{"title":"SPADA","authors":"F. B. Moreira, Daniel A. G. Oliveira, P. Navaux","doi":"10.1145/3310273.3321557","DOIUrl":null,"url":null,"abstract":"One of the main challenges in system security is the detection of vulnerability exploitation, especially valid control flow exploitation. The specificity of state-of-the-art methods, such as signature-based detection, becomes a limiting factor when detecting the latest exploits and attacks uncovered. We propose the detection of exploit executions by partitioning applications into phases, characterized by their Basic Block activity, and a phase behavior analysis. In contrast to previous works, our technique can detect exploits which use proper application control flows, such as Heartbleed. Moreover, our method identifies instances under attack using simple and statistically relevant phase features to profile control flow.","PeriodicalId":431860,"journal":{"name":"Proceedings of the 16th ACM International Conference on Computing Frontiers","volume":"448 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2019-04-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 16th ACM International Conference on Computing Frontiers","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3310273.3321557","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 1
Abstract
One of the main challenges in system security is the detection of vulnerability exploitation, especially valid control flow exploitation. The specificity of state-of-the-art methods, such as signature-based detection, becomes a limiting factor when detecting the latest exploits and attacks uncovered. We propose the detection of exploit executions by partitioning applications into phases, characterized by their Basic Block activity, and a phase behavior analysis. In contrast to previous works, our technique can detect exploits which use proper application control flows, such as Heartbleed. Moreover, our method identifies instances under attack using simple and statistically relevant phase features to profile control flow.