Deep Learning-Based Detection for Multiple Cache Side-Channel Attacks

A cache side-channel attack retrieves victim's sensitive information from a system by exploiting shared cache of CPUs. Since conventional cache side-channel attacks such as FLUSH+RELOAD and PRIME+PROBE are likely to incur numerous cache events, such as cache hits and misses, many previous strategies have focused on monitoring cache events for attack detection. However, as recently proposed attacks such as PRIME+ABORT have exploited the other events as side-channels, it has become challenging to detect them by monitoring only cache events. In this paper, we investigate PRIME+ABORT attack and identifies Intel TSX hardware events are tightly coupled with it as well as cache events. Based on our finding, we propose a novel deep learning-based cache side-channel attack detection method called FRIME. It can concurrently detect not only the conventional attacks such as FLUSH+RELOAD, PRIME+PROBE, but also PRIME+ABORT by leveraging both event types. In order to demonstrate the efficacy of our cache side-channel attack detection scheme in diverse workload conditions in the real world, we implement it using MLP, RNN, and LSTM deep learning models, demonstrating LSTM-based method outperforms the other implementations in terms of detection accuracy.