Generic, efficient, and effective deobfuscation and semantic-aware attack detection for PowerShell scripts
| Published in: | Frontiers of Information Technology & Electronic Engineering vol. 23, no. 3 (Mar 2022), p. 361 |
|---|---|
| Publisher: | Springer Nature B.V. |
| Online access: | Citation/Abstract; Full Text - PDF |
MARC

| Tag | Ind. | Content |
|---|---|---|
| LEADER | | 00000nab a2200000uu 4500 |
| 001 | | 2918726569 |
| 003 | | UK-CbPIL |
| 022 | | \|a 2095-9184 |
| 022 | | \|a 2095-9230 |
| 022 | | \|a 1869-1951 |
| 022 | | \|a 1869-196X |
| 024 | 7 | \|a 10.1631/FITEE.2000436 \|2 doi |
| 035 | | \|a 2918726569 |
| 045 | 2 | \|b d20220301 \|b d20220331 |
| 100 | 1 | \|a Xiong, Chunlin \|u Zhejiang University, College of Computer Science and Technology, Hangzhou, China (GRID:grid.13402.34) (ISNI:0000 0004 1759 700X) |
| 245 | 1 | \|a Generic, efficient, and effective deobfuscation and semantic-aware attack detection for PowerShell scripts |
| 260 | | \|b Springer Nature B.V. \|c Mar 2022 |
| 513 | | \|a Journal Article |
| 520 | 3 | \|a In recent years, PowerShell has increasingly been reported as appearing in a variety of cyber attacks. However, because the PowerShell language is dynamic by design and can construct script fragments at different levels, state-of-the-art static-analysis-based PowerShell attack detection approaches are inherently vulnerable to obfuscation. In this paper, we design the first generic, effective, and lightweight deobfuscation approach for PowerShell scripts. To precisely identify the obfuscated script fragments, we define obfuscation based on the differences in its impact on the abstract syntax trees of PowerShell scripts and propose a novel emulation-based recovery technology. Furthermore, we design the first semantic-aware PowerShell attack detection system, which leverages the classic objective-oriented association mining algorithm and newly identifies 31 semantic signatures. The experimental results on 2342 benign samples and 4141 malicious samples show that our deobfuscation method takes less than 0.5 s on average and increases the similarity between the obfuscated and original scripts from 0.5% to 93.2%. By deploying our deobfuscation method, the attack detection rates of Windows Defender and VirusTotal increase substantially from 0.33% and 2.65% to 78.9% and 94.0%, respectively. Moreover, our detection system outperforms both existing tools, with a 96.7% true positive rate and a 0% false positive rate on average. Abstract (translated from Chinese): In recent years, PowerShell attacks have been reported more and more frequently. However, because of the dynamic nature of the PowerShell language and its ability to construct script fragments at different levels, even PowerShell attack detection methods based on state-of-the-art static script analysis are inherently susceptible to obfuscation. This paper designs a generic, effective, and lightweight deobfuscation method for PowerShell scripts. First, to precisely identify obfuscated script fragments, we propose a novel obfuscated-fragment detection method based on the impact that obfuscation methods have on the PowerShell abstract syntax tree, and on this basis propose an emulation-based recovery technique. In addition, we design a semantic-aware PowerShell attack detection system that uses the classic objective-oriented association mining algorithm and newly identifies 31 semantic features for malicious script detection. Experimental results on 2342 benign samples and 4141 malicious samples show that the proposed deobfuscation method takes less than 0.5 s on average and raises the similarity between obfuscated and original scripts from 0.5% to 93.2%. With this deobfuscation method, the attack detection rates of Windows Defender and VirusTotal rise from 0.33% and 2.65% to 78.9% and 94.0%, respectively. Experiments also show that our detection system outperforms two existing tools (96.7% true positive rate and 0% false positive rate on average). |
| 653 | | \|a Scripts |
| 653 | | \|a Algorithms |
| 653 | | \|a Semantics |
| 653 | | \|a Fragments |
| 653 | | \|a Cybersecurity |
| 700 | 1 | \|a Li, Zhenyuan \|u Zhejiang University, College of Computer Science and Technology, Hangzhou, China (GRID:grid.13402.34) (ISNI:0000 0004 1759 700X) |
| 700 | 1 | \|a Chen, Yan \|u Northwestern University, Department of Electrical Engineering and Computer Science, Evanston, USA (GRID:grid.16753.36) (ISNI:0000 0001 2299 3507) |
| 700 | 1 | \|a Zhu, Tiantian \|u Zhejiang University of Technology, College of Computer Science and Technology, Hangzhou, China (GRID:grid.469325.f) (ISNI:0000 0004 1761 325X) |
| 700 | 1 | \|a Wang, Jian \|u Zhejiang University, College of Computer Science and Technology, Hangzhou, China (GRID:grid.13402.34) (ISNI:0000 0004 1759 700X) |
| 700 | 1 | \|a Yang, Hai \|u Magic Shield Co., Ltd., Hangzhou, China (GRID:grid.13402.34) |
| 700 | 1 | \|a Ruan, Wei \|u Zhejiang University, College of Control Science and Engineering, Hangzhou, China (GRID:grid.13402.34) (ISNI:0000 0004 1759 700X) |
| 773 | 0 | \|t Frontiers of Information Technology & Electronic Engineering \|g vol. 23, no. 3 (Mar 2022), p. 361 |
| 786 | 0 | \|d ProQuest \|t Advanced Technologies & Aerospace Database |
| 856 | 4 1 | \|3 Citation/Abstract \|u https://www.proquest.com/docview/2918726569/abstract/embedded/7BTGNMKEMPT1V9Z2?source=fedsrch |
| 856 | 4 0 | \|3 Full Text - PDF \|u https://www.proquest.com/docview/2918726569/fulltextPDF/embedded/7BTGNMKEMPT1V9Z2?source=fedsrch |