{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,25]],"date-time":"2026-02-25T17:13:06Z","timestamp":1772039586564,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":56,"publisher":"ACM","license":[{"start":{"date-parts":[[2019,11,6]],"date-time":"2019-11-06T00:00:00Z","timestamp":1572998400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"Key Research and Development Program of Zhejiang Province","award":["2018C01088"],"award-info":[{"award-number":["2018C01088"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2019,11,6]]},"DOI":"10.1145\/3319535.3363187","type":"proceedings-article","created":{"date-parts":[[2019,11,7]],"date-time":"2019-11-07T13:08:32Z","timestamp":1573132112000},"page":"1831-1847","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":27,"title":["Effective and Light-Weight Deobfuscation and Semantic-Aware Attack Detection for PowerShell Scripts"],"prefix":"10.1145","author":[{"given":"Zhenyuan","family":"Li","sequence":"first","affiliation":[{"name":"Zhejiang University, Hangzhou, China"}]},{"given":"Qi Alfred","family":"Chen","sequence":"additional","affiliation":[{"name":"University of California, Irvine, Irvine, CA, USA"}]},{"given":"Chunlin","family":"Xiong","sequence":"additional","affiliation":[{"name":"Zhejiang University, Hangzhou, China"}]},{"given":"Yan","family":"Chen","sequence":"additional","affiliation":[{"name":"Northwestern University, Evanston, IL, USA"}]},{"given":"Tiantian","family":"Zhu","sequence":"additional","affiliation":[{"name":"Zhejiang University of Technology, Hangzhou, China"}]},{"given":"Hai","family":"Yang","sequence":"additional","affiliation":[{"name":"MagicShield Inc, Hangzhou, 
China"}]}],"member":"320","published-online":{"date-parts":[[2019,11,6]]},"reference":[{"key":"e_1_3_2_2_1_1","volume-title":"Proceedings of the 12th International Conference on Availability, Reliability and Security - ARES '17. ACM Press","author":"Khalek Moataz Abdel","year":"2017"},{"key":"e_1_3_2_2_2_1","volume-title":"ICIMP 2016 the Eleventh International Conference on Internet Monitoring and Protection, Valencia, May 22--26","volume":"1","author":"Aebersold Simon","year":"2016"},{"key":"e_1_3_2_2_3_1","volume-title":"AbstractSyntaxTree-Based PowerShell Obfuscation - cobbr.io. https:\/\/cobbr.io\/AbstractSyntaxTree-Based-PowerShell-Obfuscation.html Retrieved","author":"Bohannon Daniel","year":"2019"},{"key":"e_1_3_2_2_4_1","volume-title":"ObfuscatedEmpire - Use an obfuscated, in-memory PowerShell C2 channel to evade AV signatures - cobbr.io. https:\/\/cobbr.io\/ObfuscatedEmpire.html Retrieved","author":"Bohannon Daniel","year":"2019"},{"key":"e_1_3_2_2_5_1","unstructured":"Daniel Bohannon. 2019. PowerShell Obfuscation Detection Framework. Contribute to danielbohannon\/Revoke-Obfuscation development by creating an account on GitHub. https:\/\/github.com\/danielbohannon\/Revoke-Obfuscation original-date: 2017-07--11T01:20:48Z.  Daniel Bohannon. 2019. PowerShell Obfuscation Detection Framework. Contribute to danielbohannon\/Revoke-Obfuscation development by creating an account on GitHub. https:\/\/github.com\/danielbohannon\/Revoke-Obfuscation original-date: 2017-07--11T01:20:48Z."},{"key":"e_1_3_2_2_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/1133905.1133907"},{"key":"e_1_3_2_2_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/1963405.1963436"},{"key":"e_1_3_2_2_9_1","volume-title":"The Increased Use of PowerShell in Attacks. 
https:\/\/www.symantec.com\/content\/dam\/symantec\/docs\/security-center\/white-papers\/increased-use-of-powershell-in-attacks-16-en.pdf Retrieved","author":"Candid Wueest","year":"2019"},{"key":"e_1_3_2_2_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2005.20"},{"key":"e_1_3_2_2_11_1","doi-asserted-by":"publisher","DOI":"10.1109\/WCRE.2009.24"},{"key":"e_1_3_2_2_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/2046707.2046739"},{"key":"e_1_3_2_2_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/1772690.1772720"},{"key":"e_1_3_2_2_14_1","volume-title":"USENIX Security Symposium","author":"Curtsinger Charlie","year":"2011"},{"key":"e_1_3_2_2_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455779"},{"key":"e_1_3_2_2_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.11"},{"key":"e_1_3_2_2_17_1","doi-asserted-by":"publisher","DOI":"10.4236\/jis.2014.52006"},{"key":"e_1_3_2_2_18_1","volume-title":"OVERRULED: Containing a Potentially Destructive Adversary. https:\/\/www.fireeye.com\/blog\/threat-research\/2018\/12\/overruled-containing-a-potentially-destructive-adversary.html Retrieved","author":"Geoff Ackerman Rick Cole","year":"2018"},{"key":"e_1_3_2_2_19_1","volume-title":"Script Tracing and Logging. https:\/\/docs.microsoft.com\/en-us\/powershell\/wmf\/5.0\/audit_script Retrieved","year":"2019"},{"key":"e_1_3_2_2_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/3196494.3196511"},{"key":"e_1_3_2_2_21_1","unstructured":"Ahl Ian. 2017. Privileges and Credentials: Phished at the Request of Counsel \u00ab Privileges and Credentials: Phished at the Request of Counsel. https:\/\/www.fireeye.com\/blog\/threat-research\/2017\/06\/phished-at-the-request-of-counsel.html Retrieved May 10 2019 from  Ahl Ian. 2017. Privileges and Credentials: Phished at the Request of Counsel \u00ab Privileges and Credentials: Phished at the Request of Counsel. 
https:\/\/www.fireeye.com\/blog\/threat-research\/2017\/06\/phished-at-the-request-of-counsel.html Retrieved May 10 2019 from"},{"key":"e_1_3_2_2_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/MALWARE.2010.5665789"},{"key":"e_1_3_2_2_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/AISP.2015.7123508"},{"key":"e_1_3_2_2_24_1","volume-title":"https:\/\/docs.microsoft.com\/en-us\/powershell\/scripting\/overview Retrieved","author":"Scripting PowerShell","year":"2019"},{"key":"e_1_3_2_2_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/1314389.1314399"},{"key":"e_1_3_2_2_27_1","volume-title":"Clone Detection Using Abstract Syntax Suffix Trees. In 2006 13th Working Conference on Reverse Engineering. IEEE","author":"Koschke Rainer","year":"2006"},{"key":"e_1_3_2_2_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/WCRE.2006.18"},{"key":"e_1_3_2_2_29_1","volume-title":"PSDEM: A Feasible De-Obfuscation Method for Malicious PowerShell Detection. In 2018 IEEE Symposium on Computers and Communications (ISCC). IEEE, Natal, 00825--00831","author":"Liu Chao","year":"2018"},{"key":"e_1_3_2_2_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/SERE.2012.13"},{"key":"e_1_3_2_2_31_1","unstructured":"Viral Maniar. 2019. Python based backdoor that uses Gmail to exfiltrate data through attachment. This RAT will help during red team engagements to backdoor any Windows machines. It tracks the user activity using scree.. https:\/\/github.com\/Viralmaniar\/Powershell-RAT original-date: 2018-03--15T01:51:08Z.  Viral Maniar. 2019. Python based backdoor that uses Gmail to exfiltrate data through attachment. This RAT will help during red team engagements to backdoor any Windows machines. It tracks the user activity using scree.. https:\/\/github.com\/Viralmaniar\/Powershell-RAT original-date: 2018-03--15T01:51:08Z."},{"key":"e_1_3_2_2_32_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2007.15"},{"key":"e_1_3_2_2_33_1","volume-title":"Emotet droppers. 
https:\/\/maxkersten.nl\/binary-analysis-course\/malware-analysis\/emotet-droppers\/ Retrieved","author":"Max Kersten","year":"2019"},{"key":"e_1_3_2_2_34_1","volume-title":"Malwise System for Packed and Polymorphic Malware. vol","author":"Rehaman Pasha Mr Md","year":"2014"},{"key":"e_1_3_2_2_35_1","volume-title":"Classification of packed executables for accurate computer virus detection. Pattern recognition letters","author":"Perdisci Roberto","year":"2008"},{"key":"e_1_3_2_2_36_1","unstructured":"R3MRUM. 2019. PowerShell script for deobfuscating encoded PowerShell scripts: R3MRUM\/PSDecode. https:\/\/github.com\/R3MRUM\/PSDecode original-date: 2017--12--11T02:27:42Z.  R3MRUM. 2019. PowerShell script for deobfuscating encoded PowerShell scripts: R3MRUM\/PSDecode. https:\/\/github.com\/R3MRUM\/PSDecode original-date: 2017--12--11T02:27:42Z."},{"key":"e_1_3_2_2_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/2799979.2800015"},{"key":"e_1_3_2_2_38_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2013.01.008"},{"key":"e_1_3_2_2_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/1920261.1920267"},{"key":"e_1_3_2_2_40_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2006.38"},{"key":"e_1_3_2_2_41_1","volume-title":"AST-Based Deep Learning for Detecting Malicious PowerShell. arXiv:1810.09230 [cs, stat] (Oct","author":"Rusak Gili","year":"2018"},{"key":"e_1_3_2_2_42_1","volume-title":"samratashok\/nishang: Nishang - Offensive PowerShell for red team, penetration testing and offensive security. https:\/\/github.com\/samratashok\/nishang Retrieved","year":"2019"},{"key":"e_1_3_2_2_43_1","volume-title":"Pulling Back the Curtains on EncodedCommand PowerShell Attacks. 
https:\/\/unit42.paloaltonetworks.com\/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks\/ Retrieved","author":"Robert Diggs","year":"2019"},{"key":"e_1_3_2_2_44_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2009.27"},{"key":"e_1_3_2_2_45_1","unstructured":"Monirul I Sharif Andrea Lanzi Jonathon T Giffin and Wenke Lee. 2008. Impeding Malware Analysis Using Conditional Code Obfuscation.. In NDSS .  Monirul I Sharif Andrea Lanzi Jonathon T Giffin and Wenke Lee. 2008. Impeding Malware Analysis Using Conditional Code Obfuscation.. In NDSS ."},{"key":"e_1_3_2_2_46_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-14081-5_23"},{"key":"e_1_3_2_2_47_1","unstructured":"Symantec. 2018. Security Center White Papers | Symantec. https:\/\/www.symantec.com\/security-center\/white-papers  Symantec. 2018. Security Center White Papers | Symantec. https:\/\/www.symantec.com\/security-center\/white-papers"},{"key":"e_1_3_2_2_48_1","unstructured":"Weltner Tobias. 2018. New Obfuscation Modes. http:\/\/www.powertheshell.com\/obfuscationmode\/ Retrieved May 10 2019 from  Weltner Tobias. 2018. New Obfuscation Modes. http:\/\/www.powertheshell.com\/obfuscationmode\/ Retrieved May 10 2019 from"},{"key":"e_1_3_2_2_49_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.46"},{"key":"e_1_3_2_2_50_1","volume-title":"Computational intelligence in security for information systems","author":"Ugarte-Pedrero Xabier"},{"key":"e_1_3_2_2_51_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2014.03.012"},{"key":"e_1_3_2_2_52_1","unstructured":"Candid Wueest and Himanshu Anand. 2017. ISTR Living off the land and fileless attack techniques. https:\/\/www.symantec.com\/content\/dam\/symantec\/docs\/security-center\/white-papers\/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf Retrieved May 10 2019 from  Candid Wueest and Himanshu Anand. 2017. ISTR Living off the land and fileless attack techniques. 
https:\/\/www.symantec.com\/content\/dam\/symantec\/docs\/security-center\/white-papers\/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf Retrieved May 10 2019 from"},{"key":"e_1_3_2_2_53_1","unstructured":"Candid Wueest and Doherty Stephen. 2016. The Increased Use of PowerShell in Attacks. https:\/\/www.symantec.com\/content\/dam\/symantec\/docs\/security-center\/white-papers\/increased-use-of-powershell-in-attacks-16-en.pdf  Candid Wueest and Doherty Stephen. 2016. The Increased Use of PowerShell in Attacks. https:\/\/www.symantec.com\/content\/dam\/symantec\/docs\/security-center\/white-papers\/increased-use-of-powershell-in-attacks-16-en.pdf"},{"key":"e_1_3_2_2_54_1","doi-asserted-by":"publisher","DOI":"10.1109\/MALWARE.2012.6461002"},{"key":"e_1_3_2_2_55_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.47"},{"key":"e_1_3_2_2_56_1","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-008-0082-4"},{"key":"e_1_3_2_2_57_1","doi-asserted-by":"publisher","DOI":"10.1145\/3168820"},{"key":"e_1_3_2_2_58_1","doi-asserted-by":"publisher","DOI":"10.1145\/1015330.1015332"}],"event":{"name":"CCS '19: 2019 ACM SIGSAC Conference on Computer and Communications Security","location":"London United Kingdom","acronym":"CCS '19","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications 
Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3319535.3363187","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3319535.3363187","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T23:44:32Z","timestamp":1750203872000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3319535.3363187"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,11,6]]},"references-count":56,"alternative-id":["10.1145\/3319535.3363187","10.1145\/3319535"],"URL":"https:\/\/doi.org\/10.1145\/3319535.3363187","relation":{},"subject":[],"published":{"date-parts":[[2019,11,6]]},"assertion":[{"value":"2019-11-06","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}