
Real-Time Symbolic Reasoning Framework for Cryptojacking Detection Based on Netflow-Plus Analysis

Conference paper
Information Security and Cryptology (Inscrypt 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14527)


Abstract

Cryptojacking is a cybersecurity threat in which criminals use computing resources they are not authorized to use for cryptocurrency mining. This kind of illegal activity has intensified as cryptocurrencies have become widely accepted. However, existing machine learning (ML) based detection approaches cannot yet be applied in real time because of their low performance.

First, unlike domain experts, ML researchers tend to extend the feature set with statistical functions (standard deviation, variance and the like), which are computationally heavy. Second, when the targeted traffic is a mice flow (1–2% of total traffic), the metadata analyzed in network security research is rarely captured at all: NetFlow is a sampling technique, and statistically it cannot be relied on in such a case. Third, the ML community usually ignores the cost of data preprocessing, which can take more time than the inference itself. These three fundamental weaknesses prevent ML-based detection algorithms from being applied to a large network in real time.

We propose a novel symbolic reasoning framework that accurately detects such cryptojacking in real time. To deal with mice flows, we propose a Netflow-plus traffic analysis technique that computes TCP metadata with a parallel protocol parser: every TCP flow is analyzed, but the TCP payload is not. High performance is maintained by allowing only addition-based aggregation, and the feature set is selected by domain experts without any standard-deviation or variance statistics. Building on these foundations, a symbolic reasoning framework captures cryptojacking activity from a behavior model. A series of Boolean-expression filters is applied first, reducing the solution search space by three orders of magnitude. The fixed-packet-length communication behavior of the Stratum protocol is then modeled with linear Diophantine equations; since Stratum is predominantly used in cryptojacking, detecting Stratum amounts to detecting cryptojacking. By combining Netflow-plus traffic analysis with the symbolic reasoning framework, our system handles not only clear-text but also encrypted traffic, and it achieved satisfactory detection results in a large campus network in real time.
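The pipeline the abstract describes, reduced to a Python toy, as an added example that is not the paper's code. Per-flow TCP metadata is aggregated by addition only, from every segment and without reading payload; a few Boolean filters prune the candidate set; and each surviving flow is tested against a linear Diophantine system asking whether its client-to-server byte total can be exactly `fwd_pkts` messages drawn from a small set of fixed lengths. The message lengths (61, 88, 143), thresholds, addresses and packet trace are constructed assumptions for the illustration, not measurements or filters from the paper.

```python
"""Added toy of the abstract's pipeline: sampling-free, addition-only per-flow
aggregation of TCP header metadata, a Boolean pre-filter, and a linear
Diophantine check for fixed-length messaging. Lengths, thresholds and the
packet trace are constructed assumptions, not values from the paper."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

ASSUMED_LENGTHS: Tuple[int, ...] = (61, 88, 143)  # assumed client->pool message sizes
MIN_DURATION_S = 60.0   # assumed: mining sessions stay up for minutes
MIN_PKTS = 8            # assumed: chatty in both directions
MAX_AVG_PAYLOAD = 256   # assumed: yet every message is small (a mice flow)

Packet = Tuple[float, str, int, str, int, int]  # ts, src, sport, dst, dport, payload_len
FlowKey = Tuple[str, int, str, int]             # client, cport, server, sport


@dataclass
class Flow:
    first_ts: float
    last_ts: float
    fwd_pkts: int = 0    # client -> server segments carrying payload
    fwd_bytes: int = 0
    rev_pkts: int = 0    # server -> client
    rev_bytes: int = 0


def aggregate(packets: Sequence[Packet]) -> Dict[FlowKey, Flow]:
    """Every segment is seen (no sampling), only headers are read, and flow
    state changes by addition only; the first segment fixes the direction."""
    flows: Dict[FlowKey, Flow] = {}
    for ts, src, sport, dst, dport, plen in packets:
        key, forward = (src, sport, dst, dport), True
        if key not in flows and (dst, dport, src, sport) in flows:
            key, forward = (dst, dport, src, sport), False
        f = flows.get(key)
        if f is None:
            f = flows[key] = Flow(first_ts=ts, last_ts=ts)
        f.last_ts = ts
        if plen == 0:            # pure ACKs are not application messages
            continue
        if forward:
            f.fwd_pkts, f.fwd_bytes = f.fwd_pkts + 1, f.fwd_bytes + plen
        else:
            f.rev_pkts, f.rev_bytes = f.rev_pkts + 1, f.rev_bytes + plen
    return flows


def passes_prefilter(f: Flow) -> bool:
    """Cheap Boolean filters; the mean-size test is a product, so no division
    (let alone STD/VAR) is needed on the hot path."""
    return (f.last_ts - f.first_ts >= MIN_DURATION_S
            and f.fwd_pkts >= MIN_PKTS and f.rev_pkts >= MIN_PKTS
            and f.fwd_bytes <= MAX_AVG_PAYLOAD * f.fwd_pkts)


def solve_fixed_length(n_msgs: int, total_bytes: int,
                       lengths: Sequence[int]) -> Optional[Tuple[int, ...]]:
    """Solve x_0+...+x_k = n_msgs and l_0*x_0+...+l_k*x_k = total_bytes with
    x_i >= 0: the linear Diophantine system a stream of n_msgs fixed-length
    messages must satisfy. Bounded DP over (messages placed, bytes so far),
    pruning totals above total_bytes; returns one solution vector or None."""
    states: Dict[int, Tuple[int, ...]] = {0: (0,) * len(lengths)}
    for _ in range(n_msgs):
        nxt: Dict[int, Tuple[int, ...]] = {}
        for total, counts in states.items():
            for i, length in enumerate(lengths):
                t = total + length
                if t <= total_bytes and t not in nxt:
                    nxt[t] = counts[:i] + (counts[i] + 1,) + counts[i + 1:]
        if not nxt:
            return None
        states = nxt
    return states.get(total_bytes)


def detect(packets: Sequence[Packet],
           lengths: Sequence[int] = ASSUMED_LENGTHS) -> Dict[FlowKey, Tuple[int, ...]]:
    """Flows that pass the pre-filter and whose client->server bytes are
    explainable as exactly fwd_pkts fixed-length messages."""
    hits: Dict[FlowKey, Tuple[int, ...]] = {}
    for key, f in aggregate(packets).items():
        if passes_prefilter(f):
            sol = solve_fixed_length(f.fwd_pkts, f.fwd_bytes, lengths)
            if sol is not None:
                hits[key] = sol
    return hits


def constructed_trace() -> List[Packet]:
    """Constructed trace: a hypothetical miner (flow A) on tcp/3333 sending a
    subscribe, keepalives and share submits every 25 s; a benign long-lived
    HTTPS session (flow B) with the same count and timing but irregular
    sizes; and a three-segment HTTP fetch (flow C) that is too short."""
    a = ("10.0.0.5", 51234, "203.0.113.7", 3333)
    b = ("10.0.0.9", 40210, "198.51.100.20", 443)
    c = ("10.0.0.9", 40211, "198.51.100.21", 80)
    a_msgs = [88] + [61, 143] * 4 + [61, 61, 61]                   # 12 msgs, 1087 B
    b_msgs = [517, 64, 64, 51, 51, 51, 38, 38, 38, 38, 25, 25]     # 12 msgs, 1000 B
    pkts: List[Packet] = []
    for n, (pa, pb) in enumerate(zip(a_msgs, b_msgs)):
        t = 25.0 * n
        pkts += [(t, a[0], a[1], a[2], a[3], pa), (t + 0.05, a[2], a[3], a[0], a[1], 120 + n),
                 (t + 0.1, b[0], b[1], b[2], b[3], pb), (t + 0.2, b[2], b[3], b[0], b[1], 1400)]
    pkts += [(1.0, c[0], c[1], c[2], c[3], 300), (1.1, c[2], c[3], c[0], c[1], 1200),
             (1.2, c[0], c[1], c[2], c[3], 0)]
    return pkts
```

Running `detect(constructed_trace())` flags only flow A, with the per-length count vector (7, 1, 4): seven 61-byte, one 88-byte and four 143-byte messages account for all 1087 bytes in 12 segments. Flow B passes every Boolean filter (long-lived, chatty both ways, small average request) but 1000 bytes in 12 segments has no non-negative integer solution over these three lengths, so the solver rejects it; flow C never reaches the solver. Two caveats a practitioner should keep in mind: the model assumes one application message per TCP segment, which Nagle coalescing or segmentation of a large message breaks, and under TLS the observable lengths are record lengths rather than plaintext lengths (a constant per-record overhead keeps the system linear, but the constants must be measured for the encrypted case rather than taken from clear-text Stratum).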



Acknowledgments

The project was supported by Open Fund of Anhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation.


Corresponding author: Zhen Yang


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.


Cite this paper

Yang, Z. et al. (2024). Real-Time Symbolic Reasoning Framework for Cryptojacking Detection Based on Netflow-Plus Analysis. In: Ge, C., Yung, M. (eds) Information Security and Cryptology. Inscrypt 2023. Lecture Notes in Computer Science, vol 14527. Springer, Singapore. https://doi.org/10.1007/978-981-97-0945-8_14


  • DOI: https://doi.org/10.1007/978-981-97-0945-8_14


  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-97-0944-1

  • Online ISBN: 978-981-97-0945-8
