POSTER: Content-Agnostic Identification of Cryptojacking in Network Traffic

Feng, Yebo; Sisodia, Devkishen; Li, Jun

doi:10.1145/3320269.3405440

Cited by 8 publications

(2 citation statements)

References 5 publications

(5 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Features Detail Network and hash [12] src and dst Ips, src and dst port numbers, protocol, packet size, hash-rate CPU and RAM [13] CPU usage, RAM, Average Quadratic Deviation, Operative Memory, CPU Power Network [14] Traffic volume and flow times CPU [15] CPU usage at user and system kernel level, CPU idle, CPU servicing hardware and software interrupts, and CPU's hypervisor CPU [16] CPU usage CPU and hash [17] CPU usage, Usage of WebAssembly and WebWorkers, Hash and URL CPU and RAM [18] CPU and memory usage, CPU usage even after the website is closed and less inbound traffic CPU [19], [20] CPU utilization Hash [21] Hash libraries, cumulative time of websites spent on hashing Opcode and GPU [22] Rarely used opcodes Legitimate User Applications [23], [24], [20] Usage of legitimate applications to complete the operation JavaScript code injections [25], [26], [27], [12], [19] JavaScript injection is a method by which we can input and utilise our own JavaScript code in a page, whether by submitting the form in the address bar or by locating an XSS vulnerability on a website.…”

Section: Featuresmentioning

confidence: 99%

Features, Analysis Techniques, and Detection Methods of Cryptojacking Malware: A Survey

Kadhum,

Firdaus,

Hisham

et al. 2024

JOIV : Int. J. Inform. Visualization

View full text Add to dashboard Cite

Various types of malwares are capable of bringing harm to users. The list of types are root exploits, botnets, trojans, spyware, worms, viruses, ransomware, and cryptojacking. Cryptojacking is a significant proportion of cyberattacks in which exploiters mine cryptocurrencies using the victim’s devices, for instance, smartphones, tablets, servers, or computers. It is also defined as the illegal utilization of victim resources (CPU, RAM, and GPU) to mine cryptocurrencies without detection. The purpose of cryptojacking, along with numerous other forms of cybercrime, is monetary gain. Furthermore, it also intended to stay concealed from the victim's viewpoint. Following this crime, to the author's knowledge, a paper focusing solely on a review of cryptojacking research is still unavailable. This paper presents cryptojacking detection information to address this deficiency, including methods, detection, analysis techniques, and features. As cryptojacking malware is a type that executes its activities using the network, most of the analysis and features fall into dynamic activities. However, static analysis is also included in the security researcher’s option. The codes that are involved are opcode and JavaScript. This demonstrates that these two languages are vital programming languages to focus on to detect cryptojacking. Moreover, the researchers also begin to adopt deep learning in their experiments to detect cryptojacking malware. This paper also examines potential future developments in the detection of cryptojacking.

show abstract

Section: Featuresmentioning

confidence: 99%

Features, Analysis Techniques, and Detection Methods of Cryptojacking Malware: A Survey

Kadhum,

Firdaus,

Hisham

et al. 2024

JOIV : Int. J. Inform. Visualization

View full text Add to dashboard Cite

show abstract

“…This approach is nevertheless susceptible to evasion using JavaScript obfuscation and bears a substantial operational burden associated with HTTPS proxies. Several papers [90, 91,92,93] rely on computing features upon packet flows and training binary classification machine learning models. They achieve high detection accuracy at the expenses of computation and deployment overhead.…”

Section: Related Workmentioning

confidence: 99%

Detection of illicit cryptomining using network metadata

Russo

Šrndić

Laskov

2021

Preprint

View full text Add to dashboard Cite

Illicit cryptocurrency mining has become one of the prevalent methods for monetization of computer security incidents. In this attack, victims' computing resources are abused to mine cryptocurrency for the benefit of attackers. The most popular illicitly mined digital coin is Monero as it provides strong anonymity and is efficiently mined on CPUs. Illicit mining crucially relies on communication between compromised systems and remote mining pools using the de facto standard protocol Stratum. While prior research primarily focused on endpoint-based detection of in-browser mining, in this paper we address network-based detection of cryptomining malware in general. We propose XMR-Ray, a machine learning detector using novel features based on reconstructing the Stratum protocol from raw NetFlow records. Our detector is trained offline using only mining traffic and does not require privacy-sensitive normal network traffic, which facilitates its adoption and integration. In our experiments, XMR-Ray attained 98.94% detection rate at 0.05% false alarm rate, outperforming the closest competitor. Our evaluation furthermore demonstrates that it reliably detects previously unseen mining pools, is robust against common obfuscation techniques such as encryption and proxies, and is applicable to mining in the browser or by compiled binaries. Finally, by deploying our detector in a large university network, we show its effectiveness in protecting real-world systems.

show abstract