Where's Waldo?
- 17 May 2022
- conference paper
- Published by Association for Computing Machinery (ACM) in Proceedings of the 19th ACM International Conference on Computing Frontiers
Abstract
In recent years, multiple techniques have been proposed to defend computing systems against control-oriented attacks, which hijack the control flow of the victim program. Data-only attacks, on the other hand, are a less common and more subtle class of exploit: they corrupt data rather than control flow, and are therefore harder to detect with traditional mitigation techniques that target control-oriented attacks. In this paper we introduce a methodology for detecting data-only attacks by modeling the execution behavior of an application using low-level hardware information (hardware event counts) collected as a time series during execution. One distinctive aspect of the proposed methodology is that it collects hardware counts through a compilation-flag-based approach, eliminating the need for manual code instrumentation. Another is the use of a data compression algorithm as the classifier. Using several representative real-world data-only exploits, our experiments show that such attacks can be detected with high accuracy. We also analyze how to select the hardware events most relevant to detecting the studied data-only attacks, and present a quantitative study of the hardware events' sensitivity to interference.
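Added illustrative example, not code from the paper: the abstract states that hardware event counts are collected as a series and that a data compression algorithm serves as the classifier, but it gives no detail on quantization, windowing or the compressor used. The Python below shows one plausible compression-based anomaly detector of that general kind. Each sample (one pair of hardware counts per sampling interval; the events branch-misses and LLC-load-misses are assumed) is quantized into a byte, the byte stream is cut into fixed windows, and a window's zlib-compressed size is its anomaly score: regular request-handling execution compresses well, while the erratic, order-of-magnitude-larger miss counts produced by a corrupted length field or pointer do not. All traces are constructed inline with a seeded generator; WINDOW, the event pair, the log2 quantization, the attack model and the 1.5x calibration margin are assumptions.

```python
import random
import zlib

WINDOW = 200  # samples per detection window; assumed, not from the paper


def quantize(branch_misses: int, llc_misses: int) -> int:
    """Pack one sample into a byte: log2 bucket of each event count in a nibble.

    Log2 buckets absorb small run-to-run jitter while preserving order-of-
    magnitude changes, which is what a corrupted length or pointer produces.
    """
    hi = min(15, branch_misses.bit_length())
    lo = min(15, llc_misses.bit_length())
    return (hi << 4) | lo


def encode_series(samples):
    """samples: iterable of (branch_misses, llc_misses) per sampling interval."""
    return bytes(quantize(b, l) for b, l in samples)


def window_scores(samples):
    """Anomaly score per non-overlapping window = its zlib-compressed size."""
    data = encode_series(samples)
    return [len(zlib.compress(data[i:i + WINDOW], 9))
            for i in range(0, len(data) - WINDOW + 1, WINDOW)]


def calibrate(benign_traces, margin=1.5):
    """Threshold = worst benign window score seen in training, times a margin."""
    return max(s for t in benign_traces for s in window_scores(t)) * margin


def detect(samples, threshold):
    """Indices of windows whose score exceeds the threshold."""
    return [i for i, s in enumerate(window_scores(samples)) if s > threshold]


# --- constructed traces (synthetic, not real measurements) ------------------

def benign_trace(seed, n_requests=400):
    """Synthetic server loop: 1 parse sample, 3-4 lookup samples, 2 respond samples.

    Count ranges are chosen to stay inside one log2 bucket, so the only
    variability left after quantization is the lookup phase length.
    """
    rng = random.Random(seed)
    out = []
    for _ in range(n_requests):
        out.append((rng.randint(32, 63), rng.randint(4, 7)))                   # parse
        for _ in range(rng.choice((3, 4))):
            out.append((rng.randint(8, 15), rng.randint(64, 127)))             # lookup
        out.extend((rng.randint(16, 31), rng.randint(2, 3)) for _ in range(2))  # respond
    return out


def attack_trace(seed, start=600, length=400):
    """Same loop, but samples [start, start+length) model a data-only attack
    (assumed: a corrupted length field driving a walk over unrelated memory),
    so branch and cache misses jump by orders of magnitude and lose regularity.
    """
    rng = random.Random(seed + 1000)
    trace = benign_trace(seed)
    corrupt = [(rng.randint(64, 4095), rng.randint(256, 32767)) for _ in range(length)]
    return trace[:start] + corrupt + trace[start + length:]


if __name__ == "__main__":
    threshold = calibrate([benign_trace(s) for s in (1, 2, 3)])
    print("threshold:", threshold)
    print("benign windows flagged:", detect(benign_trace(7), threshold))
    print("attack windows flagged:", detect(attack_trace(11), threshold))
```

With the defaults the corrupted region covers exactly windows 3 and 4, and only those are flagged; a fresh benign trace produces no alerts. Calibrating the threshold on benign windows is the step that absorbs the interference the abstract mentions: the margin must be re-derived whenever the workload or the co-scheduled load changes, otherwise benign drift in the chosen events is reported as an attack.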