CN113378894A - Non-invasive application off-line attack method based on side channel power consumption analysis - Google Patents

Abstract

A non-invasive application off-line attack method based on side channel power consumption analysis constructs a side channel attack classifier based on power consumption correlation degree through stages of data acquisition, data processing, feature extraction, classification and the like. An attacker collects physical leakage in the starting process of the application program, conjectures the starting state of the application program of the target equipment by adopting a method of combining side channel power analysis and correlation calculation, classifies and identifies the starting state as a complete event so as to know which application program the target equipment runs, infers sensitive information of the target equipment by utilizing the information leaked by the target equipment, and acquires user privacy. Compared with the traditional side channel attack intrusive method based on the direct-current power supply, the non-intrusive side channel attack method based on the alternating-current power supply is provided, and the method has better concealment.

Description

Non-invasive application off-line attack method based on side channel power consumption analysis

Technical Field

The invention relates to the technical field of side channel attack, in particular to a non-invasive application off-line attack method based on power consumption correlation.

Background

With the rapid development of computer technology, modern computing devices dynamically adjust their power consumption to meet the requirements of the workload. The power consumption information of a computing device changes over time as it performs different tasks. Therefore, as a typical side channel signal, power consumption information of a device is often used for privacy detection and attack. An attacker can infer the current activity of a computing device by analyzing power consumption information of the computing device. Traditional side channel attack methods based on dc power supplies are intrusive, require direct access to internal components of the computing device, and are not realistic.

Disclosure of Invention

In order to overcome the defects of the prior art, the invention provides a non-invasive application program offline attack method based on side channel power consumption analysis.

The technical scheme adopted by the invention for solving the technical problems is as follows:

a non-invasive application program offline attack method based on side channel power consumption analysis comprises the following steps:

(1) data acquisition: setting an automatic data acquisition platform, measuring the power consumption of notebook computers and desktop computers of different operating systems and different brands by using an open-close type current transformer, and acquiring power consumption leakage data of a plurality of different application programs when the application programs run on the computers by using a sound card so as to monitor the power consumption of target equipment;

(2) data processing: carrying out data segmentation on the power consumption signal, separating different running states of the application program from the collected sound file, and dividing the one-time complete running process of the application program into three states of starting, waiting and closing;

(3) feature extraction: after different running states of the application program are separated from the collected sound file, characteristic extraction is carried out on the sound samples;

(4) application program classification: randomly selecting a sample from data collected by different devices as a training sample of the classifier, setting labels as different device models, inputting a signal into the classifier when an attacker obtains a power signal started by an application program, and then determining a device model according to a classification result.

Further, the step (1) comprises the steps of:

1.1: an automatic data acquisition platform is arranged, and an open-close type current transformer is used for measuring the power consumption of notebook computers and desktop computers with different operating systems and brands. Acquiring power consumption leakage data of a plurality of different application programs when the application programs run on a computer through a sound card so as to monitor the power consumption of target equipment;

1.2: the platform realizes the automatic collection of experimental data for multiple times by means of communication among the devices, and the attack device and the target device are positioned in the same local area network in the data collection process in the training stage;

1.3: connecting one end of an open-close type current transformer to an audio interface of attack equipment, and placing a zero line of a patch board connected with target equipment in an induction area of the current transformer;

1.4: and acquiring power consumption data of the target equipment by controlling a sound card of the target equipment.

Still further, the step (2) comprises the following steps:

2.1: carrying out standardization processing on an original alternating current signal to enable the range of the original alternating current signal to be scaled to [ -3,3 ];

2.2: carrying out short-time energy summation on 882 points in the small window to obtain an energy value of each window;

2.3: when the energy of a window exceeds a certain threshold (the short-time energy mean value in the invention), namely the effective part of the starting waveform, the starting state waveform of the application program is separated.

Further, the step (3) introduces a correlation coefficient for measuring the degree of correlation between the two variables; in the invention, a specific application program always presents a similar curve on a starting power track, and power tracks of different application program starting processes have distinguishable differences; the matching degree of the actually detected power track and the power track with the label in the sample database can be presumed according to the correlation coefficient, and the sample label with the highest matching degree is selected as a final judgment result.

The step (3) introduces a correlation coefficient for measuring the degree of correlation between two variables, and comprises the following steps:

3.1: carrying out short-time Fourier transform on the starting state waveform to obtain a time-frequency domain power consumption track;

3.2: and extracting and compressing important features of the time-frequency domain power consumption track by a principal component analysis method, and keeping the results of the first 32 dimensions as the features of the correlation calculation.

The principal component analysis method comprises the following steps:

3.2.1: calculating a sample power trajectory data set X ═ X₁,x₂,x₃,......x_nThe mean value of the samples of (u),

3.2.2: averaging (i.e., de-centering) each power trace sample to obtain

3.2.3: solving covariance matrix by eigenvalue method

Characteristic value of (1 [ [ lambda ])₁,λ₂,λ₃,......,λ_n} and feature vector { ξ₁,ξ₂,ξ₃,......,ξ_n}；

3.2.4: sorting the eigenvalues from big to small, selecting the largest K eigenvalues, and taking the corresponding K eigenvectors as row vectors respectively to form an eigenvector matrix P;

3.2.5: the data is converted into a space constructed by K eigenvectors, i.e., X' ═ PX.

3.2.6: after the input track X and the sample track Y are subjected to feature extraction according to the steps, a Pearson correlation coefficient is calculated, and the formula is as follows:

wherein,

is the average of the input trace and the samples.

The invention has the following beneficial effects: compared with the traditional side channel attack intrusive method based on the direct-current power supply, the non-intrusive side channel attack method based on the alternating-current power supply is provided, and the method has better concealment.

Drawings

Fig. 1 is a schematic diagram of a "known device" attack scenario.

Fig. 2 is a schematic diagram of a "configure device" attack scenario.

Fig. 3 is a schematic diagram of an attack scenario of "unknown device".

Fig. 4 is a block diagram of an application detection architecture based on side channel power consumption analysis.

Fig. 5 is a block diagram of a side channel attack architecture.

Fig. 6 is a data acquisition flowchart of a non-intrusive application off-line attack method based on side channel power consumption analysis in an embodiment of the present invention;

FIG. 7 is a data processing flowchart of a non-intrusive application off-line attack method based on side channel power consumption analysis according to an embodiment of the present invention;

fig. 8 is a flowchart of feature extraction of a non-intrusive application off-line attack method based on side channel power consumption analysis according to an embodiment of the present invention.

Fig. 9 is a flowchart of principal component analysis of a non-intrusive application off-line attack method based on side channel power consumption analysis according to an embodiment of the present invention.

Detailed Description

The invention is further described below with reference to the accompanying drawings.

Referring to fig. 1 to 9, an application offline attack method based on power consumption correlation is characterized by including an attack device (desktop/notebook computer), a target device (desktop/notebook computer), an open-close type current transformer (SCT010), and a patch board;

"known device" attack scenario: fig. 1 is a schematic diagram of a "known device" attack scenario. In this attack scenario, the attacker obtains some power consumption leakage information on the victim target device, as well as the true case of the leakage. This may occur if the victim inadvertently provides some application examples to the attacker during chat, such leakage being referred to as "signature data" of the victim, corresponding to the most desirable attack scenario. For the authenticity of the attack, the amount of marking data should be limited to only a few samples per application. The attacker has the most relevant information with the victim in the scene.

Attack scenario "configuration device": fig. 2 is a schematic diagram illustrating a "configure device" attack scenario. In this scenario, the attacker does not have any tag data from the victim target device. In the training phase, the attacker may collect power consumption data from the same type of device as the victim target device and use it as a training set for the experiment. The training set models data acquired by an attacker, so that the power consumption mode of the attacking device is analyzed in the attack stage, and the application program which is being started is presumed.

Attack scenario of "unknown device": fig. 3 is a schematic diagram illustrating an attack scenario of an unknown device. The "unknown device" attack scenario is the most challenging and realistic attack scenario. The attacker does not have any training data for the victim target device, and the obtained information is limited to the leakage of the power consumption of the victim. The target of the attacker is to speculate the victim's device and the running application, and once the attacker learns the current model of the target device through analysis, the attacker can use this information to launch the attack, assuming that the attacker keeps the power consumption database of past attacks. Under the scenario, a side channel attack initiated by an attacker needs target device detection and application program detection.

During the attack, the victim runs some applications on the target device. In all scenarios presented in section 1.1, the attacker has performed ac power tracking on the victim's computer. Fig. 4 is a block diagram of an application detection structure based on side channel power consumption analysis, which is divided into a training phase and an attack phase.

A training stage: in the training phase, an attacker performs power consumption training data acquisition of a target application program on a target device or a device of the same model as the target device. Firstly, the collected alternating current signals are standardized to enable the range of the signals to be scaled to [ -3,3], then short-time energy summation is carried out on points in a small window, and effective parts of starting waveforms are segmented according to threshold values. And finally, performing feature extraction on the segmented starting state waveform, and inputting the starting state waveform into a classifier for training. The training phase also includes training of learning models, such as supervised classifiers, to generate an offline database for invocation by the attack detection phase.

And (3) attack stage: the attack phase typically consists of three steps. (1) Placing a current sensor on a zero line of a patch board connected with target equipment or a zero line of a corresponding ammeter, and waiting for starting a target application program; (2) observing leaked side channel information based on the collected information; (3) sensitive information is inferred using a previously established model.

In the "known device" scenario and the "configured device" scenario, an attacker obtains corresponding power consumption traces on the target device (the "known device" scenario) or on the same model device (the "configured device" scenario). As shown in the structural diagram 5 of the side channel attack in these two cases, an attacker first preprocesses the collected power consumption trajectory, then segments the preprocessed data, extracts an effective waveform of the application program at the start stage as its feature, and finally classifies the application program by using the obtained data as a training set.

In the "unknown device" analysis scenario, since the attacker does not know the target device of the victim, the target device class needs to be identified according to the ac power consumption trajectory, and then the running application is classified using correct training data.

The invention provides a non-invasive application off-line attack method based on side channel power consumption analysis, which constructs a side channel attack classifier based on power consumption correlation degree through stages of data acquisition, data processing, feature extraction, classification and the like, and the 3 stages are respectively introduced below by combining with figures 6-8.

A non-invasive application program offline attack method based on side channel power consumption analysis comprises the following steps:

(1) data acquisition: setting an automatic data acquisition platform, measuring the power consumption of notebook computers and desktop computers of different operating systems and different brands by using an open-close type current transformer, and acquiring power consumption leakage data of a plurality of different application programs when the application programs run on the computers by using a sound card so as to monitor the power consumption of target equipment;

(2) data processing: carrying out data segmentation on the power consumption signal, separating different running states of the application program from the collected sound file, and dividing the one-time complete running process of the application program into three states of starting, waiting and closing;

(3) feature extraction: after different running states of the application program are separated from the collected sound file, characteristic extraction is carried out on the sound samples;

(4) application program classification: randomly selecting a sample from data collected by different devices as a training sample of the classifier, setting labels as different device models, inputting a signal into the classifier when an attacker obtains a power signal started by an application program, and then determining a device model according to a classification result.

As shown in fig. 6, the non-intrusive application off-line attack method based on side channel power consumption analysis according to the present invention performs data acquisition according to the following steps:

1.1: an automatic data acquisition platform is arranged, and an open-close type current transformer is used for measuring the power consumption of notebook computers and desktop computers with different operating systems and brands. Acquiring power consumption leakage data of a plurality of different application programs when the application programs run on a computer through a sound card so as to monitor the power consumption of target equipment;

1.2: the platform realizes the automatic collection of experimental data for multiple times by means of communication among the devices, and the attack device and the target device are positioned in the same local area network in the data collection process in the training stage;

1.3: connecting one end of an open-close type current transformer to an audio interface of attack equipment, and placing a zero line of a patch board connected with target equipment in an induction area of the current transformer;

1.4: and acquiring power consumption data of the target equipment by controlling a sound card of the target equipment.

As shown in fig. 7, the non-intrusive application off-line attack method based on side channel power consumption analysis according to the present invention performs data processing according to the following steps:

2.1: carrying out standardization processing on an original alternating current signal to enable the range of the original alternating current signal to be scaled to [ -3,3 ];

2.2: carrying out short-time energy summation on 882 points in the small window to obtain an energy value of each window;

2.3: when the energy of a window exceeds a certain threshold (the short-time energy mean value in the invention), namely the effective part of the starting waveform, the starting state waveform of the application program is separated.

As shown in fig. 8, the non-intrusive application off-line attack method based on side channel power consumption analysis according to the present invention performs feature extraction according to the following steps:

3.1: carrying out short-time Fourier transform on the starting state waveform to obtain a time-frequency domain power consumption track;

3.2: and extracting and compressing important features of the time-frequency domain power consumption track by a principal component analysis method, and keeping the results of the first 32 dimensions as the features of the correlation calculation.

As shown in fig. 9, the non-intrusive application off-line attack method based on side channel power consumption analysis according to the present invention performs principal component analysis according to the following steps:

3.2.1: calculating a sample power trajectory data set X ═ X₁,x₂,x₃,......x_nThe mean value of the samples of (u),

3.2.2: averaging (i.e., de-centering) each power trace sample to obtain

3.2.3: solving covariance matrix by eigenvalue method

Characteristic value of (1 [ [ lambda ])₁,λ₂,λ₃,......,λ_n} and feature vector { ξ₁,ξ₂,ξ₃,......,ξ_n}；

3.2.4: sorting the eigenvalues from big to small, selecting the largest K eigenvalues, and taking the corresponding K eigenvectors as row vectors respectively to form an eigenvector matrix P;

3.2.5: converting the data into a space constructed by K eigenvectors, namely X' ═ PX;

3.2.6: after the input track X and the sample track Y are subjected to feature extraction according to the steps, a Pearson correlation coefficient is calculated, and the formula is as follows:

wherein,

is the average of the input trace and the samples.

By adopting the non-invasive application off-line attack method based on side channel power consumption analysis, a classifier of side channel off-line attack based on power consumption correlation is constructed through stages of data acquisition, data processing, feature extraction, classification and the like, and the side channel attack performance of the proposed classifier is evaluated. The experiment mainly aims at the three attack scenes of the known equipment, the configured equipment and the unknown equipment, and adopts Top-n accuracy rate to evaluate the side channel attack performance based on power consumption analysis under the offline condition, so that the side channel attack effect of an attacker on target equipment of different brands and different systems is better, and the accuracy rate can reach more than 92.6%.

The embodiments described in this specification are merely illustrative of implementations of the inventive concepts, which are intended for purposes of illustration only. The scope of the present invention should not be construed as being limited to the particular forms set forth in the examples, but rather as being defined by the claims and the equivalents thereof which can occur to those skilled in the art upon consideration of the present inventive concept.

Claims (5)

1. A non-invasive application off-line attack method based on side channel power consumption analysis is characterized by comprising the following steps:

(1) data acquisition: setting an automatic data acquisition platform, measuring the power consumption of notebook computers and desktop computers of different operating systems and different brands by using an open-close type current transformer, and acquiring power consumption leakage data of a plurality of different application programs when the application programs run on the computers by using a sound card so as to monitor the power consumption of target equipment;

(2) data processing: carrying out data segmentation on the power consumption signal, separating different running states of the application program from the collected sound file, and dividing the one-time complete running process of the application program into three states of starting, waiting and closing;

(3) feature extraction: after different running states of the application program are separated from the collected sound file, characteristic extraction is carried out on the sound samples;

(4) application program classification: randomly selecting a sample from data collected by different devices as a training sample of the classifier, setting labels as different device models, inputting a signal into the classifier when an attacker obtains a power signal started by an application program, and then determining a device model according to a classification result.

2. The non-intrusive application offline attack method based on side-channel power consumption analysis according to claim 1, wherein the step (1) comprises the steps of:

1.1: an automatic data acquisition platform is arranged, and an open-close type current transformer is used for measuring the power consumption of notebook computers and desktop computers with different operating systems and brands. Acquiring power consumption leakage data of a plurality of different application programs when the application programs run on a computer through a sound card so as to monitor the power consumption of target equipment;

1.2: the platform realizes the automatic collection of experimental data for multiple times by means of communication among the devices, and the attack device and the target device are positioned in the same local area network in the data collection process in the training stage;

1.3: connecting one end of an open-close type current transformer to an audio interface of attack equipment, and placing a zero line of a patch board connected with target equipment in an induction area of the current transformer;

1.4: and acquiring power consumption data of the target equipment by controlling a sound card of the target equipment.

3. The non-intrusive application offline attack method based on side-channel power consumption analysis according to claim 1 or 2, wherein the step (2) comprises the steps of:

2.1: carrying out standardization processing on an original alternating current signal to enable the range of the original alternating current signal to be scaled to [ -3,3 ];

2.2: carrying out short-time energy summation on 882 points in the small window to obtain an energy value of each window;

2.3: and when the energy of one window exceeds the short-time energy average value, namely the energy is an effective part of the starting waveform, and the starting state waveform of the application program is separated.

4. The non-intrusive application off-line attack method based on side channel power consumption analysis as defined in claim 1 or 2, wherein the step (3) introduces a correlation coefficient for measuring the degree of correlation between two variables, and comprises the following steps:

3.1: carrying out short-time Fourier transform on the starting state waveform to obtain a time-frequency domain power consumption track;

3.2: and extracting and compressing important features of the time-frequency domain power consumption track by a principal component analysis method, and keeping the results of the first 32 dimensions as the features of the correlation calculation.

5. The non-intrusive application off-line attack method based on side-channel power consumption analysis of claim 4, wherein the principal component analysis method comprises the steps of:

3.2.1: calculating a sample power trajectory data set X ═ X₁,x₂,x₃,......x_nThe mean value of the samples of (u),

3.2.2: averaging each power track sample to obtain

3.2.3: solving covariance matrix by eigenvalue method

Characteristic value of (1 [ [ lambda ])₁,λ₂,λ₃,......,λ_n} and feature vector { ξ₁,ξ₂,ξ₃,......,ξ_n}；

3.2.4: sorting the eigenvalues from big to small, selecting the largest K eigenvalues, and taking the corresponding K eigenvectors as row vectors respectively to form an eigenvector matrix P;

3.2.5: converting the data into a space constructed by K eigenvectors, namely X' ═ PX;

3.2.6: after the input track X and the sample track Y are subjected to feature extraction according to the steps, a Pearson correlation coefficient is calculated, and the formula is as follows:

wherein,

is the average of the input trace and the samples.

Images