Abstract
Control flow graphs (CFGs) have long been an effective and elegant way to represent program execution. In particular, many anomaly detection systems employ CFGs. Unfortunately, typical CFG-based systems rely on inaccurate or impractical heuristics. For example, the state space may be restricted by considering only a call graph, thus reducing accuracy and precision. In this paper, we combine control flow graphs with resource consumption information to more accurately model a program's behavior during execution. Intuitively, this technique allows access to more information within each state, providing opportunities for more accurate decisions when considering anomalous behavior. Additionally, because we do not need as many states to represent an application's execution, we can achieve lower overhead than existing CFG-based systems. We anticipate this technique can be used to detect jump-based return-oriented programming (ROP) attacks on the Linux platform.