An Attention Mechanism for Visualizing Word Weights in Source Code of PowerShell Samples: Experimental Results and Analysis

Mezawa, Yuki; Mimura, Mamoru

doi:10.1007/978-3-031-20029-8_11

Part of the book series: Lecture Notes in Networks and Systems ((LNNS,volume 570))

Included in the following conference series:

International Conference on Broadband and Wireless Computing, Communication and Applications

326 Accesses

Abstract

Methods that utilize AI as a detection technique for malware have been studied, and this is also true for the detection of malicious PowerShell scripts. Previous studies have proposed models that use deep learning and machine learning to detect malicious PowerShell scripts and have achieved high detection rates. However, these studies have focused on improving the detection rate of malicious PowerShell scripts. Therefore, the reasons why the detection models are determining malicious and benign PowerShell samples are unclear. In this study, we use the attention mechanism to visualize the words that are important to the malicious PowerShell scripts detection model. Then, we analyze the distribution of important words for each sample classification result. The experimental results show that there were significant differences in the words that classify benign or malicious PowerShell scripts. In addition, the misclassified samples often contain words that were emphasized in the opposite class.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 169.00; Price excludes VAT (USA)

Softcover Book: USD 219.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

Choi, S.: Malicious powershell detection using attention against adversarial attacks. Electronics 9(11) (2020). https://doi.org/10.3390/electronics9111817. https://www.mdpi.com/2079-9292/9/11/1817
Graves, A., Schmidhuber, J.: Framewise phoneme classification with bidirectional LSTM and other neural network architectures. Neural Netw. 18(5–6), 602–610 (2005). https://doi.org/10.1016/j.neunet.2005.06.042
Article Google Scholar
Graves, A., Schmidhuber, J.: Offline handwriting recognition with multidimensional recurrent neural networks. In: D. Koller, D. Schuurmans, Y. Bengio, L. Bottou (eds.) Advances in Neural Information Processing Systems 21, Proceedings of the Twenty-Second Annual Conference on Neural Information Processing Systems, Vancouver, British Columbia, Canada, 8–11 December 2008, pp. 545–552. Curran Associates, Inc. (2008). https://proceedings.neurips.cc/paper/2008/hash/66368270ffd51418ec58bd793f2d9b1b-Abstract.html
Hendler, D., Kels, S., Rubin, A.: Detecting malicious powershell commands using deep neural networks. In: J. Kim, G. Ahn, S. Kim, Y. Kim, J. López, T. Kim (eds.) Proceedings of the 2018 on Asia Conference on Computer and Communications Security, AsiaCCS 2018, Incheon, Republic of Korea, 04–08 June 2018, pp. 187–197. ACM (2018). https://doi.org/10.1145/3196494.3196511
Hochreiter, S., Schmidhuber, J.: Long short-term memory. Neural Comput. 9(8), 1735–1780 (1997). https://doi.org/10.1162/neco.1997.9.8.1735
Article Google Scholar
Japkowicz, N.: The class imbalance problem: significance and strategies. In: Proceedings of the 2000 International Conference on Artificial Intelligence (ICAI), pp. 111–117 (2000)
Google Scholar
Mimura, M., Tajiri, Y.: Static detection of malicious powershell based on word embeddings. Internet Things 15, 100–404 (2021). https://doi.org/10.1016/j.iot.2021.100404. https://www.sciencedirect.com/science/article/pii/S2542660521000482
Tajiri, Y., Mimura, M.: Detection of malicious powershell using word-level language models. In: Aoki, K., Kanaoka, A. (eds.) IWSEC 2020. LNCS, vol. 12231, pp. 39–56. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-58208-1_3
Chapter Google Scholar
WatchGuard Technologies: Internet security report - q1 2022 (2022). https://www.watchguard.com/wgrd-resource-center/security-report-q1-2022. Accessed 13 July 2022

Download references

Acknowledgment

This work was supported by JSPS, Japan KAKENHI, Japan Grant Number 21K11898.

Author information

Authors and Affiliations

National Defense Academy, Yokosuka, Japan
Yuki Mezawa & Mamoru Mimura

Authors

Yuki Mezawa
View author publications
You can also search for this author in PubMed Google Scholar
Mamoru Mimura
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Yuki Mezawa .

Editor information

Editors and Affiliations

Department of Information and Communication Engineering, Fukuoka Institute of Technology, Fukuoka, Japan
Leonard Barolli

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Mezawa, Y., Mimura, M. (2023). An Attention Mechanism for Visualizing Word Weights in Source Code of PowerShell Samples: Experimental Results and Analysis. In: Barolli, L. (eds) Advances on Broad-Band Wireless Computing, Communication and Applications. BWCCA 2022. Lecture Notes in Networks and Systems, vol 570. Springer, Cham. https://doi.org/10.1007/978-3-031-20029-8_11

Download citation

DOI: https://doi.org/10.1007/978-3-031-20029-8_11
Published: 18 October 2022
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-20028-1
Online ISBN: 978-3-031-20029-8
eBook Packages: EngineeringEngineering (R0)

Publish with us

Policies and ethics

An Attention Mechanism for Visualizing Word Weights in Source Code of PowerShell Samples: Experimental Results and Analysis