Evaluations of AI‐based malicious PowerShell detection with feature optimizations

Jihyeon Song; Jungtae Kim; Sunoh Choi; Jonghyun Kim; Ikkyun Kim

doi:10.4218/etrij.2020-0215

ETRI Journal (Apr 2021)

Evaluations of AI‐based malicious PowerShell detection with feature optimizations

Jihyeon Song,
Jungtae Kim,
Sunoh Choi,
Jonghyun Kim,
Ikkyun Kim

Affiliations

Jihyeon Song
Jungtae Kim
Sunoh Choi
Jonghyun Kim
Ikkyun Kim

DOI: https://doi.org/10.4218/etrij.2020-0215
Journal volume & issue: Vol. 43, no. 3
pp. 549 – 560

Abstract

Read online

Cyberattacks are often difficult to identify with traditional signature‐based detection, because attackers continually find ways to bypass the detection methods. Therefore, researchers have introduced artificial intelligence (AI) technology for cybersecurity analysis to detect malicious PowerShell scripts. In this paper, we propose a feature optimization technique for AI‐based approaches to enhance the accuracy of malicious PowerShell script detection. We statically analyze the PowerShell script and preprocess it with a method based on the tokens and abstract syntax tree (AST) for feature selection. Here, tokens and AST represent the vocabulary and structure of the PowerShell script, respectively. Performance evaluations with optimized features yield detection rates of 98% in both machine learning (ML) and deep learning (DL) experiments. Among them, the ML model with the 3‐gram of selected five tokens and the DL model with experiments based on the AST 3‐gram deliver the best performance.

Published in ETRI Journal

ISSN: 1225-6463 (Print); 2233-7326 (Online)
Publisher: Electronics and Telecommunications Research Institute (ETRI)
Country of publisher: Korea, Republic of
LCC subjects: Technology: Electrical engineering. Electronics. Nuclear engineering: Telecommunication; Technology: Electrical engineering. Electronics. Nuclear engineering: Electronics
Website: https://onlinelibrary.wiley.com/journal/22337326

About the journal

Abstract

Keywords