2020 | OriginalPaper | Chapter

IMShell-Dec: Pay More Attention to External Links in PowerShell

Authors : RuiDong Han, Chao Yang, JianFeng Ma, Siqi Ma, YunBo Wang, Feng Li

Published in: ICT Systems Security and Privacy Protection

Publisher: Springer International Publishing


Abstract

Windows introduced PowerShell as a replacement for the traditional CMD command line. Because of its versatile functionality, however, attackers often use it to compromise victims. In this paper, we investigate an attack that combines PowerShell with image steganography. Compared with traditional methods, this attack can deceive defenders by hiding its malicious content in benign-looking images. To detect this attack effectively, we propose IMShell-Dec, a framework whose main goal is to check external links before a PowerShell script is executed. IMShell-Dec trains a machine learning classifier on image examples, where the features are generated by merging the histograms of the three image color channels. It then examines a script by tracking and classifying the images it references. The detector achieves more than 95% precision on 9,589 high-definition images.
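The two steps the abstract describes, tracking the external image links in a script and building a feature vector from the merged per-channel histograms, as an added illustration that is not code from the paper. The sample script, the pixel data and the injected `fetch`/`classify` callables are constructed here so the check runs offline with any model; IMShell-Dec's actual classifier and training data are not reproduced.

```python
import re
from typing import Callable, Sequence

# Constructed sample script (not from the paper): two image fetches plus one non-image URL.
SAMPLE_SCRIPT = r"""
Invoke-WebRequest -Uri "https://example.com/wallpaper.png" -OutFile "$env:TEMP\wp.png"
(New-Object Net.WebClient).DownloadFile('http://example.org/assets/logo.jpg?v=2', 'logo.jpg')
Invoke-RestMethod -Uri "https://example.net/api/status"
"""

URL_RE = re.compile(r"""https?://[^\s'"<>()]+""", re.IGNORECASE)
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".bmp", ".gif")
Pixel = tuple[int, int, int]  # (R, G, B), each 0..255


def external_image_links(script: str) -> list[str]:
    """Tracking step: every URL in the script whose path names an image file."""
    found = []
    for url in URL_RE.findall(script):
        path = url.split("?", 1)[0].lower()  # ignore query string when checking the extension
        if path.endswith(IMAGE_EXT):
            found.append(url)
    return found


def merged_histogram(pixels: Sequence[Pixel], bins: int = 8) -> list[float]:
    """Feature vector: R, G and B histograms with `bins` bins each, normalised by
    pixel count and concatenated, giving 3*bins values (our reading of 'merging')."""
    width = 256 // bins
    hist = [[0] * bins for _ in range(3)]
    for px in pixels:
        for ch in range(3):
            hist[ch][min(px[ch] // width, bins - 1)] += 1  # clamp when 256 % bins != 0
    n = max(len(pixels), 1)  # an empty image yields an all-zero vector
    return [count / n for channel in hist for count in channel]


def scan_script(script: str,
                fetch: Callable[[str], Sequence[Pixel]],
                classify: Callable[[list[float]], str]) -> dict[str, str]:
    """Classify each linked image before the script would run; `fetch` returns the
    image's pixels and `classify` is a hypothetical stand-in for the trained model."""
    return {url: classify(merged_histogram(fetch(url)))
            for url in external_image_links(script)}
```
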
Copyright Year: 2020
DOI: https://doi.org/10.1007/978-3-030-58201-2_13
