Horus: An Effective and Reliable Framework for Code-Reuse Exploits Detection in Data Stream

Yang, Gang; Liu, Xingtong; Tang, Chaojing

doi:10.3390/electronics11203363

Cited by 2 publications

(3 citation statements)

References 40 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This review of the existing literature on the use of ML for exploitation detection focuses on papers that use runtime traces from processors as signals. Research that uses network traffic, such as [18], [19], [20], [26] static file analysis, [21], [22], [23] is excluded from the scope of this literature review. Furthermore, research on the use of heuristic-based techniques is also excluded.…”

Section: Related Workmentioning

confidence: 99%

“…Machine Learning (ML)-based exploitation detection research is limited in terms of quantity and content. To the best of our knowledge, we were able to find only 14 papers [13], [14], [15], [16], [17], [18], [19], [20], [21], [22], [23], [24], [25], [26] that discussed the use of ML for exploitation detection. None of the 14 papers publicly presented their datasets.…”

Section: Introductionmentioning

confidence: 99%

“…None of the 14 papers publicly presented their datasets. These research papers were segmented into seven that relied on runtime traces [13], [14], [15], [16], [17], [24], [25], four that relied on network traces, [18], [19], [20], [26] and three that relied on static analysis of the application under test (AUT) (i.e., vulnerable program) [21], [22], [23]. Of the 14 papers, 13 did not discuss feature importance and only one paper discussed feature importance by providing a single table with the Fisher score of each feature [16].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Use of Ensemble Learning to Detect Buffer Overflow Exploitation

2023

View full text Add to dashboard Cite

Software exploitation detection remains unresolved problem. Software exploits that target known and unknown vulnerabilities are constantly used in attacks. Signature-based detection techniques are limited to known exploits and susceptible to circumvention. Current research on the use of Machine Learning (ML) for software exploitation detection is limited in quantity and use cases. Existing research lacks the use of public datasets, discussions of feature importance, and elaboration of parameters that affect data preparation and subsequently model performance. This paper presents ML models based on different ensemble algorithms to detect software exploitation using runtime traces. We focus on buffer overflow vulnerabilities in user-space applications within Windows Operating Systems (OS), given the prevalence of the type of vulnerability and the OS. We utilized a publicly available raw dataset of 11 Windows applications under exploitation. Multiple distinct models (based on Random Forest and XGBoost) are created and tested. Testing was performed several times using various aggregation parameters and different testing applications.Our results demonstrate that we can achieve up to 100% recall with 0% false positive rate. We report on the different parameters that must be addressed to curate runtime traces and demonstrate their impact on the performance of the ML models. We demonstrate that the proper training of models on a subset of exploitation techniques enables the model to detect techniques never seen before, such as return-oriented programming. Finally, we conclude with a discussion of the important features that had the highest impact on each of the models, along with the key takeaways.

show abstract