Hao Pan,Feitong Tan,Wenhao Li,Yi-Chao Chen,Lanqing Yang,Guangtao Xue,Xiaoyu Ji

DOI: https://doi.org/10.1109/secon55815.2022.9918604

2022-01-01

Abstract:This study reveals that on-board hardware modules leak electromagnetic (EM) emissions whenever audio or camera data is accessed, and proposes Magdefender scheme that explores the possibility of using the magnetometer built into mobile devices to detect eavesdropping instances by malicious apps and even the unscrupulous phone vendors. However, the target EM signals generated by accessing multimedia data is weak and tends to be buried beneath other noisy EM signals from apps running in the foreground. It is also subject to the external interference from geomagnetic signals generated by the device movement. To cope with the challenges, we adopt a generative adversarial networks (GAN) based model to facilitate the extraction of target EM signals indicating the occurrence of eavesdropping from the overall magnetometer readings. We also develop a neural network-based classifier with triplet loss embedding to identify the EM signals from the camera and/or microphones. Empirical results demonstrate the efficacy of MagDefenderin recognizing instances of eavesdropping on cameras/microphones data, with average accuracy of 97.3% when applied to the trained devices, and average 91.5% on unseen mobile devices.

Rui Ning,Cong Wang,ChunSheng Xin,Jiang Li,Liuwan Zhu,Hongyi Wu

DOI: https://doi.org/10.1109/infocom.2019.8737381

2019-01-01

Abstract:This work proposes an innovative approach, named CapJack, to detect in-browser malicious cryptocurrency mining activities by using the latest CapsNet technology. To the best of our knowledge, this is the first work to introduce CapsNet to the field of malware detection through system behavioral analysis. It is particularly effective to detect malicious miners under multitasking environments where multiple applications run simultaneously. Experimental data show appealing performance of CapJack, with a detection rate of as high as 87% instantly and 99% within a window of 11 seconds.

Dmitry Tanana

2024-08-27

Abstract:With the surge in blockchain-based cryptocurrencies, illegal mining for cryptocurrency has become a popular cyberthreat. Host-based cryptojacking, where malicious actors exploit victims systems to mine cryptocurrency without their knowledge, is on the rise. Regular cryptojacking is relatively well-known and well-studied threat, however, recently attackers started switching to GPU cryptojacking, which promises greater profits due to high GPU hash rates and lower detection chance. Additionally, GPU cryptojackers can easily propagate using, for example, modified graphic card drivers. This article considers question of GPU cryptojacking detection. First, we discuss brief history and definition of GPU cryptojacking as well as previous attempts to design a detection technique for such threats. We also propose complex exposure mechanism based on GPU load by an application and graphic card RAM consumption, which can be used to detect both browser-based and host-based cryptojacking samples. Then we design a prototype decision tree detection program based on our technique. It was tested in a controlled virtual machine environment with 80% successful detection rate against selected set of GPU cryptojacking samples and 20% false positive rate against selected number of legitimate GPU-heavy applications.

Cryptography and Security

Rui Ning,Cong Wang,ChunSheng Xin,Jiang Li,Hongyi Wu

DOI: https://doi.org/10.1016/j.pmcj.2019.101106

IF: 3.848

2020-01-01

Pervasive and Mobile Computing

Abstract:In this paper, we report a newfound vulnerability on smartphones due to the malicious use of unsupervised sensor data. We demonstrate that an attacker can train deep Convolutional Neural Networks (CNN) by using magnetometer or orientation data to effectively infer the Apps and their usage information on a smartphone with an accuracy of over 80%. Furthermore, we show that such attacks can become even worse if sophisticated attackers exploit motion sensors to cluster the magnetometer or orientation data, improving the accuracy to as high as 98%. To mitigate such attacks, we propose a noise injection scheme that can effectively reduce the App sniffing accuracy to only 15% and at the same time has negligible effect on benign Apps.

Hao Pan,Lanqing Yang,Honglu Li,Chuang-Wen You,Xiaoyu Ji,Yi-Chao Chen,Zhenxian Hu,Guangtao Xue

DOI: https://doi.org/10.1109/secon52354.2021.9491601

2021-01-01

Abstract:Various characteristics of mobile applications (apps) and associated in-app services have been used reveal potentially-sensitive user information; however, privacy concerns have prompted third-party apps to rigorously restrict access to data related to mobile app usage. This paper outlines a novel approach to the extraction of detailed app usage information based on analysis of the electromagnetic (EM) signals emitted from mobile devices when executing app-related tasks. Note that this type of EM leakage becomes high-complex when multiple apps are used simultaneously and is subject to interference from geomagnetic signals generated by device movement. This paper proposes a deep learning-based multi-label classification system to identify apps and in-app services based on magnetometer readings. The proposed MAGTHIEF system uses accelerometer and gyroscope data to cancel out the offset in geomagnetic signals followed by an elaborate deep region convolution neural network (DRCNN) to differentiate among multiple apps and the corresponding inapp services. Experiments on 50 apps demonstrated the efficacy of MAGTHIEF in identifying multiple apps and in-app services, achieving high average macro F1 scores of 0.87 and 0.95, respectively. MAGTHIEF also achieved time duration accuracy of 89.5% in recognizing app trajectory in the real-world scene.

Atefeh Zareh Chahoki,Hamid Reza Shahriari,Marco Roveri

DOI: https://doi.org/10.1109/tifs.2024.3353072

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:The high profitability of mining cryptocurrencies mining, a computationally intensive activity, forms a fertile ecosystem that is enticing not only legitimate investors but also cyber attackers who invest their illicit computational resources in this area. Cryptojacking refers to the surreptitious exploitation of a victim’s computing resources to mine cryptocurrencies on behalf of the cyber-criminal. This malicious behavior is observed in executable files and browser executable codes, including JavaScript and Assembly modules, downloaded from websites to victims’ machines and executed. Although there are numerous botnet detection techniques to stop this malicious activity, attackers can circumvent these protections using a variety of techniques. In this paper, CryptojackingTrap is presented as a novel cryptojacking detection solution designed to resist most malware defense methods. The CryptojackingTrap is armed with a debugger and extensible cryptocurrency listeners and its algorithm is based on the execution of cryptocurrency hash functions: an indispensable behavior of all cryptojacking executors. This algorithm becomes aware of this specific hash execution by correlating the memory access traces of suspicious executables with publicly available cryptocurrency P2P network data. With the advantage of this assembly-level investigation and a natureinspired approach to triggering the detection alarm, CryptojackingTrap provides an accurate, evasion-proof technique for detecting cryptojacking. After experimental evaluation, the false negative and false positive rates are zero, and in addition, the false positive rate is mathematically calculated as 10−20. CryptojackingTrap has an open, extensible architecture and is available to the open-source community.

computer science, theory & methods,engineering, electrical & electronic

Yushi Cheng,Xiaoyu Ji,Wenyuan Xu,Hao Pan,Zhuangdi Zhu,Chuang-Wen You,Yi-Chao Chen,Lili Qiu

DOI: https://doi.org/10.1145/3321705.3329817

2019-01-01

Abstract:Mobile devices have emerged as the most popular platforms to access information. However, they have also become a major concern of privacy violation and previous researches have demonstrated various approaches to infer user privacy based on mobile devices. In this paper, we study a new side channel of a laptop that could be harvested by a commercial-off-the-shelf (COTS) mobile device, eg, a smartphone. We propose MagAttack, which exploits the electromagnetic (EM) side channel of a laptop to infer user activities, i.e., application launching and application operation. The key insight of MagAttack is that applications are discrepant in essence due to the different compositions of instructions, which can be reflected on the CPU power consumption, and thus the corresponding EM emissions. MagAttack is challenging since that EM signals are noisy due to the dynamics of applications and the limited sampling rate of the built-in magnetometers in COTS mobile devices. We overcome these challenges and convert noisy coarse-grained EM signals to robust fine-grained features. We implement MagAttack on both an iOS and an Android smartphone without any hardware modification, and evaluate its performance with 13 popular applications and 50 top websites in China. The results demonstrate that MagAttack can recognize aforementioned 13 applications with an average accuracy of 98.6%, and figure out the visiting operation among 50 websites with an average accuracy of 84.7%.

Shize Zhang,Zhiliang Wang,Jiahai Yang,Xin Cheng,Xiaoqian Ma,Hui Zhang,Bo Wang,Zimu Li,Jianping Wu

DOI: https://doi.org/10.1145/3485832.3485835

2021-01-01

Abstract:With the development of cryptocurrencies’ market, the problem of cryptojacking, which is an unauthorized control of someone else’s computer to mine cryptocurrency, has been more and more serious. Existing cryptojacking detection methods require to install anti-virus software on the host or load plug-in in the browser, which are difficult to deploy on enterprise or campus networks with a large number of hosts and servers. To bridge the gap, we propose MineHunter, a practical cryptomining traffic detection algorithm based on time series tracking. Instead of being deployed at the hosts, MineHunter detects the cryptomining traffic at the entrance of enterprise or campus networks. Minehunter has taken into account the challenges faced by the actual deployment environment, including extremely unbalanced datasets, controllable alarms, traffic confusion, and efficiency. The accurate network-level detection is achieved by analyzing the network traffic characteristics of cryptomining and investigating the association between the network flow sequence of cryptomining and the block creation sequence of cryptocurrency. We evaluate our algorithm at the entrance of a large office building in a campus network for a month. The total volumes exceed 28 TeraBytes. Our experimental results show that MineHunter can achieve precision of 97.0% and recall of 99.7%.

G Yu,G Yang,T Li,X Han,S Guan,J Zhang,G Gu

DOI: https://doi.org/10.1007/978-981-33-4922-3_5

2020-01-01

Abstract:AbstractWeb-based cryptocurrency mining attacks, also known as cryptojacking, become increasingly popular. A large number of diverse platforms (e.g., Windows, Linux, Android, and iOS) and devices (e.g., PC, smartphones, tablets, and even critical infrastructures) are widely impacted. Although a variety of detection approaches were recently proposed, it is challenging to apply these approaches to attack prevention directly.Instead, in this paper, we present a novel generic and accurate defense solution, called “MinerGate”, against cryptojacking attacks. To achieve the goal, MinerGate is designed as an extension of network gateways or proxies to protect all devices behind it. When attacks are identified, MinerGate can enforce security rules on victim devices, such as stopping the execution of related JavaScript code and alerting victims. Compared to prior approaches, MinerGate does not require any modification of browsers or apps to collect the runtime features. Instead, MinerGate focuses on the semantics of mining payloads (usually written in WebAssembly/asm.js), and semantic-based features.In our evaluation, we first verify the correctness of MinerGate by testing MinerGate in a real environment. Then, we check MinerGate’s performance and confirm MinerGate introduces relatively low overhead. Last, we verify the accuracy of MinerGate. For this purpose, we collect the largest WebAssembly/asm.js related code with ground truth to build our experiment dataset. By comparing prior approaches and MinerGate on the dataset, we find MinerGate achieves better accuracy and coverage (i.e., 99% accuracy and 98% recall). Our dataset will be available online, which should be helpful for more solid understanding of cryptojacking attacks.

Ankit Gangwal,Samuele Giuliano Piazzetta,Gianluca Lain,Mauro Conti

DOI: https://doi.org/10.48550/arXiv.1909.00268

2020-12-15

Abstract:Cybercriminals have been exploiting cryptocurrencies to commit various unique financial frauds. Covert cryptomining - which is defined as an unauthorized harnessing of victims' computational resources to mine cryptocurrencies - is one of the prevalent ways nowadays used by cybercriminals to earn financial benefits. Such exploitation of resources causes financial losses to the victims. In this paper, we present our novel and efficient approach to detect covert cryptomining. Our solution is a generic solution that, unlike currently available solutions to detect covert cryptomining, is not tailored to a specific cryptocurrency or a particular form of cryptomining. In particular, we focus on the core mining algorithms and utilize Hardware Performance Counters (HPC) to create clean signatures that grasp the execution pattern of these algorithms on a processor. We built a complete implementation of our solution employing advanced machine learning techniques. We evaluated our methodology on two different processors through an exhaustive set of experiments. In our experiments, we considered all the cryptocurrencies mined by the top-10 mining pools, which collectively represent the largest share (84% during Q3 2018) of the cryptomining market. Our results show that our classifier can achieve a near-perfect classification with samples of length as low as five seconds. Due to its robust and practical design, our solution can even adapt to zero-day cryptocurrencies. Finally, we believe our solution is scalable and can be deployed to tackle the uprising problem of covert cryptomining.

Cryptography and Security

Geng Hong,Zhemin Yang,Sen Yang,Lei Zhang,Yuhong Nan,Zhibo Zhang,Min Yang,Yuan Zhang,Zhiyun Qian,Hai-Xin Duan

DOI: https://doi.org/10.1145/3243734.3243840

2018-01-01

Abstract:As a new mechanism to monetize web content, cryptocurrency mining is becoming increasingly popular. The idea is simple: a webpage delivers extra workload (JavaScript) that consumes computational resources on the client machine to solve cryptographic puzzles, typically without notifying users or having explicit user consent. This new mechanism, often heavily abused and thus considered a threat termed "cryptojacking", is estimated to affect over 10 million web users every month; however, only a few anecdotal reports exist so far and little is known about its severeness, infrastructure, and technical characteristics behind the scene. This is likely due to the lack of effective approaches to detect cryptojacking at a large-scale (e.g., VirusTotal). In this paper, we take a first step towards an in-depth study over cryptojacking. By leveraging a set of inherent characteristics of cryptojacking scripts, we build CMTracker, a behavior-based detector with two runtime profilers for automatically tracking Cryptocurrency Mining scripts and their related domains. Surprisingly, our approach successfully discovered 2,770 unique cryptojacking samples from 853,936 popular web pages, including 868 among top 100K in Alexa list. Leveraging these samples, we gain a more comprehensive picture of the cryptojacking attacks, including their impact, distribution mechanisms, obfuscation, and attempts to evade detection. For instance, a diverse set of organizations benefit from cryptojacking based on the unique wallet ids. In addition, to stay under the radar, they frequently update their attack domains (fastflux) on the order of days. Many attackers also apply evasion techniques, including limiting the CPU usage, obfuscating the code, etc.

Ivan Petrov,Luca Invernizzi,Elie Bursztein

DOI: https://doi.org/10.48550/arXiv.2006.10861

2020-06-24

Abstract:Traffic monetization is a crucial component of running most for-profit online businesses. One of its latest incarnations is cryptocurrency mining, where a website instructs the visitor's browser to participate in building a cryptocurrency ledger (e.g., Bitcoin, Monero) in exchange for a small reward in the same currency. In its essence, this practice trades the user's electric bill (or battery level) for cryptocurrency. With user consent, this exchange can be a legitimate funding source - for example, UNICEF has collected over 27k charity donations on a website dedicated to this purpose, <a class="link-external link-http" href="http://thehopepage.org" rel="external noopener nofollow">this http URL</a>. Regrettably, this practice also easily lends itself to abuse: in this form, called cryptojacking, attacks surreptitiously mine in the users browser, and profits are collected either by website owners or by hackers that planted the mining script into a vulnerable page. Cryptojackers have been bettering their evasion techniques, incorporating in their toolkits domain fluxing, content obfuscation, the use of WebAssembly, and throttling. Whereas most state-of-the-art defenses address multiple of these evasion techniques, none is resistant against all. In this paper, we offer a novel detection method, CoinPolice, that is robust against all of the aforementioned evasion techniques. CoinPolice flips throttling against cryptojackers, artificially varying the browser's CPU power to observe the presence of throttling. Based on a deep neural network classifier, CoinPolice can detect 97.87% of hidden miners with a low false positive rate (0.74%). We compare CoinPolice performance with the current state of the art and show our approach outperforms it when detecting aggressively throttled miners. Finally, we deploy Coinpolice to perform the largest-scale cryptoming investigation to date, identifying 6700 sites that monetize traffic in this fashion.

Cryptography and Security

Guangquan Xu,Wenyu Dong,Jun Xing,Wenqing Lei,Jian Liu,Lixiao Gong,Meiqi Feng,Xi Zheng,Shaoying Liu

DOI: https://doi.org/10.1016/j.dcan.2022.04.030

IF: 6.348

2022-05-01

Digital Communications and Networks

Abstract:Cryptojacking is a type of resource embezzlement attack, wherein an attacker secretly executes the cryptocurrency mining program in the target host to gain profits. It has been common since 2017, and in fact, it once became the greatest threat to network security. To better prove the attack ability the harm caused by cryptojacking, this paper proposes a new covert browser-based mining attack model named Delay-CJ, this model was deployed in a simulation environment for evaluation. Based on the general framework of cryptojacking, Delay-CJ adds hybrid evasion detection techniques and applies the delayed execution strategy specifically for video websites in the prototype implementation. The results show that the existing detection methods used for testing may become invalid as result of this model. In view of this situation, to achieve a more general and robust detection scheme, we built a cryptojacking detection system named CJDetector, which is based on cryptojacking process features. Specifically, it identifies malicious mining by monitoring CPU usage and analyzing the function call information. This system not only effectively detects the attack in our example but also has universal applicability. The recognition accuracy of CJDetector reaches 99.33%. Finally, we tested the web pages in Alexa 50K websites to investigate cryptojacking activity in the real network. We found that although cryptojacking is indeed on the decline, it remains a part of network security threats that cannot be ignored.

telecommunications

Hadeel A. Almurshid,Iman Almomani,M. A. Khalifa,Walid El-Shafai

DOI: https://doi.org/10.1109/access.2024.3488192

IF: 3.9

2024-11-09

IEEE Access

Abstract:Recent statistics indicate a continuous rise in cryptojacking malware. This malware covertly exploits users' device resources to mine cryptocurrencies, such as Bitcoin, without their knowledge or consent. Cryptocurrency mining involves participants competing to generate a unique hash, with successful miners earning cryptocurrency tokens as rewards. As the difficulty of mining new cryptocurrencies increases, greater computational power and resources are required. Unfortunately, the growing popularity of cryptocurrencies has led to a significant increase in cryptojacking malware. Compounding this issue is the lack of adequate, practical solutions to combat this threat. Current shortcomings include a limited number of related studies, particularly in host-based cryptojacking, a scarcity of recent research, reliance on small or outdated datasets, and a shallow understanding of the behavior and characteristics of cryptojacking malware. This paper aims to address these gaps by introducing a holistic, intelligent cryptojacking malware detection system that: 1) provides a detailed analysis of the lifecycle of both host-based and web-based cryptojacking malware; 2) conducts a critical comparison of existing solutions, highlighting their weaknesses; 3) applies deep static analysis to identify key indicators crucial for cryptojacking analysis; 4) executes thorough dynamic analysis to demonstrate the real-world impact of cryptojacking; 5) utilizes a new, large, and robust cryptojacking dataset (CJDS) with over 100,000 samples, where the details of constructing this dataset are provided, (f) develops vision-based predictive models using 23 convolutional neural network (CNN) algorithms, extensively evaluated with comprehensive metrics; and 6) integrates the best-performing model to bulid a highly efficient cryptojacking detection system with an accuracy of 99%. This research offers valuable insights into the characteristics and consequences of cryptojacking, paving the way for further advancements in cybersecurity. It aims to protect digital environments from unauthorized resource exploitation and enhance the security of cryptocurrency-based systems.

computer science, information systems,telecommunications,engineering, electrical & electronic

Hamid Darabian,Sajad Homayounoot,Ali Dehghantanha,Sattar Hashemi,Hadis Karimipour,Reza M. Parizi,Kim-Kwang Raymond Choo

DOI: https://doi.org/10.1007/s10723-020-09510-6

2020-01-21

Journal of Grid Computing

Abstract:Cryptomining malware (also referred to as cryptojacking) has changed the cyber threat landscape. Such malware exploits the victim's CPU or GPU resources with the aim of generating cryptocurrency. In this paper, we study the potential of using deep learning techniques to detect cryptomining malware by utilizing both static and dynamic analysis approaches. To facilitate dynamic analysis, we establish an environment to capture the system call events of 1500 Portable Executable (PE) samples of the cryptomining malware. We also demonstrate how one can perform static analysis of PE files' opcode sequences. In our study, we evaluate the performance of using Long Short-Term Memory (LSTM), Attention-based LSTM (ATT-LSTM), and Convolutional Neural Networks (CNN) on our sequential data (opcodes and system call invocations) for classification by a Softmax function. We achieve an accuracy rate of 95% in the static analysis and an accuracy rate of 99% in the dynamic analysis.

computer science, information systems, theory & methods

Yongkang Tang,Shaoqing Li,Fan Zhang,Liang Fang

DOI: https://doi.org/10.1049/iet-ifs.2017.0354

2018-01-01

IET Information Security

Abstract:Hardware Trojan (HT) is increasingly becoming a serious problem in the information security field. Compared to other countermeasures, thermal maps based detection can mitigate process variation (PV) and have a higher accuracy. However, HT cannot be differentiated from the others directly from the original thermal maps. Therefore, in this study, the authors first propose a general HT detection framework based on difference temperature matrix, and introduce the PV mitigation mechanism. Then, they demonstrate how principal component analysis can implement spatial projection transformation and expose HT signal. Finally, they introduce their experimental setup and design, and then validate their countermeasure with Xilinx field programmable gate arrays which are configured with the pure AES circuit and the infected AES circuits. The power proportions (PPs) of HTs in the different infected AES circuits are various. The experimental results indicate that their proposed countermeasure can clearly detect HT with 0.14% small PP.

Stanislav Dashevskyi,Yury Zhauniarovich,Olga Gadyatskaya,Aleksandr Pilgun,Hamza Ouhssain

DOI: https://doi.org/10.1145/3374664.3375724

2020-02-24

Abstract:Cryptojacking applications pose a serious threat to mobile devices. Due to the extensive computations, they deplete the battery fast and can even damage the device. In this work we make a step towards combating this threat. We collected and manually verified a large dataset of Android mining apps. In this paper, we analyze the gathered miners and identify how they work, what are the most popular libraries and APIs used to facilitate their development, and what static features are typical for this class of applications. Further, we analyzed our dataset using VirusTotal. The majority of our samples is considered malicious by at least one VirusTotal scanner, but 16 apps are not detected by any engine; and at least 5 apks were not seen previously by the service. Mining code could be obfuscated or fetched at runtime, and there are many confusing miner-related apps that actually do not mine. Thus, static features alone are not sufficient for miner detection. We have collected a feature set of dynamic metrics both for miners and unrelated benign apps, and built a machine learning-based tool for dynamic detection. Our BrenntDroid tool is able to detect miners with 95% of accuracy on our dataset. This preprint is a technical report accompanying the paper "Dissecting Android Cryptocurrency Miners" published in ACM CODASPY 2020.

Cryptography and Security

Wenjuan Lian,Guoqing Nie,Yanyan Kang,Bin Jia,Yang Zhang

DOI: https://doi.org/10.23919/jcc.2022.02.014

2022-02-01

China Communications

Abstract:In recent years, with the increase in the price of cryptocurrencies, the number of malicious cryptomining software has increased significantly. With their powerful spreading ability, cryptomining malware can unknowingly occupy our resources, harm our interests, and damage more legitimate assets. However, although current traditional rule-based malware detection methods have a low false alarm rate, they have a relatively low detection rate when faced with a large volume of emerging malware. Even though common machine learning-based or deep learning-based methods have certain ability to learn and detect unknown malware, the characteristics they learn are single and independent, and cannot be learned adaptively. Aiming at the above problems, we propose a deep learning model with multi-input of multi-modal features, which can simultaneously accept digital features and image features on different dimensions. The model in turn includes parallel learning of three sub-models and ensemble learning of another specific sub-model. The four sub-models can be processed in parallel on different devices and can be further applied to edge computing environments. The model can adaptively learn multi-modal features and output prediction results. The detection rate of our model is as high as 97.01% and the false alarm rate is only 0.63%. The experimental results prove the advantage and effectiveness of the proposed method.

telecommunications

Peifa Sun,Mengda Lyu,Hui Li,Bo Yang,Lizhi Peng

DOI: https://doi.org/10.1016/j.comcom.2022.06.044

IF: 5.047

2022-09-01

Computer Communications

Abstract:Cryptocurrency is becoming more and more popular due to its superiority to traditional currencies, resulting in the boom of mining. Mining cryptocurrencies requires tremendous computing resources, and extensive high-performance computers are used for mining nowadays. A significant consequent problem is the huge amount of energy consuming for mining. Thus, managing mining behaviors become an urgent issue. There are two main ways to detecting mining behavior. One is to deploy a detecting program on the target host, and use features of system calls to detect the mining behaviors. The other is to deploy detection models on network, and identify mining behaviors via network traffic. Comparing with the former method, detecting mining behavior by traffic is “non-contact”, and can monitor a whole network instead of a single host. We propose in this paper a convolutional function based method to extract the features from the first few packets of flows to identify mining traffic. We first extract the size of each packet of a flow, and then design a convolution function with a sliding window to extract meaningful features from the packet size sequence. This method maps the flows to a feature space in which the mining flows can be distinguished from the normal flows easily. We collect a set of mining traffic traces including 8 types of cryptocurrency mining behaviors in a real network, and launch a set of empirical studies using this data set. We also develop an online mining traffic identification platform to validate the performance of our proposal. Both the offline experimental results and the online validation results suggests that our proposal can achieve high performance satisfying the real mining traffic detecting requirements.

computer science, information systems,telecommunications,engineering, electrical & electronic

Han Zhang,Yinhao Zhou,Ying Li

DOI: https://doi.org/10.1109/ats59501.2023.10317998

2023-01-01

Abstract:Among all hardware security threats, the malicious circuits surreptitiously inserted into third-Party Intellectual Property (3PIP) cores, known as Hardware Trojans (HTs), is one of the main concerns. The early discovery of HTs is crucial because any countermeasure after the fabrication process would be expensive or unavailable. Graph Neural Networks (GNN), with the intuitive graph representation of a hardware design, has emerged as a powerful technique to solve this problem. However, most of these networks have two limitations, including the loss of dynamic structural features and the portability issue of using trained models in other designs. To this end, we address such limitations by proposing a new edge-featured Data Flow Graph (DFG) generation method that combines circuit structures with simulation data to establish HTs detection based on Graph Attention Networks (GAT). The solution is utilizing GAT to extract the HTs features from DFG, then identifying the known and unknown HTs hidden in different circuits. We evaluate this methodology on our dataset by expanding Trusthub HTs benchmarks. The results show that our approach can realize the HTs detection with high recall and precision in a short time. Compared with the previous method, our method has more scalable capability and excellent prospects in HTs detection.