Multi Hardware-Attack Dataset and ML-based Detection Using Processor Stress Patterns on x86

Authors

  • David Andreu Universitat Politècnica de Catalunya
  • Beatriz Otero Universitat Politècnica de Catalunya
  • Ramon Canal Universitat Politècnica de Catalunya

DOI:

https://doi.org/10.64552/wipiec.v11i1.94

Keywords:

Security, hardware attack, Spectre, Meltdown, Fallout, machine learning

Abstract

Hardware attacks exploit the vulnerabilities discovered in state-of-the-art CPUs. As an example, attacks such as Meltdown and Spectre have made the headlines. To benefit from the vulnerabilities, hardware attacks stress tremendously some section/s of the processor, usually the branch-prediction unit and the different cache levels. This gives us a recognizable pattern and a way to implement a system capable of detecting the presence of these attacks while monitoring the computer.
In this paper, we describe the set of hardware attacks under focus, then we describe how we create the dataset and, finally, the use of machine learning to detect the attacks in three scenarios (i.e. training on both benign applications and attacks, training on only benign applications and training only on attacks). The techniques
proposed are capable of achieving over 99% detection rate with a machine learning model. This provides a run-time solution to quickly identify the attack as it starts running and take remedial actions.

References

M. Lipp et al., “Meltdown: Reading kernel memory from user space,” in 27th USENIX Security Symposium, 2018.

P. Kocher et al., “Spectre attacks: Exploiting speculative execution,” in 40th IEEE Symposium on Security and Privacy, 2019. DOI: https://doi.org/10.1109/SP.2019.00002

J. Corbet, Kaiser: Hiding the kernel from user space, https://lwn.net/Articles/738975/, Accessed: 13-05-2024.

D. Gens, O. Arias, D. Sullivan, C. Liebchen, Y. Jin, and A.-R. Sadeghi, “Lazarus: Practical side-channel resilient kernel-space randomization,” in Research in Attacks, Intrusions, and Defenses, Springer International Publishing, 2017, pp. 238–258. DOI: https://doi.org/10.1007/978-3-319-66332-6_11

C. Canella, M. Schwarz, M. Haubenwallner, M. Schwarzl, and D. Gruss, “Kaslr: Break it, fix it, repeat,” in Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ser. ASIA CCS ’20, Taipei, Taiwan: Association for Computing Machinery, 2020, pp. 481–493. DOI: 10.1145/3320269. 3384747. DOI: https://doi.org/10.1145/3320269.3384747

C. Li and J.-L. Gaudiot, “Detecting spectre attacks using hardware performance counters,” IEEE Transactions on Computers, vol. 71, no. 6, pp. 1320–1331, 2022. DOI: 10.1109/TC.2021.3082471. DOI: https://doi.org/10.1109/TC.2021.3082471

S. Carn`a, S. Ferracci, F. Quaglia, and A. Pellegrini, “Fight hardware with hardware: Systemwide detection and mitigation of side-channel attacks using performance counters,” Digital Threats, vol. 4, no. 1, Mar. 2023. DOI: 10.1145/3519601. DOI: https://doi.org/10.1145/3519601

M. Chiappetta, E. Savas, and C. Yilmaz, “Real time detection of cache-based side-channel attacks using hardware performance counters,” Applied Soft Computing, vol. 49, pp. 1162–1174, 2016. DOI: https://doi.org/10.1016/j.asoc.2016.09.014. DOI: https://doi.org/10.1016/j.asoc.2016.09.014

S. Bhattacharya and D. Mukhopadhyay, “Who watches the watchmen?: Utilizing performance monitors for compromising keys of rsa on intel platforms,” in Cryp tographic Hardware and Embedded Systems, Springer Berlin Heidelberg, 2015, pp. 248–266. DOI: https://doi.org/10.1007/978-3-662-48324-4_13

W. Kosasih, Y. Feng, C. Chuengsatiansup, Y. Yarom, and Z. Zhu, “Sok: Can we really detect cache sidechannel attacks by monitoring performance counters?” In 19th ACM Asia Conference on Computer and Communications Security, 2024, pp. 172–185. DOI: 10.1145/3634737.3637649. DOI: https://doi.org/10.1145/3634737.3637649

B. Otero Calvi˜no, D. Andreu Gerique, and R. Canal Corretger, Replication Data for: Hardware Attack detectoR via Performance counters analYsis Dataset (HARPY Dataset), version V1, 2025. DOI: 10.34810/data1982.

C. D. Manning, P. Raghavan, and H. Sch¨utze, “Introduction to information retrieval,” 2008. DOI: https://doi.org/10.1017/CBO9780511809071

L. Rokach and O. Maimon, “Top-down induction of decision trees classifiers - a survey,” IEEE Transactions on Systems, Man, and Cybernetics, Part C (Applications and Reviews), vol. 35, no. 4, pp. 476–487, 2005. DOI: 10.1109/TSMCC.2004.843247. DOI: https://doi.org/10.1109/TSMCC.2004.843247

L. Breiman, “Random forests,” Machine Learning, vol. 45, pp. 5–32, 2001. DOI: https://doi.org/10.1023/A:1010933404324

W. H. Press, S. A. Teukolsky, W. T. Vetterling, and B. P. Flannery, “Numerical Recipes 3rd edition: The Art of Scientific Computing,” 2007.

S. L. (speed47), Spectre-meltdown-checker, https://github.com/speed47/spectre-meltdown-checker, 2023.

I. of Applied Information Processing and C. (IAIK), Meltdown, https://github.com/IAIK/meltdown.

R. C. (crozone), Spectrepoc, https://github.com/crozone/SpectrePoC.

A. C. (Anton-Cao), Spectrev2-poc, https://github.com/Anton-Cao/spectrev2-poc.

Y. S. (mmxsrup), Cve-2018-3639, https://github.com/mmxsrup/CVE-2018-3639.

M. Schwarz et al., “ZombieLoad: Cross-privilege-boundary data sampling,” in CCS, 2019. DOI: https://doi.org/10.1145/3319535.3354252

I. of Applied Information Processing and C. (IAIK), Zombieload, https://github.com/IAIK/ZombieLoad.

C. Canella et al., “Fallout: Leaking data on meltdown-resistant cpus,” in Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS), ACM, 2019. DOI: https://doi.org/10.1145/3319535.3363219

S. van Schaik et al., “RIDL: Rogue in-flight data load,” in S&P, May 2019. DOI: https://doi.org/10.1109/SP.2019.00087

T. H. (tristan-hornetz), Fallout, https://github.com/tristan-hornetz/fallout.

H. Ragab, A. Milburn, K. Razavi, H. Bos, and C. Giuffrida, “CrossTalk: Speculative Data Leaks Across Cores Are Real,” in S&P, Intel Bounty Reward, May 2021. [Online]. Available: https://download.vusec.net/papers/crosstalk sp21.pdf. DOI: https://doi.org/10.1109/SP40001.2021.00020

T. H. (tristan-hornetz), Crosstalk, https://github.com/tristan-hornetz/crosstalk.

J. Van Bulck et al., “Foreshadow: Extracting the keys to the Intel SGX kingdom with transient out-of-order execution,” in Proceedings of the 27th USENIX Security Symposium, See also technical report Foreshadow-NG, Aug. 2018.

O. Weisse et al., “Foreshadow-NG: Breaking the virtual memory abstraction with transient out-of-order execution,” Technical report, 2018.

Intel® transactional synchronization extensions (intel®tsx) memory and performance monitoring update for intel® processors, https://www.intel.com/content/www/us / en / support / articles / 000059422 / processors . html, Accessed: 28-05-2024, 2023.

R. O. S. Projects, Stress, https://github.com/resurrecting-open-source-projects/stress.

U. of Michigan, Mibench version 1.0, https://vhosts.eecs.umich.edu/mibench/, Accessed: 14-05-2024, 2002.

Embecosm, Mibench, https://github.com/embecosm/mibench.

J. D. McCalpin, Stream: Sustainable memory bandwidth in high performance computers, https://www.cs.virginia.edu/stream/, Accessed: 28-05-2024.

J. H. (jeffhammond), Stream, https://github.com/jeffhammond/STREAM.

Bzip2, https://sourceware.org/bzip2/, Accessed: 28-05-2024.

Parallel bzip2 compression benchmarks — openbenchmarking.org, https://openbenchmarking.org/test/pts/compress-pbzip2, Accessed: 28-05-2024.

Ffmpeg, https://ffmpeg.org/, Accessed: 28-05-2024.

Big buck bunny, https://peach.blender.org/, Accessed: 28-05-2024.

Benchmark: Big buck bunny trailer, https://dcpomatic.com/benchmarks/input.php?id=2, Accessed: 28-05-2024.

Ffmpeg rabbit benchmarks — openbenchmarking.org, https://openbenchmarking.org/result/2311122 - NE - FFMPEGRAB69, Accessed: 28-05-2024.

x264 r, https://www.spec.org/cpu2017/Docs/benchmarks/525.x264r.html, Accessed: 28-05-2024.

P. M. Lerman, “Fitting segmented regression models by grid search,” Journal of the Royal Statistical Society Series C: Applied Statistics, vol. 29, no. 1, pp. 77–84, Dec. 2018. DOI: 10 . 2307 / 2346413. eprint: https://academic.oup.com/jrsssc/article-pdf/29/1/77/48620247/jrsssc 29 1 77.pdf. [Online]. Available: https://doi.org/10.2307/2346413. DOI: https://doi.org/10.2307/2346413

Gridsearch documentation, https://scikit-earn.org/stable/modules/generated/sklearn.modelselection.GridSearchCV.html#sklearn.modelselection.GridSearchCV, Accessed: 13-05-2025.

Re: Amd zen2 l3missesevent, https://www.spinics.net/lists/linux-perf-users/msg17608.html, Accessed:14-07-2024.

Downloads

Published

2025-09-02

How to Cite

Andreu, D., Otero, B., & Canal, R. (2025). Multi Hardware-Attack Dataset and ML-based Detection Using Processor Stress Patterns on x86. WiPiEC Journal - Works in Progress in Embedded Computing Journal, 11(1), 7. https://doi.org/10.64552/wipiec.v11i1.94

Issue

Vol. 11 No. 1 (2025): WiPiEC Journal — Special Issue

Section

Regular Paper

License

Copyright (c) 2025 David Andreu, Beatriz Otero, Ramon Canal

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.

License Terms: 

Except where otherwise noted, content on this website is lincesed under a  Creative Commons Attribution Non-Commercial License (CC BY NC) 

Use, distribution and reproduction in any medium, provided the original work is properly cited and is not used for commercial purposes, is permitted.

Copyright to any article published by WiPiEC retained by the author(s). Authors grant WiPiEC Journal a license to publish the article and identify itself as the original publisher. Authors also grant any third party the right to use the article freely as long as it is not used for commercial purposes and its original authors, citation details, and publisher are identified, in accordance with CC BY NC license. Fore more information on license terms, click here