{"id":"https://openalex.org/W2797678261","doi":"https://doi.org/10.1145/3196494.3196511","title":"Detecting Malicious PowerShell Commands using Deep Neural Networks","display_name":"Detecting Malicious PowerShell Commands using Deep Neural Networks","publication_year":2018,"publication_date":"2018-05-29","ids":{"openalex":"https://openalex.org/W2797678261","doi":"https://doi.org/10.1145/3196494.3196511","mag":"2797678261"},"language":"en","primary_location":{"id":"doi:10.1145/3196494.3196511","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3196494.3196511","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2018 on Asia Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":null,"display_name":"Danny Hendler","orcid":null},"institutions":[{"id":"https://openalex.org/I124227911","display_name":"Ben-Gurion University of the Negev","ror":"https://ror.org/05tkyf982","country_code":"IL","type":"education","lineage":["https://openalex.org/I124227911"]}],"countries":["IL"],"is_corresponding":true,"raw_author_name":"Danny Hendler","raw_affiliation_strings":["Ben-Gurion University of the Negev, Beer-Sheva, Israel"],"affiliations":[{"raw_affiliation_string":"Ben-Gurion University of the Negev, Beer-Sheva, Israel","institution_ids":["https://openalex.org/I124227911"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Shay Kels","orcid":null},"institutions":[{"id":"https://openalex.org/I4210125051","display_name":"Microsoft (Israel)","ror":"https://ror.org/03819cc96","country_code":"IL","type":"company","lineage":["https://openalex.org/I1290206253","https://openalex.org/I4210125051"]}],"countries":["IL"],"is_corresponding":false,"raw_author_name":"Shay Kels","raw_affiliation_strings":["Microsoft, Hertzlia, Israel"],"affiliations":[{"raw_affiliation_string":"Microsoft, Hertzlia, Israel","institution_ids":["https://openalex.org/I4210125051"]}]},{"author_position":"last","author":{"id":null,"display_name":"Amir Rubin","orcid":null},"institutions":[{"id":"https://openalex.org/I124227911","display_name":"Ben-Gurion University of the Negev","ror":"https://ror.org/05tkyf982","country_code":"IL","type":"education","lineage":["https://openalex.org/I124227911"]}],"countries":["IL"],"is_corresponding":false,"raw_author_name":"Amir Rubin","raw_affiliation_strings":["Ben-Gurion University of the Negev, Beer-Sheva, Israel"],"affiliations":[{"raw_affiliation_string":"Ben-Gurion University of the Negev, Beer-Sheva, Israel","institution_ids":["https://openalex.org/I124227911"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":3,"corresponding_author_ids":[],"corresponding_institution_ids":["https://openalex.org/I124227911"],"apc_list":null,"apc_paid":null,"fwci":4.8089,"has_fulltext":false,"cited_by_count":75,"citation_normalized_percentile":{"value":0.95864491,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":90,"max":99},"biblio":{"volume":null,"issue":null,"first_page":"187","last_page":"197"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9998000264167786,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9998000264167786,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12034","display_name":"Digital and Cyber Forensics","score":0.9970999956130981,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9952999949455261,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/scripting-language","display_name":"Scripting language","score":0.6247000098228455},{"id":"https://openalex.org/keywords/detector","display_name":"Detector","score":0.4255000054836273},{"id":"https://openalex.org/keywords/classifier","display_name":"Classifier (UML)","score":0.40059998631477356},{"id":"https://openalex.org/keywords/upload","display_name":"Upload","score":0.376800000667572},{"id":"https://openalex.org/keywords/source-code","display_name":"Source code","score":0.35910001397132874},{"id":"https://openalex.org/keywords/firewall","display_name":"Firewall (physics)","score":0.3407999873161316},{"id":"https://openalex.org/keywords/convolutional-neural-network","display_name":"Convolutional neural network","score":0.33379998803138733}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8026999831199646},{"id":"https://openalex.org/C61423126","wikidata":"https://www.wikidata.org/wiki/Q187432","display_name":"Scripting language","level":2,"score":0.6247000098228455},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.5130000114440918},{"id":"https://openalex.org/C94915269","wikidata":"https://www.wikidata.org/wiki/Q1834857","display_name":"Detector","level":2,"score":0.4255000054836273},{"id":"https://openalex.org/C95623464","wikidata":"https://www.wikidata.org/wiki/Q1096149","display_name":"Classifier (UML)","level":2,"score":0.40059998631477356},{"id":"https://openalex.org/C71901391","wikidata":"https://www.wikidata.org/wiki/Q7126699","display_name":"Upload","level":2,"score":0.376800000667572},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.35910001397132874},{"id":"https://openalex.org/C77714075","wikidata":"https://www.wikidata.org/wiki/Q5452017","display_name":"Firewall (physics)","level":5,"score":0.3407999873161316},{"id":"https://openalex.org/C81363708","wikidata":"https://www.wikidata.org/wiki/Q17084460","display_name":"Convolutional neural network","level":2,"score":0.33379998803138733},{"id":"https://openalex.org/C50644808","wikidata":"https://www.wikidata.org/wiki/Q192776","display_name":"Artificial neural network","level":2,"score":0.3336000144481659},{"id":"https://openalex.org/C115901376","wikidata":"https://www.wikidata.org/wiki/Q184199","display_name":"Automation","level":2,"score":0.33309999108314514},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.33250001072883606},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.30149999260902405},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.29339998960494995},{"id":"https://openalex.org/C77088390","wikidata":"https://www.wikidata.org/wiki/Q8513","display_name":"Database","level":1,"score":0.28870001435279846},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.2685999870300293},{"id":"https://openalex.org/C113843644","wikidata":"https://www.wikidata.org/wiki/Q901882","display_name":"Interface (matter)","level":4,"score":0.2531999945640564}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3196494.3196511","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3196494.3196511","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2018 on Asia Conference on Computer and Communications Security","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":18,"referenced_works":["https://openalex.org/W114517082","https://openalex.org/W1545528966","https://openalex.org/W1893133781","https://openalex.org/W1970867218","https://openalex.org/W2016053056","https://openalex.org/W2044675702","https://openalex.org/W2064675550","https://openalex.org/W2100307718","https://openalex.org/W2112796928","https://openalex.org/W2131774270","https://openalex.org/W2134299061","https://openalex.org/W2136016850","https://openalex.org/W2147800946","https://openalex.org/W2213612645","https://openalex.org/W2290933337","https://openalex.org/W2536018345","https://openalex.org/W2632775315","https://openalex.org/W2736287575"],"related_works":[],"abstract_inverted_index":{"Microsoft's":[0,19],"PowerShell":[1,35,53,77,83,130,158,174],"is":[2,10,84,246],"a":[3,106,122,204,235,294],"command-line":[4],"shell":[5],"and":[6,44,64,70,101,134,141,176,190],"scripting":[7],"language":[8,185],"that":[9,26,143,229,252,265,304],"installed":[11],"by":[12,39,76,87,111,117,167,271],"default":[13],"on":[14,18,121,193],"Windows":[15],"machines.":[16],"Based":[17],".NET":[20],"framework,":[21],"it":[22],"includes":[23],"an":[24,226,231],"interface":[25],"allows":[27],"programmers":[28],"to":[29,114,248,278],"access":[30,43],"operating":[31],"system":[32],"services.":[33],"While":[34],"can":[36,49,55,306],"be":[37,50,56,307],"configured":[38],"administrators":[40],"for":[41,97,102,155],"restricting":[42],"reducing":[45],"vulnerabilities,":[46],"these":[47,81,261],"restrictions":[48],"bypassed.":[51],"Moreover,":[52],"commands":[54,175,251,263],"easily":[57],"generated":[58],"dynamically,":[59],"executed":[60,75],"from":[61],"memory,":[62],"encoded":[63],"obfuscated,":[65],"thus":[66],"making":[67,300],"the":[68,126,136,148,218,239,243,256,272,281],"logging":[69],"forensic":[71],"analysis":[72,259],"of":[73,91,128,138,151,172,260,308],"code":[74],"challenging.":[78],"For":[79],"all":[80],"reasons,":[82],"increasingly":[85],"used":[86],"cybercriminals":[88],"as":[89],"part":[90],"their":[92,178],"attacks'":[93],"tool":[94],"chain,":[95],"mainly":[96],"downloading":[98],"malicious":[99,129,157,173,250],"contents":[100],"lateral":[103],"movement.":[104],"Indeed,":[105],"recent":[107],"comprehensive":[108],"technical":[109],"report":[110],"Symantec":[112],"dedicated":[113],"PowerShell's":[115],"abuse":[116],"cybercrimials":[118],"[52]":[119],"reported":[120],"sharp":[123],"increase":[124],"in":[125,135,254],"number":[127,137],"samples":[131],"they":[132,305],"received":[133],"penetration":[139],"tools":[140],"frameworks":[142],"use":[144],"PowerShell.":[145],"This":[146],"highlights":[147],"urgent":[149],"need":[150],"developing":[152],"effective":[153],"methods":[154],"detecting":[156],"commands.":[159],"In":[160],"this":[161,165],"work,":[162],"we":[163,284],"address":[164],"challenge":[166],"implementing":[168],"several":[169],"novel":[170],"detectors":[171,189,191,215,287],"evaluating":[177],"performance.":[179],"We":[180],"implemented":[181],"both":[182],"\"traditional\"":[183],"natural":[184],"processing":[186],"(NLP)":[187],"based":[188,192],"character-level":[194],"convolutional":[195],"neural":[196],"networks":[197],"(CNNs).":[198],"Detectors'":[199],"performance":[200],"was":[201],"evaluated":[202],"using":[203,280],"large":[205],"real-world":[206],"dataset.":[207],"Our":[208,258,286],"evaluation":[209],"results":[210],"show":[211],"that,":[212],"although":[213],"our":[214],"(and":[216],"especially":[217],"traditional":[219],"NLP-based":[220,232],"ones)":[221],"individually":[222],"yield":[223],"high":[224,289],"performance,":[225,241],"ensemble":[227],"detector":[228],"combines":[230],"classifier":[233,237,245,274],"with":[234],"CNN-based":[236],"provides":[238],"best":[240],"since":[242],"latter":[244],"able":[247],"detect":[249,279],"succeed":[253],"evading":[255],"former.":[257],"evasive":[262],"reveals":[264],"some":[266],"obfuscation":[267],"patterns":[268],"automatically":[269],"detected":[270],"CNN":[273],"are":[275],"intrinsically":[276],"difficult":[277],"NLP":[282],"techniques":[283],"applied.":[285],"provide":[288],"recall":[290],"values":[291],"while":[292],"maintaining":[293],"very":[295],"low":[296],"false":[297],"positive":[298],"rate,":[299],"us":[301],"cautiously":[302],"optimistic":[303],"practical":[309],"value.":[310]},"counts_by_year":[{"year":2026,"cited_by_count":2},{"year":2025,"cited_by_count":7},{"year":2024,"cited_by_count":12},{"year":2023,"cited_by_count":10},{"year":2022,"cited_by_count":15},{"year":2021,"cited_by_count":9},{"year":2020,"cited_by_count":9},{"year":2019,"cited_by_count":10},{"year":2018,"cited_by_count":1}],"updated_date":"2026-04-22T08:38:42.863108","created_date":"2018-04-24T00:00:00"}