Preprint Article, Version 1. Preserved in Portico. This version is not peer-reviewed.

Horus: An Effective and Reliable Framework for Code-Reuse Exploits Detection in Data Stream

Version 1 : Received: 15 September 2022 / Approved: 20 September 2022 / Online: 20 September 2022 (03:10:37 CEST)

A peer-reviewed article of this Preprint also exists.

Yang, G.; Liu, X.; Tang, C. Horus: An Effective and Reliable Framework for Code-Reuse Exploits Detection in Data Stream. Electronics 2022, 11, 3363.

Abstract

Recent years have witnessed rapid growth of code-reuse attacks in advanced persistent threats and cybercrime. Carefully crafted code-reuse exploits circumvent modern protection mechanisms and hijack the execution flow of a program to perform the attacker's intended functionality by chaining together existing code. The sophistication and intricacy of code-reuse exploits hinder their scrutiny and dissection. Although previous literature has introduced some feasible approaches, effectiveness and reliability in practical applications remain serious challenges. To address this issue, we propose Horus, a data-driven framework for the effective and reliable detection of code-reuse exploits. To raise effectiveness against underlying noise, we jointly leverage the strengths of time-series and frequency-domain analysis and propose a learning-based detector that synthesizes these two complementary kinds of features. We then employ a lightweight interpreter to speculatively and tentatively translate the suspicious bytes, opening the black box and enhancing reliability and interpretability. Additionally, a functionality-preserving data augmentation is adopted to increase the diversity of the limited training data and improve generality for real-world deployment. Comparative experiments and ablation studies are conducted on a dataset composed of real-world instances to demonstrate the advantages of Horus. The experimental results show that Horus outperforms existing methods in identifying code-reuse exploits in data streams with acceptable overhead. Horus does not rely on any dynamic execution and can be easily integrated into existing defense systems. Moreover, Horus is able to provide tentative interpretations of attack semantics irrespective of the target program, which further improves the system's effectiveness and reliability.

Keywords

intrusion detection; vulnerability exploit; machine learning; code-reuse attack; malware detection

Subject

Computer Science and Mathematics, Information Systems
