Living-off-the-Land Abuse Detection Using Natural Language Processing and Supervised Learning
Ryan Stamp (School of Computer Science, University of Guelph, Ontario, Canada)

TL;DR
This paper introduces a novel approach for detecting Living-off-the-Land attacks by applying natural language processing and supervised learning to command strings, improving detection over traditional anti-virus methods.
Contribution
The paper presents a new abuse detection algorithm that encodes command strings with NLP techniques and employs supervised learning for improved detection of malicious system binaries.
Findings
The proposed method outperforms Windows Defender in detecting new malicious commands.
Encoding command strings with NLP techniques enhances detection accuracy.
Supervised learning effectively identifies malicious patterns in command data.
Abstract
Living-off-the-Land is an evasion technique used by attackers where native binaries are abused to achieve malicious intent. Since these binaries are often legitimate system files, detecting such abuse is difficult and often missed by modern anti-virus software. This paper proposes a novel abuse detection algorithm using raw command strings. First, natural language processing techniques such as regular expressions and one-hot encoding are utilized for encoding the command strings as numerical token vectors. Next, supervised learning techniques are employed to learn the malicious patterns in the token vectors and ultimately predict the command's label. Finally, the model is evaluated using statistics from the training phase and in a virtual environment to compare its effectiveness at detecting new commands to existing anti-virus products such as Windows Defender.
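As an added illustration of the pipeline the abstract describes (regular expressions to encode command strings as tokens, one-hot token vectors, a supervised model that predicts the command's label), the following Python is not the paper's code: the command samples, the normalisation patterns and the Bernoulli naive Bayes classifier are constructed assumptions, and the labels come from the constructed data, not from any real detection rule.

```python
import math
import re

# Constructed, labelled command strings (1 = abuse of a native binary, 0 = benign).
# Binary names and switches are placeholders, not real tools or techniques.
TRAIN = [
    ("notepad.exe C:\\Users\\alice\\notes.txt", 0),
    ("ipconfig /all", 0),
    ("ping -n 4 10.0.0.1", 0),
    ("netstat -an", 0),
    ("sysbin.exe /fetch http://example.invalid/a.bin /run", 1),
    ("sysbin.exe /decode C:\\Temp\\blob.txt /run", 1),
    ("loader.exe -enc aGVsbG8= -hidden", 1),
    ("loader.exe -fetch http://example.invalid/b -hidden", 1),
]

# Regex encoding step: collapse high-variance fields into fixed placeholder tokens
# so the model learns command shape rather than a specific URL, path or number.
NORMALIZERS = [
    (re.compile(r"https?://\S+", re.I), " <url> "),
    (re.compile(r"[a-z]:\\[^\s]+", re.I), " <path> "),
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), " <ip> "),
    (re.compile(r"\b\d+\b"), " <num> "),
]

def tokenize(cmd):
    for pat, rep in NORMALIZERS:
        cmd = pat.sub(rep, cmd)
    return re.findall(r"<\w+>|[a-z0-9]+", cmd.lower())

def one_hot(tokens, vocab):
    present = set(tokens)  # binary presence vector over the training vocabulary
    return [1 if t in present else 0 for t in vocab]

class BernoulliNB:
    """Supervised learner over one-hot vectors with Laplace smoothing (alpha)."""
    def fit(self, X, y, alpha=1.0):
        self.prior = {c: math.log(y.count(c) / len(y)) for c in (0, 1)}
        self.theta = {}
        for c in (0, 1):
            rows = [x for x, lbl in zip(X, y) if lbl == c]
            self.theta[c] = [(sum(r[j] for r in rows) + alpha) / (len(rows) + 2 * alpha)
                             for j in range(len(X[0]))]
        return self
    def predict(self, x):
        score = {c: self.prior[c] + sum(math.log(p if xj else 1 - p)
                 for xj, p in zip(x, self.theta[c])) for c in (0, 1)}
        return max(score, key=score.get)

def train_detector(samples):
    vocab = sorted({t for cmd, _ in samples for t in tokenize(cmd)})
    X = [one_hot(tokenize(cmd), vocab) for cmd, _ in samples]
    return vocab, BernoulliNB().fit(X, [lbl for _, lbl in samples])

def classify(cmd, vocab, model):
    return model.predict(one_hot(tokenize(cmd), vocab))
```

Commands never seen during training are scored by the tokens they share with each class, which is why the placeholder normalisation matters: a new URL or path still maps to the same token the model learned from.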
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Digital and Cyber Forensics
