{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,4]],"date-time":"2026-01-04T09:20:14Z","timestamp":1767518414424,"version":"3.48.0"},"reference-count":43,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2026,1,4]],"date-time":"2026-01-04T00:00:00Z","timestamp":1767484800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2026,1,4]],"date-time":"2026-01-04T00:00:00Z","timestamp":1767484800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"name":"Wenzhou Basic Scientific Research Projects","award":["G20240033"],"award-info":[{"award-number":["G20240033"]}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62002324"],"award-info":[{"award-number":["62002324"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"name":"The Fundamental Research Funds for the Provincial Universities of Zhejiang","award":["RF-A2023009"],"award-info":[{"award-number":["RF-A2023009"]}]},{"name":"Zhejiang Provincial Natural Science Foundation of China","award":["LQ21F020016"],"award-info":[{"award-number":["LQ21F020016"]}]},{"name":"Wenzhou Key Scientific and Technological Projects","award":["ZG2024007"],"award-info":[{"award-number":["ZG2024007"]}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecurity"],"abstract":"<jats:title>Abstract<\/jats:title>\n                  <jats:p>\n                    In recent years, Living off the Land (LotL) attacks have been drawing attention due to their flexibility and difficulty in detection. These attacks exploit legitimate tools already in the system to conduct malicious activities, hiding their malicious intent behind normal benign programs. However, detection methods for such attacks largely rely on expert rules. While rule tags can effectively detect known attacks, this also leads to a high false positive rate, resulting in low detection accuracy for the models. To address these issues, we propose a detection system called LOTLDetector, which combines deep learning methods with expert rules to detect malicious command lines in LotL attacks from both data and knowledge perspectives. LOTLDetector learns the semantics of command line text through neural networks and combines rule tags from expert knowledge, enabling a more comprehensive detection of LotL attacks. We extensively evaluated our method, validated it on a Windows dataset containing 27,448 command lines and a Linux dataset containing 27,093 command lines, and compared it with existing methods. The results show that our method significantly outperforms existing methods in detecting malicious command lines. For the Linux dataset, the detection system achieved a detection performance with an accuracy of 0.9728; for the Windows dataset, the system\u2019s detection accuracy also reached 0.9598, which is about 8% higher than the best existing method. In addition, our project has been open-sourced at\n                    <jats:ext-link xmlns:xlink=\"http:\/\/www.w3.org\/1999\/xlink\" xlink:href=\"https:\/\/github.com\/csedikaf\/LOTLDetector\" ext-link-type=\"uri\">https:\/\/github.com\/csedikaf\/LOTLDetector<\/jats:ext-link>\n                    .\n                  <\/jats:p>","DOI":"10.1186\/s42400-025-00531-w","type":"journal-article","created":{"date-parts":[[2026,1,4]],"date-time":"2026-01-04T09:17:32Z","timestamp":1767518252000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Lotldetector: living off the land attacks detection system based on feature fusion"],"prefix":"10.1186","volume":"9","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-8657-662X","authenticated-orcid":false,"given":"Tiantian","family":"Zhu","sequence":"first","affiliation":[]},{"given":"Jie","family":"Zheng","sequence":"additional","affiliation":[]},{"given":"Tieming","family":"Chen","sequence":"additional","affiliation":[]},{"given":"Mingqi","family":"Lv","sequence":"additional","affiliation":[]},{"given":"Chunlin","family":"Xiong","sequence":"additional","affiliation":[]},{"given":"Zhengqiu","family":"Weng","sequence":"additional","affiliation":[]},{"given":"Xiangyang","family":"Zheng","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2026,1,4]]},"reference":[{"key":"531_CR1","doi-asserted-by":"crossref","unstructured":"Alsulami B, SrinivasanA, Dong H, Mancoridis S (2017) Lightweight behavioral malware detection for windows platforms. In: 2017 12th international conference on malicious and unwanted software (MALWARE), pp 75\u201381","DOI":"10.1109\/MALWARE.2017.8323959"},{"issue":"10","key":"531_CR2","doi-asserted-by":"publisher","first-page":"4170","DOI":"10.3390\/app14104170","volume":"14","author":"O Arreche","year":"2024","unstructured":"Arreche O, Guntur T, Abdallah M (2024) Xai-ids: toward proposing an explainable artificial intelligence framework for enhancing network intrusion detection systems. Appl Sci 14(10):4170","journal-title":"Appl Sci"},{"key":"531_CR3","doi-asserted-by":"crossref","unstructured":"Barr-Smith F, Ugarte-Pedrero X, Graziano M, Spolaor R, Martinovic I(2021) Survivalism: systematic analysis of windows malware living-off-the-land. In: 2021 IEEE symposium on security and privacy (SP), pp 1557\u20131574. IEEE","DOI":"10.1109\/SP40001.2021.00047"},{"key":"531_CR4","unstructured":"Bohannon D. cmd.exe command obfuscation generator & detection test harness. https:\/\/github.com\/danielbohannon\/invoke-dosfuscation"},{"key":"531_CR5","unstructured":"Bohannon D. Revoke-obfuscation. https:\/\/github.com\/d anielbohannon\/revoke-obfuscation"},{"key":"531_CR6","doi-asserted-by":"crossref","unstructured":"Boros T, Cotaie A, Stan A, Vikramjeet K, Malik V, Davidson J (2022) Machine learning and feature engineering for detecting living off the land attacks. In: IoTBDS, pp 133\u2013140","DOI":"10.5220\/0011004500003194"},{"key":"531_CR7","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2023.103518","volume":"136","author":"T Chen","year":"2024","unstructured":"Chen T, Zeng H, Lv M, Zhu T (2024) Ctimd: cyber threat intelligence enhanced malware detection using API call sequences with parameters. Comput. Secur. 136:103518","journal-title":"Comput. Secur."},{"key":"531_CR8","unstructured":"Crowdstrike 2024 global threat report. https:\/\/www.crowdstrike.com\/global-threat-report\/"},{"key":"531_CR9","doi-asserted-by":"crossref","unstructured":"Ding K, Zhang S, Yu F, Liu G (2023) Lolwtc: A deep learning approach for detecting living off the land attacks. In: 2023 IEEE 9th international conference on cloud computing and intelligent systems (CCIS), pp 176\u2013181. IEEE","DOI":"10.1109\/CCIS59572.2023.10262997"},{"key":"531_CR10","unstructured":"Downing E, Mirsky Y, Park K, Lee W (2021) $$\\{$$DeepReflect$$\\}$$: Discovering malicious functionality through binary reconstruction. In: 30th USENIX security symposium (USENIX Security 21), pp 3469\u20133486"},{"key":"531_CR11","unstructured":"Exploring the depths of cmd.exe obfuscation and detection techniques. https:\/\/i.blackhat.com\/briefings\/asia\/2018\/asia-18-bohannon-invoke_dosfuscation_techniques_for_fin_style_dos_level _cmd_obfuscation-wp.pdf"},{"key":"531_CR12","unstructured":"Fang V (2018) Malicious powershell detection via machine learning"},{"key":"531_CR13","doi-asserted-by":"publisher","first-page":"30","DOI":"10.1016\/j.neucom.2021.03.117","volume":"448","author":"Y Fang","year":"2021","unstructured":"Fang Y, Zhou X, Huang C (2021) Effective method for detecting malicious powershell scripts based on hybrid features $$\\star$$. Neurocomputing 448:30\u201339","journal-title":"Neurocomputing"},{"issue":"2","key":"531_CR14","doi-asserted-by":"publisher","first-page":"217","DOI":"10.1007\/s11416-022-00441-2","volume":"19","author":"SRR Hariharan","year":"2023","unstructured":"Hariharan SRR, Rejimol R, Rendhir PR, Ciza T, Balakrishnan N (2023) Xai for intrusion detection system: comparing explanations based on global and local scope. J Compu Virol Hack Tech 19(2):217\u2013239","journal-title":"J Compu Virol Hack Tech"},{"key":"531_CR15","unstructured":"Helpsystems. Cobalt strike\u2014adversary simulation and red team operations. https:\/\/www.cobaltstrike.com"},{"key":"531_CR16","doi-asserted-by":"crossref","unstructured":"Hendler D, Kels S, Rubin A (2018) Detecting malicious powershell commands using deep neural networks. In: Proceedings of the 2018 on Asia conference on computer and communications security, pp 187\u2013197","DOI":"10.1145\/3196494.3196511"},{"key":"531_CR17","doi-asserted-by":"crossref","unstructured":"Hendler D, Kels S, Rubin A (2020) Amsi-based detection of malicious powershell code using contextual embeddings. In: Proceedings of the 15th ACM Asia conference on computer and communications security, pp 679\u2013693","DOI":"10.1145\/3320269.3384742"},{"key":"531_CR18","doi-asserted-by":"crossref","unstructured":"Joulin A, Grave E, Bojanowski P, Mikolov T (2016) Bag of tricks for efficient text classification. arXiv preprint arXiv:1607.01759","DOI":"10.18653\/v1\/E17-2068"},{"key":"531_CR19","unstructured":"LeeJDMCK, Toutanova K (2018) Pre-training of deep bidirectional transformers for language understanding. arXiv preprint. arXiv:1810.04805"},{"key":"531_CR20","doi-asserted-by":"crossref","unstructured":"Li Z, Chen QA, Xiong C, Chen Y, Zhu T, Yang H (2019) Effective and light-weight deobfuscation and semantic-aware attack detection for powershell scripts. In: Proceedings of the 2019 ACM SIGSAC conference on computer and communications security, pp 1831\u20131847","DOI":"10.1145\/3319535.3363187"},{"key":"531_CR21","doi-asserted-by":"crossref","unstructured":"Liu S, Peng G, Zeng H, Fu J (2023) A survey on the evolution of fileless attacks and detection techniques. Comput Secur. pp 103653","DOI":"10.1016\/j.cose.2023.103653"},{"key":"531_CR22","doi-asserted-by":"crossref","unstructured":"Liu C, Xia B, Yu M, Liu Y (2018) Psdem: a feasible de-obfuscation method for malicious powershell detection. In: 2018 IEEE symposium on computers and communications (ISCC), pp 825\u2013831. IEEE","DOI":"10.1109\/ISCC.2018.8538691"},{"key":"531_CR23","unstructured":"Living off the land binaries and scripts,https:\/\/informationsecurityasia.com\/zh-cn\/what-is-lolbas\/#real-world_instances_of_lolbas_attacks_and_their_consequences"},{"key":"531_CR24","unstructured":"Living off the land: how to defend against malicious use of legitimate utilities (2022). https:\/\/threatpost.com\/living-off-the-land-malicious-use-legitimate-utilities\/177762\/"},{"key":"531_CR25","unstructured":"Loflcab. https:\/\/lofl-project.github.io\/"},{"key":"531_CR26","unstructured":"Lolbas, living off the land binaries, scripts and libraries. https:\/\/lolbas-project.github.io\/"},{"key":"531_CR27","unstructured":"Malandrone GM, Virdis G, Giacinto G, Maiorca D, et\u00a0al (2021) Powerdecode: a powershell script decoder dedicated to malware analysis. In: Proceedings of the Italian conference on cybersecurity, ITASEC 2021, vol 2940, pp 219\u2013232"},{"key":"531_CR28","unstructured":"Metasploit. https:\/\/www.metasploit.com\/"},{"key":"531_CR29","unstructured":"Microsoft. What is powershell?-powershell\u2014microsoft docs. https:\/\/docs.microsoft.com\/en-us\/powershell\/scripting\/overview"},{"key":"531_CR30","unstructured":"Mikolov T (2013) Efficient estimation of word representations in vector space. arXiv preprint arXiv:1301.3781"},{"key":"531_CR31","unstructured":"Mitre. mitre att&ck framework. https:\/\/attack.mitre.org\/"},{"key":"531_CR32","doi-asserted-by":"crossref","unstructured":"Ning R, Bu W, Yang J, Duan S (2023) A survey of detection methods research on living-off-the-land techniques. In: 2023 IEEE international conference on sensors, electronics and computer engineering (ICSECE), pp 159\u2013164. IEEE","DOI":"10.1109\/ICSECE58870.2023.10263445"},{"key":"531_CR33","doi-asserted-by":"crossref","unstructured":"Ongun T, Stokes JW, Or JB, Tian K, Tajaddodianfar F, Neil J, Seifert C, Oprea A, Platt JC (2021) Living-off-the-land command detection using active learning. In: Proceedings of the 24th international symposium on research in attacks, intrusions and defenses, pp 442\u2013455","DOI":"10.1145\/3471621.3471858"},{"key":"531_CR34","unstructured":"Powersploit\u2014a powershell post-exploitation framework.https:\/\/github.com\/powershellmafia\/powersploit"},{"key":"531_CR35","first-page":"25","volume":"6","author":"A Rakhlin","year":"2016","unstructured":"Rakhlin A (2016) Convolutional neural networks for sentence classification. GitHub 6:25","journal-title":"GitHub"},{"key":"531_CR36","doi-asserted-by":"crossref","unstructured":"Rusak G, Al-Dujaili A, O\u2019Reilly U-M (2018) Ast-based deep learning for detecting malicious powershell. In: Proceedings of the 2018 ACM SIGSAC conference on computer and communications security, pp 2276\u20132278","DOI":"10.1145\/3243734.3278496"},{"key":"531_CR37","doi-asserted-by":"publisher","first-page":"256","DOI":"10.1109\/ACCESS.2022.3232505","volume":"11","author":"MH Tsai","year":"2022","unstructured":"Tsai MH, Lin CC, He ZG, Yang WC, Lei CL (2022) Powerdp: de-obfuscating and profiling malicious powershell commands with multi-label classifiers. IEEE Access 11:256\u2013270","journal-title":"IEEE Access"},{"key":"531_CR38","doi-asserted-by":"crossref","unstructured":"Ugarte D, Maiorca D, Cara F, Giacinto G (2019) Powerdrive: accurate de-obfuscation and analysis of powershell malware. In: Detection of intrusions and malware, and vulnerability assessment: 16th international conference, DIMVA 2019, Gothenburg, Sweden, 2019, Proceedings 16, pp 240\u2013259. Springer","DOI":"10.1007\/978-3-030-22038-9_12"},{"key":"531_CR39","unstructured":"Vaswani A (2017) Attention is all you need. Adv Neural Inf Process Syst"},{"key":"531_CR40","unstructured":"Wadcoms. https:\/\/wadcoms.github.io\/"},{"key":"531_CR41","unstructured":"Wueest C, Anand H (2017) Internet security threat report-living off the land and fileless attack techniques"},{"key":"531_CR42","doi-asserted-by":"crossref","unstructured":"Yamin MM, Katt B (2019) Detecting malicious windows commands using natural language processing techniques. In: Innovative security solutions for information technology and communications: 11th international conference, SecITC 2018, Bucharest, Romania, Revised Selected Papers 11, pp 157\u2013169. Springer","DOI":"10.1007\/978-3-030-12942-2_13"},{"issue":"11","key":"531_CR43","doi-asserted-by":"publisher","first-page":"202","DOI":"10.23919\/JCC.fa.2022-0509.202311","volume":"20","author":"X Yang","year":"2023","unstructured":"Yang X, Peng G, Zhang D, Gao Y, Li C (2023) Powerdetector: malicious powershell script family classification based on multi-modal semantic fusion and deep learning. China Commun 20(11):202\u2013224","journal-title":"China Commun"}],"container-title":["Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-025-00531-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s42400-025-00531-w","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-025-00531-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,1,4]],"date-time":"2026-01-04T09:17:35Z","timestamp":1767518255000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1186\/s42400-025-00531-w"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,1,4]]},"references-count":43,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2026,12]]}},"alternative-id":["531"],"URL":"https:\/\/doi.org\/10.1186\/s42400-025-00531-w","relation":{},"ISSN":["2523-3246"],"issn-type":[{"value":"2523-3246","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,1,4]]},"assertion":[{"value":"7 November 2024","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"26 November 2025","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"4 January 2026","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}}],"article-number":"4"}}