Effective method for detecting malicious PowerShell scripts based on hybrid features

At present, network attacks are rampant in the Internet world, and the attack methods of hackers are changing steadily. PowerShell is a programming language based on the command line and.NET framework, with powerful functions and good compatibility. Therefore, hackers often use PowerShell malicious scripts to attack the victims in APT attacks. When these malicious PowerShell scripts are executed, hackers can control the victim's computer or leave a backdoor on their computers. In this paper, a detection model of malicious PowerShell scripts based on hybrid features is proposed, we analyzed the differences between malicious and benign samples in text characters, functions, tokens and the nodes of the abstract syntax tree. Firstly, the script of PowerShell is embedded by FastText. Then the textual features, token features and the nodes features of PowerShell code extracted from the abstract syntax tree are added. Finally, the hybrid features of scrips will be classified by a Random Forest classifier. In the experiment, the malicious scripts are inserted into the benign scripts to weaken the features of the malicious samples in the level of abstract syntax tree nodes and tokens, which makes the scripts more complex. Even in such a complex data set, the proposed model which is based on hybrid features still achieves an accuracy of 97.76% in fivefold cross-validation. Moreover, the accuracy of this proposed model on the original scripts is 98.93%, which means that the proposed model has the ability to classify complex scripts. (c) 2021 Elsevier B.V. All rights reserved.

Automated summary

The article introduces a detection model for malicious PowerShell scripts based on hybrid features, which analyzes the differences in text characters, functions, tokens, and nodes of the abstract syntax tree to classify malicious and benign samples. The model achieves high accuracy even in a complex dataset.