Cite this article: WANG Jian, HUANG Kaijie, ZHANG Mengjie, et al. Intelligent detection method of ROP chain using two-dimensional feature of byte pattern[J]. Journal of National University of Defense Technology, 2023, 45(5): 184-192.
Intelligent detection method of ROP chain using two-dimensional feature of byte pattern
WANG Jian, HUANG Kaijie, ZHANG Mengjie, LIU Xingtong, YANG Gang
(College of Electronic Science and Technology, National University of Defense Technology, Changsha 410073, China)

Abstract:
Return-oriented programming (ROP) is one of the main techniques attackers use to bypass operating-system protections and exploit vulnerabilities, and the ROP chain is a core component of a ROP attack. To detect ROP chains in network traffic, this paper proposes an intelligent detection method that extracts ROP-chain features automatically and generalizes well. The method divides the traffic under test into multiple sequences by sequential extraction, converts the one-dimensional traffic data into two-dimensional feature vectors using a sliding window and numerical quantization, and detects ROP chains with a convolutional neural network (CNN) model. Unlike existing static detection methods, it does not depend on contextual information about program memory addresses, is simple to implement and easy to deploy, and delivers excellent detection performance. Experimental results show a best model accuracy of 99.4%, a false negative rate of 0.6%, a false positive rate of 0.4%, a time overhead under 0.1 s, and a false negative rate of 0.2% on real ROP attack traffic.
Keywords: return-oriented programming; static detection; sequence extraction; image feature
DOI: 10.11887/j.cn.202305021
Received: 2023-02-23
Funding: Ministry of Education and China Mobile Research Fund project (MCM20200103)
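As an added illustration (not code from the paper), the Python below shows the feature-construction step the abstract describes: sequential extraction of the traffic into fixed-length sequences, a sliding window that turns each sequence into a matrix of windows, and quantization of every byte to [0, 1]. The sequence length (64), window (8), stride (8), the toy gadget offsets and the benign HTTP request are all assumptions made here; the paper's real parameters, data set and CNN are not reproduced. With an 8-byte window aligned to pointer width, the high-order bytes of consecutive 64-bit addresses fall into the same columns, which is the kind of positional regularity a 2-D arrangement exposes to a convolutional filter that a flat byte string hides.

```python
"""Feature construction for byte-pattern ROP chain detection.

Added illustration, not the paper's code. Sequence length, window size,
stride and the sample payloads below are assumptions chosen for the demo.
"""
import struct


def sequential_extract(data: bytes, seq_len: int) -> list:
    """Sequential extraction: cut the stream into consecutive non-overlapping
    sequences of seq_len bytes. The last partial sequence is zero-padded so
    every sequence feeds the same fixed-size feature shape."""
    return [data[off:off + seq_len].ljust(seq_len, b"\x00")
            for off in range(0, len(data), seq_len)]


def to_2d_feature(seq: bytes, window: int, stride: int) -> list:
    """Sliding window plus numerical quantization: each window of `window`
    bytes becomes one row and every byte is scaled to [0, 1] by dividing by
    255, giving a (rows x window) matrix a CNN can consume like an image."""
    return [[b / 255.0 for b in seq[off:off + window]]
            for off in range(0, len(seq) - window + 1, stride)]


def column_spread(matrix: list) -> list:
    """Per-column max minus min. A column with zero spread is a byte position
    whose value never changes from one window to the next."""
    return [max(col) - min(col) for col in zip(*matrix)]


def constant_column_count(matrix: list, tol: float = 0.0) -> int:
    """Number of byte positions that are (near-)constant across all windows."""
    return sum(1 for s in column_spread(matrix) if s <= tol)


# Constructed sample 1: a toy x86-64 ROP chain, eight little-endian 64-bit
# gadget addresses inside a libc-like mapping. The base and offsets are made
# up for illustration; they do not point at real gadgets.
LIBC_BASE = 0x00007FFFF7A00000
GADGET_OFFSETS = [0x2155F, 0x26B72, 0x3C4D3, 0x4F322, 0x01B96, 0x6E5A0, 0x2A1C1, 0x5D8E4]
TOY_ROP_CHAIN = b"".join(struct.pack("<Q", LIBC_BASE + off) for off in GADGET_OFFSETS)

# Constructed sample 2: an ordinary HTTP request of about the same length.
TOY_BENIGN = (b"GET /index.html HTTP/1.1\r\n"
              b"Host: example.test\r\n"
              b"Accept: */*\r\n\r\n")

SEQ_LEN, WINDOW, STRIDE = 64, 8, 8   # assumed parameters, not the paper's


def features_for(data: bytes) -> list:
    """Full pipeline for one traffic sample: one 2-D matrix per extracted sequence."""
    return [to_2d_feature(seq, WINDOW, STRIDE) for seq in sequential_extract(data, SEQ_LEN)]


if __name__ == "__main__":
    for label, payload in (("rop", TOY_ROP_CHAIN), ("benign", TOY_BENIGN)):
        for i, m in enumerate(features_for(payload)):
            print(f"{label} seq {i}: {len(m)}x{len(m[0])} matrix, "
                  f"{constant_column_count(m)} constant columns, "
                  f"spread={[round(s, 3) for s in column_spread(m)]}")
```

On the toy chain the five high-order columns (bytes 3 to 7 of every address) have zero spread while the benign request has none, so the matrix makes the pointer structure visible as vertical bands. Real chains interleave immediates and stack data with gadget addresses and the chain rarely starts on a pointer boundary, so a hand-written column check is not a detector; the point of the paper's approach is that the CNN learns such byte-position filters from labelled traffic instead of relying on a fixed rule or on knowledge of the target's memory layout.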