A Two-Stage Out-Of-Box Method for Detecting Side-Channel Attacks in Cloud Computing

Abstract

In this paper, we proposed a two-stage out-of-box method for detecting side-channel attacks in cloud computing. The method detects side-channel attacks from outside of the virtual machine, utilizing hardware support of performance events and hypervisor's ability to introspect the virtual machine, which is robust and stealthy to attackers. By utilizing information of hardware performance counters to train a classification model, we can quickly locate the suspicious attacking virtual machine with 96.7% of precision and 95% of recall rate. By adjusting the sampling duration and interval, we can get a F1-score of 98.9%. By utilizing virtual machine introspection method to extract syscall information of suspicious virtual machine, we can precisely locate the suspicious process. Experiments demonstrate our method's effectiveness in detecting cache side-channel attacks.