MAD-EN: Microarchitectural Attack Detection Through System-Wide Energy Consumption

Microarchitectural attacks have become increasingly threatening the society with diverse set of attacks such as Spectre and Meltdown. Vendor patches cannot keep up with the pace of the new threats, which makes the dynamic anomaly detection tools more evident than before. Unfortunately, hardware performance counters (HPCs) utilized in previous works can detect a few microarchitectural attacks due to the small number of counters that can be profiled concurrently while introducing high performance overhead. These challenges consequently yield to inefficient detection tools in real-world security-critical systems. In this study, we introduce MAD-EN dynamic detection tool that leverages system-wide energy consumption traces collected from a generic Intel RAPL tool to detect ongoing anomalies in two different microarchitectures, namely Intel Comet Lake and Intel Tiger Lake. In the first phase of MAD-EN, we can distinguish 16 variants from 11 different micro-architectural attacks from benign applications by utilizing a binary-class CNN-based model with an F1 score of 0.998, which makes our tool the most generic attack detection tool so far. In the second phase, MAD-EN can recognize the respective attack types with a 95% accuracy by utilizing a multi-class CNN-based classification technique after the anomaly is detected. We demonstrate that MAD-EN introduces 69.3% less performance overhead compared to performance counter-based detection mechanisms, allowing more feasible real-time detection tool for generic purpose systems.