2013 43rd Annual IEEE/IFIP Conference on Dependable Systems and Networks Workshop (DSN-W)

Abstract

Control flow graphs (CFG) have long been an effective and elegant way to represent program execution. In particular, many anomaly detection systems employ CFGs. Unfortunately, typical CFG-based systems rely on inaccurate or impractical heuristics. For example, the state space may be restricted by considering only a call graph, thus reducing accuracy and precision. In this paper, we combine control flow graphs with resource consumption information to more accurately model a program's behavior during execution. Intuitively, this technique allows access to more information within each state, providing opportunities for more accurate decisions when considering anomalous behavior. Additionally, because we do not need as many states to represent an application's execution, we can achieve lower overhead than existing CFG-based systems. We anticipate this technique can be used to detect jump-based return-oriented programming (ROP) attacks on the Linux platform.