Using page offsets for detecting control-flow anomalies

Varan, Engincan and Hanifi Rüstem, Khadija and Erdemli, Ayşegül Rana and Ünal, Musa Sadık and Tat, Yunus Emre and Tekinoğlu, Dilara Nur and Çetin, Orçun and Fuladi, Ramin and Yılmaz, Cemal (2024) Using page offsets for detecting control-flow anomalies. In: 16th International Conference on Innovative Security Solutions for Information Technology and Communications, SecITC 2023, Bucharest, Romania

Full text not available from this repository.

Abstract

In this study, we introduce an approach that leverages memory-page offsets as an abstraction mechanism for real-time detection of control-flow-affecting cyberattacks. In particular, we leverage page offsets for a number of reasons. First, being a part of the memory addresses, they can efficiently be monitored by using some of the features directly supported by modern CPUs, such as Intel Processor Trace (Intel PT). Second, they are not affected by the presence or absence of address space layout randomization (ASLR). Finally, they can be extracted from the system binaries statically, without the need for historical program executions for analysis. At runtime, we monitor the sequences of page offsets being processed, mark the "suspicious" sequences, and raise alarms as needed. In the experiments, which we carried out on real-life, document-based malware instances for Adobe PDF Reader and MS Word, the proposed approach successfully detected the malicious executions with F-measures of 0.9903 and 0.9771, respectively.
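The following is an added illustration of the idea the abstract describes, not code from the paper (whose full text is not available here): page offsets are the low 12 bits of an address, so two runs of the same code under different ASLR bases yield identical offset sequences, and a model of allowed offset n-grams built from statically extracted paths can flag a trace that diverges. The 4 KiB page size, the n-gram model, the sample path and the trace addresses are all constructed assumptions.

```python
# Added example (not from the paper): page-offset sequence anomaly detection.
# Assumptions: 4 KiB pages; a "suspicious" sequence is an n-gram of page
# offsets never produced by the statically extracted control-flow paths.
from collections import deque
from typing import Iterable, Iterator, List, Set, Tuple

PAGE_SIZE = 4096  # assumption: 4 KiB pages

def page_offset(addr: int) -> int:
    """Low 12 bits of a virtual address; unchanged by ASLR base relocation."""
    return addr & (PAGE_SIZE - 1)

def ngrams(offsets: Iterable[int], n: int) -> Iterator[Tuple[int, ...]]:
    """Sliding window of n consecutive page offsets."""
    window: deque = deque(maxlen=n)
    for off in offsets:
        window.append(off)
        if len(window) == n:
            yield tuple(window)

def build_model(static_paths: Iterable[Iterable[int]], n: int = 3) -> Set[Tuple[int, ...]]:
    """Allowed offset n-grams from paths extracted statically from the binary."""
    model: Set[Tuple[int, ...]] = set()
    for path in static_paths:
        model.update(ngrams((page_offset(a) for a in path), n))
    return model

def detect(model: Set[Tuple[int, ...]], trace_addrs: Iterable[int], n: int = 3) -> List[Tuple[int, Tuple[int, ...]]]:
    """Return (position, n-gram) for every runtime n-gram absent from the model."""
    return [(i, g) for i, g in enumerate(ngrams((page_offset(a) for a in trace_addrs), n))
            if g not in model]

# Constructed sample: one link-time path from a binary based at 0x400000, two
# runtime traces of that path under different ASLR bases, and a third trace
# that diverts into a page offset the static model never produced.
STATIC_PATH = [0x401000, 0x401020, 0x402010, 0x401040, 0x403100]
BASE_A, BASE_B = 0x555555400000, 0x7F0000200000
TRACE_A = [a - 0x400000 + BASE_A for a in STATIC_PATH]
TRACE_B = [a - 0x400000 + BASE_B for a in STATIC_PATH]
TRACE_BAD = TRACE_B[:3] + [BASE_B + 0x5FF0, BASE_B + 0x3100]

MODEL = build_model([STATIC_PATH])

if __name__ == "__main__":
    for name, trace in [("A", TRACE_A), ("B", TRACE_B), ("BAD", TRACE_BAD)]:
        hits = detect(MODEL, trace)
        print(name, "ALARM" if hits else "ok", [(i, [hex(o) for o in g]) for i, g in hits])
```

Traces A and B share every offset n-gram with the static model despite different bases, while the diverted trace produces two n-grams containing offset 0xff0 that the model lacks.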
Item Type: Papers in Conference Proceedings
Uncontrolled Keywords: control-flow hijacking attacks; dynamic program analysis; malware; runtime detection of cybersecurity attacks
Divisions: Faculty of Engineering and Natural Sciences
Depositing User: Orçun Çetin
Date Deposited: 11 Jun 2024 11:51
Last Modified: 11 Jun 2024 15:14
URI: https://research.sabanciuniv.edu/id/eprint/49121
