US 11,954,202 B2
Deep learning based detection of malicious shell scripts
Farshid Marbouti, San Jose, CA (US); Sarvani Kare, Clarksville, MD (US); Boshika Tara, Pleasanton, CA (US); Stephen Fletcher, Arlington, VA (US); and Patrick Sofo, Arlington, VA (US)
Assigned to Capital One Services, LLC, McLean, VA (US)
Filed by Capital One Services, LLC, McLean, VA (US)
Filed on May 14, 2021, as Appl. No. 17/320,616.
Prior Publication US 2022/0366040 A1, Nov. 17, 2022
Int. Cl. G06F 21/12 (2013.01); G06F 21/14 (2013.01); G06F 21/55 (2013.01); G06F 21/56 (2013.01); G06N 3/04 (2023.01); G06N 3/045 (2023.01); G06N 3/0464 (2023.01); G06N 3/08 (2023.01)
CPC G06F 21/562 (2013.01) [G06F 21/554 (2013.01); G06N 3/04 (2013.01); G06N 3/045 (2023.01); G06N 3/0464 (2023.01); G06N 3/08 (2013.01); G06F 2221/033 (2013.01)]
20 Claims
1. A system for detecting obfuscated shell scripts, the system comprising:
one or more memories; and
one or more processors, communicatively coupled to the one or more memories, configured to:
receive a shell script associated with a computing device;
generate a character frequency feature vector based on the shell script;
input, into a trained deep learning model that includes a convolutional neural network (CNN) branch and a feedforward neural network branch:
text of the shell script to the CNN branch, and
the character frequency feature vector to the feedforward neural network branch;
determine, using the trained deep learning model, a respective probability score for each of a plurality of obfuscation types for the shell script based on a combined output of the CNN branch and the feedforward neural network branch; and
detect whether the shell script is obfuscated based on the respective probability score for each of the plurality of obfuscation types determined for the shell script.
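The two model inputs named in claim 1, prepared from a script, as an added example that is not taken from the patent or from the assignee's code. The printable-ASCII alphabet, the extra "other" slot, `MAX_LEN` and the padding/unknown id scheme are assumptions, since the claim does not specify them; the trained model itself is not reproduced.

```python
from collections import Counter
import string

# Assumption: features are counted over printable ASCII (100 characters).
ALPHABET = string.printable
INDEX = {ch: i for i, ch in enumerate(ALPHABET)}
MAX_LEN = 256  # assumed fixed sequence length for the CNN branch


def char_frequency_vector(script: str) -> list:
    """Feedforward-branch input: relative frequency of each ALPHABET
    character, plus one final slot for any character outside it."""
    counts = Counter(script)
    total = len(script) or 1  # avoid dividing by zero on an empty script
    vec = [counts.get(ch, 0) / total for ch in ALPHABET]
    other = sum(n for ch, n in counts.items() if ch not in INDEX)
    vec.append(other / total)
    return vec


def encode_text(script: str, max_len: int = MAX_LEN) -> list:
    """CNN-branch input: one integer id per character, truncated or
    right-padded to max_len. 0 = padding, 1 = unknown, 2+ = ALPHABET index."""
    ids = [INDEX.get(ch, -1) + 2 for ch in script[:max_len]]
    return ids + [0] * (max_len - len(ids))


def largest_shifts(a: str, b: str, n: int = 5) -> list:
    """Characters whose relative frequency differs most between two scripts."""
    va, vb = char_frequency_vector(a), char_frequency_vector(b)
    labels = list(ALPHABET) + ["<other>"]
    ranked = sorted(zip(labels, va, vb), key=lambda t: abs(t[1] - t[2]), reverse=True)
    return [(ch, round(fb - fa, 4)) for ch, fa, fb in ranked[:n]]


# Constructed samples: the same harmless command, plain and base64-wrapped.
PLAIN = "#!/bin/sh\necho hello\n"
WRAPPED = "#!/bin/sh\necho 'ZWNobyBoZWxsbwo=' | base64 -d | sh\n"

if __name__ == "__main__":
    for name, script in (("plain", PLAIN), ("wrapped", WRAPPED)):
        freq = char_frequency_vector(script)
        ids = encode_text(script)
        print(name, "freq dims:", len(freq), "text ids:", ids[:12], "...")
    print("largest frequency shifts:", largest_shifts(PLAIN, WRAPPED))
```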