TrapMP: malicious process detection by utilising program phase detection

Zirak Allaf; Mo Adda; Alexander Gegov

doi:10.1109/CyberSecPODS.2019.8885402

TrapMP: malicious process detection by utilising program phase detection

Zirak Allaf, Mo Adda, Alexander Gegov

School of Computing

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

224 Downloads (Pure)

Abstract

Hardware and software have failed to securely manage the sensitive elements of cryptographic algorithms in computational environment due to memory contentions. This opened new opportunities for hackers to carry out side channel attacks on a system and steal sensitive data. Existing Side-channel attack techniques show that attackers can exploit the microarchitecture and OS vulnerabilities. The recent Meltdown attack for instance, using Flush+Reload technique, exploits program execution attributes such as “out-of-order execution” to break the logical isolation between the memories and processes. In this paper, we have developed a real-time detection and identification system against side-channel attacks. Unlike previous works, the proposed approach does not rely on synchronisation between the attackers and victims. This is realised by taking a course of program phase analysis, through performance counters, to extract Malicious Loop (ML). Simulation has shown that the proposed approach attained higher accuracy for up to 99% and efficient detection of Flush+Reload activities, through classification methods. Furthermore, the detection process, in native and cloud systems, unlike others, takes shorter execution time without additional costs, and the model benefits from very low overhead performance of approximately less than 1% of the host system.

Original language	English
Title of host publication	Proceedings of the 2019 International Conference on Cyber Security and Protection of Digital Services (Cyber Security)
Editors	Cyril Onwubiko, Xavier Bellekens, Arnau Erola
Publisher	Institute of Electrical and Electronics Engineers Inc.
Number of pages	8
ISBN (Electronic)	978-1-7281-0229-0
ISBN (Print)	978-1-7281-0230-6
DOIs	https://doi.org/10.1109/CyberSecPODS.2019.8885402
Publication status	Published - 31 Oct 2019
Event	Cyber Science 2019 - University of Oxford, Oxford, United Kingdom Duration: 3 Jun 2019 → 4 Jun 2019

Conference

Conference	Cyber Science 2019
Country/Territory	United Kingdom
City	Oxford
Period	3/06/19 → 4/06/19

Access to Document

10.1109/CyberSecPODS.2019.8885402

TrapMP Malicious Process Detection By Utilising Program Phase Detection-Oxford Conference
© 2019 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Accepted author manuscript (Post-print), 428 KB

Cite this

Allaf, Z., Adda, M., & Gegov, A. (2019). TrapMP: malicious process detection by utilising program phase detection. In C. Onwubiko, X. Bellekens, & A. Erola (Eds.), Proceedings of the 2019 International Conference on Cyber Security and Protection of Digital Services (Cyber Security) Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/CyberSecPODS.2019.8885402

@inproceedings{fde6c724280b4709928ada8a18f22a9b,

title = "TrapMP: malicious process detection by utilising program phase detection",

abstract = "Hardware and software have failed to securely manage the sensitive elements of cryptographic algorithms in computational environment due to memory contentions. This opened new opportunities for hackers to carry out side channel attacks on a system and steal sensitive data. Existing Side-channel attack techniques show that attackers can exploit the microarchitecture and OS vulnerabilities. The recent Meltdown attack for instance, using Flush+Reload technique, exploits program execution attributes such as “out-of-order execution” to break the logical isolation between the memories and processes. In this paper, we have developed a real-time detection and identification system against side-channel attacks. Unlike previous works, the proposed approach does not rely on synchronisation between the attackers and victims. This is realised by taking a course of program phase analysis, through performance counters, to extract Malicious Loop (ML). Simulation has shown that the proposed approach attained higher accuracy for up to 99% and efficient detection of Flush+Reload activities, through classification methods. Furthermore, the detection process, in native and cloud systems, unlike others, takes shorter execution time without additional costs, and the model benefits from very low overhead performance of approximately less than 1% of the host system.",

author = "Zirak Allaf and Mo Adda and Alexander Gegov",

year = "2019",

month = oct,

day = "31",

doi = "10.1109/CyberSecPODS.2019.8885402",

language = "English",

isbn = "978-1-7281-0230-6",

editor = "Cyril Onwubiko and Bellekens, { Xavier } and { Erola}, Arnau",

booktitle = "Proceedings of the 2019 International Conference on Cyber Security and Protection of Digital Services (Cyber Security)",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

address = "United States",

note = "Cyber Science 2019 ; Conference date: 03-06-2019 Through 04-06-2019",

}

Allaf, Z, Adda, M & Gegov, A 2019, TrapMP: malicious process detection by utilising program phase detection. in C Onwubiko, X Bellekens & A Erola (eds), Proceedings of the 2019 International Conference on Cyber Security and Protection of Digital Services (Cyber Security). Institute of Electrical and Electronics Engineers Inc., Cyber Science 2019, Oxford, United Kingdom, 3/06/19. https://doi.org/10.1109/CyberSecPODS.2019.8885402

TrapMP: malicious process detection by utilising program phase detection. / Allaf, Zirak; Adda, Mo ; Gegov, Alexander.
Proceedings of the 2019 International Conference on Cyber Security and Protection of Digital Services (Cyber Security). ed. / Cyril Onwubiko; Xavier Bellekens; Arnau Erola. Institute of Electrical and Electronics Engineers Inc., 2019.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - TrapMP: malicious process detection by utilising program phase detection

AU - Allaf, Zirak

AU - Adda, Mo

AU - Gegov, Alexander

PY - 2019/10/31

Y1 - 2019/10/31

N2 - Hardware and software have failed to securely manage the sensitive elements of cryptographic algorithms in computational environment due to memory contentions. This opened new opportunities for hackers to carry out side channel attacks on a system and steal sensitive data. Existing Side-channel attack techniques show that attackers can exploit the microarchitecture and OS vulnerabilities. The recent Meltdown attack for instance, using Flush+Reload technique, exploits program execution attributes such as “out-of-order execution” to break the logical isolation between the memories and processes. In this paper, we have developed a real-time detection and identification system against side-channel attacks. Unlike previous works, the proposed approach does not rely on synchronisation between the attackers and victims. This is realised by taking a course of program phase analysis, through performance counters, to extract Malicious Loop (ML). Simulation has shown that the proposed approach attained higher accuracy for up to 99% and efficient detection of Flush+Reload activities, through classification methods. Furthermore, the detection process, in native and cloud systems, unlike others, takes shorter execution time without additional costs, and the model benefits from very low overhead performance of approximately less than 1% of the host system.

AB - Hardware and software have failed to securely manage the sensitive elements of cryptographic algorithms in computational environment due to memory contentions. This opened new opportunities for hackers to carry out side channel attacks on a system and steal sensitive data. Existing Side-channel attack techniques show that attackers can exploit the microarchitecture and OS vulnerabilities. The recent Meltdown attack for instance, using Flush+Reload technique, exploits program execution attributes such as “out-of-order execution” to break the logical isolation between the memories and processes. In this paper, we have developed a real-time detection and identification system against side-channel attacks. Unlike previous works, the proposed approach does not rely on synchronisation between the attackers and victims. This is realised by taking a course of program phase analysis, through performance counters, to extract Malicious Loop (ML). Simulation has shown that the proposed approach attained higher accuracy for up to 99% and efficient detection of Flush+Reload activities, through classification methods. Furthermore, the detection process, in native and cloud systems, unlike others, takes shorter execution time without additional costs, and the model benefits from very low overhead performance of approximately less than 1% of the host system.

UR - https://www.c-mric.com/conferences/

U2 - 10.1109/CyberSecPODS.2019.8885402

DO - 10.1109/CyberSecPODS.2019.8885402

M3 - Conference contribution

SN - 978-1-7281-0230-6

BT - Proceedings of the 2019 International Conference on Cyber Security and Protection of Digital Services (Cyber Security)

A2 - Onwubiko, Cyril

A2 - Bellekens, Xavier

A2 - Erola, Arnau

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - Cyber Science 2019

Y2 - 3 June 2019 through 4 June 2019

ER -

TrapMP: malicious process detection by utilising program phase detection

Abstract

Conference

Access to Document

Fingerprint

Cite this