Detecting Malicious Windows Commands Using Natural Language Processing Techniques

  • Muhammd Mudassar YaminEmail author
  • Basel KattEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11359)


Windows command line arguments are used in administration of operating system through a CLI (command line interface). This command line interface gives access to multiple powerful system administration tools like PowerShell and WMIC. In an ideal scenario, access to CLI is restricted for malicious users, and the command line inputs are logged for forensic investigation. However, cyber criminals are implementing innovative command line obfuscation techniques to bypass those access restrictions and compromise system security. Traditional pattern matching techniques on obfuscated command line arguments are not suitable as detection mechanism due to the large search space presented in obfuscated command. In this work we used artificial intelligence driven natural language processing techniques for the classification of Windows command line as malicious or not. We implemented Multinomial Naive Bayes algorithm with neural network and trained it over a data set of malicious command line arguments. We evaluated the trained classifier in a real environment with both normal and malicious obfuscated command line argument and found our technique very effective in classifying malicious command line arguments with respect to false positives and performance.


Command line obfuscation Machine learning Natural language processing 


  1. 1.
    Balakrishnan, A., Schulze, C.: Code Obfuscation Literature Survey. Accessed 1 Oct 2018
  2. 2.
    Konstantinou, E.: Metamorphic virus: analysis and detection. RHUL-MA-2008-02, Technical report of University of London, January 2008.
  3. 3.
    Hendler, D., Kels, S., Rubin, A.: Detecting malicious PowerShell commands using deep neural networks. In: Proceedings of the 2018 on Asia Conference on Computer and Communications Security, pp. 187–197. ACM (2018)Google Scholar
  4. 4.
    Kim, S., Hong, S., Oh, J., Lee, H.: Obfuscated VBA macro detection using machine learning. In: 2018 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 490–501. IEEE (2018)Google Scholar
  5. 5.
    Peng, T., Harris, I., Sawa, Y.: Detecting phishing attacks using natural language processing and machine learning. In: 2018 IEEE 12th International Conference on Semantic Computing (ICSC), pp. 300–301. IEEE (2018)Google Scholar
  6. 6.
    McCallum, A., Nigam, K.: A comparison of event models for naive bayes text classification. In: AAAI-98 Workshop on Learning for Text Categorization, vol. 752, no. 1, pp. 41–48 (1998)Google Scholar
  7. 7.
    FIN7 hacking group is switched to new techniques to evade detection. Accessed 1 Oct 2018
  8. 8.
    Invoke-DOSfuscation. Accessed 1 Oct 2018
  9. 9.
    Invoke-Obfuscation. Accessed 1 Oct 2018
  10. 10.
    DOSfuscation: Exploring the Depths of CMD.exe Obfuscation and Detection Techniques. Accessed 1 Oct 2018
  11. 11.
    Malicious PowerShell Detection via Machine Learning. Accessed 1 Oct 2018
  12. 12.
    Yegnanarayana, B.: Artificial Neural Networks. PHI Learning Pvt. Ltd. (2009)Google Scholar
  13. 13.
    Liu, W., Wang, Z., Liu, X., Zeng, N., Liu, Y., Alsaadi, F.E.: A survey of deep neural network architectures and their applications. Neurocomputing 234, 11–26 (2017)CrossRefGoogle Scholar
  14. 14.
    Lai, S., Xu, L., Liu, K., Zhao, J.: Recurrent convolutional neural networks for text classification. In: AAAI, vol. 333, pp. 2267–2273 (2015)Google Scholar
  15. 15.
    2 Layer neural Network. Accessed 1 Oct 2018
  16. 16.
    Detecting Lateral Movement through Tracking Event Logs (Version 2). Accessed 22 Oct 2018
  17. 17.
    Natural language tool kit. Accessed 1 Oct 2018
  18. 18.
    Powersploit. Accessed 1 Oct 2018
  19. 19.
    Windows Post Exploitation Command Execution. Accessed 1 Oct 2018
  20. 20.
    Nump. Accessed 1 Oct 2018
  21. 21.
    Sigmoid Function. Accessed 1 Oct 2018

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Norwegian University of Science and TechnologyGjvikNorway

Personalised recommendations