{"title":"Can Data-Only Exploits be Detected at Runtime Using Hardware Events?: A Case Study of the Heartbleed Vulnerability","authors":"G. Torres, Chen Liu","doi":"10.1145/2948618.2948620","DOIUrl":null,"url":null,"abstract":"In this study, we investigate the feasibility of using an anomaly-based detection scheme that utilizes information collected from hardware performance counters at runtime to detect data-oriented attacks in user space libraries. Using the Heartbleed vulnerability as a test case, we studied twelve different hardware events and used a Support Vector Machine (SVM) model to classify between regular and abnormal behaviors. Our results demonstrated a detection accuracy over 92% for the two-class SVM model and over 70% for the one-class SVM model. We also studied the limitations of using certain type of hardware events and discussed possible implications of their use in detection schemes. Overall, the experiments conducted suggest that data-oriented attacks can be more difficult to detect than control-data exploits, as certain events are susceptible to interference hence less reliable.","PeriodicalId":141766,"journal":{"name":"Hardware and Architectural Support for Security and Privacy","volume":"17 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-06-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"25","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Hardware and Architectural Support for Security and Privacy","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2948618.2948620","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 25
Abstract
In this study, we investigate the feasibility of using an anomaly-based detection scheme that utilizes information collected from hardware performance counters at runtime to detect data-oriented attacks in user space libraries. Using the Heartbleed vulnerability as a test case, we studied twelve different hardware events and used a Support Vector Machine (SVM) model to classify between regular and abnormal behaviors. Our results demonstrated a detection accuracy over 92% for the two-class SVM model and over 70% for the one-class SVM model. We also studied the limitations of using certain types of hardware events and discussed possible implications of their use in detection schemes. Overall, the experiments conducted suggest that data-oriented attacks can be more difficult to detect than control-data exploits, as certain events are susceptible to interference and hence less reliable.