nach oben

Erschienen in:

2020 | OriginalPaper | Buchkapitel

IMShell-Dec: Pay More Attention to External Links in PowerShell

verfasst von : RuiDong Han, Chao Yang, JianFeng Ma, Siqi Ma, YunBo Wang, Feng Li

Erschienen in: ICT Systems Security and Privacy Protection

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Windows proposes the PowerShell shell command line to substitute the traditional CMD. However, it is often utilized by the attacker to invade the victim because of its versatile functionality. In this paper, we investigate an attack combined PowerShell and image steganography. Compared with the traditional method, this attack can deceive the defender by hiding its malicious contents in benign images. To effectively detect this attack, we propose a framework IMShell-Dec, whose main target is to check external links before the execution of PowerShell script. IMShell-Dec trains a machine learning classifier with image examples, where the features are generated by merging histograms of three image color channels. Then IMShell-Dec examines the script through tracking and classifying the related images. The detector achieves more than 95% precision in 9,589 high-definition images.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Code Between the Lines: Semantic Analysis of Android Applications

Nächstes Kapitel Secure Attestation of Virtualized Environments

https://github.com/EmpireProject/Empire.

https://github.com/samratashok/nishang.

https://github.com/PowerShellMafia/PowerSploit.

https://github.com/peewpw/Invoke-PSImage.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170021.

https://github.com/outflanknl/Excel4-DCOM.

https://github.com/pan-unit42/iocs/tree/master/psencmds.

https://www.7-zip.org/.

Abadi, M., Xie, Y., Yu, F., John, J.P.: Identifying malicious queries, US Patent 8,495,742, 23 July 2013

Adeli, A., Broumandnia, A.: Image steganalysis using improved particle swarm optimization based feature selection. Appl. Intell. 48(6), 1609–1622 (2017). https://doi.org/10.1007/s10489-017-0989-xCrossRef

Antoniol, G., Ayari, K., Di Penta, M., Khomh, F., Guéhéneuc, Y.G.: Is it a bug or an enhancement?: a text-based approach to classify change requests. In: CASCON, vol. 8, pp. 304–318 (2008)

Chen, J., Lu, W., Fang, Y., Liu, X., Yeung, Y., Xue, Y.: Binary image steganalysis based on local texture pattern. J. Vis. Commun. Image Represent. 55, 149–156 (2018)CrossRef

Christodorescu, M., Jha, S.: Static analysis of executables to detect malicious patterns. Technical report, WISCONSIN UNIV-MADISON DEPT OF COMPUTER SCIENCES (2006)

Fass, A., Krawczyk, R.P., Backes, M., Stock, B.: JaSt: fully syntactic detection of malicious (Obfuscated) JavaScript. In: Giuffrida, C., Bardin, S., Blanc, G. (eds.) DIMVA 2018. LNCS, vol. 10885, pp. 303–325. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93411-2_14CrossRef

He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 770–778 (2016)

Hendler, D., Kels, S., Rubin, A.: Detecting malicious PowerShell commands using deep neural networks. In: Proceedings of the 2018 on Asia Conference on Computer and Communications Security, pp. 187–197. ACM (2018)

Ke, Q., Ming, L.D., Daxing, Z.: Image steganalysis via multi-column convolutional neural network. In: 2018 14th IEEE International Conference on Signal Processing, pp. 550–553 (2018)

10.

Kertesz, V., et al.: Dynamic data exchange server, US Patent 5,764,155 (1998)

11.

Khan, N., Abdullah, J., Khan, A.S.: Defending malicious script attacks using machine learning classifiers. Wirel. Commun. Mob. Comput. 2017, 9 (2017)

12.

Lee, T., Mitschke, K., Schill, M.E., Tanasovski, T.: Windows PowerShell 2.0 Bible, vol. 725. Wiley, Hoboken (2011)

13.

Lessmann, S., Baesens, B., Mues, C., Pietsch, S.: Benchmarking classification models for software defect prediction: a proposed framework and novel findings. IEEE Trans. Softw. Eng. 34(4), 485–496 (2008)CrossRef

14.

Li, B., Wei, W., Ferreira, A., Tan, S.: ReST-Net: diverse activation modules and parallel subnets-based CNN for spatial image steganalysis. IEEE Signal Process. Lett. 25(5), 650–654 (2018)CrossRef

15.

Li, Z., Chen, Q.A., Xiong, C., Chen, Y., Zhu, T., Yang, H.: Effective and light-weight deobfuscation and semantic-aware attack detection for PowerShell scripts. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 1831–1847. ACM (2019)

16.

Milosevic, J., Sklavos, N., Koutsikou, K.: Malware in IoT software and hardware. In: Workshop on Trustworthy Manufacturing and Utilization of Secure Devices, pp. 14–16 (2016)

17.

Moser, R., Pedrycz, W., Succi, G.: A comparative analysis of the efficiency of change metrics and static code attributes for defect prediction. In: Proceedings of the 30th International Conference on Software Engineering, pp. 181–190. ACM (2008)

18.

Shojae Chaeikar, S., Zamani, M., Abdul Manaf, A.B., Zeki, A.M.: PSW statistical LSB image steganalysis. Multimedia Tools Appl. 77(1), 805–835 (2018)CrossRef

19.

Ugarte, D., Maiorca, D., Cara, F., Giacinto, G.: PowerDrive: accurate de-obfuscation and analysis of PowerShell malware. In: Perdisci, R., Maurice, C., Giacinto, G., Almgren, M. (eds.) DIMVA 2019. LNCS, vol. 11543, pp. 240–259. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-22038-9_12CrossRef

20.

Wilson, E.: Windows PowerShell 3.0 First Steps. Pearson Education (2013)

21.

Wu, S., Zhong, S., Liu, Y.: Deep residual learning for image steganalysis. Multimedia Tools Appl. 77(9), 10437–10453 (2017). https://doi.org/10.1007/s11042-017-4440-4CrossRef

22.

Ye, J., Ni, J., Yi, Y.: Deep learning hierarchical representations for image steganalysis. IEEE Trans. Inf. Forensics Secur. 12(11), 2545–2557 (2017)CrossRef

23.

Zeng, J., Tan, S., Li, B., Huang, J.: Large-scale JPEG image steganalysis using hybrid deep-learning framework. IEEE Trans. Inf. Forensics Secur. 13(5), 1200–1214 (2018)CrossRef

Titel: IMShell-Dec: Pay More Attention to External Links in PowerShell
verfasst von: RuiDong Han
Chao Yang
JianFeng Ma
Siqi Ma
YunBo Wang
Feng Li
Verlag: Springer International Publishing
Buch: ICT Systems Security and Privacy Protection
Print ISBN: 978-3-030-58200-5

Electronic ISBN: 978-3-030-58201-2

Copyright-Jahr: 2020
DOI: https://doi.org/10.1007/978-3-030-58201-2_13

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"