Generic, efficient, and effective deobfuscation and semantic-aware attack detection for PowerShell scripts
Research Articles
Chunlin XIONG, Zhenyuan LI, Yan CHEN, Tiantian ZHU, Jian WANG, Hai YANG, Wei RUAN,chunlinxiong94@zju.edu.cn,ruanwei@zju.edu.cn
Frontiers of Information Technology & Electronic Engineering
2022,
Volume 23,
Issue 3,
Pages 361-381
doi:
10.1631/FITEE.2000436
Abstract:
In recent years, has increasingly been reported as appearing in a variety of cyber attacks. However, because the language is dynamic by design and can construct script fragments at different levels, state-of-the-art static analysis based attack detection approaches are inherently vulnerable to obfuscations. In this paper, we design the first generic, effective, and lightweight deobfuscation approach for scripts. To precisely identify the obfuscated script fragments, we define obfuscation based on the differences in the impacts on the s of scripts and propose a novel emulation-based recovery technology. Furthermore, we design the first semantic-aware attack detection system that leverages the classic objective-oriented association mining algorithm and newly identifies 31 semantic signatures. The experimental results on 2342 benign samples and 4141 malicious samples show that our deobfuscation method takes less than 0.5 s on average and increases the similarity between the obfuscated and original scripts from 0.5% to 93.2%. By deploying our deobfuscation method, the attack detection rates for Windows Defender and VirusTotal increase substantially from 0.33% and 2.65% to 78.9% and 94.0%, respectively. Moreover, our detection system outperforms both existing tools with a 96.7% true positive rate and a 0% false positive rate on average.
Keywords:
PowerShell
Abstract syntax tree
Obfuscation and deobfuscation
Malicious script detection