
Detecting Malicious PowerShell Commands using Deep Neural Networks


Microsoft’s PowerShell is a command-line shell and scripting language that is installed by default on Windows machines. While PowerShell can be configured by administrators to restrict access and reduce vulnerabilities, these restrictions can be bypassed. Moreover, PowerShell commands can easily be generated dynamically, executed from memory, encoded and obfuscated, which makes the logging and forensic analysis of code executed by PowerShell challenging. For all these reasons, PowerShell is increasingly used by cybercriminals as part of their attack tool chain, mainly for downloading malicious content and for lateral movement. Indeed, a recent comprehensive technical report by Symantec dedicated to PowerShell’s abuse by cybercriminals reported a sharp increase in the number of malicious PowerShell samples they received and in the number of penetration tools and frameworks that use PowerShell. This highlights the urgent need for effective methods of detecting malicious PowerShell commands. In this work, the authors address this challenge by implementing several novel detectors of malicious PowerShell commands and evaluating their performance. They implemented both “traditional” natural language processing (NLP) based detectors and detectors based on character-level convolutional neural networks (CNNs). The detectors’ performance was evaluated using a large real-world dataset. Their evaluation results show that, although their detectors individually yield high performance, an ensemble detector that combines an NLP-based classifier with a CNN-based classifier provides the best performance, since the latter classifier is able to detect malicious commands that succeed in evading the former. Their analysis of these evasive commands reveals that some obfuscation patterns automatically detected by the CNN classifier are intrinsically difficult to detect using the NLP techniques they applied.
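The abstract contrasts two input representations for a PowerShell command-line classifier: token-level features for the NLP-based detectors and raw character sequences for the character-level CNN, both of which first have to cope with `-EncodedCommand` payloads. The following Python is an added illustration of that front end, not code from the paper or its authors: it decodes a base64/UTF-16LE encoded command, splices the plaintext back into the command line, and produces both a padded integer character sequence (the shape of input a character-level CNN consumes) and a bag-of-tokens count. The sample command lines are constructed here, the prefix matching for the `-EncodedCommand` switch is a simplification assumed for this example, and the choice of printable ASCII as the character vocabulary is likewise an assumption rather than the paper's.

```python
import base64
import binascii
import re
import string
from typing import Dict, List, Optional

# Constructed sample command lines for illustration; they are not taken from the
# paper's dataset. The second one simply base64/UTF-16LE-encodes Write-Output.
ENCODED_PAYLOAD = base64.b64encode("Write-Output 'hello'".encode("utf-16le")).decode("ascii")
SAMPLE_COMMANDS = [
    "powershell.exe -NoProfile Get-ChildItem C:\\Windows\\Temp",
    "powershell.exe -NonInteractive -EncodedCommand " + ENCODED_PAYLOAD,
    "PoWeRsHeLl -NoP -w hidden -c \"Get-Process | Select-Object Name\"",
]

# Character vocabulary for the character-level representation (assumed here):
# printable ASCII, index 0 reserved for padding, last index for unknown chars.
VOCAB = string.printable
PAD_IDX = 0
UNK_IDX = len(VOCAB) + 1

_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _is_encoded_flag(token: str) -> bool:
    """True for -EncodedCommand and its prefix abbreviations (-e, -enc, ...).

    Simplification assumed for this example: any prefix of 'encodedcommand'."""
    flag = token.lstrip("-").lower()
    return token.startswith("-") and len(flag) >= 1 and "encodedcommand".startswith(flag)


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Return the UTF-16LE plaintext behind -EncodedCommand, or None if absent/invalid."""
    tokens = cmd.split()
    for flag, value in zip(tokens, tokens[1:]):
        if _is_encoded_flag(flag) and _B64_RE.match(value):
            try:
                return base64.b64decode(value, validate=True).decode("utf-16le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def normalize(cmd: str) -> str:
    """Preprocessing assumed here: replace the base64 blob with its decoded
    plaintext so both detectors see the real command, then case-fold."""
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        tokens = cmd.split()
        for i, tok in enumerate(tokens[:-1]):
            if _is_encoded_flag(tok):
                tokens[i + 1] = decoded
                break
        cmd = " ".join(tokens)
    return cmd.lower()


def char_encode(text: str, max_len: int = 128) -> List[int]:
    """Map text to a fixed-length integer sequence: the input a character-level
    CNN embeds and convolves over. Truncates long input, zero-pads short input."""
    ids = [VOCAB.index(ch) + 1 if ch in VOCAB else UNK_IDX for ch in text[:max_len]]
    return ids + [PAD_IDX] * (max_len - len(ids))


def token_counts(text: str) -> Dict[str, int]:
    """Bag-of-tokens counts: the kind of token-level feature an NLP-style
    detector is built on (cmdlet names, switches, dotted names)."""
    counts: Dict[str, int] = {}
    for tok in re.findall(r"[a-z0-9_\-\.]+", text):
        counts[tok] = counts.get(tok, 0) + 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_COMMANDS:
        norm = normalize(raw)
        print(norm)
        print("  chars :", char_encode(norm, 32))
        print("  tokens:", token_counts(norm))
```

Running the block decodes only the second sample (the first and third carry no encoded payload), and the tokens for that line are the decoded `write-output` and `'hello'` rather than the base64 blob, which is the reason a decoding step belongs in front of a token-based detector. The character sequence, by contrast, is built from the case-folded text as-is, so mixed-case and punctuation-heavy obfuscation survives into the representation the CNN sees.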

arXiv: 1804.04177