Cryptocurrency malware hunting: A deep Recurrent Neural Network approach

doi:10.1016/j.asoc.2020.106630

Applied Soft Computing

Volume 96, November 2020, 106630

https://doi.org/10.1016/j.asoc.2020.106630 Get rights and content

Highlights

•
Criminals have found that cryptocurrency can demonstrate to be a highly profitable effort.
•
We propose a deep Recurrent Neural Network (RNN) learning model for hunting cryptocurrency malware threats.
•
Our proposed model utilizes the RNN to analyze windows applications Opcodes as a case study.
•
The trained model is evaluated with five different Long Short-Term Memory configurations conducted by 10-fold cross-validation (CV) technique.

Abstract

In recent years, cryptocurrency trades have increased dramatically, and this trend has attracted cyber-threat actors to exploit the existing vulnerabilities and infect their targets. The malicious actors use cryptocurrency malware to perform complex computational tasks using infected devices. Since cryptocurrency malware threats perform a legal process, it is a challenging task to detect this type of threat by a manual or heuristic method. In this paper, we propose a novel deep Recurrent Neural Network (RNN) learning model for hunting cryptocurrency malware threats. Specifically, our proposed model utilizes the RNN to analyze Windows applications’ operation codes (Opcodes) as a case study. We collect a real-world dataset that comprises of 500 cryptocurrency malware and 200 benign-ware samples, respectively. The proposed model trains with five different Long Short-Term Memory (LSTM) structures and is evaluated by a 10-fold cross-validation (CV) technique. The obtained results prove that a 3-layer configuration model gains 98% of detection accuracy, which is the highest rate among other current configurations. We also applied traditional machine learning (ML) classifiers to show the applicability of deep learners (LSTM) versus traditional models in dealing with cryptocurrency malware.

Introduction

Blockchain technology was introduced to the real-world through Bitcoin cryptocurrency in [1], [2]. As its backbone, this technology offers several key features in network communication such as decentralization, transparency, security, and trust in a peer-to-peer manner. Blockchain has a vital role in empowering cryptocurrencies. Bitcoin, Monero, and Ethereum have demonstrated to be practically useful in other domains beyond payments due to their secure-by-design nature [3], [4], [5], [6], [7], [8]. The ever-rising popularity of cryptocurrencies is generating a considerable amount of interest among developers and security researchers [9], [10], [11].

Mining is a vital process that is responsible for the verification of transactions in all cryptocurrencies that run on blockchain [2], [12]. This process requires the first blockchain network nodes (known as miners) to solve a complex mathematical problem to generate new blocks and retain the integrity of the transactions. Miners must solve a hash problem to create a valid block. Eventually, miners take an amount of the mined currency as a reward, and this process can generate an income for a cryptocurrency miner in the network as well as for malicious actors [9], [12].

There is a growing concern about the security of users when involved in the distribution networks and particularly in applications involving blockchain technology. Based on the recent incidents, the number of cryptocurrency malware has drastically increased [13], [14]. Increasing the value of diverse cryptocurrencies in the digital world has made malware and malicious crypto-miners famous as recent as 2017 [15]. The most common method to infect an unknown victim’s device is installing the mining software on the victim’s machine without any verification. In 2017, Coinhive took advantage of the victim’s computational power by placing a few lines of JavaScript code into their web pages in order to mine cryptocurrency [15].

Cryptocurrency malware is an approach to abuse victim’s machines (laptops, computers, smartphones, tablets) without their verification to mine cryptocurrency [13], [16]. The malicious actors use cryptocurrency malware to steal computational power and resources from their victims’ devices to compute complex equations [17], [18], [19], [20]. Therefore, the malware actors can compete against other miner’s cryptocurrency computational tasks without the costly overhead [16], [21]. The victims may not be aware when they are under attack of cryptocurrency malware. Virtually, the entire cryptocurrency malware software is designed to remain stealth from users, but that does not mean the side effects are not present. Some common side effects include:

•
reducing the speed of other processes
•
growing your electricity bills
•
decreasing the lifetime of your device

Depending on how smart the attack design, cryptocurrency mining relates to exceptionally high processor task that has considerable side effects [16], [21], [22].

In recent years, Machine Learning (ML) based malware threat detection solutions have obtained promising results in everyday malware hunting tasks [23]. Besides these, deep learning (DL) methods have also been applied in complex malware threat detection tasks [21], [22]. In prior research, a wide range of models for detecting malware based on the dynamic and static analysis have been proposed [24], [25], [26]. In this paper, we propose a model that benefits from Recurrent Neural Network (RNN) to detect cryptocurrency malware based on a given application’s operation codes (opcodes). The main goal of RNN is to use serial or sequence information, and RNNs are known as a return. As a result, RNN can efficiently predict objects of a sequence (or series) of inputs. In this case, the output will depend on previous calculations. Indeed, RNNs have an internal state (memory) that holds information about what has been calculated, and they can process variable-length sequences of inputs. Moreover, RNN has flexibility and high power, so using RNN in cryptocurrency malware hunting is a viable solution due to the fact that RNN efficiently can consider and learn the sequence of opcodes with variable-length sequences during the training step.

Our approach does not require any modification on opcodes. This paper targets MS Windows cryptocurrency malware threats, since a considerable number of users, use the MS Windows OS platform for trading cryptocurrencies [25]. We evaluate our model by comparing its performance against methods that use conventional machine learning classifiers like, SVM, K-Nearest Neighbor, Naïve Bayes, Decision Tree, and Random Forest, as well as Ada-Boost. Ada-Boost is an ensemble learning technique [27]. Therefore, the main contributions of this paper are as follows:

•
a three-layer Deep Recurrent Neural Network (RNN) model to detect cryptocurrency malware threats in the MS Windows platform.
•
a dataset that consists of $500$ real-world cryptocurrency malware applications and over $200$ legitimate cryptocurrency application.
•
a comparative analysis among traditional ML algorithms and the proposed model to show the effectiveness of RNN on detecting cryptocurrency malware threats.

The rest of the paper is structured as follows. Section 2 demonstrates a review of related work. In Section 3, we define our proposed methodology for cryptocurrency malware hunting. The experimental results and comparisons are presented in Section 4. Finally, in Section 5, we present our concluding remarks and discuss our future work towards cryptocurrency malware threats.

Section snippets

Related work

In this section, we mention the most relevant machine learning-based malware threat hunting works. In recent years, a large number of researchers have focused on malware threat hunting based on ML algorithms. ML algorithms used for different malware hunting challenges to detect patterns and find malware from benign applications. In this section, we review related work pertaining to our work done on malware threat hunting.

Joshua Saxe et al. [28] proposed a deep neural network-based malware

Cryptocurrency malware hunting methodology

In this section, we present the cryptocurrency malware hunting methodology which consists of four stages, as illustrated in Fig. 1. In the first stage, we collected cryptocurrency malware and benign samples. All the collected samples belong to the MS Windows OS platform. Next, we executed the collected samples simulated environment and decompiling and unpacking these files to extract their opcodes. In the next step, we created a feature vector based on each sample’s opcode. Finally, we used the

Experimental results

In this section, we present the experimental results of our proposed model for cryptocurrency malware classification and hunting. Experiments are obtained with the collected datasets of both malware and benign samples. We built five LSTM models with different configurations that it presented in Table 2.

We defined dataset $A$ as $A = {L_{1}, L_{2}, L_{3}, \dots, L_{n}}$ and each our sample of the datasets is defined as $L$ . In fact, all samples have a considerable number of sets of opcode, $L = {m_{1}, m_{2}, m_{3}, \dots, m_{n}}$ . We also

Conclusion

Nowadays, Cryptocurrency usage in different applications leads to an increase in concurrency malware threats for this technology user. To overcome this challenge, we proposed a deep model that applied Recurrent Neural Network architecture to detect the cryptocurrency malware application based on their opcodes sequence. In fact, we evaluated our proposed model based on the Cryptocurrency applications’ opcodes analysis and obtained a detection accuracy of $98.25 %$ against this malware family. In

CRediT authorship contribution statement

Abbas Yazdinejad: Conceptualization, Data curation. Hamed HaddadPajouh: Formal analysis. Ali Dehghantanha: Methodology, Project administration. Reza M. Parizi: Funding acquisition, Investigation. Gautam Srivastava: Writing - original draft. Mu-Yen Chen: Writing - review & editing.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

References (47)

GuesmiK. et al.
Portfolio diversification with virtual currency: Evidence from bitcoin
Int. Rev. Financ. Anal.
(2019)
MallquiD.C. et al.
Predicting the direction, maximum, minimum and closing prices of daily Bitcoin exchange rate using machine learning techniques
Appl. Soft Comput.
(2019)
YazdinejadA. et al.
P4-to-blockchain: A secure blockchain-enabled packet parser for software defined networking
Comput. Secur.
(2020)
BorgesT.A. et al.
Ensemble of machine learning algorithms for cryptocurrency investment with different data resampling methods
Appl. Soft Comput.
(2020)
TaylorP.J. et al.
A systematic literature review of blockchain cyber security
Digit. Commun. Netw.
(2020)
GargiuloF. et al.
Deep neural network for hierarchical extreme multi-label text classification
Appl. Soft Comput.
(2019)
RhodeM. et al.
Early-stage malware prediction using recurrent neural networks
Comput. Secur.
(2018)
HaddadPajouhH. et al.
A deep Recurrent Neural Network based approach for Internet of Things malware threat hunting
Future Gener. Comput. Syst.
(2018)
YazdinejadA. et al.
A high-performance framework for a network programmable packet processor using P4 and FPGA
J. Netw. Comput. Appl.
(2020)
YuanY. et al.
Blockchain and cryptocurrencies: Model, techniques, and applications
IEEE Trans. Syst. Man Cybern.
(2018)

YazdinejadA. et al.

Blockchain-enabled authentication handover with efficient privacy protection in SDN-based 5G networks

IEEE Trans. Netw. Sci. Eng.

(2019)

SovbetovY.

Factors influencing cryptocurrency prices: Evidence from bitcoin, ethereum, dash, litcoin, and monero

J. Econ. Financ. Anal.

(2018)

WoodG.

Ethereum: A secure decentralised generalised transaction ledger

Ethereum Proj. Yellow Pap.

(2014)

A. Yazdinejad, R.M. Parizi, G. Srivastava, A. Dehghantanha, K.R. Choo, Energy efficient decentralized authentication in...

DraghicescuD. et al.

Crypto-mining application fingerprinting method

YazdinejadA. et al.

An energy-efficient SDN controller architecture for IoT networks with blockchain-based security

IEEE Trans. Serv. Comput.

(2020)

YazdinejadA. et al.

Decentralized authentication of distributed patients in hospital networks using blockchain

IEEE J. Biomed. Health Inf.

(2020)

EyalI. et al.

Majority is not enough: Bitcoin mining is vulnerable

Commun. ACM

(2018)

RüthJ. et al.

Digging into browser-based crypto mining

ZimbaA. et al.

Crypto mining attacks in information systems: an emerging threat to cyber security

J. Comput. Inf. Syst.

(2018)

GhoshU. et al.

Towards secure software-defined networking integrated cyber-physical systems: Attacks and countermeasures

MadhanE. et al.

An improved communications in cyber physical system architecture, protocols and applications

RatheeG. et al.

A blockchain framework for securing connected and autonomous vehicles

Sensors

(2019)

Cited by (98)

A performance overview of machine learning-based defense strategies for advanced persistent threats in industrial control systems
2023, Computers and Security
Cybersecurity incident response is a very crucial part of the cybersecurity management system. Adversaries emerge and evolve with new cybersecurity tactics, techniques, and procedures (TTPs). It is essential to detect the TTPs in a timely manner to respond effectively and mitigate the vulnerabilities to secure business operations. This research focuses on TTP identification and detection based on a machine learning approach. Early identification and detection are paramount in protecting, responding to, and recovering from such adversarial attacks. Analyzing use cases is a critical tool to ensure proper and in-depth evaluation of sector-specific cybersecurity challenges. In this regard, this study investigates existing known methodologies for cyber-attacks such as Mitre attacks, and developed a method for identifying threat cases. In addition, Windows-based threat cases are implemented, comprehensive datasets are generated, and supervised machine learning models are applied to detect threats effectively and efficiently. Random forest outperforms other models with the highest accuracy of 99%. Future work can be done for generating threat cases based on multiple log sources, including network security and endpoint protection device, and achieve high accuracy by removing false positives using machine learning. Similarly, real-time threat detection is also envisioned for future work.
SDIF-CNN: Stacking deep image features using fine-tuned convolution neural network models for real-world malware detection and classification
2023, Applied Soft Computing
The detection of malware is a complex problem in the area of Internet security. Developing a malware defense system that is less costly to detect large-scale malware is needed. This paper proposes a novel malware detection and classification architecture based on image visualization as SDIF-CNN: Stacking deep image features using fine-tuned convolution neural networks. The hybrid methodology of transfer learning as fine-tuning and feature extractor of deep convolution neural network models is designed. At first, the pre-trained VGG16 CNN model is deeply fine-tuned with different hyperparameters, including the number of layers, learning rate, momentum, etc. The transfer learning-based fine-tuned VGG16 model is used as a feature extractor along with the three similar pre-trained CNN models, VGG19, ResNet50, and InceptionV3, to obtain the diverse feature map. The extracted features are horizontally concatenated to construct a single feature map. The different feature selection methodologies, including filter-based methods and embedded methods, such as linear regression and random forest, are designed to discard the irrelevant features from a stacked feature map. After that, this study uses six machine learning and deep learning classifiers- K-Nearest Neighbor (K-NN), Support Vector Machine (SVM), Random Forest (RF), Multi-Layer Perceptron (MLP), Extra Tree (ET), and Gaussian Naive Bayes (GNB) by using the stacked feature map as a training feature vector. The hyperparameter optimization of the MLP model as the best classifier is performed using a randomized search algorithm to devise an optimal classifier. The experiments are performed using a publicly benchmarked MalImg dataset of 9339 images from 25 families. The model is also validated on real-world and packed malicious programs to prove the generalization of the proposed methodology in detecting real-world malware. In the proposed system, the MLP model obtained the best performance results as 98.55% accuracy, 99% precision, 99% recall, and 99% F1-score for MalImg datasets, and accuracy of 94.78% for real-world malware datasets. The proposed methodology is resilient to commonly used obfuscation techniques and does not depend upon code disassembly, reverse engineering analysis, and highly resource-intensive dynamic analysis.
Accurate threat hunting in industrial internet of things edge devices
2023, Digital Communications and Networks
Industrial Internet of Things (IIoT) systems depend on a growing number of edge devices such as sensors, controllers, and robots for data collection, transmission, storage, and processing. Any kind of malicious or abnormal function by each of these devices can jeopardize the security of the entire IIoT. Moreover, they can allow malicious software installed on end nodes to penetrate the network. This paper presents a parallel ensemble model for threat hunting based on anomalies in the behavior of IIoT edge devices. The proposed model is flexible enough to use several state-of-the-art classifiers as the basic learner and efficiently classifies multi-class anomalies using the Multi-class AdaBoost and majority voting. Experimental evaluations using a dataset consisting of multi-source normal records and multi-class anomalies demonstrate that our model outperforms existing approaches in terms of accuracy, F1 score, recall, and precision.
Evolving malware variants as antigens for antivirus systems
2023, Expert Systems with Applications
This paper proposes MAGE — A Malware Antigen Generating Evolutionary algorithm that is capable of generating unseen variants of a given source malware. MAGE evolves malware variants by employing code transformation functions as mutation operators and intra-population Jaccard similarity metric as fitness function. By virtue of these design choices, MAGE is capable of generating active malware variants with diverse code structure variations while retaining the maliciousness of the source malware. These malware variants (similar to biological antigens) generated throughout the run of MAGE forms a potential dataset of malware variants. The dataset can be used to train an adaptive Antivirus engine to learn the code structure variations that make up the space of malware variants. This could augment the engines ability to detect unseen malware variants, thus preventing attacks from the same. The efficacy of MAGE has been demonstrated with two malware viz. Timid , a COM infector and Intruder, an EXE infector. The simulation experiments demonstrate the potential and versatility of MAGE towards generating diverse malware variants.
SwiftR: Cross-platform ransomware fingerprinting using hierarchical neural networks on hybrid features
2023, Expert Systems with Applications
Ransomware has been largely exploited by cybercriminals to target individuals and organizations. In response to the increasing number and magnitude of ransomware attacks, it is important to consider the following problems when designing a ransomware fingerprinting solution: (i) how to make the solution portable to different hardware platforms and different dynamic analysis reports, (ii) how to design a solution that considers real-world use-cases, and (iii) how to evaluate the solution under realistic and challenging evaluation scenarios. To deal with these problems, we propose SwiftR, a novel portable framework for cross-platform ransomware detection and fingerprinting. SwiftR provides an accurate ransomware detection capability that relies on raw hybrid features along with advanced deep learning techniques. SwiftR is cross-platform as it is agnostic to architectures and operating systems by leveraging two novel types of features: (1) the assembly code Intermediate Representation (IR) features that are derived from static analysis, and (2) word-based features that are derived from the behavioral analysis reports, which are produced during dynamic analysis. SwiftR is supervised, and consists of two novel components: (a) Static SwiftR that proposes a novel architecture, called Hierarchical Neural Network (HNN), and (b) Dynamic SwiftR that applies LSTM on word embedding sequences when the Static SwiftR provides a low probability confidence. SwiftR aims to address the limitations of previous works by considering real-world use cases and challenging evaluation scenarios, i.e., time-resiliency, unknown family resiliency, and production evaluation scenarios. In addition, we extensively evaluate SwiftR on a dataset of 40.3K samples, which is the largest one compared to previous works. An F1-score of 98%, 96%, and 94% is achieved for ransomware detection, segregation between ransomware and other malware, and ransomware family attribution respectively. Furthermore, SwiftR maintains its high performance when deployed in a production environment where it processes 183K samples.
An ensemble deep learning model for cyber threat hunting in industrial internet of things
2023, Digital Communications and Networks
Citation Excerpt :
This problem affects the learning of long-term dependency in data and makes it difficult to predict and detect anomalies, decreasing anomaly detection accuracy and other evaluation metrics. Therefore, Recurrent Neural Network (RNN) [35] as well as LSTM architectures [23] are used to solve the problem of long-term dependence in time series data, as the vanishing gradient or exploding gradient often occurs in dealing with long-term dependent time series data [36]. In order to resolve the aforementioned long-time dependency issues in IIoT cyber threat hunting, an ensemble model in this paper based on the deep learning RNN model is proposed and the LSTM architecture [37] is applied to dominate long-time dependency problems in IIoT cyber threat hunting.
By the emergence of the fourth industrial revolution, interconnected devices and sensors generate large-scale, dynamic, and inharmonious data in Industrial Internet of Things (IIoT) platforms. Such vast heterogeneous data increase the challenges of security risks and data analysis procedures. As IIoT grows, cyber-attacks become more diverse and complex, making existing anomaly detection models less effective to operate. In this paper, an ensemble deep learning model that uses the benefits of the Long Short-Term Memory (LSTM) and the Auto-Encoder (AE) architecture to identify out-of-norm activities for cyber threat hunting in IIoT is proposed. In this model, the LSTM is applied to create a model on normal time series of data (past and present data) to learn normal data patterns and the important features of data are identified by AE to reduce data dimension. In addition, the imbalanced nature of IIoT datasets has not been considered in most of the previous literature, affecting low accuracy and performance. To solve this problem, the proposed model extracts new balanced data from the imbalanced datasets, and these new balanced data are fed into the deep LSTM AE anomaly detection model. In this paper, the proposed model is evaluated on two real IIoT datasets -Gas Pipeline (GP) and Secure Water Treatment (SWaT) that are imbalanced and consist of long-term and short-term dependency on data. The results are compared with conventional machine learning classifiers, Random Forest (RF), Multi-Layer Perceptron (MLP), Decision Tree (DT), and Super Vector Machines (SVM), in which higher performance in terms of accuracy is obtained, 99.3% and 99.7% based on GP and SWaT datasets, respectively. Moreover, the proposed ensemble model is compared with advanced related models, including Stacked Auto-Encoders (SAE), Naive Bayes (NB), Projective Adaptive Resonance Theory (PART), Convolutional Auto-Encoder (C-AE), and Package Signatures (PS) based LSTM (PS-LSTM) model.

View all citing articles on Scopus

View full text

Cryptocurrency malware hunting: A deep Recurrent Neural Network approach

Highlights

Abstract

Introduction

Section snippets

Related work

Cryptocurrency malware hunting methodology

Experimental results

Conclusion

CRediT authorship contribution statement

Declaration of Competing Interest

Int. Rev. Financ. Anal.

Appl. Soft Comput.

Comput. Secur.

Appl. Soft Comput.

Digit. Commun. Netw.

Appl. Soft Comput.

Comput. Secur.

Future Gener. Comput. Syst.

J. Netw. Comput. Appl.

Blockchain and cryptocurrencies: Model, techniques, and applications

IEEE Trans. Syst. Man Cybern.

Blockchain-enabled authentication handover with efficient privacy protection in SDN-based 5G networks

IEEE Trans. Netw. Sci. Eng.

Factors influencing cryptocurrency prices: Evidence from bitcoin, ethereum, dash, litcoin, and monero

J. Econ. Financ. Anal.

Ethereum: A secure decentralised generalised transaction ledger

Ethereum Proj. Yellow Pap.

Crypto-mining application fingerprinting method

An energy-efficient SDN controller architecture for IoT networks with blockchain-based security

IEEE Trans. Serv. Comput.

Decentralized authentication of distributed patients in hospital networks using blockchain

IEEE J. Biomed. Health Inf.

Majority is not enough: Bitcoin mining is vulnerable

Commun. ACM

Digging into browser-based crypto mining

Crypto mining attacks in information systems: an emerging threat to cyber security

J. Comput. Inf. Syst.

Towards secure software-defined networking integrated cyber-physical systems: Attacks and countermeasures

An improved communications in cyber physical system architecture, protocols and applications

A blockchain framework for securing connected and autonomous vehicles

Sensors