Spec-LAMP: Robust Spectre Attack Detection Under Web-Based LLM Workload via L1D Miss Pending Event

As Large Language Models (LLMs) become increasingly integrated into web environments, they introduce complex microarchitectural noise that challenges existing hardware security mechanisms. This paper investigates the impact of concurrent web-based LLM workloads on the detection accuracy of Spectre attacks. Firstly, we constructed a representative dataset by executing multiple web-accessible LLMs (e.g., DeepSeek, Kimi, Doubao and Qwen) alongside Spectre attacks, capturing the specific interference patterns introduced by these AI workloads. Experimental analysis reveals that traditional Hardware Performance Counter (HPC)-based detectors, relying primarily on branch prediction and Last-Level Cache (LLC) events, suffer significant accuracy degradation due to the masking effects of LLM-induced noise. To address this limitation, we then propose a novel Spectre attack detector Spec-LAMP via augmenting conventional HPC feature sets with the L1D Miss Pending event. This new metric specifically captures unresolved speculative memory dependencies, a distinctive characteristic of Spectre attacks that remains discernible even under web-accessible LLM interference. Comparative statistical analysis demonstrates that incorporating this event significantly enhances the separability between malicious and benign executions. Finally, experimental results show that our proposed feature augmentation effectively restores detection performance, increasing average accuracy from 85.15% to 98.43% and demonstrating superior robustness compared to traditional approaches in realistic web-based LLM scenarios.