Feature Creation Towards the Detection of Non-control-Flow Hijacking Attacks

Zander BLASINGAME*, Chen LIU, Xin YAO

*Corresponding author for this work

Research output: Book Chapters | Papers in Conference Proceedings; Conference paper (refereed); Research; peer-review

Abstract

With malware attacks on the rise, approaches that use low-level hardware information to detect these attacks have been gaining popularity recently. This is achieved by using hardware event counts as features to describe the behavior of the software program. A classifier, such as a support vector machine (SVM) or a neural network, can then be used to detect the anomalous behavior caused by malware attacks. The datasets collected to describe the program behavior, however, are normally imbalanced, as it is much easier to gather regular program behavior than abnormal behavior, which can lead to high false negative rates (FNR). In an effort to remedy this situation, we propose the usage of Genetic Programming (GP) to create new features that augment the original features in conjunction with the classifier. One key component that will affect the classifier performance is the construction of the Hellinger distance as the fitness function. As a result, we perform design space exploration in estimating the Hellinger distance. The performance of different approaches is evaluated using seven real-world attacks that target three vulnerabilities in the OpenSSL library and two vulnerabilities in modern web servers. Our experimental results show that, by using the new features evolved with GP, we are able to reduce the FNR and improve the performance characteristics of the classifier. © 2021, Springer Nature Switzerland AG.
Original language: English
Title of host publication: Artificial Neural Networks and Machine Learning – ICANN 2021 : 30th International Conference on Artificial Neural Networks, Bratislava, Slovakia, September 14–17, 2021, Proceedings, Part I
Editors: Igor FARKAŠ, Paolo MASULLI, Sebastian OTTE, Stefan WERMTER
Publisher: Springer Science and Business Media Deutschland GmbH
Pages: 153-164
Number of pages: 12
ISBN (Electronic): 9783030863623
ISBN (Print): 9783030863616
DOIs
Publication status: Published - 2021
Externally published: Yes
Event: 30th International Conference on Artificial Neural Networks - Bratislava, Slovakia
Duration: 14 Sept 2021 – 17 Sept 2021

Publication series

Name: Lecture Notes in Computer Science
Publisher: Springer
Volume: 12891
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Name: Theoretical Computer Science and General Issues
Publisher: Springer
ISSN (Print): 2512-2010
ISSN (Electronic): 2512-2029

Conference

Conference: 30th International Conference on Artificial Neural Networks
Abbreviated title: ICANN 2021
Country/Territory: Slovakia
City: Bratislava
Period: 14/09/21 – 17/09/21

Bibliographical note

This work was partially supported by Shenzhen Science and Technology Program through the Research Institute of Trustworthy Autonomous Systems (RITAS).

Keywords

  • Anomaly detection
  • Data-only attacks
  • Feature construction
  • Hardware performance counters
  • Machine learning
