Carter Yagemann


Ph.D. Candidate

Georgia Institute of Technology

I am a Ph.D. candidate in the Institute for Information Security and Privacy at the Georgia Institute of Technology, where I am advised by Prof. Wenke Lee and Prof. Brendan Saltaformaggio. My research interests are in systems and software security, spanning vulnerability discovery via combined program analysis and machine learning, root cause analysis and exploit prevention, and simulation of attacks targeting financial markets.


Barnum Paper to Appear in Information Security Conference 2019 (ISC'19)

Sat 08 June 2019

My coauthors and I will be presenting a paper at the 22nd Information Security Conference (ISC'19) in September. Below is a preview:

Title: Barnum: Detecting Document Malware via Control Flow Anomalies in Hardware Traces.

Authors: Carter Yagemann (Georgia Tech), Salmin Sultana (Intel Labs), Li Chen (Intel Labs), Wenke Lee (Georgia Tech).

Abstract: This paper proposes Barnum, an offline control flow attack detection system that applies deep learning on hardware execution traces to model a program's behavior and detect control flow anomalies. Our implementation analyzes document readers to detect exploits and ABI abuse. Recent work has proposed using deep learning based control flow classification to build more robust and scalable detection systems. These proposals, however, were not evaluated against different kinds of control flow attacks, programs, and adversarial perturbations.

We investigate anomaly detection approaches to improve the security coverage and scalability of control flow attack detection. Barnum is an end-to-end system consisting of three major components: 1) trace collection, 2) behavior modeling, and 3) anomaly detection via binary classification. It utilizes Intel® Processor Trace for low overhead execution tracing and applies deep learning on the basic block sequences reconstructed from the trace to train a normal program behavior model. Based on the path prediction accuracy of the model, Barnum then determines a decision boundary to classify benign vs. malicious executions.

We evaluate against 8 families of attacks on Adobe Acrobat Reader and 9 on Microsoft Word on Windows 7. Both readers are complex programs with over 50 dynamically linked libraries, just-in-time compiled code, and frequent network I/O. Barnum demonstrates its effectiveness with a 0% false positive rate and a 2.4% false negative rate on a dataset of 1,250 benign and 1,639 malicious PDFs. Barnum is robust against evasion techniques, as it successfully detects 500 adversarially perturbed PDFs.
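The behavior-modeling and decision-boundary steps described in the abstract can be sketched as follows. This is an added example, not Barnum's code: a count-based next-block predictor stands in for the deep learning model, the letters are constructed basic block IDs rather than decoded Intel PT output, and the boundary rule (lowest held-out benign accuracy minus a margin) is an assumption.

```python
from collections import Counter, defaultdict

K = 2  # context length in basic blocks (assumed value)

def train(traces, k=K):
    """Count which block follows each k-block context in benign traces."""
    model = defaultdict(Counter)
    for t in traces:
        for i in range(k, len(t)):
            model[tuple(t[i - k:i])][t[i]] += 1
    return model

def path_accuracy(model, trace, k=K):
    """Fraction of transitions whose next block is the model's top prediction."""
    hits = total = 0
    for i in range(k, len(trace)):
        total += 1
        nxt = model.get(tuple(trace[i - k:i]))  # None for an unseen context
        if nxt and nxt.most_common(1)[0][0] == trace[i]:
            hits += 1
    return hits / total if total else 0.0

def fit_boundary(model, benign_validation, margin=0.05):
    """Assumed rule: lowest held-out benign accuracy minus a safety margin."""
    return min(path_accuracy(model, t) for t in benign_validation) - margin

def is_anomalous(model, boundary, trace):
    """Flag a trace whose path prediction accuracy falls below the boundary."""
    return path_accuracy(model, trace) < boundary

# Constructed traces: each letter stands for one basic block ID.
BENIGN_TRAIN = [list("ABCD" * 5), list("ABCDABEDABCD")]
BENIGN_VAL = [list("ABCDABCDABEDABCD"), list("ABCD" * 3)]
# Constructed anomaly: execution leaves the known path for unseen blocks X, Y, Z.
HIJACKED = list("ABCDABXYZXYZXYCD")

MODEL = train(BENIGN_TRAIN)
BOUNDARY = fit_boundary(MODEL, BENIGN_VAL)

if __name__ == "__main__":
    for name, t in [("benign", BENIGN_VAL[1]), ("hijacked", HIJACKED)]:
        print(name, round(path_accuracy(MODEL, t), 3), is_anomalous(MODEL, BOUNDARY, t))
```

A rare but legitimate branch (`E` in the validation trace) lowers benign accuracy slightly, which is why the boundary is fitted on held-out benign traces instead of being fixed at 100%.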