AST-Based Deep Learning for Detecting Malicious PowerShell
This work addresses cybersecurity threats from malicious PowerShell scripts, but it is incremental as it builds on existing methods by integrating program analysis tools.
The authors tackled the problem of detecting malicious PowerShell programs by proposing a hybrid approach that combines abstract syntax trees (ASTs) with deep learning, focusing on learning embeddings for AST nodes to classify scripts by family type.
With the celebrated success of deep learning, some attempts to develop effective methods for detecting malicious PowerShell programs employ neural nets in a traditional natural language processing setup while others employ convolutional neural nets to detect obfuscated malicious commands at a character level. While these representations may express salient PowerShell properties, our hypothesis is that tools from static program analysis will be more effective. We propose a hybrid approach combining traditional program analysis (in the form of abstract syntax trees) and deep learning. This poster presents preliminary results of a fundamental step in our approach: learning embeddings for nodes of PowerShell ASTs. We classify malicious scripts by family type and explore embedded program vector representations.