Abstract: Disclosed herein are systems and methods for detecting malicious use of a remote administration tool. In one aspect, an exemplary method comprises, gathering, from a flow of events, data that comprises any number of keyboard entry events, wherein each event is related at least to actions indicating a keyboard entry and a context in which the event occurred, comparing the gathered keyboard entry events with signatures from a database, and when a match is found with at least one signature, identifying an activity which is a characteristic that indicates that the remote administration tool is being controlled remotely.

Abstract: An example of a method for detecting hacking activities includes categorizing a plurality of web pages of a web site providing bank services using a trained semantic model. The trained semantic model uses at least one resource identifier of a web page as an input and generates a web page category as an output. One or more attributes of an interaction between a user and bank services are identified. The one or more identified attributes are analyzed by comparing the one or more identified attributes with attributes known to belong to hacking interactions based on a corresponding web page category. Hacking activity is identified based on the results of the analysis.

Abstract: An example of a method for detecting hacking activities includes identifying one or more attributes of each interaction in a sequence of interactions between one or more users and bank services during a predetermined time period. The one or more users are categorized into a plurality of groups based on the identified attributes. Each of the plurality of groups includes users performing the sequence of interactions with the bank services during the predetermined time period. A degree of anomaly is calculated for each of the plurality of groups based on a total number of users associated with a corresponding sequence of interactions and based on a number of users associated with the corresponding sequence of interactions during the predetermined time period. The calculated degree of anomaly is compared with a predetermined threshold. Hacking activity is identified, in response to determining that the calculated degree of anomaly exceeds the predetermined threshold.

Abstract: Disclosed herein are systems and methods for detecting malicious use of a remote administration tool. In one aspect, an exemplary method comprises, gathering, from a flow of events, data that comprises any number of keyboard entry events, wherein each event is related at least to actions indicating a keyboard entry and a context in which the event occurred, comparing the gathered keyboard entry events with signatures from a database, and when a match is found with at least one signature, identifying an activity which is a characteristic that indicates that the remote administration tool is being controlled remotely.

Abstract: An example of a method for detecting hacking activities includes identifying one or more attributes of each interaction in a sequence of interactions between one or more users and bank services during a predetermined time period. The one or more users are categorized into a plurality of groups based on the identified attributes. Each of the plurality of groups includes users performing the sequence of interactions with the bank services during the predetermined time period. A degree of anomaly is calculated for each of the plurality of groups based on a total number of users associated with a corresponding sequence of interactions and based on a number of users associated with the corresponding sequence of interactions during the predetermined time period. The calculated degree of anomaly is compared with a predetermined threshold. Hacking activity is identified, in response to determining that the calculated degree of anomaly exceeds the predetermined threshold.

Abstract: An example of a method for detecting hacking activities includes categorizing a plurality of web pages of a web site providing bank services using a trained semantic model. The trained semantic model uses at least one resource identifier of a web page as an input and generates a web page category as an output. One or more attributes of an interaction between a user and bank services are identified. The one or more identified attributes are analyzed by comparing the one or more identified attributes with attributes known to belong to hacking interactions based on a corresponding web page category. Hacking activity is identified based on the results of the analysis.

Abstract: The present disclosure provides systems and methods of selecting candidates for comparison of fingerprints of devices. An exemplary method comprises calculating a digital fingerprint of a device, determining a group of digital fingerprints where the digital fingerprint occurs, calculating vectors of changed features of each digital fingerprint, calculating a probability that the digital fingerprint and each digital fingerprint within the group belong to the same chain, identifying a set of candidates from the group whose probability of belonging to the same chain of fingerprints crosses a value, comparing the calculated digital fingerprint of the device with the fingerprints in the set of candidates, determine that the device correspond to a device in the set of candidates when the comparison results in a match higher than a specified threshold and permitting the user actions, otherwise tracking the user actions with the online service as fraudulent activity.

Abstract: The present disclosure provides systems and methods of selecting candidates for comparison of fingerprints of devices. An exemplary method comprises calculating a digital fingerprint of a device, determining a group of digital fingerprints where the digital fingerprint occurs, calculating vectors of changed features of each digital fingerprint, calculating a probability that the digital fingerprint and each digital fingerprint within the group belong to the same chain, identifying a set of candidates from the group whose probability of belonging to the same chain of fingerprints crosses a value, comparing the calculated digital fingerprint of the device with the fingerprints in the set of candidates, determine that the device correspond to a device in the set of candidates when the comparison results in a match higher than a specified threshold and permitting the user actions, otherwise tracking the user actions with the online service as fraudulent activity.