DeepReturn: A deep neural network can learn how to detect previously-unseen ROP payloads without using any heuristics

Bibliographic Details
Published in Journal of Computer Security, Vol. 28, No. 5, pp. 499-523
Main Authors Li, Xusheng; Hu, Zhisheng; Wang, Haizhou; Fu, Yiwei; Chen, Ping; Zhu, Minghui; Liu, Peng
Format Journal Article
Language English
Published Amsterdam, IOS Press BV, 01.01.2020

Abstract Return-oriented programming (ROP) is a code reuse attack that chains short snippets of existing code to perform arbitrary operations on target machines. Existing detection methods against ROP exhibit unsatisfactory detection accuracy and/or have high runtime overhead. In this paper, we present DeepReturn, which innovatively combines address space layout guided disassembly and deep neural networks to detect ROP payloads. The disassembler treats application input data as code pointers and aims to find any potential gadget chains, which are then classified by a deep neural network as benign or malicious. Our experiments show that DeepReturn has high detection rate (99.3%) and a very low false positive rate (0.01%). DeepReturn successfully detects all of the 100 real-world ROP exploits that are collected in-the-wild, created manually or created by ROP exploit generation tools. DeepReturn is non-intrusive and does not incur any runtime overhead to the protected program.
Author affiliations
1. Xusheng Li, College of Information Sciences and Technology, Pennsylvania State University, PA, USA
2. Zhisheng Hu, Baidu Security, CA, USA
3. Haizhou Wang, College of Information Sciences and Technology, Pennsylvania State University, PA, USA
4. Yiwei Fu, GE Research, NY, USA
5. Ping Chen, JD.com American Technologies Corporation, CA, USA
6. Minghui Zhu, School of Electrical Engineering and Computer Science, Pennsylvania State University, PA, USA
7. Peng Liu, College of Information Sciences and Technology, Pennsylvania State University, PA, USA
ContentType Journal Article
Copyright Copyright IOS Press BV 2020
DOI 10.3233/JCS-191368
Discipline Computer Science
EISSN 1875-8924
EndPage 523
ISSN 0926-227X
IsPeerReviewed true
IsScholarly true
Issue 5
Language English
PageCount 25
PublicationDate 2020-01-01
PublicationPlace Amsterdam
PublicationTitle Journal of computer security
PublicationYear 2020
Publisher IOS Press BV
StartPage 499
SubjectTerms Artificial neural networks; Chains; Code reuse; Dismantling; Neural networks; Payloads; Run time (computers); Target detection
URI https://www.proquest.com/docview/2447054332
Volume 28