
Feature Creation Towards the Detection of Non-control-Flow Hijacking Attacks

  • Conference paper
Artificial Neural Networks and Machine Learning – ICANN 2021 (ICANN 2021)

Abstract

With malware attacks on the rise, approaches that use low-level hardware information to detect them have recently been gaining popularity. Hardware event counts serve as features that describe the behavior of a software program; a classifier, such as a support vector machine (SVM) or a neural network, then detects the anomalous behavior caused by malware attacks. The datasets collected to describe program behavior, however, are normally imbalanced, since regular program behavior is much easier to gather than abnormal behavior, and this imbalance can lead to high false negative rates (FNR). To remedy this situation, we propose using Genetic Programming (GP) to create new features that augment the original features used by the classifier. One key component affecting classifier performance is the construction of the Hellinger distance as the GP fitness function, so we perform a design space exploration of ways to estimate the Hellinger distance. The performance of the different approaches is evaluated using seven real-world attacks that target three vulnerabilities in the OpenSSL library and two vulnerabilities in modern web servers. Our experimental results show that, by using the new features evolved with GP, we are able to reduce the FNR and improve the performance characteristics of the classifier.
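As an added illustration (not code from the paper, whose GP setup and estimator variants are not reproduced here), the following Python scores candidate features with a histogram estimate of the Hellinger distance between their benign and attack class-conditional distributions, the role the abstract assigns to the GP fitness function. The hardware-counter samples and the three candidate features are constructed; the ratio feature stands in for an expression that GP might evolve.

```python
import math

def hellinger_distance(benign, attack, bins=16):
    """Histogram estimate of H(P, Q) = sqrt(1 - sum_i sqrt(p_i * q_i)) between the
    class-conditional distributions of one feature. Each class histogram is normalised
    on its own, so the score does not change with the benign:attack sample ratio,
    which is what makes it usable as a fitness measure on a skewed dataset."""
    lo = min(min(benign), min(attack))
    hi = max(max(benign), max(attack))
    width = (hi - lo) / bins or 1.0          # constant feature: everything in one bin
    def hist(values):
        counts = [0] * bins
        for v in values:
            counts[min(int((v - lo) / width), bins - 1)] += 1
        return [c / len(values) for c in counts]
    bc = sum(math.sqrt(p * q) for p, q in zip(hist(benign), hist(attack)))
    return math.sqrt(max(0.0, 1.0 - bc))    # clamp guards against float round-off

# Constructed samples of two hardware event counts per execution window:
# (loads, branch_misses). Benign windows run at ~10% misses per load, attack
# windows at ~15%. Raw ranges overlap because the work per window varies, and
# the attack class is deliberately small (12 vs 200) to mimic the imbalance.
BENIGN = [(1000 + 50 * (i % 20), 0.1 * (1000 + 50 * (i % 20)) + (i % 5 - 2))
          for i in range(200)]
ATTACK = [(1000 + 100 * (j % 10), 0.15 * (1000 + 100 * (j % 10)) + (j % 3 - 1))
          for j in range(12)]

# Candidate features: the two raw counters and one GP-style constructed feature.
CANDIDATES = {
    "loads": lambda loads, misses: loads,
    "branch_misses": lambda loads, misses: misses,
    "misses / loads": lambda loads, misses: misses / loads,
}

def feature_fitness(feature, benign=BENIGN, attack=ATTACK):
    """Fitness of one candidate: Hellinger distance between its per-class histograms."""
    return hellinger_distance([feature(*s) for s in benign], [feature(*s) for s in attack])

def evaluate_candidates():
    """Score every candidate; a GP run would keep the highest-scoring expressions."""
    return {name: feature_fitness(f) for name, f in CANDIDATES.items()}

if __name__ == "__main__":
    for name, score in sorted(evaluate_candidates().items(), key=lambda kv: -kv[1]):
        print(f"{name:>16}: H = {score:.3f}")
```

Duplicating the benign set (making the data even more skewed) leaves every score unchanged, which is the skew-insensitivity that motivates the choice of Hellinger distance over accuracy-style fitness.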


Notes

  1. The datasets may be found at https://github.com/camel-clarkson/non-controlflow-hijacking-datasets.


Acknowledgements

This work was partially supported by Shenzhen Science and Technology Program through the Research Institute of Trustworthy Autonomous Systems (RITAS).

Corresponding author

Correspondence to Zander Blasingame.


Copyright information

© 2021 Springer Nature Switzerland AG

About this paper


Cite this paper

Blasingame, Z., Liu, C., Yao, X. (2021). Feature Creation Towards the Detection of Non-control-Flow Hijacking Attacks. In: Farkaš, I., Masulli, P., Otte, S., Wermter, S. (eds) Artificial Neural Networks and Machine Learning – ICANN 2021. ICANN 2021. Lecture Notes in Computer Science(), vol 12891. Springer, Cham. https://doi.org/10.1007/978-3-030-86362-3_13


  • DOI: https://doi.org/10.1007/978-3-030-86362-3_13


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-86361-6

  • Online ISBN: 978-3-030-86362-3

  • eBook Packages: Computer Science (R0)