{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2024,8,7]],"date-time":"2024-08-07T23:16:01Z","timestamp":1723072561075},"reference-count":37,"publisher":"Institute of Electronics, Information and Communications Engineers (IEICE)","issue":"7","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEICE Trans. Inf. &amp; Syst."],"published-print":{"date-parts":[[2020,7,1]]},"DOI":"10.1587\/transinf.2019icp0016","type":"journal-article","created":{"date-parts":[[2020,6,30]],"date-time":"2020-06-30T22:15:40Z","timestamp":1593555340000},"page":"1476-1492","source":"Crossref","is-referenced-by-count":3,"title":["ROPminer: Learning-Based Static Detection of ROP Chain Considering Linkability of ROP Gadgets"],"prefix":"10.1587","volume":"E103.D","author":[{"given":"Toshinori","family":"USUI","sequence":"first","affiliation":[{"name":"NTT Secure Platform Laboratories"},{"name":"Institute of Industrial Science, The University of Tokyo"}]},{"given":"Tomonori","family":"IKUSE","sequence":"additional","affiliation":[{"name":"NTT Secure Platform Laboratories"}]},{"given":"Yuto","family":"OTSUKI","sequence":"additional","affiliation":[{"name":"NTT Secure Platform Laboratories"}]},{"given":"Yuhei","family":"KAWAKOYA","sequence":"additional","affiliation":[{"name":"NTT Secure Platform Laboratories"}]},{"given":"Makoto","family":"IWAMURA","sequence":"additional","affiliation":[{"name":"NTT Secure Platform Laboratories"}]},{"given":"Jun","family":"MIYOSHI","sequence":"additional","affiliation":[{"name":"NTT Secure Platform Laboratories"}]},{"given":"Kanta","family":"MATSUURA","sequence":"additional","affiliation":[{"name":"Institute of Industrial Science, The University of Tokyo"}]}],"member":"532","reference":[{"key":"1","doi-asserted-by":"crossref","unstructured":"[1] H. Shacham, \u201cThe geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86),\u201d Proc. 
14th ACM Conference on Computer and Communications Security (CCS &apos;07), pp.552-561, ACM, 2007. 10.1145\/1315245.1315313","DOI":"10.1145\/1315245.1315313"},{"key":"2","unstructured":"[2] Sophos, \u201cOffice exploit generators.\u201d https:\/\/www.sophos.com\/en-us\/medialibrary\/PDFs\/technical%20papers\/sophos-office-exploit-generators-szappanos.pdf. (accessed: 2020-01-07)."},{"key":"3","unstructured":"[3] McAfee, \u201cThreadkit exploit kit.\u201d https:\/\/www.mcafee.com\/enterprise\/ja-jp\/threat-center\/threat-landscape-dashboard\/exploit-kits-details.threadkit-exploit-kit.html. (accessed: 2020-01-07)."},{"key":"4","doi-asserted-by":"crossref","unstructured":"[4] Z. Tzermias, G. Sykiotakis, M. Polychronakis, and E.P. Markatos, \u201cCombining static and dynamic analysis for the detection of malicious documents,\u201d Proc. Fourth European Workshop on System Security (EUROSEC &apos;11), pp.1-6, ACM, 2011. 10.1145\/1972551.1972555","DOI":"10.1145\/1972551.1972555"},{"key":"5","doi-asserted-by":"publisher","unstructured":"[5] B. Stancill, K.Z. Snow, N. Otterness, F. Monrose, L. Davi, and A.-R. Sadeghi, \u201cCheck my profile: Leveraging static analysis for fast and accurate detection of rop gadgets,\u201d Lecture Notes in Computer Science, vol.8145 (Proc. 16th International Symposium on Research in Attacks, Intrusions, and Defenses (RAID &apos;13)), pp.62-81, Springer, 2013. 10.1007\/978-3-642-41284-4_4","DOI":"10.1007\/978-3-642-41284-4_4"},{"key":"6","doi-asserted-by":"publisher","unstructured":"[6] R. Roemer, E. Buchanan, H. Shacham, and S. Savage, \u201cReturn-oriented programming: Systems, languages, and applications,\u201d ACM Transactions on Information and System Security (TISSEC), vol.15, no.1, pp.1-34, 2012. 10.1145\/2133375.2133377","DOI":"10.1145\/2133375.2133377"},{"key":"7","doi-asserted-by":"crossref","unstructured":"[7] Y. Tanaka and A. Goto, \u201cn-ropdetector: Proposal of a method to detect the rop attack code on the network,\u201d Proc. 
2014 Workshop on Cyber Security Analytics, Intelligence and Automation(SafeConfig &apos;14), pp.33-36, ACM, 2014. 10.1145\/2665936.2665937","DOI":"10.1145\/2665936.2665937"},{"key":"8","doi-asserted-by":"publisher","unstructured":"[8] C. YoungHan and L. DongHoon, \u201cStrop: Static approach for detection of return-oriented programming attack in network,\u201d IEICE Trans. Commun., vol.E98-B, no.1, pp.242-251, 2015. 10.1587\/transcom.e98.b.242","DOI":"10.1587\/transcom.E98.B.242"},{"key":"9","doi-asserted-by":"crossref","unstructured":"[9] C. J\u00e4mthagen, L. Karlsson, P. Stankovski, and M. Hell, \u201ceavesrop: Listening for rop payloads in data streams,\u201d Lecture Notes in Computer Science, vol.8783 (Proc. 17th International Conference on Information Security (ISC &apos;14)), pp.413-424, Springer, 2014. 10.1007\/978-3-319-13257-0_25","DOI":"10.1007\/978-3-319-13257-0_25"},{"key":"10","doi-asserted-by":"crossref","unstructured":"[10] K.Z. Snow, F. Monrose, L. Davi, A. Dmitrienko, C. Liebchen, and A.-R. Sadeghi, \u201cJust-in-time code reuse: On the effectiveness of fine-grained address space layout randomization,\u201d Proc. 2013 IEEE Symposium on Security and Privacy (SP &apos;13), pp.574-588, IEEE, 2013. 10.1109\/sp.2013.45","DOI":"10.1109\/SP.2013.45"},{"key":"11","unstructured":"[11] Microsoft, \u201cVmmap.\u201d https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/vmmap. (accessed: 2019-11-19)."},{"key":"12","doi-asserted-by":"publisher","unstructured":"[12] L.R. Rabiner, \u201cA tutorial on hidden markov models and selected applications in speech recognition,\u201d Proc. IEEE, vol.77, no.2, pp.257-286, IEEE, 1989. 10.1109\/5.18626","DOI":"10.1109\/5.18626"},{"key":"13","unstructured":"[13] H. Li and B. Sun, \u201cAttacking interoperability: An ole edition,\u201d Blackhat USA briefings 2015, https:\/\/www.blackhat.com\/docs\/us-15\/materials\/us-15-Li-Attacking-Interoperability-An-OLE-Edition.pdf. 
(accessed: 2017-03-21)."},{"key":"14","doi-asserted-by":"publisher","unstructured":"[14] S. Garfinkel, P. Farrell, V. Roussev, and G. Dinolt, \u201cBringing science to digital forensics with standardized forensic corpora,\u201d digital investigation, vol.6, pp.S2-S11, Elsevier, 2009. 10.1016\/j.diin.2009.06.016","DOI":"10.1016\/j.diin.2009.06.016"},{"key":"15","unstructured":"[15] Microsoft Azure, \u201cBing search apis.\u201d https:\/\/azure.microsoft.com\/en-us\/services\/cognitive-services\/search\/. (accessed: 2017-03-28)."},{"key":"16","unstructured":"[16] VirusTotal, \u201cVirustotal.\u201d https:\/\/www.virustotal.com\/. (accessed: 2017-03-09)."},{"key":"17","unstructured":"[17] Solar-Designer, \u201c\u201cReturn-to-libc\u201d attack.\u201d Bugtraq. Aug. 1997."},{"key":"18","unstructured":"[18] National Institute of Standards and Technology, \u201cNational software reference library.\u201d https:\/\/www.nist.gov\/software-quality-group\/national-software-reference-library-nsrl. (accessed: 2017-08-09)."},{"key":"19","doi-asserted-by":"crossref","unstructured":"[19] T. Bletsch, X. Jiang, V.W. Freeh, and Z. Liang, \u201cJump-oriented programming: a new class of code-reuse attack,\u201d Proc. 6th ACM Symposium on Information, Computer and Communications Security (ASIACCS &apos;11), pp.30-40, ACM, 2011. 10.1145\/1966913.1966919","DOI":"10.1145\/1966913.1966919"},{"key":"20","unstructured":"[20] N. Carlini and D. Wagner, \u201cRop is still dangerous: Breaking modern defenses,\u201d Proc. 23rd USENIX Security Symposium (USENIX Security &apos;14), pp.385-399, USENIX Association, 2014."},{"key":"21","doi-asserted-by":"crossref","unstructured":"[21] L. Davi, A.-R. Sadeghi, and M. Winandy, \u201cRopdefender: A detection tool to defend against return-oriented programming attacks,\u201d Proc. 6th ACM Symposium on Information, Computer and Communications Security (ASIACCS &apos;11), pp.40-51, ACM, 2011. 
10.1145\/1966913.1966920","DOI":"10.1145\/1966913.1966920"},{"key":"22","unstructured":"[22] Microsoft, \u201cEmet.\u201d https:\/\/support.microsoft.com\/en-us\/help\/2458544\/the-enhanced-mitigation-experience-toolkit. (accessed: 2019-08-29)."},{"key":"23","doi-asserted-by":"crossref","unstructured":"[23] P. Chen, X. Xing, H. Han, B. Mao, and L. Xie, \u201cEfficient detection of the return-oriented programming malicious code,\u201d Lecture Notes in Computer Science, vol.6503 (Proc. 6th International Conference on Information Systems Security (ICISS &apos;10)), pp.140-155, Springer, 2010. 10.1007\/978-3-642-17714-9_11","DOI":"10.1007\/978-3-642-17714-9_11"},{"key":"24","doi-asserted-by":"crossref","unstructured":"[24] P. Chen, H. Xiao, X. Shen, X. Yin, B. Mao, and L. Xie, \u201cDrop: Detecting return-oriented programming malicious code,\u201d Lecture Notes in Computer Science, vol.5905 (Proc. 5th International Conference on Information Systems Security (ICISS &apos;09)), pp.163-177, Springer, 2009. 10.1007\/978-3-642-10772-6_13","DOI":"10.1007\/978-3-642-10772-6_13"},{"key":"25","unstructured":"[25] E. G\u00f6kta\u015f, E. Athanasopoulos, M. Polychronakis, H. Bos, and G. Portokalidis, \u201cSize does matter: Why using gadget-chain length to prevent code-reuse attacks is hard,\u201d Proc. 23rd USENIX Security Symposium (USENIX Security &apos;14), pp.417-432, USENIX Association, 2014."},{"key":"26","unstructured":"[26] D. Williams-King, G. Gobieski, K. Williams-King, J.P. Blake, X. Yuan, P. Colp, M. Zheng, V.P. Kemerlis, J. Yang, and W. Aiello, \u201cShuffler: Fast and deployable continuous code re-randomization,\u201d Proc. 12th USENIX conference on Operating Systems Design and Implementation (OSDI &apos;16), pp.367-382, USENIX Association, 2016."},{"key":"27","doi-asserted-by":"crossref","unstructured":"[27] E. Shioji, Y. Kawakoya, M. Iwamura, and T. 
Hariu, \u201cCode shredding: byte-granular randomization of program layout for detecting code-reuse attacks,\u201d Proc. 28th Annual Computer Security Applications Conference (ACSAC &apos;12), pp.309-318, ACM, 2012. 10.1145\/2420950.2420996","DOI":"10.1145\/2420950.2420996"},{"key":"28","unstructured":"[28] PaX Team, \u201cRap: Rip rop,\u201d Hacker to Hacker Conference (H2HC) 12th Edition, https:\/\/pax.grsecurity.net\/docs\/PaXTeam-H2HC15-RAP-RIP-ROP.pdf. (accessed: 2017-03-21)."},{"key":"29","doi-asserted-by":"crossref","unstructured":"[29] M. Graziano, D. Balzarotti, and A. Zidouemba, \u201cRopmemu: A framework for the analysis of complex code-reuse attacks,\u201d Proc. 11th ACM Asia Conference on Computer and Communications Security (ASIACCS &apos;16), pp.47-58, ACM, 2016. 10.1145\/2897845.2897894","DOI":"10.1145\/2897845.2897894"},{"key":"30","doi-asserted-by":"crossref","unstructured":"[30] M. Elsabagh, D. Barbar\u00e1, D. Fleck, and A. Stavrou, \u201cDetecting rop with statistical learning of program characteristics,\u201d Proc. Seventh ACM Conference on Data and Application Security and Privacy (CODA &apos;17), pp.219-226, ACM, 2017. 10.1145\/3029806.3029812","DOI":"10.1145\/3029806.3029812"},{"key":"31","doi-asserted-by":"crossref","unstructured":"[31] B. Gu, X. Bai, Z. Yang, A.C. Champion, and D. Xuan, \u201cMalicious shellcode detection with virtual memory snapshots,\u201d Proc. 29th IEEE Conference on Computer Communications (INFOCOM &apos;10), pp.974-982, IEEE, 2010. 10.1109\/infcom.2010.5461950","DOI":"10.1109\/INFCOM.2010.5461950"},{"key":"32","doi-asserted-by":"crossref","unstructured":"[32] M. Polychronakis, K.G. Anagnostakis, and E.P. Markatos, \u201cComprehensive shellcode detection using runtime heuristics,\u201d Proc. 26th Annual Computer Security Applications Conference (ACSAC &apos;10), pp.287-296, ACM, 2010. 10.1145\/1920261.1920305","DOI":"10.1145\/1920261.1920305"},{"key":"33","unstructured":"[33] K.Z. Snow, S. Krishnan, F. 
Monrose, and N. Provos, \u201cShellos: Enabling fast detection and forensic analysis of code injection attacks,\u201d Proc. 21st USENIX Security Symposium (USENIX Security &apos;11), pp.183-200, USENIX Association, 2011."},{"key":"34","doi-asserted-by":"publisher","unstructured":"[34] K. Iwamoto and K. Wasaki, \u201cA method for shellcode extraction from malicious document files using entropy and emulation,\u201d International Journal of Engineering and Technology, vol.8, no.2, pp.101-106, 2016. 10.7763\/ijet.2016.v6.866","DOI":"10.7763\/IJET.2016.V6.866"},{"key":"35","unstructured":"[35] F. Boldewin, \u201cAnalyzing msoffice malware with officemalscanner.\u201d http:\/\/www.reconstructer.org\/code\/OfficeMalScanner.zip. (accessed: 2016-01-15)."},{"key":"36","doi-asserted-by":"crossref","unstructured":"[36] S.M. Tabish, M.Z. Shafiq, and M. Farooq, \u201cMalware detection using statistical analysis of byte-level file content,\u201d Proc. ACM SIGKDD Workshop on CyberSecurity and Intelligence Informatics (CSI-KPD &apos;09), pp.23-31, ACM, 2009. 10.1145\/1599272.1599278","DOI":"10.1145\/1599272.1599278"},{"key":"37","doi-asserted-by":"crossref","unstructured":"[37] C. Smutz and A. Stavrou, \u201cPreventing exploits in microsoft office documents through content randomization,\u201d Lecture Notes in Computer Science, vol.9404 (18th International Symposium on Research in Attacks, Intrusions, and Defenses (RAID &apos;15)), pp.225-246, Springer, 2015. 
10.1007\/978-3-319-26362-5_11","DOI":"10.1007\/978-3-319-26362-5_11"}],"container-title":["IEICE Transactions on Information and Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.jstage.jst.go.jp\/article\/transinf\/E103.D\/7\/E103.D_2019ICP0016\/_pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2020,7,4]],"date-time":"2020-07-04T03:24:58Z","timestamp":1593833098000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.jstage.jst.go.jp\/article\/transinf\/E103.D\/7\/E103.D_2019ICP0016\/_article"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,7,1]]},"references-count":37,"journal-issue":{"issue":"7","published-print":{"date-parts":[[2020]]}},"URL":"https:\/\/doi.org\/10.1587\/transinf.2019icp0016","relation":{},"ISSN":["0916-8532","1745-1361"],"issn-type":[{"value":"0916-8532","type":"print"},{"value":"1745-1361","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,7,1]]}}}