PSDEM: A Feasible De-Obfuscation Method for Malicious PowerShell Detection

Cited by: 0
Authors
Liu, Chao [1 ]
Xia, Bin [1 ,2 ]
Yu, Min [1 ,2 ]
Liu, Yunzheng [1 ,2 ]
Affiliations
[1] Chinese Acad Sci, Inst Informat Engn, Beijing, Peoples R China
[2] Univ Chinese Acad Sci, Sch Cyber Secur, Beijing, Peoples R China
Source
2018 IEEE SYMPOSIUM ON COMPUTERS AND COMMUNICATIONS (ISCC) | 2018
Funding
National Natural Science Foundation of China;
Keywords
malicious PowerShell scripts; de-obfuscate; Microsoft Word documents; macros; PDF;
DOI
none
CLC (Chinese Library Classification) number
TN [Electronic technology, communication technology];
Discipline classification code
0809 ;
Abstract
PowerShell is so powerful that attackers have increasingly been using it in their attacks lately. In most cases, PowerShell malware arrives via spam email, using Microsoft Word documents to infect victims with its payload. Nowadays, the de-obfuscation and analysis of PowerShell are still based on manual analysis. However, as the number of malicious samples and obfuscation methods grows quickly, manual analysis is too slow to satisfy the demand. In this paper, we propose a de-obfuscation method for PowerShell called PSDEM, which uses two layers of de-obfuscation to recover the original PowerShell scripts. The first layer extracts PowerShell scripts from heavily obfuscated document code. The second de-obfuscates the scripts themselves, covering encoding, string manipulation and code-logic obfuscation. Meanwhile, we design an automatic de-obfuscation and analysis tool for malicious PowerShell scripts in Word documents based on PSDEM. We test the performance of the tool in terms of de-obfuscation accuracy and time efficiency, and the evaluation results show that it performs satisfactorily. PSDEM improves the efficiency and accuracy rate of analyzing malicious PowerShell scripts in Word documents, and provides a path along which security experts can perform further analysis to obtain more information about attacks.
Pages: 830 / 836
Page count: 7