Browser-Based Deep Behavioral Detection of Web Cryptomining with CoinSpy

Kelton, Conor; Balasubramanian, Aruna; Raghavendra, Ramya; Srivatsa, Mudhakar

doi:10.14722/madweb.2020.23002

Cited by 14 publications

(10 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Bian et al [15] proposed MineThrottle, which uses a block-level profiler and dynamic instrumentation of the Wasm code that is pointed by the profiler at compile time. Kelton et al [19] proposed CoinSpy which utilizes computation, memory, and network features. Conti et al [23] used Hardware Performance Counters (HPC) data to detect cryptojacking.…”

Section: A Malicious Cryptocurreny Mining Detection Systemsmentioning

confidence: 99%

“…However, only a small portion of prior studies [17], [10], [12] take this change into account. Secondly, cryptojacking detection systems [17], [10], [12], [18], [15], [19] relying on dynamic analysis features can suffer from high computational overhead, reduced measurement accuracies due to noise caused by other processes, and false positives resulted from benign websites using the same technologies. For this reason, practical applications of such schemes may cause quality-of-experience issues for end-users.…”

Section: B Challenges and Need For A New Detection Systemmentioning

confidence: 99%

“…SEISMIC [17], MineThrottle [15] and MineSweeper [10] employ code instrumentations. ML models based on a number of dynamic analysis features were utilized by RAPID [18], OUTGUARD [12], and CoinSpy [19]. Conti et al [23] made use of Hardware Performance Counters (HPC) data to detect cryptojacking.…”

Section: Related Workmentioning

confidence: 99%

“…Most of these techniques are based on the analysis of dynamic features. These include fixed thresholds [16], semantic instruction-count-based signature matching [17], CPU, memory and network traffic features [18], [19], [20], runtime, network, mining-related and browser-based features [12], block-level profiling and dynamic instrumentation [15], [21], [22], hardware performance counters [23], and instructioncount-based analysis and memory events [10]. Although such existing detection systems are promising and report high detection accuracy, there are several issues to consider.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

MINOS: A Lightweight Real-Time Cryptojacking Detection System

Naseem¹,

Arış²,

Babun³

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Emerging WebAssembly(Wasm)-based cryptojacking malware covertly uses the computational resources of users without their consent or knowledge. Indeed, most victims of this malware are unaware of such unauthorized use of their computing power due to techniques employed by cryptojacking malware authors such as CPU throttling and obfuscation. A number of dynamic analysis-based detection mechanisms exist that aim to circumvent such techniques. However, since these mechanisms use dynamic features, the collection of such features, as well as the actual detection of the malware, require that the cryptojacking malware run for a certain amount of time, effectively mining for that period, and therefore causing significant overhead. To solve these limitations, in this paper, we propose MINOS, a novel, extremely lightweight cryptojacking detection system that uses deep learning techniques to accurately detect the presence of unwarranted Wasm-based mining activity in real-time. MINOS uses an image-based classification technique to distinguish between benign webpages and those using Wasm to implement unauthorized mining. Specifically, the classifier implements a convolutional neural network (CNN) model trained with a comprehensive dataset of current malicious and benign Wasm binaries. MINOS achieves exceptional accuracy with a low TNR and FPR. Moreover, our extensive performance analysis of MINOS shows that the proposed detection technique can detect mining activity instantaneously from the most current in-the-wild cryptojacking malware with an accuracy of 98.97%, in an average of 25.9 milliseconds while using a maximum of 4% of the CPU and 6.5% of RAM, proving that MINOS is highly effective while lightweight, fast, and computationally inexpensive. * Minos is the beast in Dante's Divine Comedy that acts as a judge in underworld and decides which layer of the hell the sinner goes to.

show abstract

Section: A Malicious Cryptocurreny Mining Detection Systemsmentioning

confidence: 99%

Section: B Challenges and Need For A New Detection Systemmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

MINOS: A Lightweight Real-Time Cryptojacking Detection System

Naseem¹,

Arış²,

Babun³

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Existing cryptojacking detection approaches mainly use the following four techniques: blacklisting-based [14], [16], [25], [37], [42], [45], resource monitoring-based [38], [40], thread count-based [38], [41], and WebAssembly-based techniques [35], [42]. Although they all provide insights into detecting cryptojacking, they have limitations in terms of the precise detection of cryptojacking.…”

Section: Introductionmentioning

confidence: 99%

Circuit: A JavaScript Memory Heap-Based Approach for Precisely Detecting Cryptojacking Websites

et al. 2022

View full text Add to dashboard Cite

Cryptojacking is often used by attackers as a means of gaining profits by exploiting users' resources without their consent, despite the anticipated positive effect of browser-based cryptomining. Previous approaches have attempted to detect cryptojacking websites, but they have the following limitations:(1) they failed to detect several cryptojacking websites either because of their evasion techniques or because they cannot detect JavaScript-based cryptojacking and (2) they yielded several false alarms by focusing only on limited characteristics of cryptojacking, such as counting computer resources. In this paper, we propose CIRCUIT, a precise approach for detecting cryptojacking websites. We primarily focuse on the JavaScript memory heap, which is resilient to script code obfuscation and provides information about the objects declared in the script code and their reference relations. We then extract a reference flow that can represent the script code behavior of the website from the JavaScript memory heap. Hence, CIRCUIT determines that a website is running cryptojacking if it contains a reference flow for cryptojacking. In our experiments, we found 1,813 real-world cryptojacking websites among 300K popular websites. Moreover, we provided new insights into cryptojacking by modeling the identified evasion techniques and considering the fact that characteristics of cryptojacking websites now appear on normal websites as well.

show abstract