{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,10]],"date-time":"2026-03-10T15:25:05Z","timestamp":1773156305435,"version":"3.50.1"},"publisher-location":"Cham","reference-count":40,"publisher":"Springer Nature Switzerland","isbn-type":[{"value":"9783031491863","type":"print"},{"value":"9783031491870","type":"electronic"}],"license":[{"start":{"date-parts":[[2023,1,1]],"date-time":"2023-01-01T00:00:00Z","timestamp":1672531200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2023,1,1]],"date-time":"2023-01-01T00:00:00Z","timestamp":1672531200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2023]]},"DOI":"10.1007\/978-3-031-49187-0_4","type":"book-chapter","created":{"date-parts":[[2023,11,30]],"date-time":"2023-11-30T12:02:36Z","timestamp":1701345756000},"page":"59-78","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":4,"title":["SIFAST: An Efficient Unix Shell Embedding Framework for\u00a0Malicious 
Detection"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0009-0009-1969-1167","authenticated-orcid":false,"given":"Songyue","family":"Chen","sequence":"first","affiliation":[]},{"given":"Rong","family":"Yang","sequence":"additional","affiliation":[]},{"given":"Hong","family":"Zhang","sequence":"additional","affiliation":[]},{"given":"Hongwei","family":"Wu","sequence":"additional","affiliation":[]},{"given":"Yanqin","family":"Zheng","sequence":"additional","affiliation":[]},{"given":"Xingyu","family":"Fu","sequence":"additional","affiliation":[]},{"given":"Qingyun","family":"Liu","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2023,12,1]]},"reference":[{"key":"4_CR1","unstructured":"Different linux Commands and Utilities Commonly Used by Attackers. https:\/\/www.uptycs.com\/blog\/linux-commands-and-utilities-commonly-used-by-attackers"},{"key":"4_CR2","unstructured":"Evasive techniques used by malicious shell scripts on different unix systems. https:\/\/www.uptycs.com\/blog\/evasive-techniques-used-by-malicious-linux-shell-scripts"},{"key":"4_CR3","unstructured":"LOLBAS. https:\/\/lolbas-project.github.io\/"},{"key":"4_CR4","unstructured":"Tree-sitter Using Parsers. https:\/\/tree-sitter.github.io\/tree-sitter\/using-parsers"},{"key":"4_CR5","unstructured":"What Is a Reverse Shell | Examples & Prevention Techniques | Imperva"},{"key":"4_CR6","unstructured":"GTFOBins (2022). https:\/\/gtfobins.github.io\/"},{"key":"4_CR7","unstructured":"Living Off the Land: How to Defend Against Malicious Use of Legitimate Utilities (2022). https:\/\/threatpost.com\/living-off-the-land-malicious-use-legitimate-utilities\/177762\/"},{"key":"4_CR8","doi-asserted-by":"publisher","unstructured":"Al-Janabi, M., Altamimi, A.M.: A comparative analysis of machine learning techniques for classification and detection of Malware. In: 2020 21st International Arab Conference on Information Technology (ACIT), pp. 1\u20139 (2020). 
https:\/\/doi.org\/10.1109\/ACIT50332.2020.9300081","DOI":"10.1109\/ACIT50332.2020.9300081"},{"key":"4_CR9","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2022.102658","volume":"116","author":"A Alahmadi","year":"2022","unstructured":"Alahmadi, A., Alkhraan, N., BinSaeedan, W.: MPSAutodetect: a malicious powershell script detection model based on stacked denoising auto-encoder. Comput. Secur. 116, 102658 (2022). https:\/\/doi.org\/10.1016\/j.cose.2022.102658","journal-title":"Comput. Secur."},{"key":"4_CR10","doi-asserted-by":"publisher","unstructured":"Andrew, Y., Lim, C., Budiarto, E.: Mapping Linux shell commands to MITRE ATT&CK using NLP-based approach. In: 2022 International Conference on Electrical Engineering and Informatics (ICELTICs), pp. 37\u201342 (2022). https:\/\/doi.org\/10.1109\/ICELTICs56128.2022.9932097","DOI":"10.1109\/ICELTICs56128.2022.9932097"},{"key":"4_CR11","doi-asserted-by":"publisher","unstructured":"Boffa, M., Milan, G., Vassio, L., Drago, I., Mellia, M., Ben Houidi, Z.: Towards NLP-based processing of honeypot logs. In: 2022 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pp. 314\u2013321 (2022). https:\/\/doi.org\/10.1109\/EuroSPW55150.2022.00038","DOI":"10.1109\/EuroSPW55150.2022.00038"},{"key":"4_CR12","unstructured":"Bohannon, D., Holmes, L.: Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science (2017)"},{"key":"4_CR13","doi-asserted-by":"crossref","unstructured":"Bojanowski, P., Grave, E., Joulin, A., Mikolov, T.: Enriching Word Vectors with Subword Information (2017)","DOI":"10.1162\/tacl_a_00051"},{"key":"4_CR14","doi-asserted-by":"publisher","unstructured":"Chai, H., Ying, L., Duan, H., Zha, D.: Invoke-Deobfuscation: AST-based and semantics-preserving deobfuscation for powershell scripts. In: 2022 52nd Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 295\u2013306 (2022). 
https:\/\/doi.org\/10.1109\/DSN53405.2022.00039","DOI":"10.1109\/DSN53405.2022.00039"},{"key":"4_CR15","doi-asserted-by":"publisher","DOI":"10.1155\/2018\/9327215","volume":"2018","author":"W Elmasry","year":"2018","unstructured":"Elmasry, W., Akbulut, A., Zaim, A.H.: Deep learning approaches for predictive masquerade detection. Secur. Commun. Netw. 2018, e9327215 (2018). https:\/\/doi.org\/10.1155\/2018\/9327215","journal-title":"Secur. Commun. Netw."},{"key":"4_CR16","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2022.102715","volume":"118","author":"Y Fang","year":"2022","unstructured":"Fang, Y., Huang, C., Zeng, M., Zhao, Z., Huang, C.: JStrong: malicious JavaScript detection based on code semantic representation and graph neural network. Comput. Secur. 118, 102715 (2022). https:\/\/doi.org\/10.1016\/j.cose.2022.102715","journal-title":"Comput. Secur."},{"key":"4_CR17","doi-asserted-by":"publisher","first-page":"30","DOI":"10.1016\/j.neucom.2021.03.117","volume":"448","author":"Y Fang","year":"2021","unstructured":"Fang, Y., Zhou, X., Huang, C.: Effective method for detecting malicious PowerShell scripts based on hybrid features. Neurocomputing 448, 30\u201339 (2021). https:\/\/doi.org\/10.1016\/j.neucom.2021.03.117","journal-title":"Neurocomputing"},{"key":"4_CR18","doi-asserted-by":"publisher","unstructured":"Feng, Z., et al.: CodeBERT: a pre-trained model for programming and natural languages (2020). https:\/\/doi.org\/10.48550\/arXiv.2002.08155","DOI":"10.48550\/arXiv.2002.08155"},{"key":"4_CR19","doi-asserted-by":"publisher","unstructured":"Gao, T., Yao, X., Chen, D.: SimCSE: simple contrastive learning of sentence embeddings. In: Proceedings of the 2021 Conference on Empirical Methods in Natural Language Processing, pp. 6894\u20136910. Association for Computational Linguistics, Online and Punta Cana, Dominican Republic (2021). 
https:\/\/doi.org\/10.18653\/v1\/2021.emnlp-main.552","DOI":"10.18653\/v1\/2021.emnlp-main.552"},{"key":"4_CR20","unstructured":"Goudie, M.: The Rise of \u201cLiving off the Land\u201d Attacks | CrowdStrike (2019). https:\/\/www.crowdstrike.com\/blog\/going-beyond-malware-the-rise-of-living-off-the-land-attacks\/"},{"key":"4_CR21","doi-asserted-by":"publisher","unstructured":"Hendler, D., Kels, S., Rubin, A.: Detecting malicious powershell commands using deep neural networks. In: Proceedings of the 2018 on Asia Conference on Computer and Communications Security, pp. 187\u2013197. ASIACCS \u201918, Association for Computing Machinery, New York, NY, USA (2018). https:\/\/doi.org\/10.1145\/3196494.3196511","DOI":"10.1145\/3196494.3196511"},{"key":"4_CR22","doi-asserted-by":"publisher","unstructured":"Hendler, D., Kels, S., Rubin, A.: AMSI-based detection of malicious powershell code using contextual embeddings. In: Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, pp. 679\u2013693. ASIA CCS \u201920, Association for Computing Machinery, New York, NY, USA (2020). https:\/\/doi.org\/10.1145\/3320269.3384742","DOI":"10.1145\/3320269.3384742"},{"key":"4_CR23","doi-asserted-by":"publisher","unstructured":"Hussain, Z., Nurminen, J., Mikkonen, T., Kowiel, M.: Command Similarity Measurement Using NLP (2021). https:\/\/doi.org\/10.4230\/OASIcs.SLATE.2021.13","DOI":"10.4230\/OASIcs.SLATE.2021.13"},{"key":"4_CR24","doi-asserted-by":"publisher","first-page":"2612","DOI":"10.1016\/j.matpr.2020.08.508","volume":"37","author":"A Kidwai","year":"2021","unstructured":"Kidwai, A., et al.: A comparative study on shells in Linux: a review. Mater. Today Proc. 37, 2612\u20132616 (2021). https:\/\/doi.org\/10.1016\/j.matpr.2020.08.508","journal-title":"Mater. Today Proc."},{"key":"4_CR25","unstructured":"Le, Q., Mikolov, T.: Distributed representations of sentences and documents. 
In: Proceedings of the 31st International Conference on International Conference on Machine Learning, vol. 32, pp. II-1188-II-1196. ICML\u201914, JMLR.org, Beijing, China (2014)"},{"key":"4_CR26","unstructured":"Lin, X.V., Wang, C., Zettlemoyer, L., Ernst, M.D.: NL2Bash: a corpus and semantic parser for natural language interface to the Linux operating system (2018). arXiv:1802.08979 [cs]"},{"key":"4_CR27","doi-asserted-by":"publisher","unstructured":"Liu, C., et al.: Code execution with pre-trained language models (2023). https:\/\/doi.org\/10.48550\/arXiv.2305.05383","DOI":"10.48550\/arXiv.2305.05383"},{"issue":"5","key":"4_CR28","doi-asserted-by":"publisher","first-page":"5707","DOI":"10.3233\/JIFS-179659","volume":"38","author":"W Liu","year":"2020","unstructured":"Liu, W., Mao, Y., Ci, L., Zhang, F.: A new approach of user-level intrusion detection with command sequence-to-sequence model. J. Intell. Fuzzy Syst. 38(5), 5707\u20135716 (2020). https:\/\/doi.org\/10.3233\/JIFS-179659","journal-title":"J. Intell. Fuzzy Syst."},{"key":"4_CR29","unstructured":"Mikolov, T., Chen, K., Corrado, G., Dean, J.: Efficient estimation of word representations in vector space (2013). arXiv:1301.3781 [cs]"},{"key":"4_CR30","doi-asserted-by":"publisher","DOI":"10.1016\/j.iot.2021.100404","volume":"15","author":"M Mimura","year":"2021","unstructured":"Mimura, M., Tajiri, Y.: Static detection of malicious PowerShell based on word embeddings. Internet Things 15, 100404 (2021). https:\/\/doi.org\/10.1016\/j.iot.2021.100404","journal-title":"Internet Things"},{"key":"4_CR31","doi-asserted-by":"publisher","unstructured":"Ongun, T., et al.: Living-off-the-land command detection using active learning. In: Proceedings of the 24th International Symposium on Research in Attacks, Intrusions and Defenses, pp. 442\u2013455. RAID \u201921, Association for Computing Machinery, New York, NY, USA (2021). 
https:\/\/doi.org\/10.1145\/3471621.3471858","DOI":"10.1145\/3471621.3471858"},{"key":"4_CR32","series-title":"Lecture Notes in Computer Science (Lecture Notes in Artificial Intelligence)","doi-asserted-by":"publisher","first-page":"547","DOI":"10.1007\/978-3-319-25159-2_49","volume-title":"Knowledge Science, Engineering and Management","author":"H Peng","year":"2015","unstructured":"Peng, H., Mou, L., Li, G., Liu, Y., Zhang, L., Jin, Z.: Building program vector representations for deep learning. In: Zhang, S., Wirsing, M., Zhang, Z. (eds.) KSEM 2015. LNCS (LNAI), vol. 9403, pp. 547\u2013553. Springer, Cham (2015). https:\/\/doi.org\/10.1007\/978-3-319-25159-2_49"},{"key":"4_CR33","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"402","DOI":"10.1007\/978-3-030-04780-1_28","volume-title":"Big Data Analytics","author":"H Rathore","year":"2018","unstructured":"Rathore, H., Agarwal, S., Sahay, S.K., Sewak, M.: Malware detection using machine learning and deep learning. In: Mondal, A., Gupta, H., Srivastava, J., Reddy, P.K., Somayajulu, D.V.L.N. (eds.) BDA 2018. LNCS, vol. 11297, pp. 402\u2013411. Springer, Cham (2018). https:\/\/doi.org\/10.1007\/978-3-030-04780-1_28"},{"key":"4_CR34","unstructured":"Rebootuser: LinEnum (2023)"},{"key":"4_CR35","doi-asserted-by":"publisher","unstructured":"Rousseau, A.: Hijacking .NET to Defend PowerShell (2017). https:\/\/doi.org\/10.48550\/arXiv.1709.07508","DOI":"10.48550\/arXiv.1709.07508"},{"issue":"3","key":"4_CR36","doi-asserted-by":"publisher","first-page":"549","DOI":"10.4218\/etrij.2020-0215","volume":"43","author":"J Song","year":"2021","unstructured":"Song, J., Kim, J., Choi, S., Kim, J., Kim, I.: Evaluations of AI-based malicious PowerShell detection with feature optimizations. ETRI J. 43(3), 549\u2013560 (2021). 
https:\/\/doi.org\/10.4218\/etrij.2020-0215","journal-title":"ETRI J."},{"key":"4_CR37","unstructured":"Swissky: Payloads All The Things (2023)"},{"key":"4_CR38","unstructured":"Trizna, D.: Shell language processing: Unix command parsing for machine learning (2021). arXiv:2107.02438 [cs]"},{"key":"4_CR39","doi-asserted-by":"publisher","first-page":"256","DOI":"10.1109\/ACCESS.2022.3232505","volume":"11","author":"MH Tsai","year":"2023","unstructured":"Tsai, M.H., Lin, C.C., He, Z.G., Yang, W.C., Lei, C.L.: PowerDP: de-obfuscating and profiling malicious PowerShell commands with multi-label classifiers. IEEE Access 11, 256\u2013270 (2023). https:\/\/doi.org\/10.1109\/ACCESS.2022.3232505","journal-title":"IEEE Access"},{"key":"4_CR40","doi-asserted-by":"publisher","unstructured":"Zhai, H., et al.: Masquerade detection based on temporal convolutional network. In: 2022 IEEE 25th International Conference on Computer Supported Cooperative Work in Design (CSCWD), pp. 305\u2013310 (2022). https:\/\/doi.org\/10.1109\/CSCWD54268.2022.9776088","DOI":"10.1109\/CSCWD54268.2022.9776088"}],"container-title":["Lecture Notes in Computer Science","Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-031-49187-0_4","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,4,8]],"date-time":"2025-04-08T21:35:29Z","timestamp":1744148129000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-031-49187-0_4"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023]]},"ISBN":["9783031491863","9783031491870"],"references-count":40,"URL":"https:\/\/doi.org\/10.1007\/978-3-031-49187-0_4","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023]]},"assertion":[{"value":"1 
December 2023","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"ISC","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Information Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Groningen","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"The Netherlands","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2023","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"15 November 2023","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"17 November 2023","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"26","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"isw2023","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/isc23.cs.rug.nl\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}