Methods and Systems for Side Channel Analysis Detection and Protection

US 20150373036A1
Filed: 06/24/2014
Published: 12/24/2015
Est. Priority Date: 06/24/2014
Status: Active Grant

First Claim

Patent Images

1. A method of detecting side channel attacks in a computing device, comprising:

monitoring an activity of the computing device;

generating a behavior vector based on the monitored activity; and

applying the generated behavior vector to a classifier model to determine whether a side channel attack is underway.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computing device may use machine learning techniques to determine whether a side channel attack is underway and perform obfuscation operations (e.g., operations to raise the noise floor) or other similar operations to stop or prevent a detected side channel attack. The computing device may determine that a side channel attack is underway in response to determining that the computing device is in airplane mode, that the battery of the computing device the battery has been replaced with a stable DC power supply, that the touch-screen display of the computing device has been disconnected, that there are continuous calls to a cipher application programming interface (API) using the same cipher key, that there has been tampering with a behavioral analysis engine of the computing device, or any combination thereof.

Citations

28 Claims

1. A method of detecting side channel attacks in a computing device, comprising:
- monitoring an activity of the computing device;
  
  generating a behavior vector based on the monitored activity; and
  
  applying the generated behavior vector to a classifier model to determine whether a side channel attack is underway.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein applying the generated behavior vector to the classifier model to determine whether a side channel attack is underway comprises applying the generated behavior vector to the classifier model to determine two or more of:
    - whether the computing device is in airplane mode;
      
      whether a battery of the computing device the battery has been replaced with a stable DC power supply;
      
      whether a touch-screen display of the computing device has been disconnected;
      
      whether there are continuous calls to a cipher application programming interface (API); and
      
      whether there has been tampering with a behavioral analysis engine of the computing device.
  - 3. The method of claim 2, further comprising:
    - performing an obfuscation operation in response to determining that the monitored activity is associated with the side channel attack.
  - 4. The method of claim 2, further comprising:
    - terminating the monitored activity in response to determining that the monitored activity is associated with the side channel attack.
  - 5. The method of claim 2, wherein monitoring the activity of the computing device comprises:
    - determining a feature that is to be observed in the computing device in order to identify the side channel attack; and
      
      monitoring the determined feature by collecting behavior information from a hardware component associated with the determined feature.
  - 6. The method of claim 5, wherein collecting the behavior information from the hardware component associated with the feature comprises collecting information from a log of API calls that stores API call information for use of the hardware component by software applications of the computing device.
  - 7. The method of claim 2, wherein applying the generated behavior vector to the classifier model to determine whether the side channel attack is underway further comprises:
    - applying machine learning techniques to generate a first family of classifier models that describe a cloud corpus of behavior vectors;
      
      determining which factors in the first family of classifier models have a high probability of enabling the computing device to conclusively determine whether a behavior is indicative of a side channel attack;
      
      generating a second family of classifier models that identify fewer factors and data points as being relevant for enabling the computing device to determine whether the behavior is indicative of a side channel attack; and
      
      generating the classifier model based on the second family of classifier models.

8. A computing device, comprising:
- means for monitoring an activity of the computing device;
  
  means for generating a behavior vector based on the monitored activity; and
  
  means for applying the generated behavior vector to a classifier model to determine whether a side channel attack is underway.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computing device of claim 8, wherein means for applying the generated behavior vector to the classifier model to determine whether a side channel attack is underway comprises means for applying the generated behavior vector to the classifier model to determine two or more of:
    - whether the computing device is in airplane mode;
      
      whether a battery of the computing device the battery has been replaced with a stable DC power supply;
      
      whether a touch-screen display of the computing device has been disconnected;
      
      whether there are continuous calls to a cipher application programming interface (API); and
      
      whether there has been tampering with a behavioral analysis engine of the computing device.
  - 10. The computing device of claim 9, further comprising:
    - means for performing an obfuscation operation in response to determining that the monitored activity is associated with the side channel attack.
  - 11. The computing device of claim 9, further comprising:
    - means for terminating the monitored activity in response to determining that the monitored activity is associated with the side channel attack.
  - 12. The computing device of claim 9, wherein means for monitoring the activity of the computing device comprises:
    - means for determining a feature that is to be observed in the computing device in order to identify the side channel attack; and
      
      means for monitoring the determined feature by collecting behavior information from a hardware component associated with the determined feature.
  - 13. The computing device of claim 12, wherein means for collecting behavior information from the hardware component associated with the feature comprises means for collecting information from a log of API calls that stores API call information for use of the hardware component by software applications of the computing device.
  - 14. The computing device of claim 9, wherein means for applying the generated behavior vector to the classifier model to determine whether the side channel attack is underway comprises:
    - means for applying machine learning techniques to generate a first family of classifier models that describe a cloud corpus of behavior vectors;
      
      means for determining which factors in the first family of classifier models have a high probability of enabling the computing device to conclusively determine whether a behavior is indicative of a side channel attack;
      
      means for generating a second family of classifier models that identify fewer factors and data points as being relevant for enabling the computing device to determine whether the behavior is indicative of a side channel attack; and
      
      means for generating the classifier model based on the second family of classifier models.

15. A computing device, comprising:
- a processor configured with processor-executable instructions to perform operations further comprising;
  
  monitoring an activity of the computing device;
  
  generating a behavior vector based on the monitored activity; and
  
  applying the generated behavior vector to a classifier model to determine whether a side channel attack is underway.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computing device of claim 15, wherein the processor is configured with processor-executable instructions to perform operations such that applying the generated behavior vector to the classifier model to determine whether a side channel attack is underway comprises applying the generated behavior vector to the classifier model to determine two or more of:
    - whether the computing device is in airplane mode;
      
      whether a battery of the computing device the battery has been replaced with a stable DC power supply;
      
      whether a touch-screen display of the computing device has been disconnected;
      
      whether there are continuous calls to a cipher application programming interface (API); and
      
      whether there has been tampering with a behavioral analysis engine of the computing device.
  - 17. The computing device of claim 16, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - performing an obfuscation operation in response to determining that the monitored activity is associated with the side channel attack.
  - 18. The computing device of claim 16, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - terminating the monitored activity in response to determining that the monitored activity is associated with the side channel attack.
  - 19. The computing device of claim 16, wherein the processor is configured with processor-executable instructions to perform operations such that monitoring the activity of the computing device comprises:
    - determining a feature that is to be observed in the computing device in order to identify the side channel attack; and
      
      monitoring the determined feature by collecting behavior information from a hardware component associated with the determined feature.
  - 20. The computing device of claim 19, wherein the processor is configured with processor-executable instructions to perform operations such that collecting the behavior information from the hardware component associated with the feature comprises collecting information from a log of API calls that stores API call information for use of the hardware component by software applications of the computing device.
  - 21. The computing device of claim 16, wherein the processor is configured with processor-executable instructions to perform operations such that applying the generated behavior vector to the classifier model to determine whether the side channel attack is underway further comprises:
    - applying machine learning techniques to generate a first family of classifier models that describe a cloud corpus of behavior vectors;
      
      determining which factors in the first family of classifier models have a high probability of enabling the computing device to conclusively determine whether a behavior is indicative of a side channel attack;
      
      generating a second family of classifier models that identify fewer factors and data points as being relevant for enabling the computing device to determine whether the behavior is indicative of a side channel attack; and
      
      generating the classifier model based on the second family of classifier models.

22. A non-transitory computer readable storage medium having stored thereon processor-executable software instructions configured to cause a processor of a computing device to perform operations for detecting side channel attacks, the operations comprising:
- monitoring an activity of the computing device;
  
  generating a behavior vector based on the monitored activity; and
  
  applying the generated behavior vector to a classifier model to determine whether a side channel attack is underway.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The non-transitory computer readable storage medium of claim 22, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations such that applying the generated behavior vector to the classifier model to determine whether a side channel attack is underway comprises applying the generated behavior vector to the classifier model to determine two or more of:
    - whether the computing device is in airplane mode;
      
      whether a battery of the computing device the battery has been replaced with a stable DC power supply;
      
      whether a touch-screen display of the computing device has been disconnected;
      
      whether there are continuous calls to a cipher application programming interface (API); and
      
      whether there has been tampering with a behavioral analysis engine of the computing device.
  - 24. The non-transitory computer readable storage medium of claim 23, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations further comprising:
    - performing an obfuscation operation in response to determining that the monitored activity is associated with the side channel attack.
  - 25. The non-transitory computer readable storage medium of claim 23, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations further comprising:
    - terminating the monitored activity in response to determining that the monitored activity is associated with the side channel attack.
  - 26. The non-transitory computer readable storage medium of claim 23, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations such that monitoring the activity of the computing device comprises:
    - determining a feature that is to be observed in the computing device in order to identify the side channel attack; and
      
      monitoring the determined feature by collecting behavior information from a hardware component associated with the determined feature.
  - 27. The non-transitory computer readable storage medium of claim 26, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations such that collecting the behavior information from the hardware component associated with the feature comprises collecting information from a log of API calls that stores API call information for use of the hardware component by software applications of the computing device.
  - 28. The non-transitory computer readable storage medium of claim 23, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations such that applying the generated behavior vector to the classifier model to determine whether the side channel attack is underway further comprises:
    - applying machine learning techniques to generate a first family of classifier models that describe a cloud corpus of behavior vectors;
      
      determining which factors in the first family of classifier models have a high probability of enabling the computing device to conclusively determine whether a behavior is indicative of a side channel attack;
      
      generating a second family of classifier models that identify fewer factors and data points as being relevant for enabling the computing device to determine whether the behavior is indicative of a side channel attack; and
      
      generating the classifier model based on the second family of classifier models.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Patne, Satyajit Prabhakar, Gupta, Rajarshi, Xiao, Lu

Granted Patent

US 9,774,614 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/556   involving covert channels, ...

G06F 21/755   with measures against power...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1466   Active attacks involving in...

Methods and Systems for Side Channel Analysis Detection and Protection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and Systems for Side Channel Analysis Detection and Protection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links