ABSTRACT
In recent years, the scale, frequency and complexity of cyber-attacks have been continuously on the rise, and these attacks have significantly impacted our daily lives and society as a whole. Never before have we had such an urgent need to defend against cyber-attacks. Previous studies suggest that it is possible to detect rootkits and control-flow attacks with high accuracy using information collected at the hardware level. For data-only exploits, however, where the control flow of the victim application is strictly conserved while its behavior may be only slightly modified, high-accuracy detection is much more difficult to achieve. In this study, we propose the use of low-level hardware information collected as a short time series for the detection of data-only malware attacks. We employed several representative classification algorithms, e.g., linear regression (LR), autoencoder (AE), stacked denoising autoencoder (SDA), and echo state network (ESN). We build one-class classifiers that use either individual samples collected by monitoring hardware-level events or multiple samples of hardware events collected at different times during execution, in both cases trained only with knowledge of regular behavior. Using several real-life attacks as case studies, we examined their detection accuracy when confronted with malicious behavior. Our experimental results show that our SDA- and ESN-based approaches can achieve an average detection accuracy of 97.75% and 98.36%, respectively, for the exploits studied. Our study suggests that when the hardware events are monitored at different points in time during the execution of the vulnerable application, our SDA- and ESN-based approaches have the potential to boost the detection accuracy for data exploits.
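The contrast the abstract draws between individual samples and a short time series can be seen in a small one-class detector trained on regular behavior only. This is an added example, not code from the paper: the per-dimension Gaussian scorer is a simple stand-in for the LR/AE/SDA/ESN models, and the event counts, patterns, noise level and threshold margin are all constructed assumptions.

```python
import random
import statistics

def make_trace(rng, pattern, noise=2.0):
    """One constructed execution: a hardware event count per sampling interval."""
    return [base + rng.uniform(-noise, noise) for base in pattern]

class OneClassZ:
    """Per-dimension Gaussian fitted on benign vectors only (stand-in model)."""

    def fit(self, vectors):
        cols = list(zip(*vectors))
        self.mu = [statistics.fmean(c) for c in cols]
        self.sd = [statistics.pstdev(c) or 1.0 for c in cols]
        # Threshold: worst score seen on benign training data plus a margin.
        self.threshold = 1.5 * max(self.score(v) for v in vectors)
        return self

    def score(self, v):
        # Mean squared z-score across the dimensions of the input vector.
        return sum(((x - m) / s) ** 2
                   for x, m, s in zip(v, self.mu, self.sd)) / len(v)

    def is_anomalous(self, v):
        return self.score(v) > self.threshold

def evaluate(seed=7):
    rng = random.Random(seed)
    # Constructed benign profile: counts rise and fall over eight intervals.
    benign_pattern = [100, 140, 180, 140, 100, 140, 180, 140]
    # Constructed data-only deviation: the same counts in a different order,
    # so every individual sample stays inside the benign value range.
    attack_pattern = [100, 180, 140, 140, 180, 100, 140, 140]
    benign = [make_trace(rng, benign_pattern) for _ in range(200)]
    attack = [make_trace(rng, attack_pattern) for _ in range(50)]

    # (a) Individual samples: each count is scored on its own.
    single = OneClassZ().fit([[x] for t in benign for x in t])
    hits_single = sum(single.is_anomalous([x]) for t in attack for x in t)

    # (b) Short time series: the eight counts of a run are scored together.
    series = OneClassZ().fit(benign)
    hits_series = sum(series.is_anomalous(t) for t in attack)
    false_pos = sum(series.is_anomalous(t) for t in benign)
    return hits_single, hits_series, false_pos

if __name__ == "__main__":
    print(evaluate())
```

On this constructed data the single-sample detector flags none of the deviating samples, while the time-series detector flags every deviating run without flagging any benign training run.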
Index Terms
- Detecting Data Exploits Using Low-level Hardware Information: A Short Time Series Approach