AST-Based Deep Learning for Detecting Malicious PowerShell
Gili Rusak, Abdullah Al-Dujaili, Una-May O'Reilly

TL;DR
This paper proposes a hybrid method combining static program analysis with deep learning to improve detection of malicious PowerShell scripts, focusing on AST-based embeddings for classification.
Contribution
It introduces a novel approach that integrates abstract syntax trees with deep learning for PowerShell malware detection, emphasizing node embedding techniques.
Findings
Preliminary results show effective node embeddings for PowerShell ASTs.
The approach improves classification of malicious script families.
Embedding-based features outperform traditional methods.
Abstract
With the celebrated success of deep learning, some attempts to develop effective methods for detecting malicious PowerShell programs employ neural nets in a traditional natural language processing setup while others employ convolutional neural nets to detect obfuscated malicious commands at a character level. While these representations may express salient PowerShell properties, our hypothesis is that tools from static program analysis will be more effective. We propose a hybrid approach combining traditional program analysis (in the form of abstract syntax trees) and deep learning. This poster presents preliminary results of a fundamental step in our approach: learning embeddings for nodes of PowerShell ASTs. We classify malicious scripts by family type and explore embedded program vector representations.
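The fundamental step the abstract describes is representing a script as its AST nodes so that node embeddings can be learned. The following is an added illustration, not code from the paper or its authors: it parses a constructed, benign script with PowerShell's own parser, emits the node-type sequence as integer ids, and derives (parent, child) context pairs of the kind a tree-structured skip-gram embedding would train on. The sample script, the vocabulary scheme and the choice of parent-child pairs as context are assumptions made for this example; the paper does not specify its embedding objective here.

```powershell
# Added example (not from the paper): turn a PowerShell script into the AST node
# sequence and (parent, child) context pairs that an AST node-embedding step would consume.
# The input script below is constructed and benign.
$source = @'
param([string]$Name = "pwsh")
Get-Process | Where-Object { $_.ProcessName -like "*$Name*" } |
    Select-Object Name, Id
'@

$tokens = $null
$errors = $null
$ast = [System.Management.Automation.Language.Parser]::ParseInput($source, [ref]$tokens, [ref]$errors)
if ($errors.Count -gt 0) { throw "Parse errors: $($errors | ForEach-Object Message)" }

# Every node in the tree, in document order, including nested script blocks.
$nodes = $ast.FindAll({ param($n) $true }, $true)

# Node "words": the AST type names (e.g. CommandAst, StringConstantExpressionAst).
$sequence = $nodes | ForEach-Object { $_.GetType().Name }

# Vocabulary mapping each node type to an integer id, in order of first appearance
# (assumed scheme for this example).
$vocab = [ordered]@{}
foreach ($t in $sequence) {
    if (-not $vocab.Contains($t)) { $vocab[$t] = $vocab.Count }
}
$ids = $sequence | ForEach-Object { $vocab[$_] }

# Structural context pairs (parent type, child type): the tree, not token adjacency,
# defines a node's context, which is what distinguishes an AST embedding from a
# plain text-sequence embedding of the script.
$pairs = foreach ($n in $nodes) {
    if ($null -ne $n.Parent) {
        [pscustomobject]@{ Parent = $n.Parent.GetType().Name; Child = $n.GetType().Name }
    }
}

"Node count: $($nodes.Count); vocabulary size: $($vocab.Count)"
"Id sequence: $($ids -join ' ')"
$pairs | Group-Object Parent, Child | Sort-Object Count -Descending | Select-Object Count, Name -First 10
```

Run it in any PowerShell session; the vocabulary and pair counts are the inputs a classifier would see, and the script text itself never reaches the model, which is why obfuscation of string literals leaves the node-type structure largely intact.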
