Detection of illicit cryptomining using network metadata

Authors:

Michele Russo, Nedim Šrndić, Pavel Laskov

Abstract

Illicit cryptocurrency mining has become one of the prevalent methods for monetization of computer security incidents. In this attack, victims’ computing resources are abused to mine cryptocurrency for the benefit of attackers. The most popular illicitly mined digital coin is Monero as it provides strong anonymity and is efficiently mined on CPUs.

Illicit mining crucially relies on communication between compromised systems and remote mining pools using the de facto standard protocol Stratum. While prior research primarily focused on endpoint-based detection of in-browser mining, in this paper, we address network-based detection of cryptomining malware in general. We propose XMR-Ray, a machine learning detector using novel features based on reconstructing the Stratum protocol from raw NetFlow records. Our detector is trained offline using only mining traffic and does not require privacy-sensitive normal network traffic, which facilitates its adoption and integration.

In our experiments, XMR-Ray attained a 98.94% detection rate at a 0.05% false alarm rate, outperforming the closest competitor. Our evaluation furthermore demonstrates that it reliably detects previously unseen mining pools, is robust against common obfuscation techniques such as encryption and proxies, and is applicable to mining in the browser or by compiled binaries. Finally, by deploying our detector in a large university network, we show its effectiveness in protecting real-world systems.

Publisher

Springer Science and Business Media LLC

Subject

Computer Science Applications, Signal Processing


Cited by 11 articles.

1. Malware Threats Targeting Cryptocurrency: A Comparative Study. 2024 2nd International Conference on Cyber Resilience (ICCR), 2024-02-26.

2. Real-Time Symbolic Reasoning Framework for Cryptojacking Detection Based on Netflow-Plus Analysis. Lecture Notes in Computer Science, 2024.

3. Under the Dark: A Systematical Study of Stealthy Mining Pools (Ab)use in the Wild. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 2023-11-15.

4. User authentication and access control to blockchain-based forensic log data. EURASIP Journal on Information Security, 2023-07-25.

5. Forensic Analysis of Cryptojacking in Host-Based Docker Containers Using Honeypots. ICC 2023 - IEEE International Conference on Communications, 2023-05-28.
