DOI: 10.1145/3600160.3605034
research-article

Program Characterization for Software Exploitation Detection

Published: 29 August 2023

Abstract

Software exploitation is an ever-growing problem. Signature-based exploitation detection techniques have not been effective, because malicious actors continuously develop circumvention techniques. Current ML-based (signature-less) exploitation detection research is limited in both quantity and use cases. Key to the success of any ML model are the characteristics used to depict program behaviour (i.e., the features). Current work on using ML for software exploitation detection focuses on novel ML algorithms while neglecting program characterization and under-reporting the approach to data preparation. There are two main competing program characterization techniques: micro-architecture independent (MAI) characterization, which describes a program by properties such as its instruction mix and memory access patterns, and micro-architecture dependent (MAD) characterization, which relies on measurements such as hardware performance counters. This study evaluates MAI program characterization techniques for use with ML-based exploitation detection. A publicly available set of runtime traces of 11 Windows applications under buffer-overflow exploitation is used to replicate the feature engineering found in research that uses MAI for ML-based exploitation detection. Performance and feature importance are evaluated with two different ensemble ML models (Random Forests and XGBoost). The results demonstrate that, although a 0% false-positive rate (FPR) is achieved on all datasets, recall depends strongly on feature granularity: MAI features that are purely fine-grained in nature achieve a maximum recall of 100% but an average recall of only 40%, whereas feature sets with a higher ratio of coarse-grained to fine-grained features achieve a maximum recall of 100% with an average of 62%. The study provides a detailed discussion of feature importance and reveals that the most important features relate to memory traffic characteristics.
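As an added illustration of the kind of feature engineering the abstract describes (this is example code written for this page, not the authors' pipeline, and it does not use the IEEE DataPort traces), the block below extracts MAI-style features from a constructed instruction trace and scores a detector with the two metrics the abstract reports, recall and FPR. The trace format, the split into per-mnemonic "fine-grained" features and category-level "coarse-grained" memory-traffic features, and the threshold rule standing in for the trained ensemble are all assumptions made for the example.

```python
from collections import Counter
from math import log2

CONTROL = {"jmp", "je", "jne", "jz", "jnz", "call", "ret"}

# Constructed sample traces (made-up data, not the paper's dataset).
# One instruction per line: "<ip> <mnemonic> [mem:R|W@<address>]".
BENIGN_TRACE = """\
0x401000 mov mem:R@0x7ffe0010
0x401004 add
0x401007 cmp
0x40100a jne
0x40100c mov mem:W@0x7ffe0100
0x401010 call
0x402000 push mem:W@0x7ffe0ff8
0x402001 mov mem:R@0x7ffe0020
0x402005 ret mem:R@0x7ffe0ff8
0x401015 mov mem:R@0x7ffe0018
0x401019 imul
0x40101c mov mem:W@0x7ffe0108
"""

# A window in which an unchecked copy overwrites a stack buffer: a tight loop
# of byte writes at stride 1, then a ret that pops the overwritten return address.
OVERFLOW_TRACE = """\
0x401100 mov mem:R@0x5000000
0x401103 mov mem:W@0x7ffe0f00
0x401106 inc
0x401108 mov mem:R@0x5000001
0x40110b mov mem:W@0x7ffe0f01
0x40110e inc
0x401110 mov mem:R@0x5000002
0x401113 mov mem:W@0x7ffe0f02
0x401116 inc
0x401118 mov mem:R@0x5000003
0x40111b mov mem:W@0x7ffe0f03
0x40111e inc
0x401120 ret mem:R@0x7ffe0f04
"""


def parse_trace(text):
    """Return (mnemonic, mem_kind, address) triples; mem_kind is 'R', 'W' or None."""
    insns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        kind, addr = None, None
        if len(parts) > 2 and parts[2].startswith("mem:"):
            kind, addr_s = parts[2][4:].split("@")
            addr = int(addr_s, 16)
        insns.append((parts[1], kind, addr))
    return insns


def entropy(values):
    """Shannon entropy (bits) of the empirical distribution of values."""
    n = len(values)
    if n == 0:
        return 0.0
    return -sum(c / n * log2(c / n) for c in Counter(values).values())


def fine_grained_features(insns):
    """Per-mnemonic instruction mix: one fraction per distinct mnemonic."""
    n = len(insns)
    return {f"mix_{m}": c / n for m, c in Counter(i[0] for i in insns).items()}


def coarse_grained_features(insns):
    """Category-level memory-traffic and control-flow features for one window."""
    n = len(insns)
    reads = [a for _, k, a in insns if k == "R"]
    writes = [a for _, k, a in insns if k == "W"]
    write_strides = [b - a for a, b in zip(writes, writes[1:])]
    return {
        "mem_read_ratio": len(reads) / n,
        "mem_write_ratio": len(writes) / n,
        "control_ratio": sum(1 for m, _, _ in insns if m in CONTROL) / n,
        "write_stride_entropy": entropy(write_strides),
    }


def flag_window(features):
    """Hypothetical rule standing in for the trained ensemble: a high share of
    writes at a near-constant stride is the memory-traffic shape of an
    unchecked copy into a buffer."""
    return features["mem_write_ratio"] >= 0.3 and features["write_stride_entropy"] < 0.5


def recall_fpr(y_true, y_pred):
    """Recall = TP/(TP+FN); FPR = FP/(FP+TN), the two metrics in the abstract."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t and p)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t and not p)
    fp = sum(1 for t, p in zip(y_true, y_pred) if not t and p)
    tn = sum(1 for t, p in zip(y_true, y_pred) if not t and not p)
    recall = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return recall, fpr


def evaluate(labelled_traces):
    """Run the rule over (trace_text, is_exploit) pairs and return (recall, fpr)."""
    y_true = [label for _, label in labelled_traces]
    y_pred = [flag_window(coarse_grained_features(parse_trace(t))) for t, _ in labelled_traces]
    return recall_fpr(y_true, y_pred)


if __name__ == "__main__":
    for name, text in (("benign", BENIGN_TRACE), ("overflow", OVERFLOW_TRACE)):
        insns = parse_trace(text)
        print(name, coarse_grained_features(insns), fine_grained_features(insns))
    print("recall, FPR:", evaluate([(BENIGN_TRACE, False), (OVERFLOW_TRACE, True)]))
```

The fine-grained dictionary grows with every mnemonic seen in the trace and changes shape between applications, which is one practical reason a model fed only such features generalizes poorly across programs; the coarse-grained memory-traffic features have a fixed schema and, in this constructed pair of windows, separate the overflow copy loop from ordinary stack traffic on their own.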

Information

Published In

cover image ACM Other conferences
ARES '23: Proceedings of the 18th International Conference on Availability, Reliability and Security
August 2023
1440 pages
ISBN:9798400707728
DOI:10.1145/3600160
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. boosting
  2. buffer overflow
  3. exploitation detection
  4. random forest

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES 2023

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • 0
    Total Citations
  • 24
    Total Downloads
  • Downloads (Last 12 months)8
  • Downloads (Last 6 weeks)1
Reflects downloads up to 23 Jan 2025
