CN117688558A - Terminal attack lightweight detection method and device based on microstructure abnormal event - Google Patents


Publication number
CN117688558A
Authority
CN
China
Prior art keywords
microstructure
event data
feature vector
event
detection model
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202410145365.7A
Other languages
Chinese (zh)
Other versions
CN117688558B (en)
Inventor
周少鹏
王滨
胡峰俊
毕志城
刘帅
朱伟康
王旭
张峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Hikvision Digital Technology Co Ltd
Original Assignee
Hangzhou Hikvision Digital Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Hikvision Digital Technology Co Ltd
Priority to CN202410145365.7A
Publication of CN117688558A
Application granted
Publication of CN117688558B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06F18/2411 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on the proximity to a decision surface, e.g. support vector machines

Abstract

The application provides a lightweight detection method and device for terminal attacks based on microstructure abnormal events. The method comprises: acquiring microstructure event data of a specified type, where the specified type of microstructure event data comprises N1 different types of microstructure event data, the microstructure event data are obtained by monitoring microstructure events while the specified intelligent terminal device runs in the specified running environment, and N1 ≥ 2; training an anomaly detection model based on a single-classification Support Vector Machine (SVM) according to the obtained microstructure event data to obtain a trained anomaly detection model; and performing attack detection on the intelligent terminal device to be detected by using the trained anomaly detection model. The method can improve the comprehensiveness and accuracy of attack detection and reduce the requirement of attack detection on hardware resources.

Description

Terminal attack lightweight detection method and device based on microstructure abnormal event
Technical Field
The application relates to the technical field of information security, in particular to a lightweight detection method and device for terminal attack based on microstructure abnormal events.
Background
With the rapid development of the Internet of Things (IoT for short), the number of connected devices and the amount of information handled through the internet have increased significantly. Accordingly, network attacks against vulnerable Internet of Things devices have also increased dramatically.
A hardware micro-architecture attack (abbreviated as a microstructure attack) is a common network attack against Internet of Things devices. A microstructure attack can not only reveal confidential information to an attacker through shared processor resources such as caches, branch predictors and various functional units, but can also completely compromise embedded system devices, thereby forming a serious threat to the security of the Internet of Things.
Traditional signature-based antivirus software cannot effectively detect microstructure attacks.
Disclosure of Invention
In view of this, the present application provides a method and a system for lightweight detection of terminal attacks based on microstructure anomalies.
Specifically, the application is realized by the following technical scheme:
According to a first aspect of an embodiment of the present application, there is provided a method for lightweight detection of a terminal attack based on a microstructure anomaly event, including:
acquiring microstructure event data of a specified type; the specified type of microstructure event data comprises N1 different types of microstructure event data; the microstructure event data are obtained by monitoring microstructure events in the running process of the specified intelligent terminal equipment in the specified running environment; N1 ≥ 2;
training an anomaly detection model based on a single-classification Support Vector Machine (SVM) according to the obtained microstructure event data to obtain a trained anomaly detection model; the trained anomaly detection model is used for carrying out attack detection on the intelligent terminal equipment to be detected.
According to a second aspect of embodiments of the present application, there is provided a terminal attack lightweight detection device based on a microstructure anomaly event, including:
an acquisition unit for acquiring microstructure event data of a specified type; the specified type of microstructure event data comprises N1 different types of microstructure event data; the microstructure event data are obtained by monitoring microstructure events in the running process of the specified intelligent terminal equipment in the specified running environment; N1 ≥ 2;
a training unit for training the anomaly detection model based on the single-classification Support Vector Machine (SVM) according to the acquired microstructure event data to obtain a trained anomaly detection model; the trained anomaly detection model is used for carrying out attack detection on the intelligent terminal equipment to be detected.
According to a third aspect of embodiments of the present application, there is provided an electronic device comprising a processor and a memory, wherein:
the memory is used for storing a computer program;
and the processor is configured to implement the method provided in the first aspect when executing the program stored in the memory.
According to a fourth aspect of embodiments of the present application, there is provided a computer program product having a computer program stored therein, which when executed by a processor implements the method provided by the first aspect.
According to the terminal attack lightweight detection method based on microstructure abnormal events, microstructure event data of a specified type are acquired, and an anomaly detection model based on a single-classification SVM is trained according to the acquired microstructure event data to obtain a trained anomaly detection model, which can then be used for attack detection on the intelligent terminal equipment to be detected. Performing attack detection according to microstructure event data improves the comprehensiveness and accuracy of attack detection and provides technical support for the detection of unknown microstructure attacks. In addition, compared with service application data such as network traffic, each item of microstructure event data is smaller and simpler, and detecting microstructure abnormal events with the single-classification SVM effectively reduces the requirements of attack detection on equipment performance and hardware resources, thereby realizing lightweight attack detection.
Drawings
Fig. 1 is a schematic flow chart of a lightweight detection method for a terminal attack based on a microstructure abnormal event according to an exemplary embodiment of the present application;
Fig. 2 is a schematic diagram of an implementation flow of an anomaly-based device detector for internet of things according to an exemplary embodiment of the present application;
Fig. 3 is a schematic structural diagram of a lightweight detection device for a terminal attack based on a microstructure abnormal event according to an exemplary embodiment of the present application;
Fig. 4 is a schematic hardware structure of an electronic device according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present application as detailed in the accompanying claims.
The terminology used in the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the present application. As used in this application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
In order to enable those skilled in the art to better understand the technical solutions provided in the embodiments of the present application, some technical terms related to the embodiments of the present application are described below.
1. Hardware microarchitecture (microstructure for short): refers to the internal design and organization of computer processors. It determines the actual implementation, resource allocation, and data flow of the computer in executing instructions and operations. The hardware microarchitecture defines the individual components, circuits, and functional modules in the processor and specifies the manner in which they communicate and cooperate. These components include Central Processing Units (CPUs), register files, Arithmetic Logic Units (ALUs), caches, instruction and data buses, and the like. The design of hardware microarchitecture involves many aspects such as pipeline architecture, Instruction Set Architecture (ISA), branch prediction, out-of-order execution, superscalar design, multi-core processing, and so forth.
2. Hardware microarchitectural events (microstructural events for short): refers to various events that occur at the hardware microarchitecture level of the processor. These events are typically related to operations, state changes, and performance within the processor. Hardware microarchitectural events can be monitored and recorded by hardware performance counters (Hardware Performance Counters). Different processor architectures and vendors may provide different microarchitectural events, and each event may have a particular encoding or identifier.
By way of example, common hardware microarchitectural events may include:
Instruction execution events: including the total number of instruction executions, the number of executions of a particular type of instruction (e.g., integer instructions, floating point instructions, vector instructions, etc.).
Cache access events: including the number of cache hits, the number of cache reads and writes, the number of cache misses, etc.
Branch prediction events: including the number of branch prediction hits, the number of branch prediction errors, the total number of branch instructions, etc.
Instruction cycle events: including the total number of cycles, the number of cycles that occupy processor time, the number of idle cycles, etc.
Data-dependency events: including the number of data-dependency conflicts, data-dependency delays, etc.
Exception and interrupt events: including the number of exceptions and interrupts that occur, and the response of the processor to them.
By monitoring and analyzing hardware microarchitectural events, developers can learn about the performance status, bottlenecks, and optimization potential of a processor in executing tasks. These events can be used in performance analysis, debugging, optimization, and system level problem diagnosis.
3. Hardware performance counter: a special set of registers within the computer processor, used to record and monitor various performance indicators and events while the processor is running. These counters may provide detailed information about processor execution, helping programmers and system developers to perform performance analysis, optimization, and debugging.
In order to make the above objects, features and advantages of the embodiments of the present application more comprehensible, the following describes the technical solutions of the embodiments of the present application in detail with reference to the accompanying drawings.
Referring to fig. 1, a flow chart of a method for lightweight detection of a terminal attack based on a microstructure abnormal event according to an embodiment of the present application is provided, where the method may be applied to a server device, as shown in fig. 1, and the method for lightweight detection of a terminal attack based on a microstructure abnormal event may include the following steps:
Step S100, acquiring microstructure event data of a specified type; the specified type of microstructure event data includes N1 different types of microstructure event data; the microstructure event data are obtained by monitoring microstructure events in the running process of the specified intelligent terminal equipment in the specified running environment; N1 ≥ 2.
In the embodiment of the application, the occurrence of microstructure events differs markedly between the case where the intelligent terminal equipment is in normal operation (not attacked) and the case where the intelligent terminal equipment is attacked.
Therefore, whether the intelligent terminal equipment is attacked or not can be determined according to whether the microstructure event data is abnormal or not by acquiring the microstructure event data.
By way of example, the intelligent terminal device may include, but is not limited to, resource-constrained Internet of Things devices such as front-end acquisition devices (such as a camera), back-end storage devices (such as an NVR (Network Video Recorder) or a DVR (Digital Video Recorder)) or access control devices.
Furthermore, considering that attacks ultimately target data, caches, stacks, etc., an attack may trigger some relatively representative microstructure events or cause the frequency of some microstructure events to change.
Accordingly, the microstructure event data of the specified type (i.e., the data of the microstructure events of the specified type, such as the number of occurrences in the specified period) can be obtained by monitoring the microstructure events of the specified intelligent terminal device while it runs in the specified running environment.
By way of example, the designated intelligent terminal device refers to an intelligent terminal device for acquiring training data.
By way of example, the specified type of microstructure event data may include microstructure events associated with common attacks against the intelligent terminal device.
Illustratively, the specified type of microstructure event data includes N1 (N1 ≥ 2) different types of microstructure event data.
In some embodiments, the specified types of events described above may include, but are not limited to, a plurality of the following 12 types of microstructure events:
1) Last-level cache reference events (LLC references);
2) Last-level cache miss events (LLC misses);
3) Branch instruction retirement events (branches);
4) Mispredicted branch retirement events (branch mispredictions);
5) L1 data cache load events (L1 d-cache loads);
6) L1 data cache load miss events (L1 d-cache load misses);
7) L1 data cache store events (L1 d-cache stores);
8) L1 data cache store miss events (L1 d-cache store misses);
9) L1 instruction cache load miss events (i-cache misses);
10) Data TLB (Translation Lookaside Buffer, address translation cache) load miss events (dTLB load misses);
11) Data TLB store miss events (dTLB store misses);
12) Instruction TLB load miss events (iTLB load misses).
Step S110, training an anomaly detection model based on a single-classification SVM according to the obtained microstructure event data to obtain a trained anomaly detection model; the trained anomaly detection model is used for carrying out attack detection on the intelligent terminal equipment to be detected.
In the embodiment of the application, an attack on the intelligent terminal equipment is considered to be an event with relatively low probability compared with the normal operation of the intelligent terminal equipment. Relative to microstructure events in the case of normal operation of the intelligent terminal device (which may be referred to as normal events), microstructure abnormal events (microstructure events in the case of an attack on the intelligent terminal device) are rare instances. Identifying the abnormal data in the data by anomaly detection can therefore be regarded as a single classification problem.
Therefore, in order to realize lower resource consumption and more efficient anomaly detection and reduce the requirement of anomaly detection on a deployment environment (hardware environment), a single-classification SVM (Support Vector Machine) can be adopted to realize detection of microstructure anomaly events, thereby realizing attack detection for intelligent terminal equipment.
Accordingly, training of the anomaly detection model based on the single-classification SVM can be performed according to the microstructure event data obtained in the step S110, and a trained anomaly detection model is obtained.
In this embodiment of the present application, in the case where a trained anomaly detection model is obtained in the manner described in the foregoing embodiment, attack detection may be performed on an intelligent terminal device to be detected using the trained anomaly detection model.
The intelligent terminal equipment to be detected is an intelligent terminal equipment which needs to use the technical scheme provided by the embodiment of the application for attack detection.
For example, a microstructure event corresponding to an input of the anomaly detection model may be determined based on the input of the anomaly detection model.
For example, the microstructure events corresponding to the input of the anomaly detection model may include some or all of the specified types of microstructure events described above.
Microstructure events of the intelligent terminal equipment to be detected can be monitored to acquire the microstructure event data corresponding to the input of the anomaly detection model (microstructure event data for attack detection), and the trained anomaly detection model can then be used, according to the acquired microstructure event data, to determine whether microstructure anomaly events exist, so as to determine whether the intelligent terminal equipment is attacked.
In one example, the to-be-detected intelligent terminal device may acquire the microstructure event data for attack detection and upload the microstructure event data to the server device, where the server device may perform attack detection on the intelligent terminal device by using the trained anomaly detection model according to the microstructure event data for attack detection uploaded by the to-be-detected intelligent terminal device.
In another example, the server device may issue the trained anomaly detection model to the to-be-detected intelligent terminal device, and the to-be-detected intelligent terminal device performs attack detection by using the trained anomaly detection model, so as to improve attack detection efficiency.
It can be seen that, in the method flow shown in fig. 1, microstructure event data of a specified type are acquired, and an anomaly detection model based on a single-classification SVM is trained according to the acquired microstructure event data to obtain a trained anomaly detection model, which is then used to perform attack detection on the intelligent terminal device to be detected. Performing attack detection according to microstructure event data improves the comprehensiveness and accuracy of attack detection and provides technical support for the detection of unknown microarchitecture attacks. In addition, compared with service application data such as network traffic, each item of microstructure event data is smaller and simpler, and detecting microstructure abnormal events with the single-classification SVM effectively reduces the requirements of attack detection on equipment performance and hardware resources, thereby realizing lightweight attack detection.
In some embodiments, the microstructure event data is obtained by:
performing microstructure event monitoring on each of a plurality of specified intelligent terminal devices while they run in a running environment without attack, to acquire a first quantity of microstructure event data of the specified type;
and,
performing microstructure event monitoring on each of the plurality of specified intelligent terminal devices while they run in an attacked running environment, to acquire a second quantity of microstructure event data of the specified type;
wherein the system settings and the running programs of the different specified intelligent terminal devices are consistent.
For example, in consideration of that different intelligent terminal devices have certain differences in the same service and the same running state, in order to improve the generalization degree of data, in the process of acquiring the microstructure event data, the microstructure event data acquisition can be performed on a plurality of (two or more) intelligent terminal devices running in the same environment.
In addition, so that being attacked or not attacked is the only variable that differs between the microstructure events acquired in the different running environments, the system settings and running programs of the different intelligent terminal devices are kept consistent when the microstructure events are acquired in the different running environments.
Correspondingly, while the plurality of specified intelligent terminal devices run in a running environment without attack, microstructure event monitoring can be performed on each of them to acquire a first quantity of microstructure event data of the specified type;
and,
while the specified intelligent terminal devices run in an attacked running environment, microstructure event monitoring can be performed on each of them to acquire a second quantity of microstructure event data of the specified type.
For example, the first quantity and the second quantity may be the same or different.
In one example, an anomaly detection model based on a single classification SVM is trained by:
generating a training set and a testing set according to the first quantity of the microstructure event data of the specified type and the second quantity of the microstructure event data of the specified type;
and carrying out iterative training on the anomaly detection model based on the single-classification SVM by using the training set until the detection accuracy of the trained anomaly detection model on the testing set meets the preset condition, and/or the training round reaches the preset maximum round.
For example, in an actual application scenario, while the intelligent terminal device runs in an attacked running environment, its microstructure events usually show an abnormality after a period of time. When the microstructure events are abnormal, the intelligent terminal device usually restarts automatically; once the restart is complete, its microstructure events return to normal and show an abnormality again after a period of time, and the cycle repeats.
Therefore, when microstructure event monitoring is performed on the intelligent terminal device while it runs in the attacked running environment, most of the acquired microstructure event data of the specified type are microstructure event data in a normal state, and the other part are microstructure event data in an abnormal state (the proportion is usually extremely low, usually not more than 1-2%).
Accordingly, in the first quantity of microstructure event data of the specified type and the second quantity of microstructure event data of the specified type obtained in the above manner, most of the microstructure event data are in a normal state (corresponding to positive samples), and a very small part (whose proportion is lower than a preset proportion threshold, which can be set according to actual requirements, such as 1%) are in an abnormal state (corresponding to negative samples).
In the process of training the anomaly detection model based on the single-classification SVM with the microstructure event data obtained in this way, most training samples are positive samples, and a very small part of the training samples are abnormal samples.
Illustratively, a training set and a test set are generated from a first number of specified types of microstructure event data and a second number of specified types of microstructure event data acquired in the manner described above.
For example, 80% of the acquired microstructure event data may be used as a training set, and the remaining 20% may be used as a test set.
The anomaly detection model based on the single-classification SVM may be iteratively trained using the training set, and the training is determined to be complete if at least one of the following conditions is met:
1. The detection accuracy of the trained anomaly detection model on the test set meets the preset condition, for example: the detection accuracy exceeds a preset accuracy threshold; or the improvement in detection accuracy on the test set between the anomaly detection models obtained by two consecutive iterations is smaller than a preset threshold; or the detection accuracy exceeds the preset accuracy threshold and the improvement in detection accuracy on the test set between the anomaly detection models obtained by two consecutive iterations is smaller than the preset threshold.
2. The training round reaches the preset maximum round.
As an example, the iterative training of the anomaly detection model based on the single classification SVM using the training set may include:
Using an SVDD (Support Vector Data Description) algorithm, iteratively training the anomaly detection model based on the single-classification SVM with the training set.
For example, the SVDD algorithm may be used to perform anomaly detection model training, map the training set to a particular feature space, and find an optimal hypersphere in the space to describe the distribution of normal data.
Because the training data include a very small part of negative samples, when the anomaly detection model is trained with the SVDD algorithm, the boundary of the optimal hypersphere is made to approach the abnormal data as closely as possible while keeping normal data inside the hypersphere as far as possible and abnormal data outside the hypersphere. That is, the optimal hypersphere contains as much of the normal data as possible and avoids containing abnormal data as far as possible, which reduces the cases where normal data are detected as abnormal data and improves the anomaly detection accuracy.
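The hypersphere fit described above, as an added example that is not code from the patent: an RBF-kernel SVDD dual solved by pairwise (SMO-style) updates on constructed, already-scaled 3-dimensional feature vectors of which 1.5% are abnormal. The kernel, `nu`, `gamma`, the solver and all data are assumptions of this example; labels are not used in training, and the weight cap C = 1/(nu*n) is what leaves the abnormal samples outside the sphere.

```python
import math
import random


def rbf(a, b, gamma):
    """Gaussian kernel: the implicit mapping into the feature space."""
    return math.exp(-gamma * sum((x - y) ** 2 for x, y in zip(a, b)))


def train_svdd(X, nu=0.1, gamma=0.05, tol=1e-3, max_iter=5000):
    """Fit the SVDD hypersphere by solving its dual with pairwise updates.

    Dual (RBF, so K_ii = 1): minimise a'Ka with sum(a) = 1 and 0 <= a_i <= C.
    C = 1/(nu*n) caps each sample's weight, so at most nu*n training samples
    can lie outside the sphere; isolated abnormal samples hit the cap first.
    """
    n = len(X)
    C = 1.0 / (nu * n)
    eps = 1e-12
    K = [[rbf(a, b, gamma) for b in X] for a in X]
    alpha = [1.0 / n] * n                # feasible start
    g = [sum(row) / n for row in K]      # g = K @ alpha, kept up to date
    for _ in range(max_iter):
        # Most violating pair: i may still gain weight, j may still lose it.
        i = min((k for k in range(n) if alpha[k] < C - eps), key=g.__getitem__)
        j = max((k for k in range(n) if alpha[k] > eps), key=g.__getitem__)
        if g[j] - g[i] < tol:
            break
        eta = max(2.0 - 2.0 * K[i][j], eps)
        delta = min((g[j] - g[i]) / eta, C - alpha[i], alpha[j])
        alpha[i] += delta
        alpha[j] -= delta
        for k in range(n):
            g[k] += delta * (K[k][i] - K[k][j])
    center_norm2 = sum(a * gk for a, gk in zip(alpha, g))  # a'Ka
    # Radius: farthest training sample whose weight is below the cap.
    g_boundary = min(g[k] for k in range(n) if alpha[k] < C - eps)
    return {
        "support": [(a, x) for a, x in zip(alpha, X) if a > eps],
        "gamma": gamma,
        "center_norm2": center_norm2,
        "r2": 1.0 - 2.0 * g_boundary + center_norm2,
    }


def dist2(model, z):
    """Squared feature-space distance from z to the sphere centre."""
    s = sum(a * rbf(x, z, model["gamma"]) for a, x in model["support"])
    return 1.0 - 2.0 * s + model["center_norm2"]


def is_anomalous(model, z, slack=1e-9):
    """True when z falls outside the hypersphere (slack absorbs rounding)."""
    return dist2(model, z) > model["r2"] + slack


def constructed_training_set(seed=7, n_normal=197, n_abnormal=3):
    """Constructed data: scaled per-period counts for three event types."""
    rng = random.Random(seed)
    normal = [[rng.gauss(0, 1) for _ in range(3)] for _ in range(n_normal)]
    abnormal = [[rng.gauss(8, 0.3) for _ in range(3)] for _ in range(n_abnormal)]
    return normal, abnormal


if __name__ == "__main__":
    normal, abnormal = constructed_training_set()
    model = train_svdd(normal + abnormal)
    for name, z in [("typical period", [0.0, 0.0, 0.0]),
                    ("like the abnormal training data", [7.6, 8.3, 7.9]),
                    ("deviation not seen in training", [9.0, -1.0, 0.0])]:
        print(f"{name}: anomalous={is_anomalous(model, z)}")
    flagged = sum(is_anomalous(model, x) for x in normal)
    print(f"normal training samples outside the sphere: {flagged}/{len(normal)}")
```

Lowering `nu` moves the boundary outward and reduces false alarms on normal data, but once `nu*n` approaches the number of abnormal training samples the sphere starts to absorb them.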
In some embodiments, training the anomaly detection model based on the single-classification support vector machine SVM according to the obtained microstructure event data to obtain a trained anomaly detection model may include:
Generating an initial feature vector according to the acquired microstructure event data; the initial feature vector is an N1-dimensional feature vector, and one element in the initial feature vector corresponds to one type of microstructure event;
performing feature selection on the initial feature vector by using a filtering algorithm to obtain a classified feature vector; the classification feature vector is an N2-dimensional feature vector, and N2 is less than N1;
and training an anomaly detection model based on the single-classification SVM by using the classification feature vector to obtain a trained anomaly detection model.
For example, to reduce the workload of training the anomaly detection model and improve its training efficiency, a filtering algorithm may be used to perform feature selection on the feature vectors generated from the obtained microstructure event data, thereby reducing the dimension of the feature vectors.
For example, for the microstructure event data acquired in the manner described in the above embodiments, an initial feature vector may be generated from the acquired microstructure event data.
The initial feature vector is an N1-dimensional feature vector, and one element in the initial feature vector corresponds to one type of microstructure event.
For example, for any microstructure event, the number of event occurrences of the microstructure event in a specified period, such as an update period of a hardware performance counter, may be used as an element corresponding to the microstructure event, so that an N1-dimensional initial feature vector may be generated according to the obtained microstructure event data of the specified type.
For example, a filtering algorithm may be used to perform feature selection on the initial feature vector to obtain a lower-dimensional classification feature vector, and the classification feature vector is then used to train the anomaly detection model based on the single-classification SVM to obtain a trained anomaly detection model.
In one example, the feature selection of the initial feature vector by using the filtering algorithm to obtain the classified feature vector includes:
and performing feature filtering on the initial feature vector by using a low variance filtering algorithm to obtain a classified feature vector.
By way of example, considering that the low variance feature is generally poorly correlated with the target variable (such as whether the microstructure event is abnormal or not), that is, the influence of the low variance feature on the target variable is small, filtering the low variance feature can reduce the workload of model training and improve the model training efficiency without significantly affecting the model performance.
In addition, the low variance features may cause over-fitting problems in the process of training the model, and by filtering the low variance features, the complexity of the model can be reduced, and the over-fitting risk can be reduced.
Accordingly, for the initial feature vector, a low variance filtering algorithm may be used to perform feature filtering on the initial feature vector, removing features in the dataset that have low variance compared to other features.
For example, for each feature, its variance may be calculated over the entire dataset; a threshold is set (which may be determined empirically or by statistical analysis) and features whose variance is below the threshold are determined based on the threshold and filtered out.
In one example, the feature selection of the initial feature vector by using the filtering algorithm to obtain the classified feature vector includes:
and performing feature filtering on the initial feature vector by using a high-correlation filtering algorithm to obtain a classification feature vector.
By way of example, highly correlated features generally follow similar trends and carry similar information. Training a model on highly correlated features therefore involves more redundant information, lowers model training efficiency, and may cause multicollinearity problems and over-fitting risk in the model.
Therefore, feature filtering can be performed by high-correlation filtering, which reduces redundant information, improves model training efficiency, reduces over-fitting risk, and optimizes model performance.
Correspondingly, for the initial feature vector, a high-correlation filtering algorithm can be used to filter the features: based on the correlation among the features, highly correlated features are regarded as redundant or overlapping information, one of them is selected for retention, and the dimension of the feature space is reduced.
For example, the correlation between each pair of features in the dataset may be calculated, such as calculating a correlation coefficient, covariance, or other correlation metric between each pair of features; the correlation threshold is set (which may be determined based on empirical values or statistical analysis), pairs of features having a correlation (e.g., correlation coefficient) above the threshold are labeled as high-correlation features, and one of the features is selectively retained based on specific needs.
It should be noted that, in the embodiment of the present application, the low variance filtering algorithm and the high correlation filtering algorithm may be used in combination, for example, the low variance filtering algorithm may be used to perform low variance feature removal on the initial feature vector first, and then the high correlation filtering algorithm may be used to further perform high correlation feature removal on the remaining features.
In the embodiment of the application, the data volume to be processed in attack detection is reduced by the feature screening, and the requirements of the attack detection on the equipment performance and hardware resources are further reduced.
Because the trained abnormality detection model in the embodiment of the application has low requirements on equipment performance and hardware resources, the trained abnormality detection model can be deployed on resource-limited intelligent terminal equipment, such as front-end acquisition equipment (e.g. a camera), rear-end storage equipment or access control equipment and other resource-limited Internet of things equipment.
In order to enable those skilled in the art to better understand the technical solutions provided by the embodiments of the present application, the technical solutions provided by the embodiments of the present application are described below with reference to specific examples.
In the embodiment, an anomaly-based internet of things device detector is provided, and by utilizing the characteristics collected from a hardware performance counter and combining an unsupervised machine learning and characteristic selection method, unknown micro-architecture attacks are detected for resource-constrained devices.
As shown in fig. 2, the specific implementation flow is as follows:
S1, hardware microstructure monitoring event selection.
For example, microstructure event data (event data of a hardware performance counter) may be selected as the monitoring data.
Illustratively, hardware performance counters (in most cases 6) of a performance monitoring unit (Performance Monitoring Unit, abbreviated PMU) in the core of the intelligent terminal device are used to collect statistics of the operation of the processor and the storage system. Each counter may count any one of the tens of events available in the processor at the same time.
Illustratively, according to the behavior of most microarchitectural attacks, the following 12 microarchitectural events (i.e., the above-specified types of events) are selected as monitoring objects:
1) Last level cache reference event (LLC references);
2) Last level cache miss event (LLC miss);
3) Branch instruction retirement event (branches);
4) Branch misprediction retirement event (branch mispredictions);
5) L1 data cache load event (L1 d-cache loads);
6) L1 data cache load miss event (L1 d-cache load misses);
7) L1 data cache store event (L1 d-cache store);
8) L1 data cache store miss event (L1 d-cache store misses);
9) L1 instruction cache load miss event (i-cache misses);
10) Data TLB (Translation Lookaside Buffer, address translation cache) load miss event (dTLB load miss);
11) Data TLB store miss event (dTLB store misses);
12) Instruction TLB load miss event (iTLB miss).
S2, microstructure event data acquisition.
For example, for the selected 12 microstructure events, a set of 12-dimensional data is collected in two independently operating intelligent terminal devices, respectively.
Illustratively, each set of data may contain 3600 samples (one sample is one 12-dimensional data).
After one set of data is collected for a particular scenario (e.g., clean environment or system under attack), the system state is reset, then the system settings and operating procedures are changed (reverting to the same system equipment and operating procedures as the previous set), and another set of data is collected.
By way of example, the required data may be recorded every 100ms so as not to unduly degrade system performance.
Illustratively, 80% of the collected data are used for training (i.e., constitute a training set) and the remainder are used for testing (i.e., constitute a testing set).
S3, constructing an anomaly-based classification model.
Illustratively, to reduce the complexity of running the model on the edge device, the number of features is first reduced by selecting the most relevant features in an unsupervised manner. And then performing model construction by using an unsupervised single classification SVM.
S4, selecting classification features.
By way of example, considering the actual scenario, the intelligent terminal core can only monitor 6 events at the same time. In order to construct a more efficient model running on the internet of things device, a subset of the events listed above is selected using an unsupervised feature selection method to reduce the data dimension, achieving better generalization performance.
Unlike supervised feature selection, the unsupervised feature selection method does not require tagged data. Furthermore, the unsupervised feature selection method has two advantages. First, the unsupervised feature selection method is unbiased and performs well if prior knowledge is not available. Second, the unsupervised feature selection method may reduce the risk of data overfitting compared to a supervised feature selection method that may not be able to handle new categories of data.
For example, filtering methods are generally faster and require less computation, so they are better suited to resource-constrained devices (such as edge devices). Thus, the filtering method can be used to select the most relevant features from the data itself, i.e. the features are evaluated based on the intrinsic properties of the data, without using any clustering algorithm to guide the search for relevant features, which avoids overfitting.
By way of example, considering that the low variance feature is generally poorly correlated with the target variable (such as whether the microstructure event is abnormal or not), that is, the influence of the low variance feature on the target variable is small, filtering the low variance feature can reduce the workload of model training and improve the model training efficiency without significantly affecting the model performance.
In addition, the low variance features may cause over-fitting problems in the process of training the model, and by filtering the low variance features, the complexity of the model can be reduced, and the over-fitting risk can be reduced.
Accordingly, for the initial feature vector, a low variance filtering algorithm may be used to perform feature filtering on the initial feature vector, removing features in the dataset that have low variance compared to other features.
For example, for each feature, its variance may be calculated over the entire dataset; a threshold is set (which may be determined empirically or by statistical analysis) and features whose variance is below the threshold are determined based on the threshold and filtered out.
In addition, highly correlated features generally follow similar trends and carry similar information. Training a model on highly correlated features therefore involves more redundant information, lowers model training efficiency, and may cause multicollinearity problems and over-fitting risk in the model.
Therefore, feature filtering can be performed by high-correlation filtering, which reduces redundant information, improves model training efficiency, reduces over-fitting risk, and optimizes model performance.
Correspondingly, for the initial feature vector, a high-correlation filtering algorithm can be used to filter the features: based on the correlation among the features, highly correlated features are regarded as redundant or overlapping information, one of them is selected for retention, and the dimension of the feature space is reduced.
For example, the correlation between each pair of features in the dataset may be calculated, such as calculating a correlation coefficient, covariance, or other correlation metric between each pair of features; the correlation threshold is set (which may be determined based on empirical values or statistical analysis), pairs of features having a correlation (e.g., correlation coefficient) above the threshold are labeled as high-correlation features, and one of the features is selectively retained based on specific needs.
For example, the low variance filtering algorithm may be used to perform low variance feature removal on the initial feature vector, and then the high correlation filtering algorithm may be used to further perform high correlation feature removal on the remaining features, and 6 features may be selected from the 12 feature types.
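The two filters described above, applied in the order the page gives (low variance first, then high correlation), as an added Python example that is not part of the patent. The counter values are constructed; dividing each variance by the squared mean, the two thresholds, and keeping the earlier-listed feature of a correlated pair are assumptions of this example.

```python
import math
import random

# Labels follow the order of the 12 monitored events listed on the page.
EVENTS = ["LLC references", "LLC misses", "branches", "branch mispredictions",
          "L1 d-cache loads", "L1 d-cache load misses", "L1 d-cache stores",
          "L1 d-cache store misses", "i-cache misses", "dTLB load misses",
          "dTLB store misses", "iTLB misses"]


def column(samples, j):
    return [row[j] for row in samples]


def normalised_variance(values):
    """Variance / mean^2 (assumption), so counters of different scale compare."""
    mean = sum(values) / len(values)
    if mean == 0:
        return 0.0
    return sum((v - mean) ** 2 for v in values) / len(values) / mean ** 2


def pearson(a, b):
    """Pearson correlation; a constant counter is reported as uncorrelated."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    if va == 0 or vb == 0:
        return 0.0
    return cov / math.sqrt(va * vb)


def low_variance_filter(samples, candidates, threshold):
    """Keep the features whose normalised variance reaches the threshold."""
    return [j for j in candidates
            if normalised_variance(column(samples, j)) >= threshold]


def high_correlation_filter(samples, candidates, threshold):
    """Greedy pass: drop a feature that is highly correlated with a kept one."""
    kept = []
    for j in candidates:
        cj = column(samples, j)
        if all(abs(pearson(cj, column(samples, k))) <= threshold for k in kept):
            kept.append(j)
    return kept


def select_features(samples, var_threshold=1e-4, corr_threshold=0.9):
    """N1-dimensional samples in, indices of the N2 retained features out."""
    survivors = low_variance_filter(samples, range(len(samples[0])), var_threshold)
    return high_correlation_filter(samples, survivors, corr_threshold)


def make_constructed_samples(n=500, seed=1):
    """Constructed counts per sampling window; not measurements from a device."""
    # (mean count, shared workload driver or None, relative spread)
    spec = [(40000, "A", 0.20), (6000, "B", 0.25), (900000, "C", 0.15),
            (20000, "D", 0.20), (1500000, "C", 0.15), (50000, "A", 0.20),
            (700000, "C", 0.15), (300, None, 0.0), (8000, "E", 0.20),
            (2500, "F", 0.20), (120, None, 0.0), (60, None, 0.0)]
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        drivers = {name: rng.gauss(0, 1) for name in "ABCDEF"}
        row = []
        for mean, driver, spread in spec:
            load = spread * drivers[driver] if driver else 0.0
            noise = (0.01 if driver else 0.001) * rng.gauss(0, 1)
            row.append(max(0, round(mean * (1 + load + noise))))
        rows.append(row)
    return rows


if __name__ == "__main__":
    data = make_constructed_samples()
    print([EVENTS[j] for j in select_features(data)])
```

With this constructed data, 12 candidate events are reduced to 6, the number the page says a core can monitor at the same time.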
S5, anomaly-based classification model training.
Illustratively, anomalies are rare instances that do not match normal data, and identifying anomalies in data by anomaly detection is a single-classification problem. Thus, a single classification SVM may be used for anomaly event classification to achieve lower resource consumption, local model deployment, and efficient anomaly detection.
A single classification SVM is an unsupervised machine learning algorithm that learns a decision function to classify new data as similar to or different from the training set. Since the amounts of abnormal-event data and normal-event data are unbalanced, a single classification SVM can be used to handle this classification problem with a severely skewed class distribution. It is effective on unbalanced classification datasets in which samples of the minority class are absent or rare.
In the microstructure event data obtained in the above manner, most of the data is in a normal state (corresponding to positive samples), and a very small part (whose proportion is lower than a preset proportion threshold, which can be set according to actual requirements, for example, 1%) is in an abnormal state (corresponding to negative samples).
In the process of training the anomaly detection model based on the single-classification SVM with the microstructure event data obtained in this way, most training samples are positive samples, and a very small part of the training samples are abnormal samples.
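The SVDD training and test-set evaluation described above, as an added Python example that is not code from the patent: the hypersphere is fitted in a Gaussian-kernel feature space by solving the SVDD dual with Frank-Wolfe iterations. The solver, the three counters, the parameter values and the quantile rule for the radius are assumptions of this example, and unlike the page's training set it trains on clean windows only and keeps the constructed attack windows for testing.

```python
import math
import random


def rbf(u, v, gamma):
    """Gaussian kernel; k(x, x) = 1, which simplifies the SVDD distance."""
    return math.exp(-gamma * sum((a - b) ** 2 for a, b in zip(u, v)))


class SVDD:
    """Hypersphere description of normal counter windows (standard library only)."""

    def __init__(self, nu=0.05, gamma=0.1, iters=150):
        self.nu, self.gamma, self.iters = nu, gamma, iters

    def _scale(self, x):
        return [(v - m) / s for v, m, s in zip(x, self.mean, self.std)]

    def fit(self, windows):
        n = len(windows)
        cols = list(zip(*windows))
        self.mean = [sum(c) / n for c in cols]
        # "or 1.0" keeps a constant counter from causing a division by zero.
        self.std = [math.sqrt(sum((v - m) ** 2 for v in c) / n) or 1.0
                    for c, m in zip(cols, self.mean)]
        z = [self._scale(x) for x in windows]
        k = [[rbf(a, b, self.gamma) for b in z] for a in z]
        cap = 1.0 / (self.nu * n)      # upper bound C on every alpha_i
        alpha = [1.0 / n] * n          # feasible start: sum = 1, alpha_i <= C
        # Dual: minimise alpha^T K alpha - sum_i alpha_i K_ii on that set.
        for _ in range(self.iters):
            grad = [2 * sum(kij * a for kij, a in zip(row, alpha)) - 1.0
                    for row in k]
            # Frank-Wolfe vertex: spend the unit budget on the smallest gradients.
            vertex, budget = [0.0] * n, 1.0
            for i in sorted(range(n), key=grad.__getitem__):
                vertex[i] = min(cap, budget)
                budget -= vertex[i]
                if budget <= 0:
                    break
            d = [s - a for s, a in zip(vertex, alpha)]
            slope = sum(g * di for g, di in zip(grad, d))
            curv = sum(di * sum(kij * dj for kij, dj in zip(row, d))
                       for row, di in zip(k, d))
            if slope > -1e-10 or curv <= 0:       # no descent direction left
                break
            step = min(1.0, -slope / (2 * curv))  # exact line search
            alpha = [a + step * di for a, di in zip(alpha, d)]
        self.center_norm2 = sum(a * sum(kij * b for kij, b in zip(row, alpha))
                                for row, a in zip(k, alpha))
        # Only points with non-negligible weight are needed at detection time.
        self.sv = [(a, zi) for a, zi in zip(alpha, z) if a > 1e-6]
        # Radius (assumption): leave about a fraction nu of training windows outside.
        d2 = sorted(self._dist2(zi) for zi in z)
        self.radius2 = d2[n - 1 - int(self.nu * n)]
        return self

    def _dist2(self, z):
        """Squared feature-space distance from z to the hypersphere centre."""
        cross = sum(a * rbf(zi, z, self.gamma) for a, zi in self.sv)
        return 1.0 - 2.0 * cross + self.center_norm2

    def is_anomalous(self, window):
        return self._dist2(self._scale(window)) > self.radius2


def make_windows(rng, n, llc_miss_mean, spread=0.2):
    """Constructed counts per 100 ms: LLC misses, branch mispredictions, dTLB load misses."""
    means = (llc_miss_mean, 20000, 2500)
    return [[max(0, round(m * (1 + spread * rng.gauss(0, 1)))) for m in means]
            for _ in range(n)]


def run_demo(seed=7):
    rng = random.Random(seed)
    clean = make_windows(rng, 100, llc_miss_mean=6000)
    attack = make_windows(rng, 10, llc_miss_mean=30000, spread=0.05)
    train, test_clean = clean[:80], clean[80:]   # 80 % / 20 % split as on the page
    model = SVDD().fit(train)
    false_alarms = sum(model.is_anomalous(w) for w in test_clean)
    detected = sum(model.is_anomalous(w) for w in attack)
    accuracy = (len(test_clean) - false_alarms + detected) / (len(test_clean) + len(attack))
    return model, false_alarms, detected, accuracy


if __name__ == "__main__":
    _, fa, det, acc = run_demo()
    print(f"false alarms={fa} detected={det} accuracy={acc:.2f}")
```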
The methods provided herein are described above. The apparatus provided in this application is described below:
Referring to fig. 3, which is a schematic structural diagram of a terminal attack lightweight detection device based on a microstructure abnormal event according to an embodiment of the present application, the terminal attack lightweight detection device based on a microstructure abnormal event may include:
an acquisition unit 310 for acquiring microstructure event data of a specified type; the specified type of microstructure event data comprises N1 different types of microstructure event data; the microstructure event data are obtained by monitoring microstructure events in the running process of the specified intelligent terminal equipment in the specified running environment; N1 is greater than or equal to 2;
the training unit 320 is configured to perform training of the anomaly detection model based on the single-classification support vector machine SVM according to the obtained microstructure event data, to obtain a trained anomaly detection model; the trained anomaly detection model is used for carrying out attack detection on the intelligent terminal equipment to be detected.
In some embodiments, the obtaining unit 310 is specifically configured to perform microstructure event monitoring on a plurality of specified intelligent terminal devices while the plurality of specified intelligent terminal devices operate in an operating environment in which no attack exists, so as to obtain a first number of specified types of microstructure event data;
and,
to perform microstructure event monitoring on the plurality of specified intelligent terminal devices while the plurality of specified intelligent terminal devices operate in an attacked operating environment, so as to obtain a second number of specified types of microstructure event data;
wherein the system settings and the running programs of the different specified intelligent terminal devices are consistent.
In some embodiments, the training unit 320 is specifically configured to generate a training set and a test set according to the first number of microstructure event data of a specified type and the second number of microstructure event data of a specified type;
and carrying out iterative training on the abnormal detection model based on the single-classification SVM by utilizing the training set until the detection accuracy of the trained abnormal detection model on the test set meets the preset condition and/or the training round reaches the preset maximum round.
In some embodiments, the training unit 320 performs training of the anomaly detection model based on the single-classification support vector machine SVM according to the obtained microstructure event data, to obtain a trained anomaly detection model, including:
generating an initial feature vector according to the acquired microstructure event data; the initial feature vector is an N1-dimensional feature vector, and one element in the initial feature vector corresponds to one type of microstructure event;
performing feature selection on the initial feature vector by using a filtering algorithm to obtain a classified feature vector; the classification feature vector is an N2-dimensional feature vector, and N2 is less than N1;
and training an anomaly detection model based on the single-classification SVM by using the classification feature vector to obtain a trained anomaly detection model.
In some embodiments, the training unit performs feature selection on the initial feature vector by using a filtering algorithm to obtain a classified feature vector, including:
and performing feature filtering on the initial feature vector by using a low variance filtering algorithm and/or a high correlation filtering algorithm to obtain a classification feature vector.
The embodiment of the application also provides electronic equipment, which comprises a processor and a memory, wherein the memory is used for storing a computer program; and the processor is used for realizing the lightweight detection method for the terminal attack based on the microstructure abnormal event when executing the program stored in the memory.
Fig. 4 is a schematic hardware structure of an electronic device according to an embodiment of the present application. The electronic device may include a processor 401 and a memory 402 storing machine-executable instructions. The processor 401 and the memory 402 may communicate via a system bus 403. By reading and executing the machine-executable instructions in the memory 402 that correspond to the logic of the terminal attack lightweight detection method based on the microstructure abnormal event, the processor 401 can execute the terminal attack lightweight detection method based on the microstructure abnormal event described above.
The memory 402 referred to herein may be any electronic, magnetic, optical, or other physical storage device that may contain or store information, such as executable instructions, data, or the like. For example, a machine-readable storage medium may be: RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, a storage drive (e.g., hard drive), a solid state drive, any type of storage disk (e.g., optical disk, DVD, etc.), or a similar storage medium, or a combination thereof.
In some embodiments, a machine-readable storage medium, such as memory 402 in fig. 4, is also provided, having stored therein machine-executable instructions that when executed by a processor implement the above-described microstructure anomaly event-based terminal attack lightweight detection method. For example, the machine-readable storage medium may be ROM, RAM, CD-ROM, magnetic tape, floppy disk, optical data storage device, etc.
The embodiments of the present application also provide a computer program product that stores a computer program which, when executed by a processor, causes the processor to perform the above-described method for lightweight detection of a terminal attack based on a microstructure anomaly event.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing description of the preferred embodiments of the present invention is not intended to limit the invention to the precise form disclosed, and any modifications, equivalents, improvements and alternatives falling within the spirit and principles of the present invention are intended to be included within the scope of the present invention.

Claims (10)

1. A terminal attack light-weight detection method based on a microstructure abnormal event is characterized by comprising the following steps:
acquiring microstructure event data of a specified type; the specified type of microstructure event data comprises N1 different types of microstructure event data; the microstructure event data are obtained by monitoring microstructure events in the running process of the specified intelligent terminal equipment in the specified running environment; N1 is greater than or equal to 2;
training an anomaly detection model based on a single-classification Support Vector Machine (SVM) according to the obtained microstructure event data to obtain a trained anomaly detection model; the trained anomaly detection model is used for carrying out attack detection on the intelligent terminal equipment to be detected.
2. The method of claim 1, wherein the microstructure event data is obtained by:
respectively carrying out microstructure event monitoring on a plurality of appointed intelligent terminal devices in the running process of the plurality of appointed intelligent terminal devices in the running environment without attack to acquire a first quantity of microstructure event data of an appointed type;
and,
respectively carrying out microstructure event monitoring on a plurality of appointed intelligent terminal devices in the running process of the plurality of appointed intelligent terminal devices under the attacked running environment to acquire microstructure event data of a second quantity of appointed types;
wherein, the system settings and the running programs of different appointed intelligent terminal devices are consistent.
3. The method of claim 2, wherein the anomaly detection model based on a single classification SVM is trained by:
generating a training set and a testing set according to the first number of microstructure event data of the specified type and the second number of microstructure event data of the specified type;
and carrying out iterative training on the abnormal detection model based on the single-classification SVM by utilizing the training set until the detection accuracy of the trained abnormal detection model on the test set meets the preset condition and/or the training round reaches the preset maximum round.
4. The method according to claim 1, wherein the training of the anomaly detection model based on the single-classification support vector machine SVM is performed according to the obtained microstructure event data to obtain a trained anomaly detection model, comprising:
generating an initial feature vector according to the acquired microstructure event data; the initial feature vector is an N1-dimensional feature vector, and one element in the initial feature vector corresponds to one type of microstructure event;
performing feature selection on the initial feature vector by using a filtering algorithm to obtain a classified feature vector; the classification feature vector is an N2-dimensional feature vector, and N2 is less than N1;
and training an anomaly detection model based on the single-classification SVM by using the classification feature vector to obtain a trained anomaly detection model.
5. The method of claim 4, wherein the performing feature selection on the initial feature vector using a filtering algorithm to obtain a classified feature vector comprises:
and performing feature filtering on the initial feature vector by using a low variance filtering algorithm and/or a high correlation filtering algorithm to obtain a classification feature vector.
6. A lightweight detection device for terminal attack based on microstructure abnormal event is characterized by comprising:
an acquisition unit for acquiring microstructure event data of a specified type; the specified type of microstructure event data comprises N1 different types of microstructure event data; the microstructure event data are obtained by monitoring microstructure events in the running process of the specified intelligent terminal equipment in the specified running environment; N1 is greater than or equal to 2;
the training unit is used for training the anomaly detection model based on the single-classification Support Vector Machine (SVM) according to the acquired microstructure event data to obtain a trained anomaly detection model; the trained anomaly detection model is used for carrying out attack detection on the intelligent terminal equipment to be detected.
7. The apparatus of claim 6, wherein the device comprises a plurality of sensors,
the acquisition unit is specifically configured to perform microstructure event monitoring on a plurality of specified intelligent terminal devices during a running process of the plurality of specified intelligent terminal devices in an operating environment in which no attack exists, so as to acquire a first number of microstructure event data of specified types;
and,
respectively carrying out microstructure event monitoring on a plurality of appointed intelligent terminal devices in the running process of the plurality of appointed intelligent terminal devices under the attacked running environment to acquire microstructure event data of a second quantity of appointed types;
the system setting and the running program of different appointed intelligent terminal equipment are consistent;
the training unit is specifically configured to generate a training set and a testing set according to the first number of microstructure event data of the specified type and the second number of microstructure event data of the specified type;
and carrying out iterative training on the abnormal detection model based on the single-classification SVM by utilizing the training set until the detection accuracy of the trained abnormal detection model on the test set meets the preset condition and/or the training round reaches the preset maximum round.
8. The apparatus of claim 6, wherein the training unit performs training of the anomaly detection model based on the single-classification support vector machine SVM according to the acquired microstructure event data to obtain a trained anomaly detection model, comprising:
generating an initial feature vector according to the acquired microstructure event data; the initial feature vector is an N1-dimensional feature vector, and one element in the initial feature vector corresponds to one type of microstructure event;
performing feature selection on the initial feature vector by using a filtering algorithm to obtain a classified feature vector; the classification feature vector is an N2-dimensional feature vector, and N2 is less than N1;
training an anomaly detection model based on a single-classification SVM by using the classification feature vector to obtain a trained anomaly detection model;
the training unit performs feature selection on the initial feature vector by using a filtering algorithm to obtain a classified feature vector, and the method comprises the following steps:
and performing feature filtering on the initial feature vector by using a low variance filtering algorithm and/or a high correlation filtering algorithm to obtain a classification feature vector.
9. An electronic device comprising a processor and a memory, wherein,
a memory for storing a computer program;
a processor configured to implement the method of any one of claims 1 to 5 when executing a program stored on a memory.
10. A computer program product, characterized in that the computer program product has stored therein a computer program which, when executed by a processor, implements the method of any of claims 1-5.
CN202410145365.7A 2024-02-01 2024-02-01 Terminal attack lightweight detection method and device based on microstructure abnormal event Active CN117688558B (en)


Publications (2)

Publication Number Publication Date
CN117688558A true CN117688558A (en) 2024-03-12
CN117688558B CN117688558B (en) 2024-05-07

Family

ID=90126898

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410145365.7A Active CN117688558B (en) 2024-02-01 2024-02-01 Terminal attack lightweight detection method and device based on microstructure abnormal event

Country Status (1)

Country Link
CN (1) CN117688558B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105704103A (en) * 2014-11-26 2016-06-22 Shenyang Institute of Automation, Chinese Academy of Sciences Modbus TCP communication behavior abnormity detection method based on OCSVM double-contour model
CN106339628A (en) * 2016-08-16 2017-01-18 Tianjin University Hardware anti-virus device based on microarchitecture level
CN109194612A (en) * 2018-07-26 2019-01-11 Beijing Institute of Computer Technology and Application A kind of network attack detecting method based on depth confidence network and SVM
CN109743300A (en) * 2018-12-20 2019-05-10 Zhejiang Pengxin Information Technology Co., Ltd. A kind of security incident automation method of disposal based on isomery model strategy library
CN110674991A (en) * 2019-09-25 2020-01-10 CHN Energy Jianbi Power Plant OCSVM-based method for detecting abnormality of primary fan of thermal power plant
CN113221118A (en) * 2021-05-11 2021-08-06 Zall Smart Commerce (Wuhan) Research Institute Co., Ltd. Detection method and device for channel attack on cache side and electronic equipment
CN114221790A (en) * 2021-11-22 2022-03-22 Zhejiang University of Technology BGP (Border gateway protocol) anomaly detection method and system based on graph attention network
CN114692162A (en) * 2020-12-30 2022-07-01 Loongson Technology Corporation Limited Processor attack detection method, processor and electronic equipment
CN115473734A (en) * 2022-09-13 2022-12-13 Sichuan University Remote code execution attack detection method based on single classification and federal learning


Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
A. KARIMI et al.: "A Resilient Control Method Against False Data Injection Attack in DC Microgrids", 2021 7TH INTERNATIONAL CONFERENCE ON CONTROL, INSTRUMENTATION AND AUTOMATION (ICCIA), 16 April 2021 (2021-04-16) *
Sheng Ming; Chen Lingshan; Wang Junjie; Du Hongliang: "CAN bus anomaly detection method based on one-class support vector machine", Automobile Technology, vol. 2020, no. 05, 2 June 2020 (2020-06-02) *
Chen Caisen et al.: "RSA timing attack based on Cache Missing", Microelectronics & Computer, vol. 26, no. 05, 5 May 2009 (2009-05-05) *

Also Published As

Publication number Publication date
CN117688558B (en) 2024-05-07

Similar Documents

Publication Publication Date Title
Zilles et al. A programmable co-processor for profiling
US9280438B2 (en) Autonomic hotspot profiling using paired performance sampling
US9032375B2 (en) Performance bottleneck identification tool
US8782629B2 (en) Associating program execution sequences with performance counter events
US20030135720A1 (en) Method and system using hardware assistance for instruction tracing with secondary set of interruption resources
US7617385B2 (en) Method and apparatus for measuring pipeline stalls in a microprocessor
US9715377B1 (en) Behavior based code recompilation triggering scheme
US9251340B2 (en) Malicious activity detection of a processing thread
EP3582115A1 (en) Method and system for log data analytics based on superminhash signatures
Zhou et al. Hardware-assisted rootkit detection via on-line statistical fingerprinting of process execution
Li et al. Detecting and diagnosing energy issues for mobile applications
Oshana et al. Real-time edge processing detection of malicious attacks using machine learning and processor core events
US9088597B2 (en) Malicious activity detection of a functional unit
Barboza et al. Automatic microprocessor performance bug detection
CN117688558B (en) Terminal attack lightweight detection method and device based on microstructure abnormal event
Kasarapu et al. Resource-and workload-aware malware detection through distributed computing in iot networks
Cronin et al. Lowering the barrier to online malware detection through low frequency sampling of HPCs
US20140075164A1 (en) Temporal locality aware instruction sampling
Biswas et al. Performance counters and DWT enabled control flow integrity
Wang et al. Locality Based Cache Side-channel Attack Detection
Hu et al. CARE: Enabling hardware performance counter based malware detection resilient to system resource competition
CN114661601A (en) Fuzzy test method and device
CN114692162A (en) Processor attack detection method, processor and electronic equipment
Biswas et al. Control Flow Integrity in IoT Devices with Performance Counters and DWT
Alam et al. Side-Channel Assisted Malware Classifier with Gradient Descent Correction for Embedded Platforms.

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant