United States. Malicious actors can use machine learning to launch powerful attacks that steal information in ways that are difficult to prevent and often even harder to study.
Attackers can capture data that is "leaked" between software programs running on the same computer. They then use machine learning algorithms to decode those signals, allowing them to get passwords or other private information. These are called "side channel attacks" because information is acquired through a channel that is not intended for communication.
MIT researchers have shown that side-channel attacks assisted by machine learning are extremely robust and poorly understood. The use of machine learning algorithms, which are often impossible to fully understand due to their complexity, is a particular challenge. In a new paper, the team studied a documented attack that was thought to work by capturing leaked signals when a computer accesses memory. They found that the mechanisms behind this attack were misidentified, which would prevent researchers from crafting effective defenses.
To study the attack, they removed all access to memory and noticed that the attack became even more powerful. They then looked for sources of information leakage and found that the attack actually monitors events that disrupt other processes on a computer. They show that an adversary can use this machine learning-assisted attack to exploit a security flaw and determine the website a user is browsing with near-perfect accuracy.
With this knowledge in hand, they developed two strategies that can thwart this attack.
"The focus of this work is really on the analysis to find the root cause of the problem. As researchers, we should really try to dig deeper and do more analysis work, rather than blindly using black box machine learning tactics to demonstrate one attack after another. The lesson we learned is that these machine learning-assisted attacks can be extremely deceptive," says lead author Mengjia Yan, Homer A. Burnell Career Development Assistant Professor of Electrical Engineering and Computer Science (EECS) and a member of the Computer Science and Artificial Intelligence Laboratory (CSAIL).
A side channel surprise
Cook launched the project while taking Yan's advanced seminar course. For a class assignment, he tried to replicate a machine learning-assisted side-channel attack from literature. Previous work had concluded that this attack counts how many times the computer accesses memory while loading a website and then uses machine learning to identify the website. This is known as a website fingerprint attack.
It showed that the previous work relied on flawed analysis based on machine learning to incorrectly identify the source of the attack. Machine learning can't prove causation in these types of attacks, Cook says.
"All I did was remove memory access and the attack worked just as well, or even better. So, I wondered, what really opens the side channel?" he says.
This led to a research project in which Cook and his collaborators embarked on a careful analysis of the attack. They designed an almost identical attack, but without access to memory, and studied it in detail.
They found that the attack actually records a computer's timer values at fixed intervals and uses that information to infer which website is being accessed. Essentially, the attack measures how busy the computer is over time.
A fluctuation in the value of the timer means that the computer is processing a different amount of information in that interval. This is due to system outages. A system outage occurs when computer processes are interrupted by requests for hardware devices; the computer should pause what it is doing to handle the new request.
When a website is loading, it sends instructions to a web browser to run scripts, render graphics, load videos, etc. Each of these can trigger many system outages.
An attacker monitoring the timer can use machine learning to infer high-level information from these system outages to determine which website a user is visiting. This is possible because the disruption activity generated by a website, such as CNN.com, is very similar every time it loads, but very different from other websites, such as Wikipedia.com, Cook explains.
"One of the really scary things about this attack is that we wrote it in JavaScript, so you don't need to download or install any code. All you have to do is open a website. Someone could embed this on a website and then theoretically could spy on other activities on your computer," he says.
The attack is extremely successful. For example, when a computer runs Chrome on the macOS operating system, the attack was able to identify websites with 94 percent accuracy. All of the commercial browsers and operating systems they tested resulted in an attack with more than 91 percent accuracy.
There are many factors that can affect a computer's timer, so determining what led to an attack so accurately was like finding a needle in a haystack, Cook says. They ran many controlled experiments, removing one variable at a time, until they realized that the signal must have come from system outages, which often cannot be processed separately from the attacker's code.
Defend yourself
Once the researchers understood the attack, they devised security strategies to prevent it.
First, they created a browser extension that generates frequent outages, such as pinging random websites to create bursts of activity. The added noise makes it much more difficult for the attacker to decode the signals. This reduced the accuracy of the attack from 96% to 62%, but reduced the performance of the computer.
For their second countermeasure, they modified the timer to return values that are close, but not the actual time. This makes it much harder for an attacker to measure computer activity over an interval, Cook explains. This mitigation reduced attack accuracy from 96% to just 1%.
"I was amazed at how mitigation as small as adding randomness to the timer could be so effective. This mitigation strategy could really be put into practice today. It doesn't affect the way you use most websites," he says.
From this work, the researchers plan to develop a systematic analysis framework for machine learning-assisted side-channel attacks. This could help researchers get to the root cause of more attacks, Yan says. They also want to see how they can use machine learning to uncover other types of vulnerabilities.
"This paper presents a new outage-based side-channel attack and demonstrates that it can be used effectively for website fingerprint attacks, whereas previously it was believed that such attacks were possible due to cache side channels," says Yanjing Li, an assistant professor in the Department of Computer Science at the University of Chicago. who was not involved in this research. "I liked this paper immediately after reading it for the first time, not only because the new attack is interesting and successfully challenges existing notions, but also because it points to a key limitation of ML-assisted side-channel attacks: blindly relying on machine learning. models without careful analysis cannot provide any understanding of the actual causes/sources of an attack, and can even be misleading. This is very insightful and I think it will inspire a lot of future work in this direction."
This research was funded, in part, by the National Science Foundation, the Air Force Office of Scientific Research, and the MIT-IBM Watson AI Laboratory.
