{"id":"https://openalex.org/W2597604324","doi":"https://doi.org/10.1145/3029806.3029812","title":"Detecting ROP with Statistical Learning of Program Characteristics","display_name":"Detecting ROP with Statistical Learning of Program Characteristics","publication_year":2017,"publication_date":"2017-03-20","ids":{"openalex":"https://openalex.org/W2597604324","doi":"https://doi.org/10.1145/3029806.3029812","mag":"2597604324"},"language":"en","primary_location":{"id":"doi:10.1145/3029806.3029812","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3029806.3029812","pdf_url":"http://dl.acm.org/ft_gateway.cfm?id=3029812&type=pdf","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"http://dl.acm.org/ft_gateway.cfm?id=3029812&type=pdf","any_repository_has_fulltext":null},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5029805433","display_name":"Mohamed Elsabagh","orcid":"https://orcid.org/0000-0002-5320-4985"},"institutions":[{"id":"https://openalex.org/I162714631","display_name":"George Mason University","ror":"https://ror.org/02jqj7156","country_code":"US","type":"education","lineage":["https://openalex.org/I162714631"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Mohamed Elsabagh","raw_affiliation_strings":["George Mason University, Fairfax, VA, USA"],"affiliations":[{"raw_affiliation_string":"George Mason University, Fairfax, VA, USA","institution_ids":["https://openalex.org/I162714631"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5089029917","display_name":"Daniel Barbar\u00e1","orcid":"https://orcid.org/0000-0002-2830-1038"},"institutions":[{"id":"https://openalex.org/I162714631","display_name":"George Mason University","ror":"https://ror.org/02jqj7156","country_code":"US","type":"education","lineage":["https://openalex.org/I162714631"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Daniel Barbara","raw_affiliation_strings":["George Mason University, Fairfax, VA, USA"],"affiliations":[{"raw_affiliation_string":"George Mason University, Fairfax, VA, USA","institution_ids":["https://openalex.org/I162714631"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5003091242","display_name":"Dan Fleck","orcid":null},"institutions":[{"id":"https://openalex.org/I162714631","display_name":"George Mason University","ror":"https://ror.org/02jqj7156","country_code":"US","type":"education","lineage":["https://openalex.org/I162714631"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Dan Fleck","raw_affiliation_strings":["George Mason University, Fairfax, VA, USA"],"affiliations":[{"raw_affiliation_string":"George Mason University, Fairfax, VA, USA","institution_ids":["https://openalex.org/I162714631"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5041500780","display_name":"Angelos Stavrou","orcid":"https://orcid.org/0000-0001-9888-0592"},"institutions":[{"id":"https://openalex.org/I162714631","display_name":"George Mason University","ror":"https://ror.org/02jqj7156","country_code":"US","type":"education","lineage":["https://openalex.org/I162714631"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Angelos Stavrou","raw_affiliation_strings":["George Mason University, Fairfax, VA, USA"],"affiliations":[{"raw_affiliation_string":"George Mason University, Fairfax, VA, USA","institution_ids":["https://openalex.org/I162714631"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5029805433"],"corresponding_institution_ids":["https://openalex.org/I162714631"],"apc_list":null,"apc_paid":null,"fwci":2.0786,"has_fulltext":true,"cited_by_count":25,"citation_normalized_percentile":{"value":0.89917757,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":91,"max":98},"biblio":{"volume":null,"issue":null,"first_page":"219","last_page":"226"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9968000054359436,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11005","display_name":"Radiation Effects in Electronics","score":0.9750000238418579,"subfield":{"id":"https://openalex.org/subfields/2208","display_name":"Electrical and Electronic Engineering"},"field":{"id":"https://openalex.org/fields/22","display_name":"Engineering"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8702161312103271},{"id":"https://openalex.org/keywords/compiler","display_name":"Compiler","score":0.6861901879310608},{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.6514395475387573},{"id":"https://openalex.org/keywords/control-flow","display_name":"Control flow","score":0.6064354181289673},{"id":"https://openalex.org/keywords/debugging","display_name":"Debugging","score":0.5780416131019592},{"id":"https://openalex.org/keywords/overhead","display_name":"Overhead (engineering)","score":0.5714074373245239},{"id":"https://openalex.org/keywords/cache","display_name":"Cache","score":0.4616910219192505},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.4399043023586273},{"id":"https://openalex.org/keywords/source-code","display_name":"Source code","score":0.43252187967300415},{"id":"https://openalex.org/keywords/microarchitecture","display_name":"Microarchitecture","score":0.4237293004989624},{"id":"https://openalex.org/keywords/embedded-system","display_name":"Embedded system","score":0.41622394323349},{"id":"https://openalex.org/keywords/optimizing-compiler","display_name":"Optimizing compiler","score":0.4126646816730499},{"id":"https://openalex.org/keywords/parallel-computing","display_name":"Parallel computing","score":0.38268494606018066},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.3258875012397766},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.20248571038246155}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8702161312103271},{"id":"https://openalex.org/C169590947","wikidata":"https://www.wikidata.org/wiki/Q47506","display_name":"Compiler","level":2,"score":0.6861901879310608},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.6514395475387573},{"id":"https://openalex.org/C160191386","wikidata":"https://www.wikidata.org/wiki/Q868299","display_name":"Control flow","level":2,"score":0.6064354181289673},{"id":"https://openalex.org/C168065819","wikidata":"https://www.wikidata.org/wiki/Q845566","display_name":"Debugging","level":2,"score":0.5780416131019592},{"id":"https://openalex.org/C2779960059","wikidata":"https://www.wikidata.org/wiki/Q7113681","display_name":"Overhead (engineering)","level":2,"score":0.5714074373245239},{"id":"https://openalex.org/C115537543","wikidata":"https://www.wikidata.org/wiki/Q165596","display_name":"Cache","level":2,"score":0.4616910219192505},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.4399043023586273},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.43252187967300415},{"id":"https://openalex.org/C107598950","wikidata":"https://www.wikidata.org/wiki/Q259864","display_name":"Microarchitecture","level":2,"score":0.4237293004989624},{"id":"https://openalex.org/C149635348","wikidata":"https://www.wikidata.org/wiki/Q193040","display_name":"Embedded system","level":1,"score":0.41622394323349},{"id":"https://openalex.org/C190902152","wikidata":"https://www.wikidata.org/wiki/Q1325106","display_name":"Optimizing compiler","level":3,"score":0.4126646816730499},{"id":"https://openalex.org/C173608175","wikidata":"https://www.wikidata.org/wiki/Q232661","display_name":"Parallel computing","level":1,"score":0.38268494606018066},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.3258875012397766},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.20248571038246155},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3029806.3029812","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3029806.3029812","pdf_url":"http://dl.acm.org/ft_gateway.cfm?id=3029812&type=pdf","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy","raw_type":"proceedings-article"}],"best_oa_location":{"id":"doi:10.1145/3029806.3029812","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3029806.3029812","pdf_url":"http://dl.acm.org/ft_gateway.cfm?id=3029812&type=pdf","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G1842110758","display_name":null,"funder_award_id":"SATC 1421747","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G3386313366","display_name":null,"funder_award_id":"60NANB16D285","funder_id":"https://openalex.org/F4320332178","funder_display_name":"National Institute of Standards and Technology"},{"id":"https://openalex.org/G4999837227","display_name":"TWC: TTP Option: Small: Collaborative: Scalable Techniques for Better Situational Awareness: Algorithmic Frameworks and Large-Scale Empirical Analyses","funder_award_id":"1421747","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G848032724","display_name":null,"funder_award_id":"Science","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"}],"funders":[{"id":"https://openalex.org/F4320306076","display_name":"National Science Foundation","ror":"https://ror.org/021nxhr62"},{"id":"https://openalex.org/F4320332178","display_name":"National Institute of Standards and Technology","ror":"https://ror.org/05xpvk416"}],"has_content":{"grobid_xml":true,"pdf":true},"content_urls":{"pdf":"https://content.openalex.org/works/W2597604324.pdf","grobid_xml":"https://content.openalex.org/works/W2597604324.grobid-xml"},"referenced_works_count":36,"referenced_works":["https://openalex.org/W44853875","https://openalex.org/W70478248","https://openalex.org/W93261043","https://openalex.org/W109212222","https://openalex.org/W109982125","https://openalex.org/W233021882","https://openalex.org/W1486570429","https://openalex.org/W1490482062","https://openalex.org/W1495630617","https://openalex.org/W1538332098","https://openalex.org/W1544471297","https://openalex.org/W1587559447","https://openalex.org/W1594536929","https://openalex.org/W1631846088","https://openalex.org/W1968002620","https://openalex.org/W1969501726","https://openalex.org/W1982829328","https://openalex.org/W2087300543","https://openalex.org/W2088503757","https://openalex.org/W2089448621","https://openalex.org/W2091250014","https://openalex.org/W2103006842","https://openalex.org/W2113261561","https://openalex.org/W2121468041","https://openalex.org/W2134633067","https://openalex.org/W2159216827","https://openalex.org/W2162800072","https://openalex.org/W2163567029","https://openalex.org/W2308566534","https://openalex.org/W2315350509","https://openalex.org/W2534461193","https://openalex.org/W2573650634","https://openalex.org/W2776428598","https://openalex.org/W2950774332","https://openalex.org/W3007346474","https://openalex.org/W4239813889"],"related_works":["https://openalex.org/W4321442002","https://openalex.org/W2015265939","https://openalex.org/W2480874422","https://openalex.org/W2953905390","https://openalex.org/W260118405","https://openalex.org/W2128306572","https://openalex.org/W4254603964","https://openalex.org/W2095357205","https://openalex.org/W2108112890","https://openalex.org/W2585893039"],"abstract_inverted_index":{"Return-Oriented":[0],"Programming":[1],"(ROP)":[2],"has":[3],"emerged":[4],"as":[5],"one":[6],"of":[7,25,40,48,75,88,146,181],"the":[8,81,84,119,129,163,179,182],"most":[9],"widely":[10],"used":[11],"techniques":[12],"to":[13,30,66,115,128,202],"exploit":[14],"software":[15],"vulnerabilities.":[16],"Unfortunately,":[17],"existing":[18],"ROP":[19,68,156,164,183],"protections":[20],"suffer":[21],"from":[22,118],"a":[23,63,109,142],"number":[24],"shortcomings:":[26],"they":[27],"require":[28],"access":[29],"source":[31,136],"code":[32,137],"and":[33,46,86,99,151,158,198],"compiler":[34,165],"support,":[35],"focus":[36],"on":[37,43,71,159],"specific":[38],"types":[39],"gadgets,":[41],"depend":[42],"accurate":[44],"disassembly":[45],"construction":[47],"Control":[49],"Flow":[50],"Graphs,":[51],"or":[52,138],"use":[53],"hardware-dependent":[54],"(microarchitectural)":[55],"characteristics.":[56,77],"In":[57],"this":[58],"paper,":[59],"we":[60],"propose":[61,108],"EigenROP,":[62],"novel":[64,110],"system":[65],"detect":[67],"payloads":[69,160],"based":[70,113],"unsupervised":[72],"statistical":[73],"learning":[74],"program":[76,91,121],"We":[78,107,140],"study,":[79],"for":[80,104],"first":[82],"time,":[83],"feasibility":[85],"effectiveness":[87],"using":[89,148],"microarchitecture-independent":[90],"characteristics":[92,122],"--":[93,103],"namely,":[94],"memory":[95,100],"locality,":[96],"register":[97],"traffic,":[98],"reuse":[101],"distance":[102],"detecting":[105],"ROP.":[106],"directional":[111],"statistics":[112],"algorithm":[114],"identify":[116],"deviations":[117],"expected":[120],"during":[123],"execution.":[124],"EigenROP":[125,147,168],"works":[126],"transparently":[127],"protected":[130],"program,":[131],"without":[132],"requiring":[133],"debug":[134],"information,":[135],"disassembly.":[139],"implemented":[141],"dynamic":[143],"instrumentation":[144],"prototype":[145],"Intel":[149],"Pin":[150],"measured":[152],"it":[153],"against":[154],"in-the-wild":[155],"exploits":[157],"generated":[161],"by":[162],"ROPC.":[166],"Overall,":[167],"achieved":[169],"significantly":[170],"higher":[171],"accuracy":[172],"than":[173],"prior":[174],"anomaly-based":[175],"solutions.":[176,205],"It":[177],"detected":[178],"execution":[180],"gadget":[184],"chains":[185],"with":[186],"81%":[187],"accuracy,":[188],"80%":[189],"true":[190],"positive":[191,196],"rate,":[192,197],"only":[193],"0.8%":[194],"false":[195],"incurred":[199],"comparable":[200],"overhead":[201],"similar":[203],"Pin-based":[204]},"counts_by_year":[{"year":2025,"cited_by_count":1},{"year":2024,"cited_by_count":2},{"year":2023,"cited_by_count":4},{"year":2022,"cited_by_count":5},{"year":2021,"cited_by_count":3},{"year":2020,"cited_by_count":3},{"year":2019,"cited_by_count":4},{"year":2018,"cited_by_count":3}],"updated_date":"2026-04-10T15:06:20.359241","created_date":"2025-10-10T00:00:00"}