Research Article
Efficient Detection and Recovery of Malicious PowerShell Scripts Embedded into Digital Images
Table 6
Detection results for StegExpose in “fast” mode.
Invoke-PSImage Mode-1

| Scripts | Correct detec. | FN rate | (ms) | (ms) | (%) |
| --- | --- | --- | --- | --- | --- |
| Deobfuscated | 3860/4641 (83.17%) | 781/4641 (16.83%) | 1.37 | 1.37 | 59 |
| Obfuscated | 1017/4018 (25.31%) | 3001/4018 (74.69%) | 0.44 | 0.44 | 93 |
| Overall | 56.32% | 43.68% | 0.94 | 0.94 | 75 |

Invoke-PSImage Mode-2

| Scripts | Correct detec. | FN rate | (ms) | (ms) | (%) |
| --- | --- | --- | --- | --- | --- |
| Deobfuscated (256 × 256) | 3649/5000 (72.98%) | 1351/5000 (27.02%) | 122 | 122 | 10163 |
| Deobfuscated (512 × 512) | 2852/5000 (57.04%) | 2148/5000 (42.96%) | 480.27 | 480.27 | 25965 |
| Deobfuscated (1024 × 1024) | 2902/5000 (58.04%) | 2098/5000 (41.96%) | 1606.09 | 1606.09 | 104000 |
| Obfuscated (256 × 256) | 3694/5000 (73.88%) | 1306/5000 (26.12%) | 118.33 | 118.33 | 3841 |
| Obfuscated (512 × 512) | 2859/5000 (57.18%) | 2141/5000 (42.82%) | 364.44 | 364.44 | 9719 |
| Obfuscated (1024 × 1024) | 2792/5000 (55.84%) | 2208/5000 (44.16%) | 1694.7 | 1694.7 | 39816 |
| Overall | 62.49% | 37.51% | 730.97 | 730.97 | 32251 |

| Scripts | Correct detec. | FP rate | (ms) | (ms) | (%) |
| --- | --- | --- | --- | --- | --- |
| Clean (256 × 256) | 4905/5000 (98.1%) | 95/5000 (1.9%) | 6.32 | N/A | N/A |
| Clean (512 × 512) | 4966/5000 (99.32%) | 34/5000 (0.68%) | 16.44 | N/A | N/A |
| Clean (1024 × 1024) | 4912/5000 (98.24%) | 88/5000 (1.76%) | 140.67 | N/A | N/A |
| Overall | 98.55% | 1.45% | 54.48 | N/A | N/A |