AST-Based Deep Learning for Detecting Malicious PowerShell

Rusak, Gili; Al-Dujaili, Abdullah; O’Reilly, Una-May

doi:10.1145/3243734.3278496

Cited by 31 publications

(18 citation statements)

References 4 publications

(11 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Rusak and others [15] used the depth and node count information of the AST nodes to classify a malicious PowerShell script based on its family type information. They utilized 4079 malicious PowerShell scripts as a dataset.…”

Section: Related Workmentioning

confidence: 99%

Evaluations of AI‐based malicious PowerShell detection with feature optimizations

et al. 2021

View full text Add to dashboard Cite

Cyberattacks are often difficult to identify with traditional signature‐based detection, because attackers continually find ways to bypass the detection methods. Therefore, researchers have introduced artificial intelligence (AI) technology for cybersecurity analysis to detect malicious PowerShell scripts. In this paper, we propose a feature optimization technique for AI‐based approaches to enhance the accuracy of malicious PowerShell script detection. We statically analyze the PowerShell script and preprocess it with a method based on the tokens and abstract syntax tree (AST) for feature selection. Here, tokens and AST represent the vocabulary and structure of the PowerShell script, respectively. Performance evaluations with optimized features yield detection rates of 98% in both machine learning (ML) and deep learning (DL) experiments. Among them, the ML model with the 3‐gram of selected five tokens and the DL model with experiments based on the AST 3‐gram deliver the best performance.

show abstract

Section: Related Workmentioning

confidence: 99%

Evaluations of AI‐based malicious PowerShell detection with feature optimizations

et al. 2021

View full text Add to dashboard Cite

show abstract

“…Recently, Rusak et al [48] presented a classifier of malicious PowerShell scripts into malware families. Their classifier is based on an Abstract Syntax Tree (AST) representation of PowerShell scripts.…”

Section: Related Workmentioning

confidence: 99%

Detecting Malicious PowerShell Commands using Deep Neural Networks

Hendler

Kels

Rubin

2018

Proceedings of the 2018 on Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

PowerShell is a command line shell, supporting a scripting language, that is widely used in organizations for configuration management and task automation. Unfortunately, PowerShell is also increasingly used by cybercriminals for launching cyber attacks against organizations, mainly because it is pre-installed on Windows machines, exposes strong functionality that may be leveraged by attackers, and its code can be deeply obfuscated in many ways. This makes the problem of detecting malicious PowerShell scripts both urgent and challenging.To the best of our knowledge, our work is the first to address this important problem. We do so by presenting several novel deep learning based detectors of malicious PowerShell scripts. Our best model obtains a true positive rate of nearly 90% while maintaining a low false positive rate of less than 0.1%, indicating that it can be of practical value.Our models employ pre-trained contextual embeddings of words from the PowerShell "language". A contextual word embedding is able to project semantically similar words to proximate vectors in the embedding space. A known problem in the cybersecurity domain is that labeled data is relatively scarce in comparison with unlabeled data, making it difficult to devise effective supervised detection of malicious activity of many types. This is also the case with PowerShell scripts. Our work shows that this problem can be largely mitigated by learning a pre-trained contextual embedding based on unlabeled data.We trained our models' embedding layer using a scripts dataset that was enriched by a large corpus of unlabeled Power-Shell scripts collected from public repositories. As established by our performance analysis, the use of unlabeled data for the embedding significantly improved the performance of our detectors. We estimate that the usage of pre-trained contextual embeddings based on unlabeled data for improved classication accuracy will find additional applications in the cybersecurity domain.

show abstract

“…The reason behind it is that ASTs tend to provide the structure of a program rather than internal behaviors [62]. However, ASTs have been successfully used to detect Powershell-based malware in [63] and Javascript-based malware in [64].…”

Section: B Graph/tree-based Features A: Graph-based Featuresmentioning

confidence: 99%

A Survey on Cross-Architectural IoT Malware Threat Hunting

et al. 2021

View full text Add to dashboard Cite

In recent years, the increase in non-Windows malware threats had turned the focus of the cybersecurity community. Research works on hunting Windows PE-based malwares are maturing, whereas the developments on Linux malware threat hunting are relatively scarce. With the advent of the Internet of Things (IoT) era, smart devices that are getting integrated into human life have become a hackers' highway for their malicious activities. The IoT devices employ various Unix-based architectures that follow ELF (Executable and Linkable Format) as their standard binary file specification. This study aims at providing a comprehensive survey on the latest developments in cross-architectural IoT malware detection and classification approaches. Aided by a modern taxonomy, we discuss the feature representations, feature extraction techniques, and machine learning models employed in the surveyed works. We further provide more insights on the practical challenges involved in cross-architectural IoT malware threat hunting and discuss various avenues to instill potential future research.

show abstract

AST-Based Deep Learning for Detecting Malicious PowerShell

Cited by 31 publications

References 4 publications

Evaluations of AI‐based malicious PowerShell detection with feature optimizations

Evaluations of AI‐based malicious PowerShell detection with feature optimizations

Detecting Malicious PowerShell Commands using Deep Neural Networks

A Survey on Cross-Architectural IoT Malware Threat Hunting

Contact Info

Product

Resources

About