IEICE TRANSACTIONS on Information

ROPminer: Learning-Based Static Detection of ROP Chain Considering Linkability of ROP Gadgets

Toshinori USUI, Tomonori IKUSE, Yuto OTSUKI, Yuhei KAWAKOYA, Makoto IWAMURA, Jun MIYOSHI, Kanta MATSUURA

Summary :

Return-oriented programming (ROP) has been crucial for attackers to evade the security mechanisms of recent operating systems. Although existing ROP detection approaches mainly focus on host-based intrusion detection systems (HIDSes), network-based intrusion detection systems (NIDSes) are also desired to protect various hosts, including IoT devices, on the network. However, existing approaches are not sufficient for network-level protection because of two problems: (1) Dynamic approaches take seconds or minutes on average per inspection, whereas applying them to NIDSes requires millisecond-order inspection to achieve near-real-time detection. (2) Static approaches generate false positives because they rely on heuristic patterns, whereas NIDSes need false positives to be minimized to suppress false alarms. In this paper, we propose a method for statically detecting ROP chains in malicious data by learning the target libraries (i.e., the libraries whose code is used as ROP gadgets). Our method accelerates inspection by exhaustively collecting feasible ROP gadgets in the target libraries and learning them in a step separate from inspection. In addition, we reduce the false positives that are inevitable in existing static inspection by statically verifying whether a suspicious byte sequence would link properly if executed as a ROP chain. Experimental results show that our method achieves millisecond-order ROP chain detection with high precision.
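The two-step idea in the summary (learn feasible gadgets from the target library offline, then check whether a suspicious byte sequence actually links as a chain) can be illustrated with a small detector. The following is an added example written for this page; it is not ROPminer's code and does not reproduce the paper's method. It assumes a hypothetical library load address, a constructed 18-byte "library" covering only a handful of x86-64 opcodes (pop, ret, nop, add rsp, two filler instructions), and a constructed payload; a real implementation would use a full disassembler and the real library image. A gadget's "stack delta" here is the number of 8-byte words it consumes (its pops plus the return address), so a chain links properly when each gadget's delta lands exactly on the next gadget address. The naive counter beside it shows why plain pattern matching (consecutive words that look like gadget addresses) raises false positives that the linkability check rejects.

```python
"""Toy static ROP-chain detector: learn gadgets from a library image offline,
then flag byte sequences whose gadget addresses link through their stack deltas.
Added illustration only; instruction subset, library bytes and payloads are constructed."""
import struct

WORD = 8                          # x86-64 stack slot size
LIB_BASE = 0x7F0000000000         # hypothetical load address of the target library

# Constructed sample "library": a few x86-64 byte sequences, 18 bytes in total.
LIBRARY = bytes([
    0x48, 0x89, 0xC8,             # off 0:  mov rax, rcx
    0x5F, 0xC3,                   # off 3:  pop rdi ; ret
    0x90, 0x90,                   # off 5:  nop ; nop
    0x5E, 0x5A, 0xC3,             # off 7:  pop rsi ; pop rdx ; ret
    0x48, 0x83, 0xC4, 0x10, 0xC3, # off 10: add rsp, 0x10 ; ret
    0x31, 0xC0,                   # off 15: xor eax, eax
    0xC3,                         # off 17: ret
])


def decode(buf, i):
    """Decode one instruction of the tiny subset at buf[i].
    Returns (length_in_bytes, stack_words_consumed) or None if undecodable."""
    b = buf[i:i + 4]
    if not b:
        return None
    op = b[0]
    if 0x58 <= op <= 0x5F:                                  # pop r64
        return 1, 1
    if op == 0x41 and len(b) > 1 and 0x58 <= b[1] <= 0x5F:  # pop r8..r15
        return 2, 1
    if op == 0xC3:                                          # ret pops the next address
        return 1, 1
    if op == 0x90:                                          # nop
        return 1, 0
    if b[:3] == b"\x48\x83\xC4" and len(b) == 4 and b[3] % 8 == 0 and b[3] < 0x80:
        return 4, b[3] // 8                                 # add rsp, imm8 (imm8 / 8 words)
    if b[:2] == b"\x31\xC0":                                # xor eax, eax
        return 2, 0
    if b[:3] == b"\x48\x89\xC8":                            # mov rax, rcx
        return 3, 0
    return None


def learn_gadgets(lib, base, max_insns=5):
    """Offline step: try every byte offset as a gadget start and keep those that
    decode cleanly into a ret within max_insns instructions.
    Returns {absolute_address: stack_delta_in_words}."""
    gadgets = {}
    for start in range(len(lib)):
        i, words = start, 0
        for _ in range(max_insns):
            d = decode(lib, i)
            if d is None:
                break
            length, consumed = d
            words += consumed
            i += length
            if lib[i - length] == 0xC3:       # ended with ret: a feasible gadget
                gadgets[base + start] = words
                break
    return gadgets


def count_gadget_words(data, gadgets, off):
    """Naive pattern check: consecutive 8-byte words that are gadget addresses."""
    n = 0
    while off + WORD <= len(data) and struct.unpack_from("<Q", data, off)[0] in gadgets:
        n += 1
        off += WORD
    return n


def find_rop_chains(data, gadgets, min_links=3):
    """Inspection step: at every byte offset, follow gadget addresses through their
    stack deltas and report (offset, links) for chains of at least min_links gadgets."""
    hits, off, n = [], 0, len(data)
    while off + WORD <= n:
        pos, links = off, 0
        while pos + WORD <= n:
            addr = struct.unpack_from("<Q", data, pos)[0]
            if addr not in gadgets:
                break
            links += 1
            pos += WORD * gadgets[addr]       # skip the words this gadget pops
        if links >= min_links:
            hits.append((off, links))
            off = pos                         # do not re-report sub-chains of this hit
        else:
            off += 1
    return hits


GADGETS = learn_gadgets(LIBRARY, LIB_BASE)
p = lambda v: struct.pack("<Q", v)
# Constructed payload: request text, then a linkable chain, then trailing filler.
SAMPLE_PAYLOAD = (b"GET /index.html HTTP/1.1\r\n"
                  + p(LIB_BASE + 3) + p(0x41)              # pop rdi ; ret   (delta 2)
                  + p(LIB_BASE + 15)                       # xor eax,eax ; ret (delta 1)
                  + p(LIB_BASE + 7) + p(0x1000) + p(0x2000)  # pop rsi ; pop rdx ; ret (delta 3)
                  + p(LIB_BASE + 4)                        # ret (delta 1)
                  + b"AAAAAAAA")
# Constructed look-alike: four gadget addresses back to back, but the first gadget's
# delta skips the second, so the sequence cannot execute as a chain.
UNLINKABLE = p(LIB_BASE + 3) + p(LIB_BASE + 15) + p(LIB_BASE + 7) + p(LIB_BASE + 4) + b"\x00" * 8

if __name__ == "__main__":
    print("learned gadgets:", {hex(a): d for a, d in GADGETS.items()})
    print("chains in payload:", find_rop_chains(SAMPLE_PAYLOAD, GADGETS))
    print("naive count on look-alike:", count_gadget_words(UNLINKABLE, GADGETS, 0),
          "linkable chains:", find_rop_chains(UNLINKABLE, GADGETS))
```

Running the block reports one chain of four linked gadgets at byte offset 26 of the constructed payload, while the look-alike buffer scores four under the naive consecutive-address count and zero under the linkability check. Because the gadget table is built once from the library and inspection is a dictionary lookup per word, the per-payload cost stays linear in the payload size, which is the property the summary needs for network-speed inspection.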

Publication
IEICE TRANSACTIONS on Information Vol.E103-D No.7 pp.1476-1492
Publication Date
2020/07/01
Publicized
2020/04/07
Online ISSN
1745-1361
DOI
10.1587/transinf.2019ICP0016
Type of Manuscript
Special Section PAPER (Special Section on Information and Communication System Security)
Category
Network and System Security

Authors

Toshinori USUI
  NTT Secure Platform Laboratories, The University of Tokyo
Tomonori IKUSE
  NTT Secure Platform Laboratories
Yuto OTSUKI
  NTT Secure Platform Laboratories
Yuhei KAWAKOYA
  NTT Secure Platform Laboratories
Makoto IWAMURA
  NTT Secure Platform Laboratories
Jun MIYOSHI
  NTT Secure Platform Laboratories
Kanta MATSUURA
  The University of Tokyo
