Detection of Encrypted Cryptomining Malware Connections With Machine and Deep Learning

Pastor, Antonio; Mozó, Alberto; Vakaruk, Stanislav; Canavese, Daniele; López, Diego; Regano, Leonardo; Gómez-Canaval, Sandra; Lioy, Antonio

doi:10.1109/access.2020.3019658

Cited by 49 publications

(36 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Each security enabler generates data with standard protocols such as Net-Flow v9 [28] or IPFIX, but also provide additional contextual data with 12 statistical information of TCP flows [29]: Round Trip Time (RTT), TCP protocol flags (such as SYN or ACK) , windows scale or Maximum Segment Size (MSS) per flow. The aggregation of this supplementary data source has already demonstrated a clear increment in the performance of the ML algorithms in this specific crypto-mining problem [30]. Accordingly, it is expected that additional network attacks to the 5G Core using encrypted traffic will be detected by the Security Analytic Engine with new ML models based on the same aggregated data provided by the Security Data Collector.…”

Section: Applying Data Aggregation To 5g Securitymentioning

confidence: 93%

Model-based Approach to Multi-domain Monitoring Data Aggregation

Pastor

López

Ordoñez-Lucena

et al. 2021

JICTS

Self Cite

View full text Add to dashboard Cite

The essential propellant for any closed-loop management mechanism is data related to the managed entity. While this is a general evidence, it becomes even more true when dealing with advanced closed-loop systems like the ones supported by Artificial Intelligence (AI), as they require a trustworthy, up-to-date and steady flow of state data to be applicable. Modern network infrastructures provide a vast amount of disparate data sources, especially in the multi-domain scenarios considered by the ETSI Industry Specification Group (ISG) Zero Touch Network and Service Management (ZSM) framework, and proper mechanisms for data aggregation, pre-processing and normalization are required to make possible AI-enabled closed-loop management. So far, solutions proposed for these data aggregation tasks have been specific to concrete data sources and consumers, following ad-hoc approaches unsuitable to address the vast heterogeneity of data sources and potential data consumers. This paper presents a model-based approach to a data aggregator framework, relying on standardized data models and telemetry protocols, and integrated with an open-source network orchestration stack to support their incorporation within network service lifecycles.

show abstract

Section: Applying Data Aggregation To 5g Securitymentioning

confidence: 93%

Model-based Approach to Multi-domain Monitoring Data Aggregation

Pastor

López

Ordoñez-Lucena

et al. 2021

JICTS

Self Cite

View full text Add to dashboard Cite

show abstract

“…We observed in preliminary experiments that very deep networks with a large number of hidden layers or units did not generate significant improvements in performance and on the contrary, they enlarged convergence times and produced non-negligible oscillations in the convergence during the training process. This effect could be explained by the fact that the cryptomining classification problem does not need very complex models to obtain a decent accuracy 13 . Therefore, we selected a moderate number of hidden layers (between 3 and 5) for generator and discriminator networks.…”

Section: Proposed Modelmentioning

confidence: 99%

“…Cryptomining attacks concern the network traffic generated by cybercriminals that create tailored and illegal processes for catching computational resources from users’ devices without their consent to use them in the benefit of the criminal for mining cryptocurrencies. It has been shown that these malicious connections can be detected in real-time with decent accuracy even at the very beginning of the connection’s lifetime by using an ML classifier 13 .…”

Section: Introductionmentioning

confidence: 99%

Synthetic flow-based cryptomining attack generation through Generative Adversarial Networks

Mozó

González-Prieto

Pastor

et al. 2022

Sci Rep

Self Cite

View full text Add to dashboard Cite

Due to the growing rise of cyber attacks in the Internet, the demand of accurate intrusion detection systems (IDS) to prevent these vulnerabilities is increasing. To this aim, Machine Learning (ML) components have been proposed as an efficient and effective solution. However, its applicability scope is limited by two important issues: (i) the shortage of network traffic data datasets for attack analysis, and (ii) the data privacy constraints of the data to be used. To overcome these problems, Generative Adversarial Networks (GANs) have been proposed for synthetic flow-based network traffic generation. However, due to the ill-convergence of the GAN training, none of the existing solutions can generate high-quality fully synthetic data that can totally substitute real data in the training of ML components. In contrast, they mix real with synthetic data, which acts only as data augmentation components, leading to privacy breaches as real data is used. In sharp contrast, in this work we propose a novel and deterministic way to measure the quality of the synthetic data produced by a GAN both with respect to the real data and to its performance when used for ML tasks. As a by-product, we present a heuristic that uses these metrics for selecting the best performing generator during GAN training, leading to a novel stopping criterion, which can be applied even when different types of synthetic data are to be used in the same ML task. We demonstrate the adequacy of our proposal by generating synthetic cryptomining attacks and normal traffic flow-based data using an enhanced version of a Wasserstein GAN. The results evidence that the generated synthetic network traffic can completely replace real data when training a ML-based cryptomining detector, obtaining similar performance and avoiding privacy violations, since real data is not used in the training of the ML-based detector.

show abstract

“…This approach is nevertheless susceptible to evasion using JavaScript obfuscation and bears a substantial operational burden associated with HTTPS proxies. Several papers [90][91][92][93] rely on computing features upon packet flows and training binary classification machine learning models. They achieve high detection accuracy at the expenses of computation and deployment overhead.…”

Section: Network-based Detectionmentioning

confidence: 99%

Detection of illicit cryptomining using network metadata

Russo

Šrndić

Laskov

2021

EURASIP J. on Info. Security

View full text Add to dashboard Cite

Illicit cryptocurrency mining has become one of the prevalent methods for monetization of computer security incidents. In this attack, victims’ computing resources are abused to mine cryptocurrency for the benefit of attackers. The most popular illicitly mined digital coin is Monero as it provides strong anonymity and is efficiently mined on CPUs.Illicit mining crucially relies on communication between compromised systems and remote mining pools using the de facto standard protocol Stratum. While prior research primarily focused on endpoint-based detection of in-browser mining, in this paper, we address network-based detection of cryptomining malware in general. We propose XMR-Ray, a machine learning detector using novel features based on reconstructing the Stratum protocol from raw NetFlow records. Our detector is trained offline using only mining traffic and does not require privacy-sensitive normal network traffic, which facilitates its adoption and integration.In our experiments, XMR-Ray attained 98.94% detection rate at 0.05% false alarm rate, outperforming the closest competitor. Our evaluation furthermore demonstrates that it reliably detects previously unseen mining pools, is robust against common obfuscation techniques such as encryption and proxies, and is applicable to mining in the browser or by compiled binaries. Finally, by deploying our detector in a large university network, we show its effectiveness in protecting real-world systems.

show abstract

Detection of Encrypted Cryptomining Malware Connections With Machine and Deep Learning

Cited by 49 publications

References 28 publications

Model-based Approach to Multi-domain Monitoring Data Aggregation

Model-based Approach to Multi-domain Monitoring Data Aggregation

Synthetic flow-based cryptomining attack generation through Generative Adversarial Networks

Detection of illicit cryptomining using network metadata

Contact Info

Product

Resources

About