MAD-EN: Microarchitectural Attack Detection through System-wide Energy Consumption
Debopriya Roy Dipta, Berk Gulmezoglu

TL;DR
MAD-EN is a system-wide energy consumption-based detection tool that effectively identifies microarchitectural attacks with high accuracy and significantly lower performance overhead than traditional performance counter methods.
Contribution
This paper introduces MAD-EN, a novel energy-based detection system that outperforms existing methods in detecting diverse microarchitectural attacks with minimal overhead.
Findings
Detects 10 microarchitectural attacks with 15 variants
Achieves an F1 score of 0.999 in attack detection
Reduces performance overhead by 69.3% compared to performance counters
Abstract
Microarchitectural attacks have become more threatening to hardware security than before with the increasing diversity of attacks such as Spectre and Meltdown. Vendor patches cannot keep up with the pace of the new threats, which makes the need for dynamic anomaly detection tools more evident than before. Unfortunately, previous studies utilize hardware performance counters that lead to high performance overhead and profile a limited number of microarchitectural attacks due to the small number of counters that can be profiled concurrently. This renders those detection tools inefficient in real-world scenarios. In this study, we introduce MAD-EN, a dynamic detection tool that leverages system-wide energy consumption traces collected from a generic Intel RAPL tool to detect ongoing anomalies in a system. In our experiments, we show that CNN-based MAD-EN can detect 10 different microarchitectural…
Taxonomy
Topics: Advanced Malware Detection Techniques · Security and Verification in Computing · Network Security and Intrusion Detection
