SCARF: Detecting Side-Channel Attacks at Real-time using Low-level Hardware Features

Abstract

Side-Channel Attacks (SCAs) are powerful attacks compromising the security of modern computer systems by exploiting hardware vulnerabilities. Prior studies on detection of SCAs based on low-level microarchitectural features captured from processors’ hardware performance counter (HPC) registers have considered collecting hardware events of both victim applications (cryptographic application, e.g. RSA, AES and etc.) and attack applications. However, in such techniques the attack HPCs data can be easily manipulated and/or corrupted resulting in misleading the SCA detection mechanism. Furthermore, the prior works have explored the suitability of a limited number of Machine Learning (ML) algorithms in detecting SCAs without examining the instance level false alarm rate that as we show in this work is a more important evaluation metric for SCA detection techniques. In response, in this paper, we propose SCARF, a machine learning-based real-time side-channel attack detection methodology using low-level hardware features. To this aim, we first only monitor the victim applications’ behavior using the HPC features and analyze the captured low-level traces of the victim applications under no attack and attack conditions to avoid manipulation of attackers’ HPCs. Next, a wide range of ML classifiers with customized HPC features are implemented to determine the most effective ML technique for detecting SCAs at real-time, while improving accuracy and reducing instance-level false alarm rate of ML-based SCA detectors. Lastly, the False Alarm Minimization (FAM) technique is proposed to further reduce the instance level false positive rate of the ML-based SCA detectors. The experimental results indicate that the SCARF methodology can obtain up to 100% attack detection accuracy with 0% instance level false alarm rate for detecting SCAs.