DeCrypto: Finding Cryptocurrency Miners on ISP Networks

  • Conference paper
  • Secure IT Systems (NordSec 2022)

Abstract

With the rising popularity of cryptocurrencies and the increasing value of the whole industry, people are incentivized to join and earn revenues by cryptomining—using computational resources for cryptocurrency transaction verification. Nevertheless, there is an increasing number of abusive cryptomining cases, and it is reported that “coin miner malware” grew by more than 4000% in 2018. In this work, we analyzed the cryptominer network communication and proposed the DeCrypto system that can detect and report mining on high-speed 100 Gbps backbone Internet lines with millions of users. The detector uses the concept of heterogeneous weak-indication detectors (Machine-Learning-based, domain-based, and payload-based) that work together and create a robust and accurate detector with an extremely low false-positive rate. The detector was implemented and evaluated on a real nationwide high-speed network and proved efficient in a real-world deployment.


Notes

  1. https://virustotal.com.
  2. https://github.com/CESNET/ipfixprobe.
  3. Longer TCP connections are split into multiple flows.


Acknowledgments

This research was funded by the Ministry of Interior of the Czech Republic, grant No. VJ02010024: Flow-Based Encrypted Traffic Analysis and also by the Grant Agency of the CTU in Prague, grant No. SGS20/210/OHK3/3T/18 funded by the MEYS of the Czech Republic.

Corresponding author

Correspondence to Karel Hynek.

A Appendix

A.1 Detailed Results of Weak-Indication Classifiers

Table 8 and Table 9 show detailed results of the DeCrypto system together with true positives (TP), false positives (FP), false negatives (FN) and true negatives (TN).

Table 8. Results of all paths of the DeCrypto system on the Design dataset with the DST threshold set to 0.03 and ML threshold set to 0.99
Table 9. Results of all paths of the DeCrypto system on the Evaluation dataset with the DST threshold set to 0.03 and ML threshold set to 0.99

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Plný, R., Hynek, K., Čejka, T. (2022). DeCrypto: Finding Cryptocurrency Miners on ISP Networks. In: Reiser, H.P., Kyas, M. (eds) Secure IT Systems. NordSec 2022. Lecture Notes in Computer Science, vol 13700. Springer, Cham. https://doi.org/10.1007/978-3-031-22295-5_8

  • DOI: https://doi.org/10.1007/978-3-031-22295-5_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-22294-8

  • Online ISBN: 978-3-031-22295-5
