{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,21]],"date-time":"2026-02-21T07:12:14Z","timestamp":1771657934876,"version":"3.50.1"},"reference-count":59,"publisher":"Zhejiang University Press","issue":"3","license":[{"start":{"date-parts":[[2022,3,1]],"date-time":"2022-03-01T00:00:00Z","timestamp":1646092800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"},{"start":{"date-parts":[[2022,3,1]],"date-time":"2022-03-01T00:00:00Z","timestamp":1646092800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Front Inform Technol Electron Eng"],"published-print":{"date-parts":[[2022,3]]},"DOI":"10.1631\/fitee.2000436","type":"journal-article","created":{"date-parts":[[2022,3,28]],"date-time":"2022-03-28T13:03:18Z","timestamp":1648472598000},"page":"361-381","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":7,"title":["Generic, efficient, and effective deobfuscation and semantic-aware attack detection for PowerShell scripts","\u901a\u7528\u3001 \u6709\u6548\u4e14\u8f7b\u91cf\u7684PowerShell\u89e3\u6df7\u6dc6\u548c\u8bed\u4e49\u654f\u611f\u7684\u653b\u51fb\u68c0\u6d4b\u65b9\u6cd5"],"prefix":"10.1631","volume":"23","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-4426-3585","authenticated-orcid":false,"given":"Chunlin","family":"Xiong","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Zhenyuan","family":"Li","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yan","family":"Chen","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Tiantian","family":"Zhu","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jian","family":"Wang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Hai","family":"Yang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8721-4391","authenticated-orcid":false,"given":"Wei","family":"Ruan","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"635","published-online":{"date-parts":[[2022,3,26]]},"reference":[{"key":"ref1","volume-title":"OVER-RULED: Containing a Potentially Destructive Adversary","author":"Ackerman","year":"2018"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1145\/3098954.3107009"},{"key":"ref3","year":"2013","journal-title":"Acorn"},{"key":"ref4","first-page":"11","article-title":"Detecting obfuscated JavaScript using machine learning","volume-title":"11th Int Conf on Internet Monitoring and Protection","author":"Aebersold","year":"2016"},{"key":"ref5","author":"Ahl","year":"2017","journal-title":"Threat Research: Privileges and Credentials: Phished at the Request of Counsel"},{"key":"ref6","year":"2015","journal-title":"AST Explorer"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1145\/2160158.2160159"},{"key":"ref8","author":"Bohannon","year":"2016","journal-title":"Invoke-Obfuscation"},{"key":"ref9","article-title":"ObfuscatedEmpire-Use an Obfuscated","author":"Bohannon","year":"2017a","journal-title":"In-memory PowerShell C2 Channel to Evade AV Signatures"},{"key":"ref10","author":"Bohannon","year":"2017b","journal-title":"PowerShellObfuscation Detection Framework"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1145\/1133905.1133907"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1145\/1963405.1963436"},{"key":"ref13","author":"Candid","year":"2016","journal-title":"The Increased Use of PowerShell in Attacks"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1109\/sp.2005.20"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1145\/1772690.1772720"},{"key":"ref16","year":"2014","journal-title":"Free Automated Malware Analysis Service"},{"key":"ref17","year":"2018","journal-title":"Who Needs Malware? How Adversaries Use Fileless Attacks to Evade Your Security"},{"key":"ref18","first-page":"33","article-title":"ZOZZLE: fast and precise in-browser JavaScript malware detection","volume-title":"Proc 20th USENIX Conf on Security","author":"Curtsinger","year":"2011"},{"key":"ref19","author":"Diggs","year":"2017","journal-title":"Pulling Back the Curtains on EncodedCommand PowerShell Attacks"},{"key":"ref20","year":"2015","journal-title":"Empire Is a PowerShell and Python Post-Exploitation Agent"},{"key":"ref21","article-title":"Free On-line Dictionary of Computing: Abstract Syntax Tree","year":"1994","journal-title":"FOLDOC"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1109\/sp.2010.11"},{"key":"ref23","year":"2004","journal-title":"VirusTotal"},{"key":"ref24","year":"2011","journal-title":"Traceur-Compiler"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1145\/3196494.3196511"},{"key":"ref26","author":"Hidayat","year":"2012","journal-title":"ECMAScript Parsing Infrastructure for Multipurpose Analysis"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1109\/aisp.2015.7123508"},{"key":"ref28","author":"Kachalov","year":"2016","journal-title":"JavaScript-Obfuscator"},{"key":"ref29","year":"2018","journal-title":"Difference b\/w a Programming & Scripting Language"},{"key":"ref30","article-title":"NOFUS: Automatically Detecting\u201d String.fromCharCode(32) \u201cObFuSCateD\u201d to LowerCase() \u201cJavaScript Code","volume-title":"Technical Report MSR-TR 2011\u201357","author":"Kaplan","year":"2011"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1109\/wcre.2006.18"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363187"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1109\/iscc.2018.8538691"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1109\/sere.2012.13"},{"key":"ref35","author":"Maniar","year":"2018","journal-title":"PowerShell-RAT"},{"key":"ref36","first-page":"144","article-title":"A box, darkly: obfuscation, weird languages, and code aesthetics","volume-title":"Proc 6th Digital Arts and Culture Conf","author":"Mateas","year":"2005"},{"key":"ref37","year":"2014","journal-title":"Submit a File for Malware Analysis Microsoft Security Intelligence"},{"key":"ref38","year":"2019","journal-title":"Antimalware Scan Interface (AMSI)"},{"key":"ref39","year":"2015","journal-title":"UglifyJS"},{"key":"ref40","year":"2015","journal-title":"MITRE ATT&CK"},{"key":"ref41","year":"2020","journal-title":"Technique: PowerShell-MITRE ATT &CK\u2122"},{"key":"ref42","year":"2012","journal-title":"PowerSploit: a PowerShell PostExploitation Framework-PowerShellMafia\/ PowerSploit"},{"key":"ref43","year":"2018","journal-title":"PowerShell Script for Deobfuscating Encoded PowerShell Scripts: R3mrum\/PSDecode"},{"key":"ref44","year":"2003","journal-title":"Code Virtualization"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1145\/1920261.1920267"},{"key":"ref46","author":"Rubin","year":"2019","journal-title":"AMSI-based detection of malicious PowerShell code using contextual embeddings"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3278496"},{"key":"ref48","year":"2020","journal-title":"What Is PowerShell?"},{"key":"ref49","author":"Scraper","year":"2019","journal-title":"Web Scraper"},{"key":"ref50","article-title":"Shift-parser-js","year":"2015","journal-title":"ShapeSecurity"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1109\/icdm.2002.1183938"},{"key":"ref52","year":"2018","journal-title":"Security Center White Papers | Symantec"},{"key":"ref53","author":"Tobias","year":"2018","journal-title":"New Obfuscation Modes"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-22038-9_12"},{"key":"ref55","author":"Wueest","year":"2017","journal-title":"ISTR Living off the Land and Fileless Attack Techniques"},{"key":"ref56","author":"Wueest","year":"2016","journal-title":"The Increased Use of PowerShell in Attacks"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1109\/tdsc.2020.2971484"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1109\/malware.2012.6461002"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-008-0082-4"}],"container-title":["Frontiers of Information Technology & Electronic Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1631\/FITEE.2000436.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1631\/FITEE.2000436\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1631\/FITEE.2000436.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,2,21]],"date-time":"2026-02-21T06:43:01Z","timestamp":1771656181000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1631\/FITEE.2000436"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,3]]},"references-count":59,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2022,3]]}},"alternative-id":["1777"],"URL":"https:\/\/doi.org\/10.1631\/fitee.2000436","relation":{},"ISSN":["2095-9184","2095-9230"],"issn-type":[{"value":"2095-9184","type":"print"},{"value":"2095-9230","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,3]]},"assertion":[{"value":"28 August 2020","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"29 December 2020","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"26 March 2022","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"Chunlin XIONG, Zhenyuan LI, Yan CHEN, Tiantian ZHU, Jian WANG, Hai YANG, and Wei RUAN declare that they have no conflict of interest.","order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Compliance with ethics guidelines"}}]}}