Abstract

PowerShell is an important tool for automating administrative tasks. It is open source, pre-installed on Windows machines and available on many other operating systems. Administrators generally use PowerShell for routine management tasks such as adding and deleting accounts, editing groups, and retrieving hard-to-find user information. However, researchers have recently found PowerShell being used to carry out a variety of attacks. These attacks exploit PowerShell's extensive capabilities to access privileged information, take control of entire machines, or spread across an organization. Because such malicious scripts are obfuscated and complex, detecting them is costly and difficult. Here, we present Malicious PowerShell Script Autodetect (MPSAutodetect), a detection model that relies on machine learning techniques to detect malicious PowerShell scripts. The model uses stacked denoising auto-encoders (SdAs) to extract meaningful features; these easily obtained features are then fed to an eXtreme Gradient Boosting (XGBoost) classifier. Two substantial datasets, one labelled and one unlabelled, were collected to train and test MPSAutodetect in supervised and semi-supervised settings. The datasets contain both malicious and benign obfuscated scripts. The results show that, regardless of which features were extracted from the SdA, the supervised approach detected better, reaching a 98% true-positive rate with a low 0.6% false-positive rate. The analysis of MPSAutodetect thus shows that the model achieves respectable performance without the laborious process of manual feature engineering.
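The abstract gives only the shape of the pipeline. The following is an added, self-contained example written for this page, not code or data from the paper: a pure-Python toy of the same architecture, in which each script is turned into a printable-ASCII character-frequency vector, a two-layer stacked denoising auto-encoder is pre-trained greedily layer by layer with masking noise on labelled and unlabelled scripts, and the top-layer codes are fed to a classifier head. Everything specific here is an assumption: the character-frequency input encoding, the layer sizes (95, 24, 16), the corruption rate and learning rates, the constructed sample scripts (the "obfuscated" ones only evaluate harmless arithmetic through common obfuscation idioms), and logistic regression standing in for XGBoost so the example runs without numpy or the xgboost package.

```python
"""Added toy of the MPSAutodetect pipeline: a stacked denoising auto-encoder (SdA) learns
features from PowerShell script text; a classifier head consumes them. Pure Python."""
import math, random, string

BENIGN = [  # constructed samples (not the paper's data)
    "Get-ADUser -Filter * -Properties Department | Select-Object Name, Department",
    "New-ADUser -Name 'jdoe' -Enabled $true -Path 'OU=Staff,DC=corp,DC=local'",
    "Remove-ADUser -Identity 'jdoe' -Confirm:$false",
    "Add-ADGroupMember -Identity 'Helpdesk' -Members 'asmith', 'bjones'",
]
OBFUSCATED = [  # constructed; common obfuscation idioms that only evaluate harmless arithmetic
    "&([char]105+[char]101+[char]120) ([char]49+[char]43+[char]49)",
    "I`E`X ('1'+'+'+'1')",
    "powershell -EncodedCommand MQArADEA",  # base64 of UTF-16LE '1+1'
    "$x=[string]::Join('',[char[]](49,43,49));iex $x",
]
UNLABELLED = [  # only pre-train the SdA: the semi-supervised use of unlabelled data
    "Get-Service | Where-Object Status -eq 'Running'", "$s='Write'+'-Host';& $s ([char]104)"]
PRINTABLE = string.printable[:95]  # digits, letters, punctuation, space
INDEX = {c: i for i, c in enumerate(PRINTABLE)}

def char_frequency(script):  # raw SdA input: relative frequency of each printable ASCII char
    vec = [0.0] * len(PRINTABLE)
    for ch in script:
        if ch in INDEX:
            vec[INDEX[ch]] += 1.0
    return [v / max(len(script), 1) for v in vec]

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-max(-30.0, min(30.0, z))))

class DenoisingAutoencoder:  # one SdA layer with tied weights: rebuild clean input from a masked copy
    def __init__(self, n_in, n_hid, rng, corruption=0.2, lr=0.5):
        s = 1.0 / math.sqrt(n_in)
        self.W = [[rng.uniform(-s, s) for _ in range(n_in)] for _ in range(n_hid)]
        self.b, self.c = [0.0] * n_hid, [0.0] * n_in  # encoder / decoder biases
        self.corruption, self.lr, self.rng = corruption, lr, rng
    def encode(self, x):
        return [sigmoid(sum(w * xi for w, xi in zip(row, x)) + b) for row, b in zip(self.W, self.b)]
    def decode(self, h):
        return [sigmoid(sum(row[i] * hj for row, hj in zip(self.W, h)) + ci) for i, ci in enumerate(self.c)]
    def train_step(self, x):
        x_noisy = [0.0 if self.rng.random() < self.corruption else xi for xi in x]  # masking noise
        h = self.encode(x_noisy)
        y = self.decode(h)
        d_out = [(yi - xi) * yi * (1 - yi) for yi, xi in zip(y, x)]  # squared-error grad at outputs
        d_hid = [sum(d * w for d, w in zip(d_out, row)) * hj * (1 - hj) for row, hj in zip(self.W, h)]
        for j, row in enumerate(self.W):  # tied weights: decoder and encoder gradient terms summed
            for i in range(len(x)):
                row[i] -= self.lr * (d_out[i] * h[j] + d_hid[j] * x_noisy[i])
            self.b[j] -= self.lr * d_hid[j]
        for i in range(len(x)):
            self.c[i] -= self.lr * d_out[i]

class StackedDenoisingAutoencoder:
    def __init__(self, sizes, seed=7):
        rng = random.Random(seed)
        self.layers = [DenoisingAutoencoder(a, b, rng) for a, b in zip(sizes, sizes[1:])]
    def fit(self, X, epochs=100):  # greedy layer-wise pre-training on the codes of the layer below
        for layer in self.layers:
            for _ in range(epochs):
                for x in X:
                    layer.train_step(x)
            X = [layer.encode(x) for x in X]
        return self
    def transform(self, x):  # top-layer code is the learned feature vector
        for layer in self.layers:
            x = layer.encode(x)
        return x

class LogisticHead:  # stand-in for the paper's XGBoost classifier (this example's assumption)
    def fit(self, F, y, lr=0.1, epochs=3000):
        n = len(F[0])
        self.mu = [sum(f[i] for f in F) / len(F) for i in range(n)]
        self.sd = [math.sqrt(sum((f[i] - self.mu[i]) ** 2 for f in F) / len(F)) + 1e-9 for i in range(n)]
        self.w, self.b = [0.0] * n, 0.0
        Z = [self._scale(f) for f in F]
        for _ in range(epochs):
            for z, t in zip(Z, y):  # plain SGD on the logistic loss
                g = sigmoid(sum(wi * zi for wi, zi in zip(self.w, z)) + self.b) - t
                self.w = [wi - lr * g * zi for wi, zi in zip(self.w, z)]
                self.b -= lr * g
        return self
    def _scale(self, f):  # z-score features with the training statistics
        return [(fi - m) / s for fi, m, s in zip(f, self.mu, self.sd)]
    def predict_proba(self, f):
        return sigmoid(sum(wi * zi for wi, zi in zip(self.w, self._scale(f))) + self.b)

def train_toy_mpsautodetect():  # SdA sees labelled + unlabelled scripts; head sees labelled only
    scripts, labels = BENIGN + OBFUSCATED, [0] * len(BENIGN) + [1] * len(OBFUSCATED)
    sda = StackedDenoisingAutoencoder([len(PRINTABLE), 24, 16])
    sda.fit([char_frequency(s) for s in scripts + UNLABELLED])
    head = LogisticHead().fit([sda.transform(char_frequency(s)) for s in scripts], labels)
    return sda, head

def score(sda, head, script):  # toy model's probability that a script is malicious (obfuscated)
    return head.predict_proba(sda.transform(char_frequency(script)))
```

`train_toy_mpsautodetect()` pre-trains the SdA and fits the head; `score(sda, head, script)` returns the probability that a script is malicious. The point to take from it is the division of labour the abstract describes: the auto-encoder never sees a label and learns its representation from reconstruction alone, which is why unlabelled scripts can join its training set, while only the head is supervised. With real data the head would be `xgboost.XGBClassifier` and the input representation whatever the paper uses (the abstract does not say); eight constructed scripts say nothing about the reported 98% true-positive rate.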
