Detection of illicit cryptomining using network metadata
Abstract Illicit cryptocurrency mining has become one of the prevalent methods for monetization of computer security incidents. In this attack, victims’ computing resources are abused to mine cryptocurrency for the benefit of attackers. The most popular illicitly mined digital coin is Monero as it p...
Guardado en:
| Autores principales: | , , |
|---|---|
| Formato: | article |
| Lenguaje: | EN |
| Publicado: |
SpringerOpen
2021
|
| Materias: | |
| Acceso en línea: | https://doaj.org/article/58a39e89dfcc4878b72917f3919e8eda |
| Etiquetas: |
Agregar Etiqueta
Sin Etiquetas, Sea el primero en etiquetar este registro!
|
| id |
oai:doaj.org-article:58a39e89dfcc4878b72917f3919e8eda |
|---|---|
| record_format |
dspace |
| spelling |
oai:doaj.org-article:58a39e89dfcc4878b72917f3919e8eda2021-12-05T12:25:47ZDetection of illicit cryptomining using network metadata10.1186/s13635-021-00126-12510-523Xhttps://doaj.org/article/58a39e89dfcc4878b72917f3919e8eda2021-12-01T00:00:00Zhttps://doi.org/10.1186/s13635-021-00126-1https://doaj.org/toc/2510-523XAbstract Illicit cryptocurrency mining has become one of the prevalent methods for monetization of computer security incidents. In this attack, victims’ computing resources are abused to mine cryptocurrency for the benefit of attackers. The most popular illicitly mined digital coin is Monero as it provides strong anonymity and is efficiently mined on CPUs.Illicit mining crucially relies on communication between compromised systems and remote mining pools using the de facto standard protocol Stratum. While prior research primarily focused on endpoint-based detection of in-browser mining, in this paper, we address network-based detection of cryptomining malware in general. We propose XMR-Ray, a machine learning detector using novel features based on reconstructing the Stratum protocol from raw NetFlow records. Our detector is trained offline using only mining traffic and does not require privacy-sensitive normal network traffic, which facilitates its adoption and integration.In our experiments, XMR-Ray attained 98.94% detection rate at 0.05% false alarm rate, outperforming the closest competitor. Our evaluation furthermore demonstrates that it reliably detects previously unseen mining pools, is robust against common obfuscation techniques such as encryption and proxies, and is applicable to mining in the browser or by compiled binaries. Finally, by deploying our detector in a large university network, we show its effectiveness in protecting real-world systems.Michele RussoNedim ŠrndićPavel LaskovSpringerOpenarticleDetectionMalwareCryptominingMoneroNetFlowMachine learningComputer engineering. Computer hardwareTK7885-7895Electronic computers. Computer scienceQA75.5-76.95ENEURASIP Journal on Information Security, Vol 2021, Iss 1, Pp 1-20 (2021) |
| institution |
DOAJ |
| collection |
DOAJ |
| language |
EN |
| topic |
Detection Malware Cryptomining Monero NetFlow Machine learning Computer engineering. Computer hardware TK7885-7895 Electronic computers. Computer science QA75.5-76.95 |
| spellingShingle |
Detection Malware Cryptomining Monero NetFlow Machine learning Computer engineering. Computer hardware TK7885-7895 Electronic computers. Computer science QA75.5-76.95 Michele Russo Nedim Šrndić Pavel Laskov Detection of illicit cryptomining using network metadata |
| description |
Abstract Illicit cryptocurrency mining has become one of the prevalent methods for monetization of computer security incidents. In this attack, victims’ computing resources are abused to mine cryptocurrency for the benefit of attackers. The most popular illicitly mined digital coin is Monero as it provides strong anonymity and is efficiently mined on CPUs.Illicit mining crucially relies on communication between compromised systems and remote mining pools using the de facto standard protocol Stratum. While prior research primarily focused on endpoint-based detection of in-browser mining, in this paper, we address network-based detection of cryptomining malware in general. We propose XMR-Ray, a machine learning detector using novel features based on reconstructing the Stratum protocol from raw NetFlow records. Our detector is trained offline using only mining traffic and does not require privacy-sensitive normal network traffic, which facilitates its adoption and integration.In our experiments, XMR-Ray attained 98.94% detection rate at 0.05% false alarm rate, outperforming the closest competitor. Our evaluation furthermore demonstrates that it reliably detects previously unseen mining pools, is robust against common obfuscation techniques such as encryption and proxies, and is applicable to mining in the browser or by compiled binaries. Finally, by deploying our detector in a large university network, we show its effectiveness in protecting real-world systems. |
| format |
article |
| author |
Michele Russo Nedim Šrndić Pavel Laskov |
| author_facet |
Michele Russo Nedim Šrndić Pavel Laskov |
| author_sort |
Michele Russo |
| title |
Detection of illicit cryptomining using network metadata |
| title_short |
Detection of illicit cryptomining using network metadata |
| title_full |
Detection of illicit cryptomining using network metadata |
| title_fullStr |
Detection of illicit cryptomining using network metadata |
| title_full_unstemmed |
Detection of illicit cryptomining using network metadata |
| title_sort |
detection of illicit cryptomining using network metadata |
| publisher |
SpringerOpen |
| publishDate |
2021 |
| url |
https://doaj.org/article/58a39e89dfcc4878b72917f3919e8eda |
| work_keys_str_mv |
AT michelerusso detectionofillicitcryptominingusingnetworkmetadata AT nedimsrndic detectionofillicitcryptominingusingnetworkmetadata AT pavellaskov detectionofillicitcryptominingusingnetworkmetadata |
| _version_ |
1718371957766881280 |