DOI: 10.1145/3545948.3545973
research-article

CJ-Sniffer: Measurement and Content-Agnostic Detection of Cryptojacking Traffic

Published: 26 October 2022

Abstract

With the continuous appreciation of cryptocurrency, cryptojacking, the act by which computing resources are stolen to mine cryptocurrencies, is becoming more rampant. In this paper, we conduct a measurement study on cryptojacking network traffic and propose CryptoJacking-Sniffer (CJ-Sniffer), an easily deployable, privacy-aware approach to protecting all devices within a network against cryptojacking. Compared with existing approaches that suffer from privacy concerns or high overhead, CJ-Sniffer only needs to access anonymized, content-agnostic metadata of network traffic from the gateway of the network to efficiently detect cryptojacking traffic. In particular, while cryptojacking traffic is also cryptocurrency mining traffic, CJ-Sniffer is the first approach to distinguishing cryptojacking traffic from user-initiated cryptocurrency mining traffic, making it possible to only filter cryptojacking traffic, rather than blindly filtering all cryptocurrency mining traffic as commonly practiced. After constructing a statistical model to identify all the cryptocurrency mining traffic, CJ-Sniffer extracts variation vectors from packet intervals and utilizes a long short-term memory (LSTM) network to further identify cryptojacking traffic. We evaluated CJ-Sniffer with a packet-level cryptomining dataset. Our evaluation results demonstrate that CJ-Sniffer achieves an accuracy of over 99% with reasonable delays.

Cited By

  • (2024) Extending C2 Traffic Detection Methodologies: From TLS 1.2 to TLS 1.3-enabled Malware. Proceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses, pp. 181-196. DOI: 10.1145/3678890.3678921. Online publication date: 30-Sep-2024
  • (2024) Analyzing In-Browser Cryptojacking. IEEE Transactions on Dependable and Secure Computing 21:6, pp. 5448-5460. DOI: 10.1109/TDSC.2024.3377533. Online publication date: Nov-2024
  • (2023) Container Orchestration Honeypot: Observing Attacks in the Wild. Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, pp. 381-396. DOI: 10.1145/3607199.3607205. Online publication date: 16-Oct-2023

Published In

RAID '22: Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses
October 2022
536 pages
ISBN:9781450397049
DOI:10.1145/3545948

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. anomaly detection
  2. cryptocurrency
  3. cryptojacking
  4. cryptomining
  5. network traffic analysis

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Funding Sources

  • Ripple

Conference

RAID 2022

Acceptance Rates

Overall Acceptance Rate 43 of 173 submissions, 25%

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (last 12 months): 91
  • Downloads (last 6 weeks): 1

Reflects downloads up to 17 Feb 2025.

Citations

  • (2023) Under the Dark: A Systematical Study of Stealthy Mining Pools (Ab)use in the Wild. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp. 326-340. DOI: 10.1145/3576915.3616677. Online publication date: 15-Nov-2023
  • (2023) Detecting Cryptomining Traffic Over an Encrypted Proxy Based on K-S Test. ICC 2023 - IEEE International Conference on Communications, pp. 3787-3792. DOI: 10.1109/ICC45041.2023.10279537. Online publication date: 28-May-2023
  • (2023) SoK: Pragmatic Assessment of Machine Learning for Network Intrusion Detection. 2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P), pp. 592-614. DOI: 10.1109/EuroSP57164.2023.00042. Online publication date: Jul-2023
  • (2023) A Systematic Literature Review of Machine Learning Approaches for In-Browser Cryptojacking Detection. 2023 7th Cyber Security in Networking Conference (CSNet), pp. 102-108. DOI: 10.1109/CSNet59123.2023.10339740. Online publication date: 16-Oct-2023
