基于特征组合的Powershell恶意代码检测方法

刘岳; 刘宝旭; 赵子豪; 刘潮歌; 王晓茜; 吴贤达

引用本文：

刘岳,刘宝旭,赵子豪,刘潮歌,王晓茜,吴贤达.基于特征组合的Powershell恶意代码检测方法[J].信息安全学报,2021,6(1):40-53 [点击复制]
LIU Yue,LIU Baoxu,ZHAO Zihao,LIU Chaoge,WANG Xiaoxi,WU Xianda.Powershell malware detection method based on features combination[J].Journal of Cyber Security,2021,6(1):40-53 [点击复制]

本文已被：浏览 5866次下载 5245次	码上扫一扫！
基于特征组合的Powershell恶意代码检测方法
刘岳^1,2, 刘宝旭^1,2, 赵子豪^1,2, 刘潮歌^1,2, 王晓茜^1,2, 吴贤达^1,2
0 字体:加大+\|默认\|缩小-
(1.中国科学院信息工程研究所北京中国 100093;2.中国科学院大学网络空间安全学院北京中国 100049)

摘要:

近年来，Powershell由于其易用性强、隐蔽性高的特点被广泛应用于APT攻击中，传统的基于人工特征提取和机器学习方法的恶意代码检测技术在Powershell恶意代码检测中越来越难以有效。本文提出了一种基于随机森林特征组合和深度学习的Powershell恶意代码检测方法。该方法使用随机森林生成更好表征原始数据的新特征组合，随后使用深度学习神经网络训练并进行分类识别。该方法可以弥补人工特征工程经验不足的问题，更好表征原始数据从而提高检测效果。本文实验结果显示，利用本文提出方法构建的Powershell恶意代码检测系统性能良好，在真实数据集中的召回率、准确率均在99%以上，可以对Powershell恶意代码进行有效的检测识别。

关键词: Powershell 恶意代码 APT 深度学习随机森林

DOI：10.19363/J.cnki.cn10-1380/tn.2021.01.04

投稿时间：2020-09-29修订日期：2020-11-16

基金项目:国家自然科学基金项目（No.61902396），中国科学院战略性先导科技专项项目（No.XDC02040100），中国科学院网络测评技术重点实验室和网络安全防护技术北京市重点实验室资助。

Powershell malware detection method based on features combination

LIU Yue^1,2, LIU Baoxu^1,2, ZHAO Zihao^1,2, LIU Chaoge^1,2, WANG Xiaoxi^1,2, WU Xianda^1,2

(1.Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;2.School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China)

Abstract:

In recent years, powershell is widely used in APT attack due to its ease of use and high concealment. Traditional malicious code detection technology based on artificial feature extraction and machine learning method is more and more difficult to be effective in the detection of malicious code in PowerShell. For this reason, this paper proposes a malicious Powershell code detection method based on random forest features combination and deep learning. This method uses random forest to generate new features which better characterize the original data, and uses deep neural network to build classifiers for classification and recognition. This method can make up for the lack of experience in artificial feature engineering, and characterize the original data better, so as to improve the detection effect. The experimental results in this article show that this method has a good performance, high recall rate and accuracy rate, which can effectively detect and identify malicious Powershell code.

Key words: Powershell malicious code APT deep learning random forest