CN113378894B - Non-invasive application offline attack method based on side channel power consumption analysis - Google Patents

Abstract

A non-invasive application off-line attack method based on side channel power consumption analysis constructs a side channel attack classifier based on power consumption correlation through data acquisition, data processing, feature extraction, classification and other stages. The attacker collects physical leakage in the starting process of the application program, adopts a method of combining side channel power analysis and correlation calculation, presumes the starting state of the application program of the target device, classifies and identifies the starting state as a complete event, so as to know what application program the target device is running, presumes sensitive information of the application program by utilizing the information revealed by the target device, and obtains privacy of a user. Compared with the traditional invasive method based on the direct-current power supply side channel attack, the invention provides a non-invasive side channel attack method based on the alternating-current power supply, which has better concealment.

Description

Non-invasive application offline attack method based on side channel power consumption analysis

Technical Field

The invention relates to the technical field of side channel attack, in particular to a non-invasive application offline attack method based on power consumption correlation.

Background

With the rapid development of computer technology, modern computing devices dynamically adjust their power consumption to meet the demands of the workload. Computing devices have power consumption information that varies over time as they perform different tasks. Thus, as a typical side channel signal, the power consumption information of the device is often used for privacy detection and attack. An attacker may infer the current activity of a computing device by analyzing the power consumption information of the computing device. Traditional dc-based side channel attack methods are intrusive and require direct access to the internal components of the computing device, which is not practical.

Disclosure of Invention

In order to overcome the defects of the prior art, the invention provides a non-invasive application offline attack method based on side channel power consumption analysis.

The technical scheme adopted for solving the technical problems is as follows:

A non-invasive application offline attack method based on side channel power consumption analysis comprises the following steps:

(1) And (3) data acquisition: an automatic data acquisition platform is arranged, power consumption of different operating systems and different brands of notebook computers and desktop computers is measured by using an open-close type current transformer, and power consumption leakage data of a plurality of different application programs running on the computers are acquired through sound cards so as to monitor the power consumption of target equipment;

(2) And (3) data processing: the method comprises the steps of performing data segmentation on power consumption signals, separating different states of application program operation from collected sound files, and dividing a complete operation process of the application program into three states of starting, waiting and closing;

(3) Feature extraction: after different states of the running of the application program are separated from the collected sound files, extracting the characteristics of the sound samples;

(4) Application classification: and randomly selecting samples from data acquired from different devices as training samples of the classifier, setting labels to different device models, inputting the signals into the classifier when an attacker acquires power signals started by an application program, and then determining a device model according to classification results.

Further, the step (1) includes the steps of:

1.1: an automatic data acquisition platform is arranged, and an open-close type current transformer is used for measuring the power consumption of different operating systems, notebook computers of different brands and desktop computers. Collecting power consumption leakage data of a plurality of different application programs running on a computer through a sound card so as to monitor the power consumption of target equipment;

1.2: the platform realizes repeated cyclic automatic acquisition of experimental data by means of communication among devices, and the attack device and the target device are positioned in the same local area network in the data acquisition process of the training stage;

1.3: connecting one end of the open-close type current transformer to an audio interface of attack equipment, and placing a zero line of a patch board connected with target equipment in an induction area of the current transformer;

1.4: and collecting the power consumption data of the target equipment by controlling the sound card of the target equipment.

Still further, the step (2) includes the steps of:

2.1: normalizing the original AC signal to scale its range to [ -3,3];

2.2: short-time energy summation is carried out on 882 points in the small window, so that the energy value of each window is obtained;

2.3: when the energy of a window exceeds a certain threshold (the short-time energy average value in the invention), the effective part of the starting waveform is used for separating the starting state waveform of the application program.

Furthermore, the step (3) introduces a correlation coefficient for measuring the degree of correlation between two variables; in the invention, a specific application program always presents a similar curve on a starting power track, and the power tracks of different application programs in the starting process have distinguishable differences; and according to the correlation coefficient, the matching degree of the actually detected power track and the power track with the label in the sample database can be deduced, and the sample label with the highest matching degree is selected as a final judging result.

The step (3) introduces a correlation coefficient for measuring the degree of correlation between two variables, and comprises the following steps:

3.1: performing short-time Fourier transform on the starting state waveform to obtain a time-frequency domain power consumption track;

3.2: and extracting and compressing important characteristics of the time-frequency domain power consumption track by a principal component analysis method, and reserving the results of the first 32 dimensions as the characteristics of correlation calculation.

The principal component analysis method includes the steps of:

3.2.1: a sample mean mu of the sample power trace dataset x= { X ₁,x₂,x₃,......x_n } is calculated,

3.2.2: The average value of each power trace sample is removed (namely the center is removed) to obtain

3.2.3: Solving covariance matrix by eigenvalue methodEigenvalues { lambda ₁,λ₂,λ₃,......,λ_n } and eigenvectors { ζ ₁,ξ₂,ξ₃,......,ξ_n };

3.2.4: sorting the characteristic values from large to small, selecting the K maximum characteristic values, and respectively taking the K corresponding characteristic vectors as row vectors to form a characteristic vector matrix P;

3.2.5: the data is converted into a space constructed of K eigenvectors, i.e., X' =px.

3.2.6: After the input track X and the sample track Y are subjected to feature extraction according to the steps, the Pearson correlation coefficient is calculated, and the formula is as follows:

wherein, Is the average of the input trajectory and the sample.

The beneficial effects of the invention are mainly shown in the following steps: compared with the traditional invasive method based on the direct-current power supply side channel attack, the non-invasive side channel attack method based on the alternating-current power supply is provided, and better concealment is achieved.

Drawings

Fig. 1 is a schematic diagram of a "known device" attack scenario.

Fig. 2 is a schematic diagram of a "configuration device" attack scenario.

Fig. 3 is a schematic diagram of an "unknown device" attack scenario.

Fig. 4 is a block diagram of an application detection architecture based on side channel power consumption analysis.

Fig. 5 is a block diagram of a side channel attack architecture.

FIG. 6 is a flow chart of data acquisition of a non-invasive application offline attack method based on side channel power consumption analysis in an embodiment of the present invention;

FIG. 7 is a data processing flow chart of a non-invasive application offline attack method based on side channel power consumption analysis in an embodiment of the present invention;

Fig. 8 is a flow chart of feature extraction of a non-invasive application offline attack method based on side channel power consumption analysis according to an embodiment of the present invention.

Fig. 9 is a flow chart of principal component analysis of a non-invasive application offline attack method based on side channel power consumption analysis according to an embodiment of the present invention.

Detailed Description

The invention is further described below with reference to the accompanying drawings.

Referring to fig. 1 to 9, an off-line attack method for an application program based on a power consumption correlation degree is characterized by comprising attack equipment (desktop/notebook computer), target equipment (desktop/notebook computer), an open-close current transformer (SCT 010) and a patch board;

"known device" attack scenario: a schematic diagram of a "known device" attack scenario is shown in fig. 1. In this attack scenario, the attacker obtains some power consumption leakage information on the victim target device, as well as the true case of the leakage. This may occur if the victim inadvertently provides some application examples to the attacker during chat, such leakage being referred to as the victim's "tag data", corresponds to the most ideal attack scenario. For the authenticity of the attack, the amount of marking data should be limited to only a few samples per application. The attacker has the most relevant information to the victim in this scenario.

"Configure device" attack scenario: a schematic diagram of a "configure device" attack scenario is shown in fig. 2. In this scenario, the attacker does not have any tag data from the victim target device. During the training phase, an attacker may collect power consumption data from the same type of device as the victim target device and take it as a training set for the experiment. The training set models data acquired by an attacker, so that the power consumption mode of the attack device is analyzed in the attack stage, and the application program which is being started is presumed.

"Unknown device" attack scenario: a schematic diagram of an "unknown device" attack scenario is shown in fig. 3. The "unknown device" attack scenario is the most challenging and most realistic attack scenario. The attacker does not have any training data for the victim target device and the information obtained is limited to power consumption leakage of the victim. The goal of an attacker is to infer the victim's device and the running application, and this information can be used to launch an attack once the attacker knows the model of the current target device by analysis, assuming that the attacker has saved a power consumption database of past attacks. In this scenario, a side channel attack initiated by an attacker requires target device detection and application detection.

During an attack, the victim runs some application on the target device. In all of the scenarios presented in section 1.1, the attacker has performed ac power tracking on the victim's computer. Fig. 4 is a block diagram of an application detection structure based on side channel power consumption analysis, and the block diagram is divided into a training stage and an attack stage.

Training phase: in the training stage, an attacker collects power consumption training data of a target application program on target equipment or equipment with the same model as the target equipment. Firstly, the acquired alternating current signal is standardized to scale the range to [ -3,3], then the short-time energy summation is carried out on the points in the small window, and the effective part of the starting waveform is segmented according to the threshold value. And finally, extracting the characteristics of the segmented starting state waveform, and inputting the characteristic to a classifier for training. The training phase also includes training of a learning model, such as a supervised classifier, to generate an offline database for invocation by the attack detection phase.

Attack stage: the attack phase typically consists of three steps. (1) Placing the current sensor on a zero line of a patch board connected with target equipment or a zero line of a corresponding ammeter, and waiting for starting a target application program; (2) Observing the leaked side channel information based on the collected information; (3) using the previously established model to infer sensitive information.

In the "known device" scenario and the "configured device" scenario, an attacker obtains a corresponding power consumption trace on the target device ("known device" scenario) or the same model of device ("configured device" scenario). As shown in the side channel attack structural block diagram 5 of the two cases, an attacker firstly preprocesses the collected power consumption tracks, then segments the preprocessed data, extracts the effective waveforms of the starting stage of the application program as the characteristics thereof, and finally uses the obtained data as a training set to classify the application program.

In the "unknown device" analysis scenario, since the target device of the victim is not known to the attacker, it is necessary to first identify the target device class from its traffic power track and then use the correct training data to classify the running application.

The invention provides a non-invasive application off-line attack method based on side channel power consumption analysis, which constructs a side channel attack classifier based on power consumption correlation through the stages of data acquisition, data processing, feature extraction, classification and the like, and introduces the 3 stages respectively with reference to figures 6-8.

A non-invasive application offline attack method based on side channel power consumption analysis comprises the following steps:

(1) And (3) data acquisition: an automatic data acquisition platform is arranged, power consumption of different operating systems and different brands of notebook computers and desktop computers is measured by using an open-close type current transformer, and power consumption leakage data of a plurality of different application programs running on the computers are acquired through sound cards so as to monitor the power consumption of target equipment;

(2) And (3) data processing: the method comprises the steps of performing data segmentation on power consumption signals, separating different states of application program operation from collected sound files, and dividing a complete operation process of the application program into three states of starting, waiting and closing;

(3) Feature extraction: after different states of the running of the application program are separated from the collected sound files, extracting the characteristics of the sound samples;

(4) Application classification: and randomly selecting samples from data acquired from different devices as training samples of the classifier, setting labels to different device models, inputting the signals into the classifier when an attacker acquires power signals started by an application program, and then determining a device model according to classification results.

As shown in fig. 6, the non-invasive application offline attack method based on side channel power consumption analysis of the present invention performs data acquisition according to the following steps:

1.1: an automatic data acquisition platform is arranged, and an open-close type current transformer is used for measuring the power consumption of different operating systems, notebook computers of different brands and desktop computers. Collecting power consumption leakage data of a plurality of different application programs running on a computer through a sound card so as to monitor the power consumption of target equipment;

1.2: the platform realizes repeated cyclic automatic acquisition of experimental data by means of communication among devices, and the attack device and the target device are positioned in the same local area network in the data acquisition process of the training stage;

1.3: connecting one end of the open-close type current transformer to an audio interface of attack equipment, and placing a zero line of a patch board connected with target equipment in an induction area of the current transformer;

1.4: and collecting the power consumption data of the target equipment by controlling the sound card of the target equipment.

As shown in fig. 7, the non-invasive application offline attack method based on side channel power consumption analysis of the present invention performs data processing according to the following steps:

2.1: normalizing the original AC signal to scale its range to [ -3,3];

2.2: short-time energy summation is carried out on 882 points in the small window, so that the energy value of each window is obtained;

2.3: when the energy of a window exceeds a certain threshold (the short-time energy average value in the invention), the effective part of the starting waveform is used for separating the starting state waveform of the application program.

As shown in fig. 8, the non-invasive application offline attack method based on side channel power consumption analysis of the present invention performs feature extraction according to the following steps:

3.1: performing short-time Fourier transform on the starting state waveform to obtain a time-frequency domain power consumption track;

3.2: and extracting and compressing important characteristics of the time-frequency domain power consumption track by a principal component analysis method, and reserving the results of the first 32 dimensions as the characteristics of correlation calculation.

Fig. 9 shows a non-invasive application off-line attack method based on side channel power consumption analysis, according to the present invention, the principal component analysis is performed according to the following steps:

3.2.1: a sample mean mu of the sample power trace dataset x= { X ₁,x₂,x₃,......x_n } is calculated,

3.2.2: The average value of each power trace sample is removed (namely the center is removed) to obtain

3.2.3: Solving covariance matrix by eigenvalue methodEigenvalues { lambda ₁,λ₂,λ₃,......,λ_n } and eigenvectors { ζ ₁,ξ₂,ξ₃,......,ξ_n };

3.2.4: sorting the characteristic values from large to small, selecting the K maximum characteristic values, and respectively taking the K corresponding characteristic vectors as row vectors to form a characteristic vector matrix P;

3.2.5: converting the data into a space constructed by K eigenvectors, i.e., X' =px;

3.2.6: after the input track X and the sample track Y are subjected to feature extraction according to the steps, the Pearson correlation coefficient is calculated, and the formula is as follows:

wherein, Is the average of the input trajectory and the sample.

By adopting the non-invasive application program offline attack method based on the side channel power consumption analysis, a classifier based on the power consumption correlation is constructed through the stages of data acquisition, data processing, feature extraction, classification and the like, and the side channel attack performance of the proposed classifier is evaluated. The experiment is mainly aimed at the three attack scenes of known equipment, configured equipment and unknown equipment, the Top-n accuracy is adopted to evaluate the side channel attack performance based on power consumption analysis under the offline condition, the side channel attack effects of an attacker on target equipment of different brands and different systems are good, and the accuracy can reach more than 92.6%.

The embodiments described in this specification are merely illustrative of the manner in which the inventive concepts may be implemented. The scope of the present invention should not be construed as being limited to the specific forms set forth in the embodiments, but the scope of the present invention and the equivalents thereof as would occur to one skilled in the art based on the inventive concept.

Claims (4)

1. A non-intrusive application offline attack method based on side channel power consumption analysis, the method comprising the steps of:

(1) And (3) data acquisition: an automatic data acquisition platform is arranged, power consumption of different operating systems and different brands of notebook computers and desktop computers is measured by using an open-close type current transformer, and power consumption leakage data of a plurality of different application programs running on the computers are acquired through sound cards so as to monitor the power consumption of target equipment;

(2) And (3) data processing: the method comprises the steps of performing data segmentation on power consumption signals, separating different states of application program operation from collected sound files, and dividing a complete operation process of the application program into three states of starting, waiting and closing;

(3) Feature extraction: after different states of the running of the application program are separated from the collected sound files, extracting the characteristics of the sound samples;

(4) Application classification: randomly selecting samples from data acquired from different devices as training samples of a classifier, setting labels to different device models, inputting the signals into the classifier when an attacker acquires power signals started by an application program, and then determining the device model according to classification results;

The step (1) comprises the following steps:

1.1: an automatic data acquisition platform is arranged, power consumption of different operating systems and different brands of notebook computers and desktop computers is measured by using an open-close type current transformer, and power consumption leakage data of a plurality of different application programs running on the computers are acquired through sound cards so as to monitor the power consumption of target equipment;

1.2: the platform realizes repeated cyclic automatic acquisition of experimental data by means of communication among devices, and the attack device and the target device are positioned in the same local area network in the data acquisition process of the training stage;

1.3: connecting one end of the open-close type current transformer to an audio interface of attack equipment, and placing a zero line of a patch board connected with target equipment in an induction area of the current transformer;

1.4: and collecting the power consumption data of the target equipment by controlling the sound card of the target equipment.

2. The non-invasive application offline attack method based on side-channel power consumption analysis according to claim 1, wherein said step (2) comprises the steps of:

2.1: normalizing the original AC signal to scale its range to [ -3,3];

2.2: short-time energy summation is carried out on 882 points in the small window, so that the energy value of each window is obtained;

2.3: when the energy of one window exceeds the short-time energy average value, the effective part of the starting waveform is used for separating the starting state waveform of the application program.

3. The method for off-line attack of non-invasive application program based on side channel power consumption analysis according to claim 1, wherein said step (3) introduces a correlation coefficient for measuring the degree of correlation between two variables, comprising the steps of:

3.1: performing short-time Fourier transform on the starting state waveform to obtain a time-frequency domain power consumption track;

3.2: and extracting and compressing important characteristics of the time-frequency domain power consumption track by a principal component analysis method, and reserving the results of the first 32 dimensions as the characteristics of correlation calculation.

4. The non-intrusive application offline attack method based on side-channel power consumption analysis of claim 3, wherein the principal component analysis method comprises the steps of:

3.2.1: a sample mean mu of the sample power trace dataset x= { X ₁,x₂,x₃,......x_n } is calculated,

3.2.2: Removing average value of each power track sample to obtain

3.2.3: Solving covariance matrix by eigenvalue methodEigenvalues { lambda ₁,λ₂,λ₃,......,λ_n } and eigenvectors { ζ ₁,ξ₂,ξ₃,......,ξ_n };

3.2.4: sorting the characteristic values from large to small, selecting the K maximum characteristic values, and respectively taking the K corresponding characteristic vectors as row vectors to form a characteristic vector matrix P;

3.2.5: converting the data into a space constructed by K eigenvectors, i.e., X' =px;

3.2.6: after the input track X and the sample track Y are subjected to feature extraction according to the steps, the Pearson correlation coefficient is calculated, and the formula is as follows:

wherein, Is the average of the input trajectory and the sample.