Skip to main content
main-content

Tipp

Weitere Kapitel dieses Buchs durch Wischen aufrufen

2020 | OriginalPaper | Buchkapitel

IMShell-Dec: Pay More Attention to External Links in PowerShell

verfasst von: RuiDong Han, Chao Yang, JianFeng Ma, Siqi Ma, YunBo Wang, Feng Li

Erschienen in: ICT Systems Security and Privacy Protection

Verlag: Springer International Publishing

share
TEILEN

Abstract

Windows proposes the PowerShell shell command line to substitute the traditional CMD. However, it is often utilized by the attacker to invade the victim because of its versatile functionality. In this paper, we investigate an attack combined PowerShell and image steganography. Compared with the traditional method, this attack can deceive the defender by hiding its malicious contents in benign images. To effectively detect this attack, we propose a framework IMShell-Dec, whose main target is to check external links before the execution of PowerShell script. IMShell-Dec trains a machine learning classifier with image examples, where the features are generated by merging histograms of three image color channels. Then IMShell-Dec examines the script through tracking and classifying the related images. The detector achieves more than 95% precision in 9,589 high-definition images.
Literatur
1.
Zurück zum Zitat Abadi, M., Xie, Y., Yu, F., John, J.P.: Identifying malicious queries, US Patent 8,495,742, 23 July 2013 Abadi, M., Xie, Y., Yu, F., John, J.P.: Identifying malicious queries, US Patent 8,495,742, 23 July 2013
3.
Zurück zum Zitat Antoniol, G., Ayari, K., Di Penta, M., Khomh, F., Guéhéneuc, Y.G.: Is it a bug or an enhancement?: a text-based approach to classify change requests. In: CASCON, vol. 8, pp. 304–318 (2008) Antoniol, G., Ayari, K., Di Penta, M., Khomh, F., Guéhéneuc, Y.G.: Is it a bug or an enhancement?: a text-based approach to classify change requests. In: CASCON, vol. 8, pp. 304–318 (2008)
4.
Zurück zum Zitat Chen, J., Lu, W., Fang, Y., Liu, X., Yeung, Y., Xue, Y.: Binary image steganalysis based on local texture pattern. J. Vis. Commun. Image Represent. 55, 149–156 (2018) CrossRef Chen, J., Lu, W., Fang, Y., Liu, X., Yeung, Y., Xue, Y.: Binary image steganalysis based on local texture pattern. J. Vis. Commun. Image Represent. 55, 149–156 (2018) CrossRef
5.
Zurück zum Zitat Christodorescu, M., Jha, S.: Static analysis of executables to detect malicious patterns. Technical report, WISCONSIN UNIV-MADISON DEPT OF COMPUTER SCIENCES (2006) Christodorescu, M., Jha, S.: Static analysis of executables to detect malicious patterns. Technical report, WISCONSIN UNIV-MADISON DEPT OF COMPUTER SCIENCES (2006)
7.
Zurück zum Zitat He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 770–778 (2016) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 770–778 (2016)
8.
Zurück zum Zitat Hendler, D., Kels, S., Rubin, A.: Detecting malicious PowerShell commands using deep neural networks. In: Proceedings of the 2018 on Asia Conference on Computer and Communications Security, pp. 187–197. ACM (2018) Hendler, D., Kels, S., Rubin, A.: Detecting malicious PowerShell commands using deep neural networks. In: Proceedings of the 2018 on Asia Conference on Computer and Communications Security, pp. 187–197. ACM (2018)
9.
Zurück zum Zitat Ke, Q., Ming, L.D., Daxing, Z.: Image steganalysis via multi-column convolutional neural network. In: 2018 14th IEEE International Conference on Signal Processing, pp. 550–553 (2018) Ke, Q., Ming, L.D., Daxing, Z.: Image steganalysis via multi-column convolutional neural network. In: 2018 14th IEEE International Conference on Signal Processing, pp. 550–553 (2018)
10.
Zurück zum Zitat Kertesz, V., et al.: Dynamic data exchange server, US Patent 5,764,155 (1998) Kertesz, V., et al.: Dynamic data exchange server, US Patent 5,764,155 (1998)
11.
Zurück zum Zitat Khan, N., Abdullah, J., Khan, A.S.: Defending malicious script attacks using machine learning classifiers. Wirel. Commun. Mob. Comput. 2017, 9 (2017) Khan, N., Abdullah, J., Khan, A.S.: Defending malicious script attacks using machine learning classifiers. Wirel. Commun. Mob. Comput. 2017, 9 (2017)
12.
Zurück zum Zitat Lee, T., Mitschke, K., Schill, M.E., Tanasovski, T.: Windows PowerShell 2.0 Bible, vol. 725. Wiley, Hoboken (2011) Lee, T., Mitschke, K., Schill, M.E., Tanasovski, T.: Windows PowerShell 2.0 Bible, vol. 725. Wiley, Hoboken (2011)
13.
Zurück zum Zitat Lessmann, S., Baesens, B., Mues, C., Pietsch, S.: Benchmarking classification models for software defect prediction: a proposed framework and novel findings. IEEE Trans. Softw. Eng. 34(4), 485–496 (2008) CrossRef Lessmann, S., Baesens, B., Mues, C., Pietsch, S.: Benchmarking classification models for software defect prediction: a proposed framework and novel findings. IEEE Trans. Softw. Eng. 34(4), 485–496 (2008) CrossRef
14.
Zurück zum Zitat Li, B., Wei, W., Ferreira, A., Tan, S.: ReST-Net: diverse activation modules and parallel subnets-based CNN for spatial image steganalysis. IEEE Signal Process. Lett. 25(5), 650–654 (2018) CrossRef Li, B., Wei, W., Ferreira, A., Tan, S.: ReST-Net: diverse activation modules and parallel subnets-based CNN for spatial image steganalysis. IEEE Signal Process. Lett. 25(5), 650–654 (2018) CrossRef
15.
Zurück zum Zitat Li, Z., Chen, Q.A., Xiong, C., Chen, Y., Zhu, T., Yang, H.: Effective and light-weight deobfuscation and semantic-aware attack detection for PowerShell scripts. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 1831–1847. ACM (2019) Li, Z., Chen, Q.A., Xiong, C., Chen, Y., Zhu, T., Yang, H.: Effective and light-weight deobfuscation and semantic-aware attack detection for PowerShell scripts. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 1831–1847. ACM (2019)
16.
Zurück zum Zitat Milosevic, J., Sklavos, N., Koutsikou, K.: Malware in IoT software and hardware. In: Workshop on Trustworthy Manufacturing and Utilization of Secure Devices, pp. 14–16 (2016) Milosevic, J., Sklavos, N., Koutsikou, K.: Malware in IoT software and hardware. In: Workshop on Trustworthy Manufacturing and Utilization of Secure Devices, pp. 14–16 (2016)
17.
Zurück zum Zitat Moser, R., Pedrycz, W., Succi, G.: A comparative analysis of the efficiency of change metrics and static code attributes for defect prediction. In: Proceedings of the 30th International Conference on Software Engineering, pp. 181–190. ACM (2008) Moser, R., Pedrycz, W., Succi, G.: A comparative analysis of the efficiency of change metrics and static code attributes for defect prediction. In: Proceedings of the 30th International Conference on Software Engineering, pp. 181–190. ACM (2008)
18.
Zurück zum Zitat Shojae Chaeikar, S., Zamani, M., Abdul Manaf, A.B., Zeki, A.M.: PSW statistical LSB image steganalysis. Multimedia Tools Appl. 77(1), 805–835 (2018) CrossRef Shojae Chaeikar, S., Zamani, M., Abdul Manaf, A.B., Zeki, A.M.: PSW statistical LSB image steganalysis. Multimedia Tools Appl. 77(1), 805–835 (2018) CrossRef
20.
Zurück zum Zitat Wilson, E.: Windows PowerShell 3.0 First Steps. Pearson Education (2013) Wilson, E.: Windows PowerShell 3.0 First Steps. Pearson Education (2013)
22.
Zurück zum Zitat Ye, J., Ni, J., Yi, Y.: Deep learning hierarchical representations for image steganalysis. IEEE Trans. Inf. Forensics Secur. 12(11), 2545–2557 (2017) CrossRef Ye, J., Ni, J., Yi, Y.: Deep learning hierarchical representations for image steganalysis. IEEE Trans. Inf. Forensics Secur. 12(11), 2545–2557 (2017) CrossRef
23.
Zurück zum Zitat Zeng, J., Tan, S., Li, B., Huang, J.: Large-scale JPEG image steganalysis using hybrid deep-learning framework. IEEE Trans. Inf. Forensics Secur. 13(5), 1200–1214 (2018) CrossRef Zeng, J., Tan, S., Li, B., Huang, J.: Large-scale JPEG image steganalysis using hybrid deep-learning framework. IEEE Trans. Inf. Forensics Secur. 13(5), 1200–1214 (2018) CrossRef
Metadaten
Titel
IMShell-Dec: Pay More Attention to External Links in PowerShell
verfasst von
RuiDong Han
Chao Yang
JianFeng Ma
Siqi Ma
YunBo Wang
Feng Li
Copyright-Jahr
2020
DOI
https://doi.org/10.1007/978-3-030-58201-2_13

Premium Partner