TY - GEN
T1 - MARTINI
T2 - 11th ACM SIGSAC Conference on Cloud Computing Security Workshop, CCSW 2020
AU - Qin, Yujun
AU - Gonzalez, Samuel
AU - Angstadt, Kevin
AU - Wang, Xiaowei
AU - Forrest, Stephanie
AU - Das, Reetuparna
AU - Leach, Kevin
AU - Weimer, Westley
N1 - Funding Information:
This work was funded, in part, by: AFRL (FA8750-19-1-0501); DARPA (FA8750-19C-0003, HR001119S0089-AMP-FP-029, N6600120C4020); the NSF (CCF 1763918, CCF 1763674, CCF 1908633, IOS 2029696); and the Santa Fe Institute.
Publisher Copyright:
© 2020 ACM.
PY - 2020/11/9
Y1 - 2020/11/9
N2 - Hardware architectural vulnerabilities, such as Spectre and Meltdown, are difficult or inefficient to mitigate in software. Although revised hardware designs may address some architectural vulnerabilities going forward, most current remedies increase execution time significantly. Techniques are needed to rapidly and efficiently detect these and other emerging threats. We present an anomaly detector, MARTINI, that analyzes traces of memory accesses in real time to detect attacks. Our experimental evaluation shows that anomalies in these traces are strongly correlated with unauthorized program execution, including architectural side-channel attacks of multiple types. MARTINI consists of a finite automaton that models normal program behavior in terms of memory addresses that are read from, and written to, at runtime. The model uses a compact representation of n-grams, i.e., short sequences of memory accesses, which can be stored and processed efficiently. Once the system is trained on authorized behavior, it rapidly detects a variety of low-level anomalous behaviors and attacks not otherwise easily discernible at the software level. MARTINI's implementation leverages recent advances in in-cache and in-memory automata for computation, and we present a hardware unit that repurposes a small portion of a last-level cache slice to monitor memory addresses. Our detector directly inspects the addresses of memory accesses, using the pre-constructed automaton to identify anomalies with high accuracy, negligible runtime overhead, and trivial increase in CPU chip area. We present analyses of expected hardware properties based on indicative cache and memory hierarchy simulations and empirical evaluations.
KW - automata processing
KW - intrusion detection
KW - side-channel attacks
UR - http://www.scopus.com/inward/record.url?scp=85097445954&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85097445954&partnerID=8YFLogxK
U2 - 10.1145/3411495.3421353
DO - 10.1145/3411495.3421353
M3 - Conference contribution
AN - SCOPUS:85097445954
T3 - CCSW 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Cloud Computing Security Workshop
SP - 77
EP - 90
BT - CCSW 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Cloud Computing Security Workshop
PB - Association for Computing Machinery, Inc
Y2 - 9 November 2020
ER -