Attesting L-3 General Program Anomaly Detection Efficiency with SPADA

Tags: Computer Security, Intrusion Detection and Program Profiling

Abstract:
One of the main challenges for security systems is the detection of general vulnerability exploitation, especially when the exploit uses valid control flow. Detection and mitigation of memory corruption exploits have been thoroughly researched and deployed, chiefly by marking memory pages non-executable and randomizing the address space of vulnerable applications. However, advanced exploits already bypass these techniques, while other exploits abuse different classes of vulnerability and are thus not mitigated by the current state of the art. The detection of anomalous behavior therefore offers an exciting research direction: work in this field tries to describe what standard program execution looks like, and then flags as anomalous any behavior that does not fit that description.
In this work, we compare two mechanisms that aim to detect general anomalies: SPADA and LAD. SPADA is an L-3 language mechanism that partitions program execution into phases and uses simple phase features to detect anomalies. LAD is a constrained L-1 language mechanism that applies complex clustering and machine learning models on specific functions to detect anomalies. In our experimental campaign with several real-world exploits, we show that SPADA's detection performs as well as or better than LAD's while being much simpler and easier to implement. We thus provide experimental evidence that further attests to the efficiency of L-3 mechanisms at general attack detection.
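The principle shared by the two mechanisms compared in this abstract, describing normal execution and flagging whatever does not fit, can be illustrated with a small phase-based profiler. The following Python is an added example written for this page; it is not the code of SPADA, LAD or the paper's authors, and it does not reproduce either mechanism. It assumes a program trace is a sequence of coarse event labels (the syscall-like labels below are constructed), partitions it into fixed-length phases, and uses the relative event frequencies of each phase as its features. The phase length, the slack factor applied to the learned distance threshold, and the event vocabulary are all assumptions of the example.

```python
"""Illustrative phase-based program anomaly detector (added example, not SPADA or LAD).

A program trace is modelled as a list of coarse event labels. The trace is cut
into fixed-length phases, each phase is summarised by the relative frequency of
every event label inside it, and a profile of normal phases is learned from
benign traces. At detection time a phase is flagged when it is farther from
every training phase than a learned threshold, or when it contains an event
label never seen during training.
"""
from collections import Counter
import math

PHASE_LEN = 8  # assumed phase length (events per phase) for this example


def phase_features(trace, phase_len=PHASE_LEN):
    """Partition a trace into consecutive phases; return one feature vector
    (dict of event -> relative frequency within the phase) per phase."""
    phases = []
    for start in range(0, len(trace), phase_len):
        window = trace[start:start + phase_len]
        counts = Counter(window)
        phases.append({ev: n / len(window) for ev, n in counts.items()})
    return phases


def distance(a, b):
    """Euclidean distance between two sparse frequency vectors."""
    keys = set(a) | set(b)
    return math.sqrt(sum((a.get(k, 0.0) - b.get(k, 0.0)) ** 2 for k in keys))


class PhaseProfile:
    """Profile of normal execution built from per-phase feature vectors."""

    def __init__(self, phase_len=PHASE_LEN, slack=1.5):
        self.phase_len = phase_len
        self.slack = slack      # assumed tolerance multiplier on the threshold
        self.vectors = []       # feature vectors of all benign training phases
        self.vocab = set()      # every event label observed in training
        self.threshold = 0.0

    def train(self, traces):
        """Learn the profile: remember benign phase vectors and set the distance
        threshold to the largest leave-one-out nearest-neighbour distance among
        them, scaled by the slack factor. Returns the threshold."""
        for trace in traces:
            self.vocab.update(trace)
            self.vectors.extend(phase_features(trace, self.phase_len))
        loo = []
        for i, v in enumerate(self.vectors):
            others = [distance(v, w) for j, w in enumerate(self.vectors) if j != i]
            loo.append(min(others) if others else 0.0)
        self.threshold = max(loo) * self.slack if loo else 0.0
        return self.threshold

    def score(self, vec):
        """Distance from a phase vector to its nearest benign training phase."""
        return min(distance(vec, w) for w in self.vectors)

    def detect(self, trace):
        """Return (phase_index, score, unseen_events) for every anomalous phase."""
        flagged = []
        for idx, vec in enumerate(phase_features(trace, self.phase_len)):
            unseen = sorted(set(vec) - self.vocab)
            score = self.score(vec)
            if unseen or score > self.threshold:
                flagged.append((idx, score, unseen))
        return flagged


# Constructed benign traces: a request-handling loop whose phases differ only
# slightly in how many reads, lookups, writes or log calls they contain.
NORMAL_TRACES = [
    ["accept", "read", "parse", "lookup", "write", "write", "close", "log",
     "accept", "read", "parse", "lookup", "lookup", "write", "close", "log"],
    ["accept", "read", "read", "parse", "lookup", "write", "close", "log",
     "accept", "read", "parse", "lookup", "write", "close", "log", "log"],
]

# Constructed trace under test: two benign phases interleaved with one phase
# that introduces event labels never seen in training and one phase whose
# event mix is far from anything seen in training.
TEST_TRACE = (
    ["accept", "read", "parse", "lookup", "write", "write", "close", "log"]
    + ["accept", "read", "parse", "mprotect", "mmap", "write", "close", "log"]
    + ["accept", "read", "parse", "lookup", "lookup", "write", "close", "log"]
    + ["write"] * 8
)


def demo():
    """Train on the benign traces and return the flagged phases of TEST_TRACE."""
    profile = PhaseProfile()
    profile.train(NORMAL_TRACES)
    return profile.detect(TEST_TRACE)


if __name__ == "__main__":
    for idx, score, unseen in demo():
        print(f"phase {idx}: distance {score:.3f}, unseen events {unseen}")
```

Two points the example makes that the abstract only states in general terms: the phase with the unknown `mprotect`/`mmap` labels sits within the learned distance threshold of a benign phase, so a frequency-only profile would miss it and the vocabulary check is what catches it; the phase of repeated writes uses only known labels, so it is caught purely by its distance from every benign phase. Both checks are cheap per-phase features of the kind an L-3 mechanism can afford, which is the design point the abstract attributes to SPADA.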