{"id":"https://openalex.org/W4405182026","doi":"https://doi.org/10.1145/3658644.3670310","title":"PowerPeeler: A Precise and General Dynamic Deobfuscation Method for PowerShell Scripts","display_name":"PowerPeeler: A Precise and General Dynamic Deobfuscation Method for PowerShell Scripts","publication_year":2024,"publication_date":"2024-12-02","ids":{"openalex":"https://openalex.org/W4405182026","doi":"https://doi.org/10.1145/3658644.3670310"},"language":"en","primary_location":{"id":"doi:10.1145/3658644.3670310","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3658644.3670310","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3658644.3670310","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://dl.acm.org/doi/pdf/10.1145/3658644.3670310","any_repository_has_fulltext":null},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5104335285","display_name":"Ruijie Li","orcid":null},"institutions":[{"id":"https://openalex.org/I76569877","display_name":"Southeast University","ror":"https://ror.org/04ct4d772","country_code":"CN","type":"education","lineage":["https://openalex.org/I76569877"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"Ruijie Li","raw_affiliation_strings":["Southeast University &amp; QI-ANXIN Technology Research Institute, Nanjing, China"],"raw_orcid":"https://orcid.org/0009-0009-4456-3271","affiliations":[{"raw_affiliation_string":"Southeast University &amp; QI-ANXIN Technology Research Institute, Nanjing, China","institution_ids":["https://openalex.org/I76569877"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Chenyang Zhang","orcid":"https://orcid.org/0009-0001-0076-863X"},"institutions":[{"id":"https://openalex.org/I24943067","display_name":"Fudan University","ror":"https://ror.org/013q1eq08","country_code":"CN","type":"education","lineage":["https://openalex.org/I24943067"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Chenyang Zhang","raw_affiliation_strings":["Fudan University, Shanghai, China"],"raw_orcid":"https://orcid.org/0009-0001-0076-863X","affiliations":[{"raw_affiliation_string":"Fudan University, Shanghai, China","institution_ids":["https://openalex.org/I24943067"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Huajun Chai","orcid":"https://orcid.org/0009-0000-0369-3728"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Huajun Chai","raw_affiliation_strings":["QI-ANXIN Technology Research Institute, Beijing, China"],"raw_orcid":"https://orcid.org/0009-0000-0369-3728","affiliations":[{"raw_affiliation_string":"QI-ANXIN Technology Research Institute, Beijing, China","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100414046","display_name":"Lingyun Ying","orcid":"https://orcid.org/0000-0001-7445-9103"},"institutions":[{"id":"https://openalex.org/I99065089","display_name":"Tsinghua University","ror":"https://ror.org/03cve4549","country_code":"CN","type":"education","lineage":["https://openalex.org/I99065089"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Lingyun Ying","raw_affiliation_strings":["QI-ANXIN Technology Research Institute &amp; Tsinghua University-QI-ANXIN Group JCNS, Beijing, China"],"raw_orcid":"https://orcid.org/0000-0001-7445-9103","affiliations":[{"raw_affiliation_string":"QI-ANXIN Technology Research Institute &amp; Tsinghua University-QI-ANXIN Group JCNS, Beijing, China","institution_ids":["https://openalex.org/I99065089"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5067799841","display_name":"Haixin Duan","orcid":"https://orcid.org/0000-0003-0083-733X"},"institutions":[{"id":"https://openalex.org/I99065089","display_name":"Tsinghua University","ror":"https://ror.org/03cve4549","country_code":"CN","type":"education","lineage":["https://openalex.org/I99065089"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Haixin Duan","raw_affiliation_strings":["Tsinghua University &amp; Tsinghua University-QI-ANXIN Group JCNS, Beijing, China"],"raw_orcid":"https://orcid.org/0000-0003-0083-733X","affiliations":[{"raw_affiliation_string":"Tsinghua University &amp; Tsinghua University-QI-ANXIN Group JCNS, Beijing, China","institution_ids":["https://openalex.org/I99065089"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5101540498","display_name":"Jun Tao","orcid":"https://orcid.org/0000-0002-3052-3828"},"institutions":[{"id":"https://openalex.org/I76569877","display_name":"Southeast University","ror":"https://ror.org/04ct4d772","country_code":"CN","type":"education","lineage":["https://openalex.org/I76569877"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Jun Tao","raw_affiliation_strings":["Southeast University, Nanjing, China"],"raw_orcid":"https://orcid.org/0000-0002-3052-3828","affiliations":[{"raw_affiliation_string":"Southeast University, Nanjing, China","institution_ids":["https://openalex.org/I76569877"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":6,"corresponding_author_ids":["https://openalex.org/A5104335285"],"corresponding_institution_ids":["https://openalex.org/I76569877"],"apc_list":null,"apc_paid":null,"fwci":1.2861,"has_fulltext":true,"cited_by_count":4,"citation_normalized_percentile":{"value":0.81397324,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":96,"max":98},"biblio":{"volume":null,"issue":null,"first_page":"4539","last_page":"4553"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9990000128746033,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12034","display_name":"Digital and Cyber Forensics","score":0.9972000122070312,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/scripting-language","display_name":"Scripting language","score":0.8476238250732422},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8009828329086304},{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.6781389713287354},{"id":"https://openalex.org/keywords/task","display_name":"Task (project management)","score":0.6447715759277344},{"id":"https://openalex.org/keywords/automation","display_name":"Automation","score":0.644290030002594},{"id":"https://openalex.org/keywords/process","display_name":"Process (computing)","score":0.6254532933235168},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.4026302099227905},{"id":"https://openalex.org/keywords/software-engineering","display_name":"Software engineering","score":0.39745229482650757},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.26505815982818604},{"id":"https://openalex.org/keywords/systems-engineering","display_name":"Systems engineering","score":0.12350553274154663},{"id":"https://openalex.org/keywords/engineering","display_name":"Engineering","score":0.11375674605369568}],"concepts":[{"id":"https://openalex.org/C61423126","wikidata":"https://www.wikidata.org/wiki/Q187432","display_name":"Scripting language","level":2,"score":0.8476238250732422},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8009828329086304},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.6781389713287354},{"id":"https://openalex.org/C2780451532","wikidata":"https://www.wikidata.org/wiki/Q759676","display_name":"Task (project management)","level":2,"score":0.6447715759277344},{"id":"https://openalex.org/C115901376","wikidata":"https://www.wikidata.org/wiki/Q184199","display_name":"Automation","level":2,"score":0.644290030002594},{"id":"https://openalex.org/C98045186","wikidata":"https://www.wikidata.org/wiki/Q205663","display_name":"Process (computing)","level":2,"score":0.6254532933235168},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.4026302099227905},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.39745229482650757},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.26505815982818604},{"id":"https://openalex.org/C201995342","wikidata":"https://www.wikidata.org/wiki/Q682496","display_name":"Systems engineering","level":1,"score":0.12350553274154663},{"id":"https://openalex.org/C127413603","wikidata":"https://www.wikidata.org/wiki/Q11023","display_name":"Engineering","level":0,"score":0.11375674605369568},{"id":"https://openalex.org/C78519656","wikidata":"https://www.wikidata.org/wiki/Q101333","display_name":"Mechanical engineering","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3658644.3670310","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3658644.3670310","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3658644.3670310","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"}],"best_oa_location":{"id":"doi:10.1145/3658644.3670310","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3658644.3670310","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3658644.3670310","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":true,"grobid_xml":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4405182026.pdf","grobid_xml":"https://content.openalex.org/works/W4405182026.grobid-xml"},"referenced_works_count":21,"referenced_works":["https://openalex.org/W179128985","https://openalex.org/W2026054276","https://openalex.org/W2743459917","https://openalex.org/W2797678261","https://openalex.org/W2896805421","https://openalex.org/W2968580482","https://openalex.org/W2985244210","https://openalex.org/W3091934055","https://openalex.org/W3097730806","https://openalex.org/W3100399179","https://openalex.org/W3138173041","https://openalex.org/W3163821226","https://openalex.org/W4220804820","https://openalex.org/W4280612849","https://openalex.org/W4287848938","https://openalex.org/W4288365419","https://openalex.org/W4313121063","https://openalex.org/W4384129390","https://openalex.org/W4385270173","https://openalex.org/W4385688802","https://openalex.org/W4388829448"],"related_works":["https://openalex.org/W2097492617","https://openalex.org/W2753240997","https://openalex.org/W1764168690","https://openalex.org/W2537959205","https://openalex.org/W2740895074","https://openalex.org/W2772446090","https://openalex.org/W4284893819","https://openalex.org/W3152891574","https://openalex.org/W4316881845","https://openalex.org/W2975527072"],"abstract_inverted_index":{"PowerShell":[0,34,59],"is":[1,11,62],"a":[2,64],"powerful":[3],"and":[4,22,57],"versatile":[5],"task":[6],"automation":[7],"tool.":[8],"Unfortunately,":[9],"it":[10],"also":[12],"widely":[13],"abused":[14],"by":[15],"cyber":[16],"attackers.":[17],"To":[18],"bypass":[19],"malware":[20],"detection":[21],"hinder":[23],"threat":[24],"analysis,":[25,45],"attackers":[26],"often":[27],"employ":[28],"diverse":[29],"techniques":[30],"to":[31,48],"obfuscate":[32],"malicious":[33],"scripts.":[35],"Existing":[36],"deobfuscation":[37,52,61],"tools":[38],"suffer":[39],"from":[40],"the":[41,50],"limitation":[42],"of":[43],"static":[44],"which":[46],"fails":[47],"simulate":[49],"real":[51],"process":[53],"accurately.":[54],"Accurate,":[55],"complete,":[56],"robust":[58],"script":[60],"still":[63],"challenging":[65],"problem.":[66]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":3}],"updated_date":"2026-05-08T15:41:06.802602","created_date":"2025-10-10T00:00:00"}