Glyph: Efficient ML-Based Detection of Heap Spraying Attacks / F. Pierazzi, S. Cristalli, D. Bruschi, M. Colajanni, M. Marchetti, A. Lanzi. - In: IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY. - ISSN 1556-6013. - 16(2021), pp. 740-755. [10.1109/TIFS.2020.3017925]
Glyph: Efficient ML-Based Detection of Heap Spraying Attacks
S. Cristalli (second author); D. Bruschi; A. Lanzi (last author)
2021
Abstract
Heap spraying is probably the most simple and effective memory corruption attack, which fills the memory with malicious payloads and then jumps at a random location in hopes of starting the attacker's routines. To counter this threat, GRAFFITI has been recently proposed as the first OS-agnostic framework for monitoring memory allocations of arbitrary applications at runtime; however, the main contributions of GRAFFITI are on the monitoring system, and its detection engine only considers simple heuristics which are tailored to certain attack vectors and are easily evaded. In this article, we aim to overcome this limitation and propose GLYPH as the first ML-based heap spraying detection system, which is designed to be effective, efficient, and resilient to evasive attackers. GLYPH relies on the information monitored by GRAFFITI, and we investigate the effectiveness of different feature spaces based on information entropy and memory n-grams, and discuss the several engineering challenges we have faced to make GLYPH efficient with an overhead compatible with that of GRAFFITI. To evaluate GLYPH, we build a representative dataset with several variants of heap spraying attacks, and assess GLYPH's resilience against evasive attackers through selective hold-out experiments. Results show that GLYPH achieves high accuracy in detecting spraying and is able to generalize well, outperforming the state-of-the-art approach for heap spraying detection, NOZZLE. Finally, we thoroughly discuss the trade-offs between detection performance and runtime overhead of GLYPH's different configurations.
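The abstract names two feature families, information entropy and memory n-grams, but does not spell out how either is computed over monitored memory. The following is an added illustration written for this page, not code from the paper or from GLYPH/GRAFFITI: it computes per-page Shannon entropy and a cross-page n-gram overlap score over a memory region, and applies a toy decision rule to two constructed regions (an ordinary-looking heap with varied pages, and a sprayed-looking heap made of one low-entropy block repeated page after page). The n-gram length, the entropy threshold, the decision rule and the sample regions are all assumptions chosen for the example, not the paper's configuration or data.

```python
import math
import random
from collections import Counter

PAGE_SIZE = 4096
NGRAM_LEN = 4           # assumed n-gram length; not taken from the paper
LOW_ENTROPY_BITS = 2.0  # assumed per-page threshold in bits/byte; not taken from the paper


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty or uniform data, 8.0 max)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def ngrams(data: bytes, n: int = NGRAM_LEN) -> set:
    """Set of distinct byte n-grams occurring in one page."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def region_features(region: bytes, page_size: int = PAGE_SIZE) -> dict:
    """Summarise a memory region by per-page entropy and by how many of each page's
    n-grams also occur in other pages (sprayed regions are near-copies of one block)."""
    pages = [region[i:i + page_size] for i in range(0, len(region), page_size)]
    if not pages:
        return {"pages": 0, "mean_entropy": 0.0, "low_entropy_fraction": 0.0, "cross_page_overlap": 0.0}
    entropies = [shannon_entropy(p) for p in pages]
    page_sets = [ngrams(p) for p in pages]
    occurrence = Counter()              # n-gram -> number of pages that contain it
    for s in page_sets:
        occurrence.update(s)
    shared = [
        (sum(1 for g in s if occurrence[g] > 1) / len(s)) if s else 0.0
        for s in page_sets
    ]
    return {
        "pages": len(pages),
        "mean_entropy": sum(entropies) / len(entropies),
        "low_entropy_fraction": sum(1 for e in entropies if e < LOW_ENTROPY_BITS) / len(entropies),
        "cross_page_overlap": sum(shared) / len(shared),
    }


def looks_sprayed(features: dict) -> bool:
    """Toy decision rule (assumed, not GLYPH's classifier): flag a region when most pages
    are both low-entropy and largely composed of n-grams repeated across other pages."""
    return features["low_entropy_fraction"] > 0.5 and features["cross_page_overlap"] > 0.5


# --- constructed sample regions; not captured from any real process ---

def sample_benign_region(pages: int = 64, seed: int = 1) -> bytes:
    """Stand-in for an ordinary heap: every page holds different pseudo-random content."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(pages * PAGE_SIZE))


def sample_sprayed_region(pages: int = 64, seed: int = 2) -> bytes:
    """Stand-in for a sprayed heap: one low-entropy block (a filler byte plus a short
    varied tail) copied page after page."""
    rng = random.Random(seed)
    tail = bytes(rng.getrandbits(8) for _ in range(128))
    block = b"\x0c" * (PAGE_SIZE - len(tail)) + tail
    return block * pages


if __name__ == "__main__":
    for name, region in (("benign", sample_benign_region()), ("sprayed", sample_sprayed_region())):
        feats = region_features(region)
        rounded = {k: (round(v, 3) if isinstance(v, float) else v) for k, v in feats.items()}
        print(name, rounded, "->", "SPRAY" if looks_sprayed(feats) else "ok")
```

Running the script prints a benign region with per-page entropy near 8 bits and almost no cross-page n-gram sharing, and a sprayed region with entropy well under 1 bit and an overlap of 1.0. Neither feature is sufficient alone: a heap full of zero-initialised structures is also low-entropy, and a heap of many identical small objects also shares n-grams, which is why the abstract frames detection as a learned combination of feature spaces rather than a fixed threshold on one of them.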
File: 09171343.pdf (Publisher's version/PDF, 3.51 MB, Adobe PDF), restricted access.
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.