METHOD OF DETECTING SUSPICIOUS ACTIVITY ASSOCIATED WITH USING COMMAND LINE INTERPRETER Russian patent published in 2024 - IPC G06F21/00 

Abstract RU 2817556 C1

FIELD: information technology.

SUBSTANCE: the invention is intended to ensure information security. Disclosed is a method for detecting suspicious activity in which execution of a command line interpreter is detected using: heuristic rules applied to the log generated by the command line interpreter; analysis of logs dynamically generated by the command line interpreter; and analysis of network traffic, in which control commands, scripts and other data transmitted to the command line interpreter are searched for. Information on activity associated with execution of the detected command line interpreter is collected, wherein the information is a set of function calls and the parameters describing these functions, together with data provided to the command line interpreter by transmission over a network, by receipt from a user through an input/output mechanism, by simulation of user input, or by execution of a script. Interactive input into the command line interpreter carried out by means of inter-process communication is detected based on analysis of the collected information on activity associated with use of the command line interpreter; data on the detected interactive input is collected, wherein the collected data is at least information on actions aimed at replacing one file with another file; a decision on suspicious activity associated with use of the command line interpreter is made based on analysis of the collected data; and actions are taken to limit the operation of the command line interpreter in order to eliminate possible damage to data.

EFFECT: detecting suspicious activity of using a command line interpreter.

11 claims, 3 drawings
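The detection pipeline the abstract describes, as an added Python example that is not part of the patent: it applies a heuristic rule to constructed process records to find interpreter instances, flags input that arrived over inter-process communication rather than from a console, collects file-replacement actions, and decides which interpreters to restrict. The event field names, the interpreter list and the sample records are assumptions of this example, not the patent's own data format.

```python
# Constructed sample of collected activity: function calls and their parameters,
# one record per call, as the abstract's "set of function calls and parameters".
# Field names and values are assumptions of this example (constructed data).
SAMPLE_EVENTS = [
    {"pid": 100, "func": "CreateProcess", "params": {"image": "cmd.exe", "stdin": "pipe"}},
    {"pid": 100, "func": "ReadConsole", "params": {"source": "ipc", "bytes": 64}},
    {"pid": 100, "func": "MoveFileEx", "params": {"src": "C:\\tmp\\x.dat",
                                                 "dst": "C:\\app\\config.dat",
                                                 "replace_existing": True}},
    {"pid": 200, "func": "CreateProcess", "params": {"image": "cmd.exe", "stdin": "console"}},
    {"pid": 200, "func": "ReadConsole", "params": {"source": "user", "bytes": 12}},
    {"pid": 200, "func": "CopyFile", "params": {"src": "a.txt", "dst": "b.txt",
                                               "fail_if_exists": True}},
]

# Heuristic rule: image names treated as command line interpreters (assumed list).
INTERPRETERS = {"cmd.exe", "powershell.exe", "bash", "sh"}


def detect_interpreters(events):
    """Step 1: find interpreter instances in the process log by image name."""
    return {e["pid"] for e in events
            if e["func"] == "CreateProcess"
            and e["params"].get("image", "").lower() in INTERPRETERS}


def has_ipc_input(events, pid):
    """Step 2: interactive input delivered over inter-process communication."""
    return any(e["pid"] == pid and e["func"] == "ReadConsole"
               and e["params"].get("source") == "ipc" for e in events)


def file_replacements(events, pid):
    """Step 3: collect actions that replace one file with another (src, dst)."""
    found = []
    for e in events:
        if e["pid"] != pid:
            continue
        p = e["params"]
        # A move that overwrites, or a copy that does not refuse existing targets.
        if e["func"] == "MoveFileEx" and p.get("replace_existing"):
            found.append((p["src"], p["dst"]))
        elif e["func"] == "CopyFile" and not p.get("fail_if_exists", True):
            found.append((p["src"], p["dst"]))
    return found


def assess(events):
    """Step 4: decide per interpreter; returns {pid: (suspicious, replacements)}."""
    verdicts = {}
    for pid in detect_interpreters(events):
        repl = file_replacements(events, pid)
        verdicts[pid] = (has_ipc_input(events, pid) and bool(repl), repl)
    return verdicts


def restrict(verdicts):
    """Step 5: interpreters whose operation should be limited (pids to suspend)."""
    return sorted(pid for pid, (suspicious, _) in verdicts.items() if suspicious)
```

Running `restrict(assess(SAMPLE_EVENTS))` flags only pid 100, whose input came over a pipe and which overwrote an existing file; pid 200 read from a console and copied without overwriting.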

Similar patents RU2817556C1

Title (Year) Number
  • Authors

SYSTEM AND METHOD OF DETECTING MALICIOUS SCRIPT (2017) RU2659738C1
  • Pavlyushchik Mikhail Aleksandrovich

SYSTEM AND METHOD OF DETECTING THE HARMFUL CODE IN THE ADDRESS PROCESS SPACE (2017) RU2665910C1
  • Pavlyushchik Mikhail Aleksandrovich

SYSTEM AND METHOD OF DETECTING THE SIGNS OF COMPUTER ATTACKS (2017) RU2661533C1
  • Gordejchik Sergej Vladimirovich
  • Sapronov Konstantin Vladimirovich
  • Parshin Yurij Gennadevich
  • Kheirkhabarov Tejmur Samedovich
  • Soldatov Sergej Vladimirovich

SYSTEM AND METHOD OF DETECTING MALICIOUS FILES OF CERTAIN TYPE (2014) RU2583712C2
  • Zakorzhevskij Vjacheslav Vladimirovich
  • Aseev Evgenij Alekseevich
  • Krjukov Andrej Vladimirovich
  • Ivanov Anton Mikhajlovich

METHOD OF DETECTING MALICIOUS EXECUTABLES, CONTAINING INTERPRETER, BY COMBINING EMULATORS (2015) RU2622627C2
  • Zakorzhevskij Vyacheslav Vladimirovich
  • Vinogradov Dmitrij Valerevich
  • Pintijskij Vladislav Valerevich
  • Kirsanov Dmitrij Aleksandrovich

EMULATOR AND METHOD FOR EMULATION (2020) RU2757409C1
  • Pintijskij Vladislav Valerevich
  • Anikin Denis Vyacheslavovich
  • Kirsanov Dmitrij Aleksandrovich
  • Trofimenko Sergej Vladimirovich

SYSTEM AND METHOD OF DETECTING A MALICIOUS FILE (2018) RU2739865C2
  • Chistyakov Aleksandr Sergeevich
  • Romanenko Aleksej Mikhajlovich
  • Shevelev Aleksandr Sergeevich

SYSTEM AND METHOD OF MANAGING COMPUTING RESOURCES FOR DETECTING MALICIOUS FILES (2017) RU2659737C1
  • Chistyakov Aleksandr Sergeevich
  • Lobacheva Ekaterina Maksimovna
  • Romanenko Aleksej Mikhajlovich

SYSTEM AND METHOD OF CLASSIFYING OBJECTS OF COMPUTER SYSTEM (2018) RU2724710C1
  • Chistyakov Aleksandr Sergeevich
  • Romanenko Aleksej Mikhajlovich
  • Shevelev Aleksandr Sergeevich

SYSTEM AND METHOD FOR IDENTIFYING MALICIOUS FILES (2017) RU2673407C1
  • Gordejchik Sergej Vladimirovich
  • Soldatov Sergej Vladimirovich
  • Sapronov Konstantin Vladimirovich

RU 2 817 556 C1

Authors

Ovcharik Vladislav Ivanovich

Shulmin Aleksei Sergeevich

Dates

Published: 2024-04-16

Filed: 2023-03-23