US10860714B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10860714-B2 |
| Application number | US-201816022976-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 29, 2018 |
| Priority date | Jun 29, 2018 |
| Publication date | Dec 8, 2020 |
| Grant date | Dec 8, 2020 |
Abstract
Technologies for cache side channel attack detection and mitigation include an analytics server and one or more monitored computing devices. The analytics server polls each computing device for analytics counter data. The computing device generates the analytics counter data using a resource manager of a processor of the computing device. The analytics counter data may include last-level cache data or memory bandwidth data. The analytics server identifies suspicious core activity based on the analytics counter data and, if identified, deploys a detection process to the computing device. The computing device executes the detection process to identify suspicious application activity. If identified, the computing device may perform one or more corrective actions. Corrective actions include limiting resource usage by a suspicious process using the resource manager of the processor. The resource manager may limit cache occupancy or memory bandwidth used by the suspicious process. Other embodiments are described and claimed.
Claims (preview; the claim text on this page is truncated)

The invention claimed is:

1. A computing device for exploit detection and correction, the computing device comprising: a hardware processor; and one or more memory devices having stored therein a plurality of instructions that, when executed by the hardware processor, cause the computing device to establish: a core activity monitor to (i) receive activity data from a remote monitored computing device and (ii) determine whether suspicious core activity exists based on the activity data, wherein the suspicious core activity is indicative of a cache side channel attack; an application activity monitor to (i) cause execution of a detection process by the remote monitored computing device in response to a determination that suspicious core activity exists, wherein the detection process is based on one or more performance counters local to the monitored computing device, and (ii) determine whether a suspicious application exists in response to a causing of execution of the detection process, wherein the suspicious application is indicative of the cache side channel attack; and a corrective action manager to cause the monitored computing device to perform a corrective action in response to a determination that the suspicious application exists.
2. The computing device of claim 1, wherein: the core activity monitor is further to poll the monitored computing device for the activity data, wherein to poll the monitored computing device comprises to wait a predetermined monitoring interval; wherein to receive the activity data comprises to receive the activity data in response to polling of the monitored computing device.
3. The computing device of claim 1, wherein: the application activity monitor is further to determine whether the suspicious application is included in a predetermined list of allowed applications in response to the determination that the suspicious application exists; wherein to cause the monitored computing device to perform the corrective action further comprises to cause the monitored computing device to perform the corrective action in response to a determination that the suspicious application is not included in the predetermined list of allowed applications.
4. The computing device of claim 1, wherein: to receive the activity data comprises to receive last-level cache data from a resource manager of the monitored computing device; and to determine whether the suspicious core activity exists comprises to compare cache misses of the activity data to a predetermined cache miss threshold.
5. The computing device of claim 1, wherein: to receive the activity data comprises to receive memory bandwidth data from a resource manager of the monitored computing device; and to determine whether the suspicious core activity exists comprises to compare memory bandwidth usage of the activity data to a predetermined memory bandwidth threshold.
6. The computing device of claim 1, wherein: to receive the activity data comprises to receive first activity data for one or more primary applications of the monitored computing device from a resource manager of the monitored computing device and to receive second activity data for the monitored computing device from the resource manager of the monitored computing device; and to determine whether the suspicious core activity exists comprises to compare the first activity data to the second activity data.
7. One or more non-transitory, computer-readable storage media comprising a plurality of instructions stored thereon that, in response to being executed, cause a computing device to: receive activity data from a remote monitored computing device; determine whether suspicious core activity exists based on the activity data, wherein the suspicious core activity is indicative of a cache side channel attack; cause execution of a detection process by the remote monitored computing device in response to determining that suspicious core activity exists, wherein the detection process is based on one or more performance counters local to the monitored computing device; determine whether a suspicious application exists in response to causing execution of the detection process, wherein the suspicious application is indicative of the cache side channel attack; and cause the monitored computing device to perform a corrective action in response to determining that the suspicious application exists.
8. The one or more non-transitory, computer-readable storage media of claim 7, further comprising a plurality of instructions stored thereon that, in response to being executed, cause the computing device to: poll the monitored computing device for the activity data, wherein polling the monitored computing device comprises waiting a predetermined monitoring interval; wherein to receive the activity data comprises to receive the activity data in response to polling the monitored computing device.
9. The one or more non-transitory, computer-readable storage media of claim 7, wherein: to receive the activity data comprises to receive last-level cache data from a resource manager of the monitored computing device; and to determine whether the suspicious core activity exists comprises to compare cache misses of the activity data to a predetermined cache miss threshold.
10. The one or more non-transitory, computer-readable storage media of claim 7, wherein: to receive the activity data comprises to receive memory bandwidth data from a resource manager of the monitored computing device; and to determine whether the suspicious core activity exists comprises to compare memory bandwidth usage of the activity data to a predetermined memory bandwidth threshold.
11. The one or more non-transitory, computer-readable storage media of claim 7, wherein: to receive the activity data comprises to receive first activity data for one or more primary applications of the monitored computing device from a resource manager of the monitored computing device and to receive second activity data for the monitored computing device from the resource manager of the monitored computing device; and to determine whether the suspicious core activity exists comprises to compare the first activity data to the second activity data.
12. A computing device for exploit detection and correction, the computing device comprising: a hardware processor comprising an uncore and one or more processor cores; and one or more memory devices having stored therein a plurality of instructions that, when executed by the hardware processor, cause the computing device to establish: a core activity monitor to send activity data to an analytics server, wherein the activity data is generated by a resource manager of the uncore of the hardware processor of the computing device; an application activity monitor to (i) determine whether suspicious application activity exists based on performance counter data of the computing device in response to sending of the activity data, wherein the performance counter data is generated by one or more performance counters local to a processor core of the hardware processor of the computing device, and wherein the suspicious application activity is indicative of a cache side channel attack, and (ii) report whether the suspicious application activity exists to the analytics server in response to a determination of whether suspicious application activity exists; and a corrective action manager to perform a corrective action in response to a determination that the suspicious application activity exists.
13. The computing device of claim 12, wherein to determine whether the suspicious application activity exists co
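The abstract and claims 1 through 6 describe a two-tier pipeline: an analytics server polls a monitored device for uncore counter data (last-level cache misses, memory bandwidth), flags suspicious core activity either against fixed thresholds or by comparing primary-application activity with device-wide activity, then has the device run a core-local detection process, checks an allowlist, and finally has the processor's resource manager cap the suspect's cache occupancy or bandwidth. The following Python model of that pipeline is an added example, not code from the patent or its assignee. The threshold values, the application names, the "share of LLC misses" heuristic used by the detection process, and the `ResourceManager` stand-in for a hardware resource manager are all constructed assumptions; a real deployment would read the counters from the platform and apply the caps through the processor's cache-allocation and bandwidth-control facilities.

```python
"""Two-tier cache side channel detection and mitigation, modelled on the
abstract and claims 1-6 of US10860714B2. Added example; all counters,
thresholds and names are constructed placeholders."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ActivitySample:
    """One polling interval of uncore-level counter data (constructed)."""
    llc_misses: int            # last-level cache misses in the interval
    mem_bandwidth_mbps: float  # memory bandwidth observed in the interval


@dataclass
class ProcessCounters:
    """Core-local performance counters attributed to one process (constructed)."""
    pid: int
    name: str
    llc_misses: int


class ResourceManager:
    """Stand-in for the processor resource manager: records per-process caps
    instead of programming cache-allocation / bandwidth-control hardware."""

    def __init__(self) -> None:
        self.cache_ways: Dict[int, int] = {}
        self.bandwidth_mbps: Dict[int, float] = {}

    def limit(self, pid: int, cache_ways: int, bandwidth_mbps: float) -> None:
        self.cache_ways[pid] = cache_ways
        self.bandwidth_mbps[pid] = bandwidth_mbps


# Tier-1 parameters (assumed values, tuned per platform in practice).
LLC_MISS_THRESHOLD = 5_000_000       # claim 4: cache miss threshold per interval
MEM_BW_THRESHOLD_MBPS = 8_000.0      # claim 5: memory bandwidth threshold
UNEXPLAINED_FRACTION = 0.5           # claim 6: device activity not owed to primary apps
ALLOWED_APPLICATIONS = {"db-server", "backup-agent"}   # claim 3 allowlist (constructed)


def suspicious_core_activity(device: ActivitySample, primary: ActivitySample) -> List[str]:
    """Tier 1 (analytics server): returns the reasons the interval looks suspicious."""
    reasons: List[str] = []
    if device.llc_misses > LLC_MISS_THRESHOLD:
        reasons.append("llc_misses above threshold")
    if device.mem_bandwidth_mbps > MEM_BW_THRESHOLD_MBPS:
        reasons.append("memory bandwidth above threshold")
    # Claim 6: compare primary-application activity with device-wide activity.
    # A large share of misses that no primary application accounts for is the
    # signature of an unexpected cache-heavy process.
    if device.llc_misses > 0:
        unexplained = (device.llc_misses - primary.llc_misses) / device.llc_misses
        if unexplained > UNEXPLAINED_FRACTION:
            reasons.append("most LLC misses not attributable to primary applications")
    return reasons


def detection_process(procs: List[ProcessCounters], share_threshold: float = 0.6) -> Optional[ProcessCounters]:
    """Tier 2 (on the device): assumed heuristic that names the process responsible
    for a dominant share of the core-local LLC-miss counters, or None."""
    total = sum(p.llc_misses for p in procs)
    if total == 0:
        return None
    top = max(procs, key=lambda p: p.llc_misses)
    return top if top.llc_misses / total >= share_threshold else None


def analytics_cycle(device: ActivitySample, primary: ActivitySample,
                    procs: List[ProcessCounters], rm: ResourceManager) -> dict:
    """One polling interval end to end: tier 1, then tier 2, then corrective action."""
    result = {"core_reasons": [], "suspect": None, "action": None}
    result["core_reasons"] = suspicious_core_activity(device, primary)
    if not result["core_reasons"]:
        return result                       # nothing deployed, no cost on the device
    suspect = detection_process(procs)      # only now is the detection process run
    if suspect is None:
        return result
    result["suspect"] = suspect.name
    if suspect.name in ALLOWED_APPLICATIONS:
        result["action"] = "allowlisted"    # claim 3: known cache-heavy application
        return result
    # Corrective action: throttle rather than kill, limiting the damage a
    # false positive can do while starving a real prime+probe style loop.
    rm.limit(suspect.pid, cache_ways=2, bandwidth_mbps=500.0)
    result["action"] = "limited"
    return result


# Constructed sample interval: device-wide misses far exceed what the primary
# applications account for, and one unknown process owns most of them.
SAMPLE_DEVICE = ActivitySample(llc_misses=9_000_000, mem_bandwidth_mbps=3_000.0)
SAMPLE_PRIMARY = ActivitySample(llc_misses=1_500_000, mem_bandwidth_mbps=2_000.0)
SAMPLE_PROCS = [
    ProcessCounters(101, "db-server", 1_200_000),
    ProcessCounters(202, "webapp", 300_000),
    ProcessCounters(303, "unknown-worker", 7_500_000),
]

if __name__ == "__main__":
    manager = ResourceManager()
    print(analytics_cycle(SAMPLE_DEVICE, SAMPLE_PRIMARY, SAMPLE_PROCS, manager))
    print("caps:", manager.cache_ways, manager.bandwidth_mbps)
```

The ordering matters for cost: the uncore counters are cheap to poll centrally, so the per-core detection process (which perturbs the monitored cores and reads more counters) is only launched once tier 1 fires, and a process on the allowlist never reaches the resource manager.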
CPC classifications:

- Covert channels, i.e. data leakage between processes (inhibiting the analysis of circuitry or operation with measures against power attack G06F21/755)
- Assessing vulnerabilities and evaluating computer system security
- Event detection and direct action
- Using dedicated hardware
- Eliminating virus, restoring damaged files