Efficient Detection and Recovery of Malicious PowerShell Scripts Embedded into Digital Images
Table 2
Defined performance metrics.
Performance metric
Description
Correct detection rate
The number of correctly identified cases for a given detection scenario.
False positives (FP) and False negatives (FN)
FP occurs when a clean image is identified as steganographically modified, while FN is when an image with an embedded malicious PowerShell script is classified as benign.
The average time needed to perform the detection process, which is measured from the moment when the red channel is ready to be investigated, until the specific pattern indicating steganography usage is (or is not) identified.
The average time needed to perform the size estimation of the embedded malicious script in the digital image. It is measured from the moment when the green and blue channels are prepared to be investigated until a prediction of the size is completed.
(mean absolute percentage error)
Specifies, on average, to what extent the estimated size of the injected script is correct. It is calculated as follows: , where denotes the number of steganographically modified files used for size estimation, is the actual size of the script, and is its estimated size.
