Student: Francis Birck Moreira
Advisor: Prof. Dr. Philippe Olivier Alexandre Navaux
Title: Anomalous Behavior Detection Through Phase Profiling
Research Line: Parallel and Distributed Processing
This defense will exceptionally be held entirely online. Anyone wishing to attend may join through the link: https://mconf.ufrgs.br/webconf/00152311.
Examining Committee:
– Prof. Dr. Edson Borin (UNICAMP)
– Prof. Dr. Luciano Paschoal Gaspary (UFRGS)
– Prof. Dr. Otto Carlos Muniz Bandeira Duarte (UFRJ)
Committee Chair: Prof. Dr. Philippe Olivier Alexandre Navaux (firstname.lastname@example.org)
Abstract: One of the main challenges for security systems is the detection of general vulnerability exploitation, especially exploits that follow valid control flow. Detection and mitigation of specific, well-known forms of memory-corruption exploitation have been thoroughly researched and deployed, by marking data pages non-executable and by randomizing the address-space layout of vulnerable applications. However, advanced exploits already bypass these techniques, while other exploits abuse different classes of vulnerabilities and are thus not mitigated by the current state of the art. In general, the specificity of current approaches, such as signature-based detection, leaves them unable to detect new types of exploits and attacks, even though their behavior is anomalous with respect to normal system execution. In this work, we propose the detection of general anomalies by partitioning applications into phases characterized by their basic-block activity. The implementation of the mechanism inserts a check for each phase into the target application binary; these checks determine whether the phase behaves as expected. They can be implemented purely in software or with hardware aid, offering a trade-off between overhead on one side and detection rate and flexibility on the other. In contrast to previous work, our mechanism can detect exploits that use valid application control flow, such as Heartbleed, and is extensible to detect other types of anomalies. Experiments with several exploits show that we can detect attacked instances using simple phase features, such as the number of distinct basic blocks executed in a phase.
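The abstract describes phases characterized by basic-block activity and a per-phase check on a simple feature, the number of distinct basic blocks. The following is an added illustration written for this page, not code from the thesis: it assumes (the page does not say) that a phase is a fixed-size window of executed basic blocks, that the profile is the per-phase [min, max] of distinct blocks seen across benign runs, and that a run is flagged when any phase falls outside its profiled range or reaches a phase index never seen in training. The traces are constructed by hand, with arbitrary addresses, to mimic a request handler whose copy loop runs far longer under an over-read than under benign input while executing exactly the same basic blocks and control-flow edges.

```python
"""Phase profiling over a basic-block trace (illustrative, not the thesis's code).

Assumed model: a phase is a window of PHASE_LEN executed basic blocks; the
only feature profiled is the number of distinct blocks per window. Traces
below are constructed examples with arbitrary addresses.
"""

PHASE_LEN = 16  # assumed phase size, in executed basic blocks
SLACK = 1       # tolerance added around the observed [min, max] of each phase

# Constructed handler: a parse sequence, a two-block copy loop, a reply sequence.
PARSE = [0x1000, 0x1010, 0x1020, 0x1030, 0x1040, 0x1050, 0x1060, 0x1070]
COPY = [0x2000, 0x2010]   # loop body: bounds check + copy step
REPLY = [0x3000, 0x3010, 0x3020, 0x3030, 0x3040, 0x3050]


def make_trace(copy_iters):
    """Basic-block trace of one request whose copy loop runs copy_iters times."""
    return PARSE + COPY * copy_iters + REPLY


BENIGN_TRACES = [make_trace(3), make_trace(4), make_trace(5)]  # constructed training runs


def phases(trace, phase_len=PHASE_LEN):
    """Split a trace into consecutive fixed-size windows (assumed phase model)."""
    return [trace[i:i + phase_len] for i in range(0, len(trace), phase_len)]


def distinct_blocks(phase):
    """The phase feature named in the abstract: number of distinct basic blocks."""
    return len(set(phase))


def build_profile(benign_traces, phase_len=PHASE_LEN, slack=SLACK):
    """Per phase index, the allowed (lo, hi) distinct-block count, widened by slack."""
    bounds = {}
    for trace in benign_traces:
        for idx, ph in enumerate(phases(trace, phase_len)):
            n = distinct_blocks(ph)
            lo, hi = bounds.get(idx, (n, n))
            bounds[idx] = (min(lo, n), max(hi, n))
    return {idx: (max(0, lo - slack), hi + slack) for idx, (lo, hi) in bounds.items()}


def check_trace(profile, trace, phase_len=PHASE_LEN):
    """Return (phase_idx, observed, bounds) for every phase that violates the profile.

    bounds is None when the phase index was never seen during training, which
    is itself anomalous: the run is longer than any benign run.
    """
    violations = []
    for idx, ph in enumerate(phases(trace, phase_len)):
        n = distinct_blocks(ph)
        if idx not in profile:
            violations.append((idx, n, None))
            continue
        lo, hi = profile[idx]
        if not lo <= n <= hi:
            violations.append((idx, n, (lo, hi)))
    return violations


def control_flow_edges(trace):
    """Set of (src, dst) block transitions; used to show the attack keeps valid control flow."""
    return set(zip(trace, trace[1:]))


if __name__ == "__main__":
    profile = build_profile(BENIGN_TRACES)
    attacked = make_trace(200)  # over-read: same loop, far more iterations
    print("profile:", profile)
    print("benign run violations:", check_trace(profile, make_trace(4)))
    print("attacked run violations:", check_trace(profile, attacked)[:3], "...")
    print("attack uses only benign edges:",
          control_flow_edges(attacked) <= control_flow_edges(make_trace(4)))
```

The attacked run is caught in phase 1, where the window contains only the two loop blocks, and again in every later window because the benign profile has no phase of that index; a control-flow-integrity check over block transitions sees nothing, since every edge the attacked run takes also appears in a benign run. Real phase boundaries, features, and tolerances are the thesis's design decisions and are not reproduced here.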
Keywords: Attack Detection. Basic Block. Hardware