Detecting malicious windows commands using natural language processing techniques


Abstract

Windows command line arguments are used to administer the operating system through a CLI (command line interface). This command line interface gives access to multiple powerful system administration tools such as PowerShell and WMIC. In an ideal scenario, access to the CLI is restricted for malicious users, and command line inputs are logged for forensic investigation. However, cyber criminals are implementing innovative command line obfuscation techniques to bypass those access restrictions and compromise system security. Traditional pattern matching techniques on obfuscated command line arguments are not suitable as a detection mechanism because of the large search space presented by obfuscated commands. In this work we used artificial intelligence driven natural language processing techniques to classify Windows command lines as malicious or not. We implemented the Multinomial Naive Bayes algorithm with a neural network and trained it over a data set of malicious command line arguments. We evaluated the trained classifier in a real environment with both normal and malicious obfuscated command line arguments and found our technique very effective in classifying malicious command line arguments with respect to false positives and performance.
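The abstract describes classifying command lines with a Multinomial Naive Bayes model rather than pattern matching, since the punctuation and case noise that obfuscation introduces has a statistical signature even when no fixed string can be matched. The following is an added illustration written for this page, not the authors' code: it trains a from-scratch Multinomial Naive Bayes classifier (Laplace smoothing) over character 1-grams and 2-grams of a small constructed training set. The training strings, the labels, the choice of character n-grams as features and the `CommandLineNB` class name are all assumptions of this example; the paper's neural-network component is not reproduced.

```python
"""Multinomial Naive Bayes over character n-grams of Windows command lines.

Added example: the feature choice (character 1- and 2-grams), the tiny
training set and all labels are constructed for illustration only.
"""
import math
from collections import Counter


def ngrams(cmd, sizes=(1, 2)):
    """Character n-grams of the raw command line. Case is kept on purpose:
    scrambled case is itself a signal the model should be able to learn."""
    feats = []
    for n in sizes:
        feats.extend(cmd[i:i + n] for i in range(len(cmd) - n + 1))
    return feats


class CommandLineNB:
    """Multinomial Naive Bayes with additive (Laplace) smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.class_counts = {}      # label -> Counter of feature counts
        self.class_docs = Counter()  # label -> number of training samples
        self.vocab = set()
        self.totals = {}
        self.n_docs = 0

    def fit(self, samples):
        for cmd, label in samples:
            feats = ngrams(cmd)
            self.class_counts.setdefault(label, Counter()).update(feats)
            self.class_docs[label] += 1
            self.vocab.update(feats)
        self.totals = {c: sum(cnt.values()) for c, cnt in self.class_counts.items()}
        self.n_docs = sum(self.class_docs.values())
        return self

    def log_posteriors(self, cmd):
        """log P(label) + sum_f n_f * log P(f | label), one entry per label."""
        feats = Counter(ngrams(cmd))
        vocab_size = len(self.vocab)
        out = {}
        for label, counts in self.class_counts.items():
            lp = math.log(self.class_docs[label] / self.n_docs)
            denom = self.totals[label] + self.alpha * vocab_size
            for f, n in feats.items():
                lp += n * math.log((counts[f] + self.alpha) / denom)
            out[label] = lp
        return out

    def classify(self, cmd):
        lp = self.log_posteriors(cmd)
        return max(lp, key=lp.get)


# Constructed training data. The "malicious" strings are illustrative
# punctuation- and case-noised commands, not real malware command lines;
# "QUJDREVGR0hJ" is a placeholder token standing in for an encoded argument.
TRAINING = [
    ("dir C:\\Users", "benign"),
    ("ipconfig /all", "benign"),
    ("wmic os get caption", "benign"),
    ("powershell Get-Process", "benign"),
    ("net user", "benign"),
    ("tasklist /v", "benign"),
    ("systeminfo", "benign"),
    ("powershell Get-Service", "benign"),
    ('c^m^d /c "s^e^t a=p&& c^a^l^l %a%"', "malicious"),
    ("pOwErShElL -nOp -w hIdDeN -e QUJDREVGR0hJ", "malicious"),
    ('c^m^d /c e^c^h^o "h^i"', "malicious"),
    ('"C:\\Win""dows\\sys""tem32\\cmd" /c ec""ho hi', "malicious"),
    ('cMd.ExE /V:oN /C "sEt q=dir&&!q!"', "malicious"),
]


def build_model():
    return CommandLineNB().fit(TRAINING)


if __name__ == "__main__":
    model = build_model()
    # Held-out commands that do not appear verbatim in TRAINING.
    for cmd in ["powershell Get-Date", 'c^m^d /c "e^c^h^o t^e^s^t"']:
        print(f"{model.classify(cmd):<10} {cmd}")
```

Because every caret, stray quote and mid-word case flip contributes its own smoothed likelihood ratio, an unseen obfuscated variant still scores as malicious without any signature for that exact string; in production the training set would be drawn from logged command lines, as the abstract describes, and the decision threshold tuned against the false-positive rate.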

Citation (APA)

Yamin, M. M., & Katt, B. (2019). Detecting malicious windows commands using natural language processing techniques. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 11359 LNCS, pp. 157–169). Springer Verlag. https://doi.org/10.1007/978-3-030-12942-2_13
