Research Article
Efficient Detection and Recovery of Malicious PowerShell Scripts Embedded into Digital Images
Table 3
Detection and performance results for Mavis.
| | Invoke-PSImage Mode-1 |
| | Scripts | Correct detec. | FN rate | (ms) | (ms) | (%) | | Deobfuscated | 4641/4641 (100%) | 0/4641 (0%) | 7.75 | 1.65 | 10.03 | | Obfuscated | 4018/4018 (100%) | 0/4018 (0%) | 19.18 | 5.23 | 0.12 | | Overall | 100% | 0% | 13.05 | 3.31 | 5.43 |
| | Invoke-PSImage Mode-2 | | Scripts | Correct detec. | FN rate | (ms) | (ms) | (%) | | Deobfuscated (256 × 256) | 5000/5000 (100%) | 0/5000 (0%) | 1.1 | 3.94 | 0.0009 | | Deobfuscated (512 × 512) | 5000/5000 (100%) | 0/5000 (0%) | 4.11 | 3.83 | 0.0017 | | Deobfuscated (1024 × 1024) | 5000/5000 (100%) | 0/5000 (0%) | 16.89 | 4.03 | 0.0022 | | Obfuscated (256 × 256) | 5000/5000 (100%) | 0/5000 (0%) | 0.99 | 9.24 | 0.0006 | | Obfuscated (512 × 512) | 5000/5000 (100%) | 0/5000 (0%) | 4.06 | 9.71 | 0.0005 | | Obfuscated (1024 × 1024) | 5000/5000 (100%) | 0/5000 (0%) | 16.29 | 9.57 | 0.0006 | | Overall | 100% | 0% | 7.24 | 6.72 | 0.0011 |
| | Scripts | Correct detec. | FP rate | (ms) | (ms) | (%) | | Clean (256 × 256) | 5000/5000 (100%) | 0/5000 (0%) | 1.15 | N/A | N/A | | Clean (512 × 512) | 4999/5000 (99.98%) | 1/5000 (0.02%) | 4.44 | N/A | N/A | | Clean (1024 × 1024) | 5000/5000 (100%) | 0/5000 (0%) | 16.21 | N/A | N/A | | Overall | 99.99% | 0.01% | 7.27 | N/A | N/A |
|
|
