Shize Zhang,Zhiliang Wang,Jiahai Yang,Xin Cheng,Xiaoqian Ma,Hui Zhang,Bo Wang,Zimu Li,Jianping Wu

DOI: https://doi.org/10.1145/3485832.3485835

2021-01-01

Abstract:With the development of cryptocurrencies’ market, the problem of cryptojacking, which is an unauthorized control of someone else’s computer to mine cryptocurrency, has been more and more serious. Existing cryptojacking detection methods require to install anti-virus software on the host or load plug-in in the browser, which are difficult to deploy on enterprise or campus networks with a large number of hosts and servers. To bridge the gap, we propose MineHunter, a practical cryptomining traffic detection algorithm based on time series tracking. Instead of being deployed at the hosts, MineHunter detects the cryptomining traffic at the entrance of enterprise or campus networks. Minehunter has taken into account the challenges faced by the actual deployment environment, including extremely unbalanced datasets, controllable alarms, traffic confusion, and efficiency. The accurate network-level detection is achieved by analyzing the network traffic characteristics of cryptomining and investigating the association between the network flow sequence of cryptomining and the block creation sequence of cryptocurrency. We evaluate our algorithm at the entrance of a large office building in a campus network for a month. The total volumes exceed 28 TeraBytes. Our experimental results show that MineHunter can achieve precision of 97.0% and recall of 99.7%.

Ke Ye,Meng Shen,Zhenbo Gao,Liehuang Zhu

DOI: https://doi.org/10.1007/978-981-19-8043-5_20

2022-01-01

Abstract:With the rapid development of blockchain, cryptocurrency gains more attention due to its anonymity and decentralization. However, illegal cryptocurrency mining problems, e.g., unauthorized control of victims' devices or appropriate public resources, become more and more serious. Existing mining detection methods need to be deployed locally and require authorization from administrators, which hardly supervise an entire network segment, as it brings high installation and maintenance costs. To solve this problem, in this paper, we propose a lightweight mining behavior detection method based on traffic analysis, which leverages communication packets in the first n seconds of a flow to achieve a real-time response. The experiment results with real-world datasets prove that the proposed method can achieve 94.04% F1 score using only the first 40 s packets, 98.22% F1 score using the first 120 s packets. Moreover, it can realize unknown cryptomining service discovery for about 96.37% F1 score. Instead of installing antivirus software on the host, the proposed method based on traffic analysis can be deployed at the gateways, which brings convenience for network management.

Xiaoyan Hu,Boquan Lin,Guang Cheng,Ruidong Li,Hua Wu

DOI: https://doi.org/10.1109/icc45041.2023.10279537

2023-01-01

Abstract:In recent years, the good revenue generated by cryptocurrency mining has attracted a lot of people to participate in it. It has also caught the attention of hackers, and cryptojacking attacks are becoming more common. Detecting cryptomining behavior can effectively reduce the lost caused by cryptojacking attacks. Existing host-based cryptomining detection methods can protect only end devices and violate users' privacy. Besides, network-based solutions can not better handle anti-reconnaissance means of encrypted proxy. To bridge this gap, we propose a cryptomining traffic detection model based on K-S Test(CMD-KST). Our traffic analysis study confirms that the feature distributions of cryptomining traffic over an encrypted proxy are still stable and unique. CMD-KST compares the feature distributions of a network flow segment with that of cryptomining traffic over the encrypted proxy to complete the detection task. CMD-KST is easily deployable and can detect cryptomining traffic at the entrance of the managed network. Our experimental results demonstrate that CMD-KST achieves a recall of 98.84% without generating false positives and takes only 6 minutes of analyzing mining traffic to complete the detection. CMD-KST is faster than other network-based cryptomining traffic detection methods and achieves a higher precision. Furthermore, the adversarial evaluation shows that it is challenging for the attackers to counteract our detection.

Peifa Sun,Mengda Lyu,Hui Li,Bo Yang,Lizhi Peng

DOI: https://doi.org/10.1016/j.comcom.2022.06.044

IF: 5.047

2022-09-01

Computer Communications

Abstract:Cryptocurrency is becoming more and more popular due to its superiority to traditional currencies, resulting in the boom of mining. Mining cryptocurrencies requires tremendous computing resources, and extensive high-performance computers are used for mining nowadays. A significant consequent problem is the huge amount of energy consuming for mining. Thus, managing mining behaviors become an urgent issue. There are two main ways to detecting mining behavior. One is to deploy a detecting program on the target host, and use features of system calls to detect the mining behaviors. The other is to deploy detection models on network, and identify mining behaviors via network traffic. Comparing with the former method, detecting mining behavior by traffic is “non-contact”, and can monitor a whole network instead of a single host. We propose in this paper a convolutional function based method to extract the features from the first few packets of flows to identify mining traffic. We first extract the size of each packet of a flow, and then design a convolution function with a sliding window to extract meaningful features from the packet size sequence. This method maps the flows to a feature space in which the mining flows can be distinguished from the normal flows easily. We collect a set of mining traffic traces including 8 types of cryptocurrency mining behaviors in a real network, and launch a set of empirical studies using this data set. We also develop an online mining traffic identification platform to validate the performance of our proposal. Both the offline experimental results and the online validation results suggests that our proposal can achieve high performance satisfying the real mining traffic detecting requirements.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xiaoyan Hu,Zhuozhuo Shu,Xiaoyi Song,Guang Cheng,Jian Gong

DOI: https://doi.org/10.1109/globecom46510.2021.9685085

2021-01-01

Abstract:Bitcoin and other digital cryptocurrencies have de-veloped rapidly in recent years. To reduce hardware and power costs, many criminals use the botnet to infect other hosts to mine cryptocurrency for themselves, which has led to the proliferation of mining botnets and is referred to as cryptojacking. At present, the mechanisms specific to cryptojacking detection include host-based, Deep Packet Inspection (DPI) based, and dynamic network characteristics based. Host-based detection requires detection installation and running at each host, and the other two are heavyweight. Besides, DPI-based detection is a breach of privacy and loses efficacy if encountering encrypted traffic. This paper de-signs a lightweight cryptojacking traffic detection method based on network behavior features for an ISP, without referring to the payload of network traffic. We set up an environment to collect cryptojacking traffic and conduct a cryptojacking traffic study to obtain its discriminative network traffic features extracted from only the first four packets in a flow. Our experimental study suggests that the machine learning classifier, random forest, based on the extracted discriminative network traffic features can accurately and efficiently detect cryptojacking traffic.

Yilei Wang,Chunmei Li,Yiting Zhang,Tao Li,Jianting Ning,Keke Gai,Kim-Kwang Raymond Choo

DOI: https://doi.org/10.1109/jiot.2024.3367689

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Cryptojacking is a new type of Internet of Things (IoT) attack, where an attacker hijacks the computing power of IoT devices, such as wireless routers, smart TVs, set-top boxes, or cameras, to mine cryptocurrencies, e.g., PyRoMineIoT. The attackers launch selfish mining-like (SM-like) attacks to obtain lucrative mining rewards with the stolen computing power, once the power exceeds a threshold. Generally, a single deep learning (DL) model with a single feature (e.g., fork height) is trained to detect SM-like attacks. However, the existing model fails to detect every SM-like attack since the model training ignores other distinctive features (e.g., mining rewards and blocking rate) of SM-like attacks. In this article, SM-NEEDLE, an ensemble DL (NEEDLE) method is proposed to detect SM-like attacks. More specifically, the distinctive features are extracted from the blockchain system, where SM-like simulators emulate the strategies of SM-like attacks. Further, to circumvent the local optima problem caused by the single DL model (e.g., Back-Propagation Neural Network, BPNN), the SM-NEEDLE trains multiple BPNNs with these distinctive features. Evaluation results indicate the accuracy and false negative rate (FNR) of SM-NEEDLE for detecting SM-like attacks (including SM1 and its variants) are 98.9% and 1.48%, respectively. That is, 98.9% of SM-like attacks are correctly identified and only 1.48% of attacks are undetectable.

Jingqiang Liu,Zihao Zhao,Xiang Cui,Zhi Wang,Qixu Liu

DOI: https://doi.org/10.1109/dsc.2018.00079

2018-01-01

Abstract:Transactions in the cryptocurrency market has been extremely hot in recent years, with the price of cryptocurrency climbing all the way. Hackers have turned their attentions to cryptocurrencies, and have used various means to acquire cryptocurrencies illegally, which caused huge losses to the victims. Some browsers block malicious mining activities from the network protocol level, but they do not have the ability to detect mining samples themselves, and it is difficult to make effective detection of homogenous mining samples of the network layer. To solve these problems, based on the attack pattern of browser mining, the browser-based silent mining features are analyzed, and a method to detect browser silent mining behavior is proposed. This method drives known malicious mining samples, extracts heap snapshots and stack code features of a dynamically running browser, and performs automated detection based on recurrent neural network. By modifying the kernel code of Chrome, a browser-based silent miner detection prototype system BMDetector was designed and implemented. With 1159 samples detected and analyzed, experimental results show that the recognition rate of the original mining sample is 98%, and 92% for the encrypted and confused, which is an effective and feasible method.

HUO Yuehua,ZHAO Faqi,WU Wenhao

DOI: https://doi.org/10.13272/j.issn.1671-251x.17944

2022-01-01

Abstract:The coal mine network is faced with the threat of malicious traffic encrypted by the transport layer security protocol (TLS) generated by malicious software and the high false alarm rate of encrypted traffic during detection. In order to solve the above problems, a multi-feature fusion malicious traffic detection method for coal mine network TLS encryption is proposed. The characteristics of multiple and heterogeneous malicious traffic features of TLS encryption are analyzed. The connection features, metadata and TLS encrypted protocol handshake features of coal mine network TLS encrypted malicious traffic in the transmission process are extracted. A coal mine network TLS encrypted traffic characteristic set is constructed by using a flow fingerprint method. The features in the feature set are standardized, one-hot encoded and normalized, so as to obtain an efficient sample set. Five sub-models of decision tree (DT), K-nearest neighbor (KNN), Gaussian Naive Bayes (GNB), L2 logistic regression (LR) and stochastic gradient descent (SGD) classifiers were used to test the above feature sets. In order to improve the robustness of the detection model, combined with the principle of the voting method, five classifier sub-models are combined to construct a muti-model voting classifier (MVC) detection model. Five classifier sub-models are used as voters. Each classifier sub-model trains the sample set separately, and votes according to the principle of minority obeying majority to get the final prediction value of each sample. The experimental results show that the proposed feature set reduces the dimension of the sample set and improves the detection efficiency of TLS encrypted traffic. DT classifier and KNN classifier perform best on the data set, reaching more than 99% accuracy. But they have the risk of overfitting. Although the LR classifier and SGD classifier sub-models have also achieved recognition accuracy of more than 90%, the false positive rate of these two sub-models is too high. The GNB classifier sub-model performs the worst, with an accuracy of 82%. But it has the advantage of low false-positive rate. The accuracy and recall rate of that MVC detection model on a data set is more than 99%, the false alarm rate is 0.13%. The detection rate of encrypted malicious traffic is improved, and the false alarm rate of encrypted traffic detection is 0. And the comprehensive performance of the MVC detection model is better than that of other classifier sub-models.

Wenjuan Lian,Guoqing Nie,Yanyan Kang,Bin Jia,Yang Zhang

DOI: https://doi.org/10.23919/jcc.2022.02.014

2022-02-01

China Communications

Abstract:In recent years, with the increase in the price of cryptocurrencies, the number of malicious cryptomining software has increased significantly. With their powerful spreading ability, cryptomining malware can unknowingly occupy our resources, harm our interests, and damage more legitimate assets. However, although current traditional rule-based malware detection methods have a low false alarm rate, they have a relatively low detection rate when faced with a large volume of emerging malware. Even though common machine learning-based or deep learning-based methods have certain ability to learn and detect unknown malware, the characteristics they learn are single and independent, and cannot be learned adaptively. Aiming at the above problems, we propose a deep learning model with multi-input of multi-modal features, which can simultaneously accept digital features and image features on different dimensions. The model in turn includes parallel learning of three sub-models and ensemble learning of another specific sub-model. The four sub-models can be processed in parallel on different devices and can be further applied to edge computing environments. The model can adaptively learn multi-modal features and output prediction results. The detection rate of our model is as high as 97.01% and the false alarm rate is only 0.63%. The experimental results prove the advantage and effectiveness of the proposed method.

telecommunications

Wei Zheng,Xuange Huang,Renchao Xie,Qinqin Tang,Tao Huang

DOI: https://doi.org/10.1109/iccc59590.2023.10507257

2023-01-01

Abstract:With the skyrocketing prices and soaring trading volumes of Bitcoin and other cryptocurrencies, the harms caused by malicious cryptomining activities are also increasing. Hackers are increasingly utilizing malicious software to conduct network attacks for cryptocurrency mining, posing threats not only to user privacy but also leading to the consumption of computing resources and increased electricity costs. Despite these challenges, existing detection methods, such as using blacklists to protect users’ browser antivirus programs, only offer partial solutions to this problem, as attackers can easily bypass their detection by frequently changing their domain names using domain generation algorithms. To address these issues, this paper employs deep learning technology and designs a method for detecting malicious cryptomining domains. This method combines blacklist detection with Long Short-Term Memory (LSTM) and is capable of identifying malicious domains from a large number of domain samples. Experimental results demonstrate that the proposed method produces excellent classification and detection outcomes.

Xi Ling,Jiongchi Yu,Ziming Zhao,Zhihao Zhou,Haitao Xu,Binbin Chen,Fan Zhang

DOI: https://doi.org/10.1007/978-3-031-54773-7_12

2024-01-01

Abstract:With the proliferation of Internet development, Distributed Denial of Service (DDoS) attacks are on the rise. As rule-based traffic analysis frameworks and Deep Packet Inspection (DPI) defense measures can effectively thwart many DDoS attacks, attackers keep exploring various attack surfaces and traffic amplification strategies to nullify the defense. In this paper, we propose DDoSMiner, an automated framework for DDoS attack characterization and vulnerability mining. DDoSMiner analyzes system call patterns of the TCP-based DDoS attack family, then generates Attack Call Flow Graph (ACFG) by discerning the differences between DDoS attack traffic and benign traffic. Furthermore, DDoSMiner identifies and extracts drop nodes and pivotal TCP states from the distinctive characteristics of attack traffic, then passes to the symbolic execution framework for exploring variants of the DDoS attack. We collectively analyze six types of TCP-based DDoS attacks, construct the corresponding ACFG, and identify a set of attack traffic variants. The attack traffic variants are evaluated on the widely used Network Intrusion Detection System (NIDS) Snort with three popular rule sets. The result shows that DDoSMiner indeed discovers the new DDoS attack trace, and the corresponding attack traffic can bypass all three defense toolkits.

Peiran Wang,Yuqiang Sun,Cheng Huang,Yutong Du,Genpei Liang,Gang Long

DOI: https://doi.org/10.1109/cse53436.2021.00022

2021-01-01

Abstract:Because of the rise of the Monroe coin, many JavaScript files with embedded malicious code are used to mine cryptocurrency using the computing power of the browser client. This kind of script does not have any obvious behaviors when it is running, so it is difficult for common users to witness them easily. This feature could lead the browser side cryptocurrency mining abused without the user’s permission. Traditional browser security strategies focus on information disclosure and malicious code execution, but not suitable for such scenes. Thus, we present a novel detection method named MineDetector using a machine learning algorithm and static features for automatically detecting browser-side cryptojacking scripts on the websites. MineDetector extracts five static feature groups available from the abstract syntax tree and text of codes and combines them using the machine learning method to build a powerful cryptojacking classifier. In the real experiment, MineDetector achieves the accuracy of 99.41% and the recall of 93.55% and has better performance in time comparing with present dynamic methods. We also made our work user-friendly by developing a browser extension that is click-to-run on the Chrome browser.

Ankit Gangwal,Samuele Giuliano Piazzetta,Gianluca Lain,Mauro Conti

DOI: https://doi.org/10.48550/arXiv.1909.00268

2020-12-15

Abstract:Cybercriminals have been exploiting cryptocurrencies to commit various unique financial frauds. Covert cryptomining - which is defined as an unauthorized harnessing of victims' computational resources to mine cryptocurrencies - is one of the prevalent ways nowadays used by cybercriminals to earn financial benefits. Such exploitation of resources causes financial losses to the victims. In this paper, we present our novel and efficient approach to detect covert cryptomining. Our solution is a generic solution that, unlike currently available solutions to detect covert cryptomining, is not tailored to a specific cryptocurrency or a particular form of cryptomining. In particular, we focus on the core mining algorithms and utilize Hardware Performance Counters (HPC) to create clean signatures that grasp the execution pattern of these algorithms on a processor. We built a complete implementation of our solution employing advanced machine learning techniques. We evaluated our methodology on two different processors through an exhaustive set of experiments. In our experiments, we considered all the cryptocurrencies mined by the top-10 mining pools, which collectively represent the largest share (84% during Q3 2018) of the cryptomining market. Our results show that our classifier can achieve a near-perfect classification with samples of length as low as five seconds. Due to its robust and practical design, our solution can even adapt to zero-day cryptocurrencies. Finally, we believe our solution is scalable and can be deployed to tackle the uprising problem of covert cryptomining.

Cryptography and Security

Aaron Zimba,Mumbi Chishimba,Christabel Ngongola-Reinke,Tozgani Fainess Mbale

DOI: https://doi.org/10.48550/arXiv.2102.10634

2021-02-22

Abstract:Cryptocurrencies have emerged as a new form of digital money that has not escaped the eyes of cyber-attackers. Traditionally, they have been maliciously used as a medium of exchange for proceeds of crime in the cyber dark-market by cyber-criminals. However, cyber-criminals have devised an exploitative technique of directly acquiring cryptocurrencies from benign users' CPUs without their knowledge through a process called crypto mining. The presence of crypto mining activities in a network is often an indicator of compromise of illegal usage of network resources for crypto mining purposes. Crypto mining has had a financial toll on victims such as corporate networks and individual home users. This paper addresses the detection of crypto mining attacks in a generic network environment using dynamic network characteristics. It tackles an in-depth overview of crypto mining operational details and proposes a semi-supervised machine learning approach to detection using various crypto mining features derived from complex network characteristics. The results demonstrate that the integration of semi-supervised learning with complex network theory modeling is effective at detecting crypto mining activities in a network environment. Such an approach is helpful during security mitigation by network security administrators and law enforcement agencies.

Cryptography and Security

Ivan Petrov,Luca Invernizzi,Elie Bursztein

DOI: https://doi.org/10.48550/arXiv.2006.10861

2020-06-24

Abstract:Traffic monetization is a crucial component of running most for-profit online businesses. One of its latest incarnations is cryptocurrency mining, where a website instructs the visitor's browser to participate in building a cryptocurrency ledger (e.g., Bitcoin, Monero) in exchange for a small reward in the same currency. In its essence, this practice trades the user's electric bill (or battery level) for cryptocurrency. With user consent, this exchange can be a legitimate funding source - for example, UNICEF has collected over 27k charity donations on a website dedicated to this purpose, <a class="link-external link-http" href="http://thehopepage.org" rel="external noopener nofollow">this http URL</a>. Regrettably, this practice also easily lends itself to abuse: in this form, called cryptojacking, attacks surreptitiously mine in the users browser, and profits are collected either by website owners or by hackers that planted the mining script into a vulnerable page. Cryptojackers have been bettering their evasion techniques, incorporating in their toolkits domain fluxing, content obfuscation, the use of WebAssembly, and throttling. Whereas most state-of-the-art defenses address multiple of these evasion techniques, none is resistant against all. In this paper, we offer a novel detection method, CoinPolice, that is robust against all of the aforementioned evasion techniques. CoinPolice flips throttling against cryptojackers, artificially varying the browser's CPU power to observe the presence of throttling. Based on a deep neural network classifier, CoinPolice can detect 97.87% of hidden miners with a low false positive rate (0.74%). We compare CoinPolice performance with the current state of the art and show our approach outperforms it when detecting aggressively throttled miners. Finally, we deploy Coinpolice to perform the largest-scale cryptoming investigation to date, identifying 6700 sites that monetize traffic in this fashion.

Cryptography and Security

G Yu,G Yang,T Li,X Han,S Guan,J Zhang,G Gu

DOI: https://doi.org/10.1007/978-981-33-4922-3_5

2020-01-01

Abstract:AbstractWeb-based cryptocurrency mining attacks, also known as cryptojacking, become increasingly popular. A large number of diverse platforms (e.g., Windows, Linux, Android, and iOS) and devices (e.g., PC, smartphones, tablets, and even critical infrastructures) are widely impacted. Although a variety of detection approaches were recently proposed, it is challenging to apply these approaches to attack prevention directly.Instead, in this paper, we present a novel generic and accurate defense solution, called “MinerGate”, against cryptojacking attacks. To achieve the goal, MinerGate is designed as an extension of network gateways or proxies to protect all devices behind it. When attacks are identified, MinerGate can enforce security rules on victim devices, such as stopping the execution of related JavaScript code and alerting victims. Compared to prior approaches, MinerGate does not require any modification of browsers or apps to collect the runtime features. Instead, MinerGate focuses on the semantics of mining payloads (usually written in WebAssembly/asm.js), and semantic-based features.In our evaluation, we first verify the correctness of MinerGate by testing MinerGate in a real environment. Then, we check MinerGate’s performance and confirm MinerGate introduces relatively low overhead. Last, we verify the accuracy of MinerGate. For this purpose, we collect the largest WebAssembly/asm.js related code with ground truth to build our experiment dataset. By comparing prior approaches and MinerGate on the dataset, we find MinerGate achieves better accuracy and coverage (i.e., 99% accuracy and 98% recall). Our dataset will be available online, which should be helpful for more solid understanding of cryptojacking attacks.

Fei Wang,Hailong Wang,Xiaofeng Wang,Jinshu Su

DOI: https://doi.org/10.1016/j.mcm.2011.02.025

2011-01-01

Mathematical and Computer Modelling

Abstract:Detection of distributed denial of service (DDoS) attacks has been a challenging problem for network security. Most of the existing works take into account the anomaly features of the traffic caused by DDoS. However, these detection methods suffer from either less generality or high computational and memory costs in detecting subtle DDoS attacks. In this paper, we first present a model for DDoS attacks with quantitative measurements. Based on this model, we find that there are two factors that have a severe influence on the deviation of traffic features. In view of these two factors, the DDoS attack traffic observed by monitors can be trivial, leading to the subtle DDoS attacks which are difficult to detect. To detect the subtle DDoS anomalies at monitors close to the attack sources, we propose a novel multistage DDoS detection framework that consists of a NTS (Network Traffic State) prediction, a fine-grained singularity detection and a malicious address extraction engine. We also briefly introduced how to distribute our detection framework to enhance the performance of detecting world-wide DDoS attacks. Moreover, the prototype system is implemented and evaluated with real network traces from our campus network and testbed. The results show that our method can detect various DDoS attacks efficiently even though the attack rate is low. Our method can extract malicious IPs for attack reaction with records for a short period, and multiple monitors distributed in the network can fuse the results of extraction seamlessly to improve the accuracy of detection

Qianjin Ying,Yulei Yu,Donghai Tian,Xiaoqi Jia,Rui Ma,Changzhen Hu

DOI: https://doi.org/10.1007/s10723-022-09621-2

2022-01-01

Journal of Grid Computing

Abstract:With the increasing value of digital cryptocurrency in recent years, the digital cryptocurrency mining industry is becoming prosperous. However, this industry has also gained attention from adversaries who exploit users’ computers to mine cryptocurrency covertly. To detect cryptojacking attacks, many static and dynamic methods are proposed. However, the existing solutions still have some limitations in terms of effectiveness, performance, and transparency. To address these issues, we present CJSpector, a novel hardware-based approach for cryptojacking detection. This method first leverages the Intel Processor Trace mechanism to collect the run-time control flow information of a web browser. Next, CJSpector makes use of two optimization approaches based on the library functionality and information gain to preprocess the control flow information. Finally, it leverages Recurrent Neural Network (RNN) for cryptojacking detection. The evaluation shows that our method can detect in-browser covert cryptocurrency mining effectively and transparently with a small performance cost.

Zhenrui Zhang,Geng Hong,Xiang Li,Zhuoqun Fu,Jia Zhang,Mingxuan Liu,Chuhan Wang,Jianjun Chen,Baojun Liu,Haixin Duan,Chao Zhang,Min Yang

DOI: https://doi.org/10.1145/3576915.3616677

2023-01-01

Abstract:Cryptocurrency mining is a crucial operation in blockchains, and miners often join mining pools to increase their chances of earning rewards. However, the energy-intensive nature of PoW cryptocurrency mining has led to its ban in New York State of the United States, China, and India. As a result, mining pools, serving as a central hub for mining activities, have become prime targets for regulatory enforcement. Furthermore, cryptojacking malware refers to self-owned stealthy mining pools to evade detection techniques and conceal profit wallet addresses. However, no systematic research has been conducted to analyze it, largely due to a lack of full understanding of the protocol implementation, usage, and port distribution of the stealth mining pool. To the best of our knowledge, we carry out the first large-scale and longitudinal measurement research of stealthy mining pools to fill this gap. We report 7,629 stealthy mining pools among 59 countries. Further, we study the inner mechanisms of stealthy mining pools. By examining the 19,601 stealthy mining pool domains and IPs, our analysis reveals that stealthy mining pools carefully craft their domain semantics, protocol support, and lifespan to provide underground, user-friendly, and robust mining services. What's worse, we uncover a strong correlation between stealthy mining pools and malware, with 23.3% of them being labeled as malicious. Besides, we evaluate the tricks used to evade state-of-the-art mining detection, including migrating domain name resolution methods, leveraging the botnet, and enabling TLS encryption. Finally, we conduct a qualitative study to evaluate the profit gains of malicious cryptomining activities through the stealthy pool from an insider perspective. Our results show that criminals have the potential to earn more than 1 million USD per year, boasting an average ROI of 2,750%. We have informed the relevant ISPs about uncovered stealthy mining pools and have received their acknowledgments.

Rongfeng Zheng,Jiayong Liu,Weina Niu,Liang Liu,Kai Li,Shan Liao

DOI: https://doi.org/10.1155/2020/8824659

IF: 1.968

2020-01-01

Security and Communication Networks

Abstract:The explosive growth in network traffic in recent times has resulted in increased processing pressure on network intrusion detection systems. In addition, there is a lack of reliable methods for preprocessing network traffic generated by benign applications that do not steal users' data from their devices. To alleviate these problems, this study analyzed the differences between benign and malicious traffic produced by benign applications and malware, respectively. To fully express these differences, this study proposed a new set of statistical features for training a clustering model. Furthermore, to mine the communication channels generated by benign applications in batches, a semisupervised clustering method was adopted. Using a small number of labeled samples, our method aggregated historical network traffic into two types of clusters. The cluster that did not contain labeled malicious samples was regarded as a benign traffic cluster. The experimental results were compared using four types of clustering algorithms. The density-based spatial clustering of applications with noise (DBSCAN) clustering algorithm was selected to mine benign communication channels. We also compared our method with two other methods, and the results demonstrated that the benign channels mined through our method were more reliable. Finally, using our method, 1,811 benign transport layer security (TLS) channels were mined from 18,357 TLS communication channels. The number of flows carried by these benign channels comprised 65.37% of the entire network flows, and no malicious flow was included in our results, which proves the effectiveness of our method.