Abstract
In cyber attacks, PowerShell has become a convenient tool for attackers. A previous study proposed a classification method for PowerShell scripts that combines natural language processing (NLP) techniques and machine learning models. Although it has been pointed out that the accuracy of machine learning is degraded by adversarial input, no evaluation has been reported for PowerShell classification. In this study, we evaluated the possibility of evasion attacks to the machine learning-based model for malicious PowerShell detection. In addition to Bag-of-Words, Latent Semantic Indexing (LSI), and Support Vector Machine (SVM), we combined Doc2Vec, RandomForest, and XGBoost with the previous models. As a result, we confirmed that evasion attacks are possible in PowerShell. In particular, the models using Doc2Vec decreased the recall rate by 0.78 at maximum. The effect mainly depends on the NLP technique, and there was almost no difference in any machine learning models with LSI.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Chen, B., Ren, Z., Yu, C., Hussain, I., Liu, J.: Adversarial examples for cnn-based malware detectors. IEEE Access 7, 54360–54371 (2019). https://doi.org/10.1109/ACCESS.2019.2913439
Chen, S., Xue, M., Fan, L., Hao, S., Xu, L., Zhu, H., Li, B.: Automated poisoning attacks and defenses in malware detection systems: An adversarial machine learning approach. Comput. Secur. 73, 326–344 (2018). https://doi.org/10.1016/j.cose.2017.11.007
Fang, Y., Zhou, X., Huang, C.: Effective method for detecting malicious powershell scripts based on hybrid features. Neurocomputing 448, 30–39 (2021). https://doi.org/10.1016/j.neucom.2021.03.117
Grosse, K., Papernot, N., Manoharan, P., Backes, M., McDaniel, P.: Adversarial examples for malware detection. In: Foley, S.N., Gollmann, D., Snekkenes, E. (eds.) ESORICS 2017. LNCS, vol. 10493, pp. 62–79. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66399-9_4
Hendler, D., Kels, S., Rubin, A.: Detecting malicious powershell commands using deep neural networks. In: Kim, J., Ahn, G., Kim, S., Kim, Y., López, J., Kim, T. (eds.) Proceedings of the 2018 on Asia Conference on Computer and Communications Security, AsiaCCS 2018, Incheon, Republic of Korea, 04–08 June 2018, pp. 187–197. ACM (2018). https://doi.org/10.1145/3196494.3196511
Hendler, D., Kels, S., Rubin, A.: Amsi-based detection of malicious powershell code using contextual embeddings. In: Sun, H., Shieh, S., Gu, G., Ateniese, G. (eds.) ASIA CCS 2020: The 15th ACM Asia Conference on Computer and Communications Security, Taipei, Taiwan, 5–9 October 2020, pp. 679–693. ACM (2020). https://doi.org/10.1145/3320269.3384742
Japkowicz, N.: The class imbalance problem: significance and strategies. In: Proceedings of the 2000 International Conference on Artificial Intelligence (ICAI), pp. 111–117 (2000)
Le, Q.V., Mikolov, T.: Distributed representations of sentences and documents. In: Proceedings of the 31th International Conference on Machine Learning, ICML 2014, Beijing, China, 21–26 June 2014, JMLR Workshop and Conference Proceedings, vol. 32, pp. 1188–1196. JMLR.org (2014). https://proceedings.mlr.press/v32/le14.html
Li, Z., Chen, Q.A., Xiong, C., Chen, Y., Zhu, T., Yang, H.: Effective and light-weight deobfuscation and semantic-aware attack detection for powershell scripts. In: Cavallaro, L., Kinder, J., Wang, X., Katz, J. (eds.) Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS 2019, London, UK, 11–15 November 2019, pp. 1831–1847. ACM (2019). https://doi.org/10.1145/3319535.3363187
Liu, C., Xia, B., Yu, M., Liu, Y.: PSDEM: a feasible de-obfuscation method for malicious powershell detection. In: 2018 IEEE Symposium on Computers and Communications, ISCC 2018, Natal, Brazil, 25–28 June 2018, pp. 825–831. IEEE (2018). https://doi.org/10.1109/ISCC.2018.8538691
Maiorca, D., Biggio, B., Giacinto, G.: Towards adversarial malware detection: Lessons learned from pdf-based attacks. ACM Comput. Surv. 52(4), 78:1–78:36 (2019). https://doi.org/10.1145/3332184
Mimura, M., Tajiri, Y.: Static detection of malicious powershell based on word embeddings. Internet Things 15, 100404 (2021). https://www.sciencedirect.com/science/article/pii/S2542660521000482
Rusak, G., Al-Dujaili, A., O’Reilly, U.: Ast-based deep learning for detecting malicious powershell. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, Toronto, ON, Canada, 15–19 October 2018, pp. 2276–2278. ACM (2018). https://doi.org/10.1145/3243734.3278496
Tajiri, Y., Mimura, M.: Detection of malicious powershell using word-level language models. In: Aoki, K., Kanaoka, A. (eds.) IWSEC 2020. LNCS, vol. 12231, pp. 39–56. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-58208-1_3
Ugarte, D., Maiorca, D., Cara, F., Giacinto, G.: PowerDrive: accurate de-obfuscation and analysis of powershell malware. In: Perdisci, R., Maurice, C., Giacinto, G., Almgren, M. (eds.) DIMVA 2019. LNCS, vol. 11543, pp. 240–259. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-22038-9_12
WatchGuard Technologies: Internet Security Report - Q4 2020 (2021). https://www.watchguard.com/wgrd-resource-center/security-report-q4-2020. Accessed 21 July 2021
White, J.: Practical behavioral profiling of powershell scripts through static analysis (part 1). https://unit42.paloaltonetworks.com/practical-behavioral-profiling-of-powershell-scripts-through-static-analysis-part-1/. Accessed 20 Aug 2021
White, J.: Pulling back the curtains on encodedcommand powershell attacks. https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/. Accessed 20 Aug 2021
Yamamoto, R., Mimura, M.: On the possibility of evasion attacks with macro malware. In: Ranganathan, G., Fernando, X., Shi, F., El Allioui, Y. (eds.) Soft Computing for Security Applications. AISC, vol. 1397, pp. 43–59. Springer, Singapore (2022). https://doi.org/10.1007/978-981-16-5301-8_4
Acknowledgments
This work was supported by JSPS KAKENHI Grant Number 21K11898.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 Springer Nature Switzerland AG
About this paper
Cite this paper
Mezawa, Y., Mimura, M. (2022). Evaluating the Possibility of Evasion Attacks to Machine Learning-Based Models for Malicious PowerShell Detection. In: Su, C., Gritzalis, D., Piuri, V. (eds) Information Security Practice and Experience. ISPEC 2022. Lecture Notes in Computer Science, vol 13620. Springer, Cham. https://doi.org/10.1007/978-3-031-21280-2_14
Download citation
DOI: https://doi.org/10.1007/978-3-031-21280-2_14
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-21279-6
Online ISBN: 978-3-031-21280-2
eBook Packages: Computer ScienceComputer Science (R0)