首页 | 本学科首页   官方微博 | 高级检索  
     

利用字节模式二维特征的ROP链智能检测方法
引用本文:王剑,黄恺杰,张梦杰,刘星彤,杨刚. 利用字节模式二维特征的ROP链智能检测方法[J]. 国防科技大学学报, 2023, 45(5): 184-192
作者姓名:王剑  黄恺杰  张梦杰  刘星彤  杨刚
作者单位:国防科技大学 电子科学学院, 湖南 长沙 410073
基金项目:教育部中国移动科研基金资助项目(MCM20200103)
摘    要:面向返回编程(return oriented programming, ROP)攻击是网络攻击者突破操作系统安全防护、实现漏洞攻击的一种主要手段,ROP链是ROP攻击的重要组成部分。为检测网络流量中的ROP链,提出了一种能自动提取ROP链特征、具有良好泛化性能的智能检测方法。该方法采用顺序抽取的方式将被测流量分成多个序列,利用滑动窗口和数值量化将输入的一维流量数据转换为二维特征向量,基于卷积神经网络模型实现对ROP链的检测。不同于已有的静态检测方法,该方法不依赖程序内存地址的上下文信息,实现简单、部署方便,且具有优异的检测性能。实验结果表明,模型最高准确率为99.4%,漏报率为0.6%,误报率为0.4%,时间开销在0.1 s以内,对真实ROP攻击流量的漏报率为0.2%。

关 键 词:面向返回编程  静态检测  序列抽取  图像特征
收稿时间:2023-02-23

Intelligent detection method of ROP chain using two-dimensional feature of byte pattern
WANG Jian,HUANG Kaijie,ZHANG Mengjie,LIU Xingtong,YANG Gang. Intelligent detection method of ROP chain using two-dimensional feature of byte pattern[J]. Journal of National University of Defense Technology, 2023, 45(5): 184-192
Authors:WANG Jian  HUANG Kaijie  ZHANG Mengjie  LIU Xingtong  YANG Gang
Affiliation:College of Electronic Science and Technology, National University of Defense Technology, Changsha 410073, China
Abstract:ROP(return oriented programming) attack is an important method for network attackers to break through the protection of operating system and realize vulnerability attacks, and ROP chain is the main component of ROP attack. In order to detect the ROP chain in network traffic, an intelligent detection method that can automatically extract the characteristics of ROP chain and has good generalization performance was proposed. The sequential extraction method was adopted to divide the measured network traffic into multiple sequences, one-dimensional traffic data was converted into two-dimensional feature vectors by using sliding window and numerical quantization, and the detection of ROP chain was realized based on the convolution neural network model. Different from the existing static detection methods, the proposed method did not rely on the context information of the program memory address, was simple to implement, easy to deploy, and had excellent detection performance. The experimental results show that the highest accuracy rate of the model is 99.4%, the false negative rate is 0.6%, the false positive rate is 0.4%, the time cost is within 0.1 s, and the false negative rate for the real ROP attack traffic is 0.2%.
Keywords:return oriented programming   static detection   sequence extraction   image feature
点击此处可从《国防科技大学学报》浏览原始摘要信息
点击此处可从《国防科技大学学报》下载免费的PDF全文
设为首页 | 免责声明 | 关于勤云 | 加入收藏

Copyright©北京勤云科技发展有限公司  京ICP备09084417号