{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,3]],"date-time":"2026-05-03T11:01:58Z","timestamp":1777806118633,"version":"3.51.4"},"reference-count":68,"publisher":"SAGE Publications","issue":"5","license":[{"start":{"date-parts":[[2020,9,10]],"date-time":"2020-09-10T00:00:00Z","timestamp":1599696000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/journals.sagepub.com\/page\/policies\/text-and-data-mining-license"}],"content-domain":{"domain":["journals.sagepub.com"],"crossmark-restriction":true},"short-container-title":["Journal of Computer Security"],"published-print":{"date-parts":[[2020,9,28]]},"abstract":"<jats:p>Return-oriented programming (ROP) is a code reuse attack that chains short snippets of existing code to perform arbitrary operations on target machines. Existing detection methods against ROP exhibit unsatisfactory detection accuracy and\/or have high runtime overhead.<\/jats:p>\n                  <jats:p>In this paper, we present DeepReturn, which innovatively combines address space layout guided disassembly and deep neural networks to detect ROP payloads. The disassembler treats application input data as code pointers and aims to find any potential gadget chains, which are then classified by a deep neural network as benign or malicious. Our experiments show that DeepReturn has high detection rate (99.3%) and a very low false positive rate (0.01%). DeepReturn successfully detects all of the 100 real-world ROP exploits that are collected in-the-wild, created manually or created by ROP exploit generation tools. DeepReturn is non-intrusive and does not incur any runtime overhead to the protected program.<\/jats:p>","DOI":"10.3233\/jcs-191368","type":"journal-article","created":{"date-parts":[[2020,9,11]],"date-time":"2020-09-11T13:48:20Z","timestamp":1599832100000},"page":"499-523","update-policy":"https:\/\/doi.org\/10.1177\/sage-journals-update-policy","source":"Crossref","is-referenced-by-count":2,"title":["DeepReturn: A deep neural network can learn how to detect previously-unseen ROP payloads without using any heuristics"],"prefix":"10.1177","volume":"28","author":[{"given":"Xusheng","family":"Li","sequence":"first","affiliation":[{"name":"College of Information Sciences and Technology, Pennsylvania State University, PA, USA. E-mails:\u00a0,\u00a0,\u00a0"}]},{"given":"Zhisheng","family":"Hu","sequence":"additional","affiliation":[{"name":"Baidu Security, CA, USA. E-mail:\u00a0"}]},{"given":"Haizhou","family":"Wang","sequence":"additional","affiliation":[{"name":"College of Information Sciences and Technology, Pennsylvania State University, PA, USA. E-mails:\u00a0,\u00a0,\u00a0"}]},{"given":"Yiwei","family":"Fu","sequence":"additional","affiliation":[{"name":"GE Research, NY, USA. E-mail:\u00a0"}]},{"given":"Ping","family":"Chen","sequence":"additional","affiliation":[{"name":"JD.com American Technologies Corporation, CA, USA. E-mail:\u00a0"}]},{"given":"Minghui","family":"Zhu","sequence":"additional","affiliation":[{"name":"School of Electrical Engineering and Computer Science, Pennsylvania State University, PA, USA. E-mail:\u00a0"}]},{"given":"Peng","family":"Liu","sequence":"additional","affiliation":[{"name":"College of Information Sciences and Technology, Pennsylvania State University, PA, USA. E-mails:\u00a0,\u00a0,\u00a0"}]}],"member":"179","published-online":{"date-parts":[[2020,9,10]]},"reference":[{"key":"ref001","doi-asserted-by":"crossref","unstructured":"M.\u00a0Abadi, M.\u00a0Budiu, \u00da.\u00a0Erlingsson and J.\u00a0Ligatti, Control-flow integrity, in: ACM Conference on Computer and Communications Security (CCS \u201905), 2005.","DOI":"10.1145\/1102120.1102165"},{"key":"ref002","doi-asserted-by":"crossref","unstructured":"P.\u00a0Akritidis, C.\u00a0Cadar, C.\u00a0Raiciu, M.\u00a0Costa and M.\u00a0Castro, Preventing memory error exploits with WIT, in: IEEE Symposium on Security and Privacy (Oakland \u201908), 2008.","DOI":"10.1109\/SP.2008.30"},{"key":"ref003","doi-asserted-by":"crossref","unstructured":"A.\u00a0Bittau, A.\u00a0Belay, A.\u00a0Mashtizadeh, D.\u00a0Mazieres and D.\u00a0Boneh, Hacking blind, in: IEEE Symposium on Security and Privacy (Oakland \u201914), 2014.","DOI":"10.1109\/SP.2014.22"},{"key":"ref004","doi-asserted-by":"crossref","unstructured":"T.\u00a0Bletsch, X.\u00a0Jiang and V.\u00a0Freeh, Mitigating code-reuse attacks with control-flow locking, in: Annual Computer Security Applications Conference (ACSAC \u201911), 2011.","DOI":"10.1145\/2076732.2076783"},{"key":"ref005","doi-asserted-by":"crossref","unstructured":"T.\u00a0Bletsch, X.\u00a0Jiang, V.W.\u00a0Freeh and Z.\u00a0Liang, Jump-oriented programming: A new class of code-reuse attack, in: ACM Symposium on Information, Computer and Communications Security (ASIACCS \u201911), 2011.","DOI":"10.1145\/1966913.1966919"},{"key":"ref006","doi-asserted-by":"crossref","unstructured":"K.\u00a0B\u00f6ttinger, P.\u00a0Godefroid and R.\u00a0Singh, Deep reinforcement fuzzing, arXiv preprint arXiv:1801.04589 (2018).","DOI":"10.1109\/SPW.2018.00026"},{"key":"ref007","doi-asserted-by":"publisher","DOI":"10.1145\/3054924"},{"key":"ref008","unstructured":"N.\u00a0Carlini and D.\u00a0Wagner, ROP is still dangerous: Breaking modern defenses, in: USENIX Security Symposium (Security \u201914), 2014."},{"key":"ref009","doi-asserted-by":"crossref","unstructured":"S.\u00a0Checkoway, L.\u00a0Davi, A.\u00a0Dmitrienko, A.R.\u00a0Sadeghi, H.\u00a0Shacham and M.\u00a0Winandy, Return-oriented programming without returns, in: ACM Conference on Computer and Communications Security (CCS \u201910), 2010.","DOI":"10.1145\/1866307.1866370"},{"key":"ref010","doi-asserted-by":"crossref","unstructured":"P.\u00a0Chen, H.\u00a0Xiao, X.\u00a0Shen, X.\u00a0Yin, B.\u00a0Mao and L.\u00a0Xie, DROP: Detecting return-oriented programming malicious code, in: International Conference on Information Systems Security (ICISS \u201909), 2009.","DOI":"10.1007\/978-3-642-10772-6_13"},{"key":"ref011","doi-asserted-by":"crossref","unstructured":"Y.\u00a0Cheng, Z.\u00a0Zhou, M.\u00a0Yu, X.\u00a0Ding and R.H.\u00a0Deng, ROPecker: A generic and practical approach for defending against ROP attacks, in: Proceedings of the 21th Annual Network and Distributed System Security Symposium (NDSS\u201914), 2014.","DOI":"10.14722\/ndss.2014.23156"},{"key":"ref012","unstructured":"F.\u00a0Chollet et al., Keras: Deep learning library for theano and tensorflow, URL: https:\/\/keras.io\/ 7(8) (2015)."},{"key":"ref013","unstructured":"D.C.\u00a0Ciresan, U.\u00a0Meier, J.\u00a0Masci, L.M.\u00a0Gambardella and J.\u00a0Schmidhuber, Flexible, high performance convolutional neural networks for image classification, in: IJCAI Proceedings \u2013 International Joint Conference on Artificial Intelligence, Vol.\u00a022, 2011, p.\u00a01237, Barcelona, Spain."},{"key":"ref014","unstructured":"L.\u00a0Davi, A.\u00a0Dmitrienko, M.\u00a0Egele, T.\u00a0Fischer, T.\u00a0Holz, R.\u00a0Hund, S.\u00a0N\u00fcrnberger and A.R.\u00a0Sadeghi, MoCFI: A framework to mitigate control-flow attacks on smartphones, in: Annual Network and Distributed System Security Symposium (NDSS\u201912), 2012."},{"key":"ref015","unstructured":"L.\u00a0Davi, A.R.\u00a0Sadeghi, D.\u00a0Lehmann and F.\u00a0Monrose, Stitching the gadgets: On the ineffectiveness of coarse-grained control-flow integrity protection, in: USENIX Security Symposium (Security \u201914), 2014."},{"key":"ref016","doi-asserted-by":"crossref","unstructured":"J.\u00a0Deng, W.\u00a0Dong, R.\u00a0Socher, L.J.\u00a0Li, K.\u00a0Li and L.\u00a0Fei-Fei, ImageNet: A large-scale hierarchical image database, in: CVPR09, 2009.","DOI":"10.1109\/CVPR.2009.5206848"},{"key":"ref017","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134015"},{"key":"ref018","doi-asserted-by":"publisher","DOI":"10.1145\/3029806.3029812"},{"key":"ref019","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-46598-2_15"},{"key":"ref020","unstructured":"P.\u00a0Ginsparg, arXiv.org e-Print archive, https:\/\/arxiv.org\/, Cornell University, 1991."},{"key":"ref021","unstructured":"E.\u00a0G\u00f6kta\u015fs, E.\u00a0Athanasopoulos, M.\u00a0Polychronakis, H.\u00a0Bos and G.\u00a0Portokalidis, Size does matter: Why using gadget-chain length to prevent code-reuse attacks is hard, in: USENIX Security Symposium (Security\u201914), 2014."},{"key":"ref022","unstructured":"I.\u00a0Goodfellow, Y.\u00a0Bengio, A.\u00a0Courville and Y.\u00a0Bengio, Deep Learning, Vol.\u00a01, MIT Press, Cambridge, 2016."},{"key":"ref023","doi-asserted-by":"publisher","DOI":"10.1162\/neco.1997.9.8.1735"},{"key":"ref024","unstructured":"C.W.\u00a0Hsu, C.C.\u00a0Chang, C.J.\u00a0Lin et al., A practical guide to support vector classification (2003)."},{"key":"ref025","unstructured":"S.\u00a0Ioffe and C.\u00a0Szegedy, Batch normalization: Accelerating deep network training by reducing internal covariate shift, arXiv preprint arXiv:1502.03167 (2015)."},{"key":"ref026","doi-asserted-by":"crossref","unstructured":"Y.\u00a0Kim, Convolutional neural networks for sentence classification, arXiv preprint arXiv:1408.5882 (2014).","DOI":"10.3115\/v1\/D14-1181"},{"key":"ref027","doi-asserted-by":"publisher","DOI":"10.1109\/MIS.2016.45"},{"key":"ref028","unstructured":"J.\u00a0Leek, Don\u2019t use deep learning your data isn\u2019t that big, https:\/\/simplystatistics.org\/2017\/05\/31\/deeplearning-vs-leekasso\/, 2017."},{"key":"ref029","unstructured":"L.D.Long, Analysis of nginx 1.3.9\/1.4.0 stack buffer overflow and x64 exploitation (CVE-2013-2028), http:\/\/www.vnsecurity.net\/research\/2013\/05\/21\/analysis-of-nginx-cve-2013-2028.html, VNSECURITY, 2013."},{"key":"ref030","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-23644-0_6"},{"key":"ref031","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813676"},{"key":"ref032","unstructured":"Microsoft, A detailed description of the Data Execution Prevention (DEP) feature in Windows XP Service Pack 2, 2008, http:\/\/support.microsoft.com\/kb\/875352."},{"key":"ref033","unstructured":"I.\u00a0Molnar, Exec Shield, 2003, http:\/\/people.redhat.com\/mingo\/exec-shield\/."},{"key":"ref034","doi-asserted-by":"publisher","DOI":"10.1016\/j.isprsjprs.2010.11.001"},{"key":"ref035","unstructured":"negux, Freefloat FTP Server 1.0 - DEP bypass with ROP, https:\/\/www.exploit-db.com\/exploits\/24944\/, 2013."},{"key":"ref036","unstructured":"C.\u00a0Nicholas, B.\u00a0Antonio, P.\u00a0Mathias, W.\u00a0David and R.G.\u00a0Thomas, Control-flow bending: On the effectiveness of control-flow integrity, in: USENIX Security Symposium (Security\u201915), 2015."},{"key":"ref037","unstructured":"pakt, pakt\/ropc: A Turing complete ROP compiler, https:\/\/github.com\/pakt\/ropc, GitHub, 2012."},{"key":"ref038","unstructured":"V.\u00a0Pappas, M.\u00a0Polychronakis and A.D.\u00a0Keromytis, Transparent ROP exploit mitigation using indirect branch tracing, in: Proceedings of the 22nd USENIX Security Symposium (Security\u201913), 2013."},{"key":"ref039","unstructured":"M.\u00a0Payer, A.\u00a0Barresi and T.R.\u00a0Gross, Fine-grained control-flow integrity through binary hardening."},{"key":"ref040","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-15618-7_6"},{"key":"ref041","doi-asserted-by":"publisher","DOI":"10.1109\/MALWARE.2011.6112327"},{"key":"ref042","doi-asserted-by":"publisher","DOI":"10.1016\/S0893-6080(98)00116-6"},{"key":"ref043","unstructured":"N.A.\u00a0Quynh, Capstone \u2013 the ultimate disassembler, https:\/\/github.com\/aquynh\/capstone, GitHub, 2013."},{"key":"ref044","unstructured":"N.A.\u00a0Quynh, Unicorn \u2013 the ultimate CPU emulator, https:\/\/www.unicorn-engine.org\/, Unicorn, 2015."},{"key":"ref045","doi-asserted-by":"crossref","unstructured":"R.\u00a0Rudd, R.\u00a0Skowyra, D.\u00a0Bigelow, V.\u00a0Dedhia, T.\u00a0Hobson, S.\u00a0Crane, C.\u00a0Liebchen, P.\u00a0Larsen, L.\u00a0Davi, M.\u00a0Franz et al., Address oblivious code reuse: On the effectiveness of leakage resilient diversity, in: NDSS, 2017.","DOI":"10.14722\/ndss.2017.23477"},{"key":"ref046","unstructured":"J.\u00a0Sacco, Crashmail 1.6 \u2013 stack-based buffer overflow (ROP), https:\/\/www.exploit-db.com\/exploits\/44331\/, 2018."},{"key":"ref047","unstructured":"J.\u00a0Sacco, PMS 0.42 \u2013 local stack-based overflow (ROP), https:\/\/www.exploit-db.com\/exploits\/44426\/, 2018."},{"key":"ref048","unstructured":"J.\u00a0Salwan, ROPgadget, https:\/\/github.com\/JonathanSalwan\/ROPgadget, GitHub, 2015."},{"key":"ref049","unstructured":"S.\u00a0Schirra, Ropper \u2013 rop gadget finder and binary information tool, https:\/\/github.com\/sashs\/Ropper, GitHub, 2016."},{"key":"ref050","unstructured":"E.J.\u00a0Schwartz, T.\u00a0Avgerinos and D.\u00a0Brumley, Q: Exploit hardening made easy, in: USENIX Conference on Security (Security \u201911), 2011."},{"key":"ref051","doi-asserted-by":"crossref","unstructured":"J.\u00a0Seibert, H.\u00a0Okhravi and E.\u00a0S\u00f6derstr\u00f6m, Information leaks without memory disclosures: Remote side channel attacks on diversified code, in: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, 2014, pp.\u00a054\u201365, ACM.","DOI":"10.1145\/2660267.2660309"},{"key":"ref052","doi-asserted-by":"crossref","unstructured":"H.\u00a0Shacham, The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86), in: ACM Conference on Computer and Communications Security (CCS\u201907), 2007.","DOI":"10.1145\/1315245.1315313"},{"key":"ref053","doi-asserted-by":"crossref","unstructured":"H.\u00a0Shacham, The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86), in: ACM Conference on Computer and Communications Security (CCS \u201907), 2007.","DOI":"10.1145\/1315245.1315313"},{"key":"ref054","doi-asserted-by":"crossref","unstructured":"K.Z.\u00a0Snow, F.\u00a0Monrose, L.\u00a0Davi, A.\u00a0Dmitrienko, C.\u00a0Liebchen and A.R.\u00a0Sadeghi, Just-in-time code reuse: On the effectiveness of fine-grained address space layout randomization, in: IEEE Symposium on Security and Privacy (Oakland \u201913), 2013, pp.\u00a0574\u2013588.","DOI":"10.1109\/SP.2013.45"},{"key":"ref055","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.61"},{"key":"ref056","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243813"},{"key":"ref057","unstructured":"A.\u00a0Souchet, rp++, https:\/\/github.com\/0vercl0k\/rp, GitHub, 2012."},{"issue":"1","key":"ref058","first-page":"1929","volume":"15","author":"Srivastava N.","year":"2014","journal-title":"Journal of Machine Learning Research"},{"key":"ref059","doi-asserted-by":"crossref","unstructured":"B.\u00a0Stancill, K.Z.\u00a0Snow, N.\u00a0Otterness, F.\u00a0Monrose, L.\u00a0Davi and A.R.\u00a0Sadeghi, Check my profile: Leveraging static analysis for fast and accurate detection of ROP gadgets, in: International Workshop on Recent Advances in Intrusion Detection, 2013, pp.\u00a062\u201381, Springer.","DOI":"10.1007\/978-3-642-41284-4_4"},{"key":"ref060","doi-asserted-by":"crossref","unstructured":"R.\u00a0Strackx, Y.\u00a0Younan, P.\u00a0Philippaerts, F.\u00a0Piessens, S.\u00a0Lachmund and T.\u00a0Walter, Breaking the memory secrecy assumption, in: Second European Workshop on System Security, 2009.","DOI":"10.1145\/1519144.1519145"},{"key":"ref061","unstructured":"P.\u00a0Sue, Ropper \u2013 rop gadget finder and binary information tool, https:\/\/github.com\/oblivia-simplex\/roper, GitHub, 2017."},{"key":"ref062","doi-asserted-by":"publisher","DOI":"10.2214\/AJR.15.15996"},{"key":"ref063","doi-asserted-by":"crossref","unstructured":"Y.\u00a0Tanaka and A.\u00a0Goto, n-ROPdetector: Proposal of a method to detect the ROP attack code on the network, in: Proceedings of the 2014 Workshop on Cyber Security Analytics, Intelligence and Automation, 2014, pp.\u00a033\u201336, ACM.","DOI":"10.1145\/2665936.2665937"},{"key":"ref064","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2008.30"},{"key":"ref065","doi-asserted-by":"crossref","unstructured":"Z.\u00a0Wang and X.\u00a0Jiang, HyperSafe: A lightweight approach to provide lifetime hypervisor control-flow integrity, in: IEEE Symposium on Security and Privacy (Oakland \u201910), 2010.","DOI":"10.1109\/SP.2010.30"},{"key":"ref066","doi-asserted-by":"crossref","unstructured":"L.\u00a0Yao, A.\u00a0Torabi, K.\u00a0Cho, N.\u00a0Ballas, C.\u00a0Pal, H.\u00a0Larochelle and A.\u00a0Courville, Describing videos by exploiting temporal structure, in: Proceedings of the IEEE International Conference on Computer Vision, 2015, pp.\u00a04507\u20134515.","DOI":"10.1109\/ICCV.2015.512"},{"key":"ref067","unstructured":"ZadYree, HT Editor 2.0.20 \u2013 local buffer overflow (ROP), https:\/\/www.exploit-db.com\/exploits\/22683\/, 2012."},{"key":"ref068","unstructured":"M.\u00a0Zhang and R.\u00a0Sekar, Control flow integrity for COTS binaries, in: USENIX Conference on Security (Security \u201913), 2013."}],"container-title":["Journal of Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-191368","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/full-xml\/10.3233\/JCS-191368","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-191368","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,29]],"date-time":"2026-04-29T20:45:24Z","timestamp":1777495524000},"score":1,"resource":{"primary":{"URL":"https:\/\/journals.sagepub.com\/doi\/10.3233\/JCS-191368"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,9,10]]},"references-count":68,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2020,9,28]]}},"alternative-id":["10.3233\/JCS-191368"],"URL":"https:\/\/doi.org\/10.3233\/jcs-191368","relation":{},"ISSN":["0926-227X","1875-8924"],"issn-type":[{"value":"0926-227X","type":"print"},{"value":"1875-8924","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,9,10]]}}}