ROPNN: Detection of ROP Payloads Using Deep Neural Networks

by   Xusheng Li, et al.

Return-oriented programming (ROP) is a code reuse attack that chains short snippets of existing code (known as gadgets) to perform arbitrary operations on target machines. Existing detection mechanisms against ROP often rely on certain heuristic rules and/or require instrumentations to the program or the compiler. As a result, they exhibit low detection efficiency and/or have high runtime overhead. In this paper, we present ROPNN, which innovatively combines address space layout guided disassembly and deep neural networks, to detect ROP payloads in HTTP requests, PDF files, and images, etc. The disassembler treats application input data as code pointers to potential gadgets and aims to find any potential gadget chains. The identified potential gadget chains are then classified by the deep neural network as benign or malicious. We propose novel methods to generate the two training datasets, respectively, and process huge amount (TB-level) of raw input data to obtain sufficient training data. Our experiments show that ROPNN has high detection rate (98.3 very low false positive rate (0.01 scenario, we also test it against ROP exploits that are collected in-the-wild, created manually or created by ROP exploit generation tools Ropper and ROPC. ROPNN successfully detects all of the 80 exploits. Meanwhile, ROPNN is completely non-intrusive and does not incur any runtime overhead to the protected program.


page 1

page 2

page 3

page 4


DeepCheck: A Non-intrusive Control-flow Integrity Checking based on Deep Learning

Code reuse attack (CRA) is a powerful attack that reuses existing codes ...

The never ending war in the stack and the reincarnation of ROP attacks

Return Oriented Programming (ROP) is a technique by which an attacker ca...

Using Structured Input and Modularity for Improved Learning

We describe a method for utilizing the known structure of input data to ...

Runtime Prevention of Deserialization Attacks

Untrusted deserialization exploits, where a serialised object graph is u...

Hiding in the Particles: When Return-Oriented Programming Meets Program Obfuscation

Largely known for attack scenarios, code reuse techniques at a closer lo...

Improving Java Deserialization Gadget Chain Mining via Overriding-Guided Object Generation

Java (de)serialization is prone to causing security-critical vulnerabili...

Hierarchical Training of Deep Neural Networks Using Early Exiting

Deep neural networks provide state-of-the-art accuracy for vision tasks ...

Please sign up or login with your details

Forgot password? Click here to reset