Sistemy i Sredstva Informatiki [Systems and Means of Informatics]
Sistemy i Sredstva Informatiki [Systems and Means of Informatics], 2021, Volume 31, Issue 4, Pages 48–60
DOI: https://doi.org/10.14357/08696527210405
(Mi ssi797)
 

On one method for detecting exploitation of vulnerabilities and its parameters

Yu. V. Kosolapov

Institute for Mathematics, Mechanics, and Computer Science named after I. I. Vorovich, Southern Federal University, 8a Milchakova Str., Rostov-on-Don 344090, Russian Federation
Abstract: When a program vulnerability is successfully exploited, the exploit often calls some system function. Therefore, one possible way to detect exploitation of a vulnerability in a specific program is to check for an atypical distance between call number $i$ and call number $i-j$, where $j \in \{1, \ldots, T\}$, $T \in \mathbb{N}$. Distance is understood as the difference between the addresses of the calls to these functions, and typicality is determined by checking whether the distance belongs to the distance profile. In addition to the parameter $T$, the detection algorithm uses the parameter $W \in \mathbb{N}$: the number of profiles against which a call is checked. For $j \in \{1, \ldots, W\}$, profile number $j$ is constructed from the pairs of calls in a legitimate sequence whose call indices differ by $j$. The aim of this work is, on the one hand, to describe the detection algorithm and, on the other, to provide an experimental estimate of sufficient values of the parameters $W$ and $T$. In particular, it was found that the values of these parameters depend on the set of monitored functions; therefore, for each set of functions (and each protected program), these parameters must be found separately.
Keywords: software vulnerabilities, distance between function calls, program protection.
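A minimal sketch of the distance-profile check described in the abstract, added here as an illustration and not taken from the paper. Assumptions: a single `depth` parameter stands in for both $W$ and $T$ (the abstract does not say how the two interact), a profile is the exact set of observed address differences, any out-of-profile distance raises an alert, and all addresses are constructed sample values.

```python
from collections import defaultdict

def build_profiles(legit_traces, depth):
    """Profile j holds every distance addr[i] - addr[i-j] seen in legitimate traces."""
    profiles = defaultdict(set)
    for trace in legit_traces:
        for i in range(len(trace)):
            for j in range(1, min(depth, i) + 1):
                profiles[j].add(trace[i] - trace[i - j])
    return dict(profiles)

def check_trace(trace, profiles, depth):
    """Return (call index, lag j, distance) for each distance missing from profile j."""
    alerts = []
    for i in range(len(trace)):
        for j in range(1, min(depth, i) + 1):
            distance = trace[i] - trace[i - j]
            if distance not in profiles.get(j, set()):
                alerts.append((i, j, distance))
    return alerts

# Constructed call addresses of monitored functions in two legitimate runs.
LEGIT = [
    [0x401000, 0x401040, 0x401090, 0x401040, 0x4010F0],
    [0x401000, 0x401090, 0x4010F0],
]
# Constructed trace: one monitored call is made from an address far outside the image.
FOREIGN = [0x401000, 0x401040, 0x7FFD1000, 0x4010F0]
# Constructed trace: only known call addresses, but in an order never seen in LEGIT.
REORDERED = [0x401000, 0x401040, 0x401090, 0x4010F0]

if __name__ == "__main__":
    for depth in (1, 2):
        profiles = build_profiles(LEGIT, depth)
        for name, trace in (("FOREIGN", FOREIGN), ("REORDERED", REORDERED)):
            hits = check_trace(trace, profiles, depth)
            print(f"depth={depth} {name}: "
                  + (", ".join(f"call {i} lag {j} d={d:#x}" for i, j, d in hits) or "no alerts"))
```

With `depth=1` the reordered trace passes because every adjacent distance occurs in the legitimate runs; at `depth=2` the lag-2 distance gives it away, which is why the depth has to be tuned per program and per set of monitored functions.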
Received: 20.08.2020
Document Type: Article
Language: Russian
Citation: Yu. V. Kosolapov, “On one method for detecting exploitation of vulnerabilities and its parameters”, Sistemy i Sredstva Inform., 31:4 (2021), 48–60
Citation in format AMSBIB
\Bibitem{Kos21}
\by Yu.~V.~Kosolapov
\paper On one method for detecting exploitation of~vulnerabilities and~its~parameters
\jour Sistemy i Sredstva Inform.
\yr 2021
\vol 31
\issue 4
\pages 48--60
\mathnet{http://mi.mathnet.ru/ssi797}
\crossref{https://doi.org/10.14357/08696527210405}
Linking options:
  • https://www.mathnet.ru/eng/ssi797
  • https://www.mathnet.ru/eng/ssi/v31/i4/p48