Research Article
Efficient Detection and Recovery of Malicious PowerShell Scripts Embedded into Digital Images
Table 5
Detection results for StegExpose in “default” mode.
Invoke-PSImage Mode-1

| Scripts | Correct detec. | FN rate | (ms) | (ms) | (%) |
|---|---|---|---|---|---|
| Deobfuscated | 4429/4641 (95.43%) | 212/4641 (4.57%) | 1.56 | 1.56 | 56 |
| Obfuscated | 1649/4018 (41.04%) | 2369/4018 (58.96%) | 3.72 | 3.72 | 91 |
| Overall | 70.19% | 29.81% | 2.56 | 2.56 | 72 |

Invoke-PSImage Mode-2

| Scripts | Correct detec. | FN rate | (ms) | (ms) | (%) |
|---|---|---|---|---|---|
| Deobfuscated (256 × 256) | 4850/5000 (97%) | 150/5000 (3%) | 164.25 | 164.25 | 11614 |
| Deobfuscated (512 × 512) | 4579/5000 (91.58%) | 421/5000 (8.42%) | 824.05 | 824.05 | 31470 |
| Deobfuscated (1024 × 1024) | 4600/5000 (92%) | 400/5000 (8%) | 3308.11 | 3308.11 | 125795 |
| Obfuscated (256 × 256) | 4816/5000 (96.32%) | 184/5000 (3.68%) | 183.74 | 183.74 | 4380 |
| Obfuscated (512 × 512) | 4498/5000 (89.96%) | 502/5000 (10.04%) | 831.91 | 831.91 | 11848 |
| Obfuscated (1024 × 1024) | 4525/5000 (90.05%) | 475/5000 (9.5%) | 3199.81 | 3199.81 | 48231 |
| Overall | 92.89% | 7.11% | 1418.65 | 1418.65 | 38890 |

| Scripts | Correct detec. | FP rate | (ms) | (ms) | |
|---|---|---|---|---|---|
| Clean (256 × 256) | 4885/5000 (97.7%) | 115/5000 (2.3%) | 166.4 | N/A | N/A |
| Clean (512 × 512) | 4897/5000 (97.94%) | 103/5000 (2.06%) | 831.82 | N/A | N/A |
| Clean (1024 × 1024) | 4831/5000 (96.62%) | 169/5000 (3.38%) | 3261.14 | N/A | N/A |
| Overall | 97.42% | 2.58% | 1419.79 | N/A | N/A |