control

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李晓虹: "基于行为的cache攻击检测系统", 《湖南大学工程硕士学位论文》 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113221118A (en) * 2021-05-11 2021-08-06 卓尔智联(武汉)研究院有限公司 Detection method and device for channel attack on cache side and electronic equipment
CN114679315A (en) * 2022-03-25 2022-06-28 中国工商银行股份有限公司 Attack detection method, apparatus, computer device, storage medium, and program product
CN114679315B (en) * 2022-03-25 2024-05-14 中国工商银行股份有限公司 Attack detection method, apparatus, computer device, storage medium, and program product
CN117077152A (en) * 2023-10-18 2023-11-17 中电科申泰信息科技有限公司 Method for disturbing superscalar processor speculatively executing spectrum attack
CN117077152B (en) * 2023-10-18 2024-01-23 中电科申泰信息科技有限公司 Method for disturbing superscalar processor speculatively executing spectrum attack

Also Published As

Publication number Publication date
CN109918901B (en) 2021-10-15

Similar Documents

Publication Publication Date Title
CN108718310B (en) Deep learning-based multilevel attack feature extraction and malicious behavior identification method
Ektefa et al. Intrusion detection using data mining techniques
Murtaza et al. A host-based anomaly detection approach by representing system calls as states of kernel modules
CN109522716B (en) Network intrusion detection method and device based on time sequence neural network
CN105590055B (en) Method and device for identifying user credible behaviors in network interaction system
CN106411921B (en) Multi-step attack prediction technique based on causal Bayesian network
CN110135157A (en) Malware homology analysis method, system, electronic equipment and storage medium
CN111428231A (en) Safety processing method, device and equipment based on user behaviors
CN109918901A (en) The method that real-time detection is attacked based on Cache
Lima et al. A comparative study of use of Shannon, Rényi and Tsallis entropy for attribute selecting in network intrusion detection
Gonaygunta Machine learning algorithms for detection of cyber threats using logistic regression
Ajdani et al. Introduced a new method for enhancement of intrusion detection with random forest and PSO algorithm
Sharma et al. Layered approach for intrusion detection using naïve Bayes classifier
CN110830483B (en) Webpage log attack information detection method, system, equipment and readable storage medium
Dou et al. Pc 2 a: predicting collective contextual anomalies via lstm with deep generative model
CN106792883A (en) Sensor network abnormal deviation data examination method and system
CN109120592A (en) A kind of Web abnormality detection system based on user behavior
CN116318924A (en) Small sample intrusion detection method, system, medium, equipment and terminal
Muslihi et al. Detecting SQL injection on web application using deep learning techniques: a systematic literature review
Mythreya et al. Prediction and prevention of malicious URL using ML and LR techniques for network security: machine learning
Harbola et al. Improved intrusion detection in DDoS applying feature selection using rank & score of attributes in KDD-99 data set
CN110598959A (en) Asset risk assessment method and device, electronic equipment and storage medium
Lam Detecting unauthorized network intrusion based on network traffic using behavior analysis techniques
Eldos et al. On the KDD'99 Dataset: Statistical Analysis for Feature Selection
US11665185B2 (en) Method and apparatus to detect scripted network traffic

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant