TY - JOUR
T1 - Cryptomining makes noise
T2 - Detecting cryptojacking via Machine Learning
AU - Caprolu, Maurantonio
AU - Raponi, Simone
AU - Oligeri, Gabriele
AU - Di Pietro, Roberto
N1 - Funding Information:
This publication was partially supported by awards NPRP11S-0109-180242, NPRP12S-0125-190013, and NPRP12C-0814-190012 from the QNRF-Qatar National Research Fund, a member of The Qatar Foundation, and by award HU.BW.723008.S077.HBKU (Innovation - Cycle 1) from Hamad Bin Khalifa University. The information and views set out in this publication are those of the authors and do not necessarily reflect the official opinion of the QNRF. The authors would like to thank the anonymous reviewers and the AE who, with their insightful comments, helped increase the quality of the paper. Open Access funding provided by the Qatar National Library.
Publisher Copyright:
© 2021 The Author(s)
PY - 2021/4/1
Y1 - 2021/4/1
N2 - Cryptojacking occurs when an adversary illicitly runs crypto-mining software on the devices of unaware users. This attack, which is emerging both in the literature and in the wild, has proved very effective given how easy it is to run a crypto-client on a target device. Several countermeasures have recently been proposed, with different features and performance, but all characterized by a host-based architecture. These solutions, designed to protect the individual user, are not suitable for efficiently protecting a corporate network, especially against insiders. In this paper, we propose a network-based approach to detect and identify crypto-client activity by relying solely on network traffic, even when it is encrypted and mixed with benign traces. First, we provide a detailed analysis of real network traces generated by three major cryptocurrencies, Bitcoin, Monero, and Bytecoin, considering both plain traffic and traffic tunneled through a VPN. Then, we propose Crypto-Aegis, a Machine Learning (ML) based framework built on the results of our investigation and aimed at detecting cryptocurrency-related activities, e.g., pool mining, solo mining, and active full nodes. Our solution achieves an F1-score of 0.96 and a ROC AUC of 0.99, while enjoying further properties such as device and infrastructure independence. Given the extent and novelty of the addressed threat, we believe that our approach, supported by these results, paves the way for further research in this area.
AB - Cryptojacking occurs when an adversary illicitly runs crypto-mining software on the devices of unaware users. This attack, which is emerging both in the literature and in the wild, has proved very effective given how easy it is to run a crypto-client on a target device. Several countermeasures have recently been proposed, with different features and performance, but all characterized by a host-based architecture. These solutions, designed to protect the individual user, are not suitable for efficiently protecting a corporate network, especially against insiders. In this paper, we propose a network-based approach to detect and identify crypto-client activity by relying solely on network traffic, even when it is encrypted and mixed with benign traces. First, we provide a detailed analysis of real network traces generated by three major cryptocurrencies, Bitcoin, Monero, and Bytecoin, considering both plain traffic and traffic tunneled through a VPN. Then, we propose Crypto-Aegis, a Machine Learning (ML) based framework built on the results of our investigation and aimed at detecting cryptocurrency-related activities, e.g., pool mining, solo mining, and active full nodes. Our solution achieves an F1-score of 0.96 and a ROC AUC of 0.99, while enjoying further properties such as device and infrastructure independence. Given the extent and novelty of the addressed threat, we believe that our approach, supported by these results, paves the way for further research in this area.
KW - Blockchain
KW - Cryptocurrencies
KW - Cryptojacking
KW - Machine Learning
KW - Network traffic analysis
KW - Security
UR - http://www.scopus.com/inward/record.url?scp=85101812007&partnerID=8YFLogxK
U2 - 10.1016/j.comcom.2021.02.016
DO - 10.1016/j.comcom.2021.02.016
M3 - Article
AN - SCOPUS:85101812007
SN - 0140-3664
VL - 171
SP - 126
EP - 139
JO - Computer Communications
JF - Computer Communications
ER -