MAD-EN: Microarchitectural Attack Detection through System-wide Energy Consumption

Microarchitectural attacks have become more threatening the society than before with the increasing diversity of attacks such as Spectre and Meltdown. Vendor patches cannot keep up with the pace of the new threats, which makes the dynamic anomaly detection tools more evident than before. Unfortunately, hardware performance counters (HPCs) utilized in previous works lead to high performance overhead and detection of a few microarchitectural attacks due to the small number of counters that can be profiled concurrently. These challenges consequently yield to inefficient detection tools in real-world applications.

In this study, we introduce MAD-EN dynamic detection tool that leverages system-wide energy consumption traces collected from a generic Intel RAPL tool to detect ongoing anomalies in two different microarchitectures, namely Intel Comet Lake and Intel Tiger Lake. CNN-based MAD-EN can detect 11 different micro-architectural attacks in total of 16 variants with an F1 score of 0.998, which makes our tool the most generic attack detection tool so far. Moreover, individual attacks can be distinguished with a 95% accuracy after an anomaly is detected in a system by utilizing multi-class classification techniques. We demonstrate that MAD-EN introduces 69.3% less performance overhead compared to performance counter-based detection mechanisms, allowing more feasible real-time detection tool for generic purpose systems. The energy consumption data collected from the Intel RAPL framework are open sourced over here.