Litcius/Paper detail

Static detection of malicious PowerShell based on word embeddings

Mamoru Mimura, Yui Tajiri

2021Internet of Things29 citationsDOIOpen Access PDF

Abstract

While traditional malware relies on executables to function, fileless malware resides in memory to evade traditional detection methods. PowerShell which is a legitimate management tool used by system administrators provides an ideal cover for attackers. Many studies attempted to detect unknown malware with machine learning techniques. However, there are a few studies for detecting malicious PowerShell. Previous studies proposed methods of detecting malicious PowerShell with deep neural networks. Previous methods require decoding obfuscated samples for dynamic code evaluation. Decoding obfuscated samples is a troublesome task and is often time consuming. Security devices such as intrusion detection system (IDS) or sandbox are located at a point that can monitor all inbound traffic. In general, this traffic contains too massive samples to analyze by dynamic analysis. Therefore, a light-weight static method is desirable. In addition, some studies use their private dataset to evaluate their methods. In this paper, we propose a static method of detecting malicious PowerShell based on word embeddings. In our method, PowerShell scripts are separated into words, and these words are used as features for machine learning techniques. We improved the feature extraction method by selecting frequent words. To provide reproducibility, we obtained thousands of samples from multiple websites which are publicly available. The best F1 score achieves 0.995 in practical environment, and achieves 0.985 in 5-fold cross-validation. Furthermore, we identified their malware families, and confirmed our method is effective to new ones.

Topics & Concepts

Computer scienceMalwareSandbox (software development)Task (project management)Scripting languageExecutableWord (group theory)Artificial intelligenceMachine learningData miningComputer securityOperating systemEconomicsLinguisticsPhilosophyManagementNetwork Security and Intrusion DetectionAdvanced Malware Detection TechniquesSpam and Phishing Detection
Static detection of malicious PowerShell based on word embeddings | Litcius