| dc.contributor.advisor | Una-May O'Reilly and Erik Hemberg. | en_US |
| dc.contributor.author | Holz, Carolyn J. | en_US |
| dc.contributor.other | Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science. | en_US |
| dc.date.accessioned | 2019-11-22T00:03:06Z | |
| dc.date.available | 2019-11-22T00:03:06Z | |
| dc.date.copyright | 2019 | en_US |
| dc.date.issued | 2019 | en_US |
| dc.identifier.uri | https://hdl.handle.net/1721.1/123027 | |
| dc.description | This electronic version was submitted by the student author. The certified thesis is available in the Institute Archives and Special Collections. | en_US |
| dc.description | Thesis: M. Eng., Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science, 2019 | en_US |
| dc.description | Cataloged from student-submitted PDF version of thesis. | en_US |
| dc.description | Includes bibliographical references (page 54). | en_US |
| dc.description.abstract | PowerShell is a popular scripting language due to its widespread use and access to critical system functions. However, these factors also contribute to its popularity amongst malware creators. In addition to the extensive access they can achieve with PowerShell, attackers can also obfuscate their PowerShell to make it more difficult to detect. Current detection methods rely on detecting signatures of known malicious scripts which can be easily broken with simple obfuscations. This work seeks to find a more abstract representation of script functionality using Abstract Syntax Trees so that an unseen obfuscated script can be detected if a related script is already known malware. We determine that simple AST based features such as node count and depth along with distance measures calculated from the node types and node orders within the AST are fairly sufficient to attribute obfuscated scripts to their originating script. | en_US |
| dc.description.statementofresponsibility | by Carolyn J. Holz. | en_US |
| dc.format.extent | 54 pages | en_US |
| dc.language.iso | eng | en_US |
| dc.publisher | Massachusetts Institute of Technology | en_US |
| dc.rights | MIT theses are protected by copyright. They may be viewed, downloaded, or printed from this source but further reproduction or distribution in any format is prohibited without written permission. | en_US |
| dc.rights.uri | http://dspace.mit.edu/handle/1721.1/7582 | en_US |
| dc.subject | Electrical Engineering and Computer Science. | en_US |
| dc.title | Investigating representations of obfuscated malicious PowerShell | en_US |
| dc.type | Thesis | en_US |
| dc.description.degree | M. Eng. | en_US |
| dc.contributor.department | Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science | en_US |
| dc.identifier.oclc | 1127649508 | en_US |
| dc.description.collection | M.Eng. Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science | en_US |
| dspace.imported | 2019-11-22T00:03:05Z | en_US |
| mit.thesis.degree | Master | en_US |
| mit.thesis.department | EECS | en_US |
