Research Article
Efficient Detection and Recovery of Malicious PowerShell Scripts Embedded into Digital Images
Table 7
Detection results for McAfee SAT (only files of size 256 × 256 can be tested).
| Scripts | Correct detec. | FN rate | (ms) | Conf. level | Score |
|---|---|---|---|---|---|
| Invoke-PSImage Mode-1 | | | | | |
| Deobfuscated | 3064/4641 (66.02%) | 1577/4641 (33.98%) | 5.59 | Low: 0, medium: 2055, high: 2586 | 544.07 |
| Obfuscated | 822/4018 (20.46%) | 3196/4018 (79.54%) | 17.35 | Low: 0, medium: 3892, high: 126 | 100.83 |
| Overall | 44.88% | 55.12% | 11.47 | N/A | 322.45 |
| Invoke-PSImage Mode-2 | | | | | |
| Deobfuscated | 4482/5000 (89.64%) | 518/5000 (10.36%) | 1343.29 | Low: 0, medium: 2476, high: 2524 | 426.87 |
| Obfuscated | 4365/5000 (87.3%) | 635/5000 (12.7%) | 1337.54 | Low: 0, medium: 2476, high: 2524 | 417.26 |
| Overall | 88.47% | 11.53% | 1340.41 | N/A | 422.06 |
| Clean | 4927/5000 (98.54%) | 3/5000 (1.46%) | 1097.37 | Low: 0, medium: 4991, high: 9 | 32.03 |