Article

A Cross-Stack Approach Towards Defending Against Cryptojacking


Abstract

Cryptocurrencies are revolutionizing the way we conduct everyday business. Unfortunately, cybercriminals have harnessed this technology for making profit through cryptojacking, the act of maliciously appropriating computational resources for mining cryptocurrencies. In this work, we explore a general solution for detecting cryptojacking attacks irrespective of the application type. We propose an end-to-end detection solution that leverages lightweight microarchitectural changes designed to track instructions that are commonly used in hash algorithms. An evaluation of our implementation shows negligible performance overhead while testing across a mix of workloads from the SPEC 2006 benchmarks.


... Lachtar et al. [7] investigate a cross-platform, generic approach to identifying cryptojacking attempts. We present an end-to-end detection approach that makes use of subtle modifications to the microarchitecture to monitor instructions often employed by hash algorithms. ...
... Overfitting impedes the model's ability to generalize to novel input. The computing time required for training and inference by DNNs may not match real-time requirements, especially in systems that demand instant response, although they can be successful at spotting patterns suggestive of cyber threats [7,15,27-29]. ...
Article
Full-text available
Bitcoin exchange security is crucial because of MEC's widespread use. Cryptojacking has compromised MEC app security and bitcoin exchange ecosystem functionality. This paper proposes a cutting-edge neural network and AdaHessian optimization technique for cryptojacking prediction and defense. We provide a cutting-edge deep neural network (DNN) cryptojacking attack prediction approach employing pruning, post-training quantization, and AdaHessian optimization. To solve these problems, this paper applies pruning, post-training quantization, and AdaHessian optimization. A new framework for quick DNN training utilizing AdaHessian optimization can detect cryptojacking attempts with reduced computational cost. Pruning and post-training quantization improve the model for low-CPU on-edge devices. The proposed approach drastically decreases model parameters without affecting cryptojacking attack prediction. The model has Recall 98.72%, Precision 98.91%, F1-Score 99.09%, MSE 0.0140, RMSE 0.0137, and MAE 0.0139. Our solution beats state-of-the-art approaches in precision, computational efficiency, and resource consumption, allowing more realistic, trustworthy, and cost-effective machine learning models. We address increasing cybersecurity issues holistically by completing the DNN optimization-security loop. Securing Crypto Exchange Operations delivers scalable and efficient cryptojacking protection, improving machine learning, cybersecurity, and network management.
... Dwork and Naor [9] suggested the use of proof-of-work (PoW) schema to mitigate the proliferation of spam emails: a computation stamp is required to obtain a service; in the context of emails, the service can be the forwarding of a message. In general, PoW is a form of cryptographic proof in which one party (the prover) proves to others (the verifiers) that a certain amount of a specific computational effort has been expended; verifiers can subsequently confirm this expenditure with minimal effort on their part [10]. PoW schema are dissymmetric in favor of the verifier: the computation is moderately hard for the prover, while it is easy for a verifier to check a given solution. ...
... Leaves of a tree are defined inductively. (Figure 7 caption: T is such that label(v, T) = order(v, T) for all v ∈ nodes(T). Its array representation is [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15].) A hash tree, or Merkle tree, is a tree in which every leaf is labeled with the hash value of a data block, and every internal node is labeled with the hash value of the labels of its child nodes. ...
Article
Full-text available
Client puzzle protocols are widely adopted mechanisms for defending against resource exhaustion denial-of-service (DoS) attacks. Among the simplest puzzles used by such protocols, there are cryptographic challenges requiring the finding of hash values with some required properties. However, by the way hash functions are designed, predicting the difficulty of finding hash values with non-trivial properties is impossible. This is the main limitation of simple proof-of-work (PoW) algorithms, such as hashcash. We propose a new data structure combining hashcash and Merkle trees, also known as hash trees. In the proposed data structure, called hashcash tree, all hash values are required to start with a given number of zeros (as for hashcash), and hash values of internal nodes are obtained by hashing the hash values of child nodes (as for hash trees). The client is forced to compute all hash values, but only those in the path from a leaf to the root are required by the server to verify the proof of work. The proposed client puzzle is implemented and evaluated empirically to show that the difficulty of puzzles can be accurately controlled.
... To address the cryptojacking issue, solutions like AI-based classifiers, and security and encryption mechanisms are proposed [6]. Recent studies suggest the use of end-to-end cross-stack lightweight hashing [7], which is designed to thwart cryptojacking injection, blockchain-based cryptojacking detection [8], and a lightweight IoT cryptojacking mechanism for in-browser and host-based systems [9]. Cryptojacking behavior and pattern detection require AI classifiers. ...
Conference Paper
The paper presents a scheme, Quant-Jack, which employs Quantum Machine Learning (QML) to combat the cryptojacking threat in Industrial Internet-of-Things (IIoT) networks. We propose a dual-layered QML architecture, based on Quantum Neural Networks (QNN) architecture. The first layer is the QNN detection layer that operates via a weighted sum approach on time, frequency, and network traffic. The problem is modeled as multi-objective optimization, which is solved by an iterative Quantum Approximate Optimization Algorithm (QAOA). At the QML filtration layer, a Quantum Metric (QM) is computed that filters anomalies based on specified thresholds. For performance evaluation, the CSE-CIC-IDS 2018 benchmark dataset is augmented with live IIoT data. The performance is simulated for model parameters like convergence rate, attack detection time, network throughput utilization, and other metrics like precision, recall, and F1-score. For 60 nodes, the measured throughput is 11.84 KBps, which is an average improvement of 23.44% compared to baseline quantum models. The QNN model has an accuracy of 0.97 in classifying malign and benign requests, which indicates the efficacy of the proposed scheme against classical security designs.
... Rajba et al. [23] presented an analysis highlighting the limitations of web cryptojacking detection methods. Lachtar et al. [15] discussed a cross-stack approach to defending against cryptojacking. Research Gap. ...
Preprint
Full-text available
This paper conducts a comprehensive examination of the infrastructure supporting cryptojacking operations. The analysis elucidates the methodologies, frameworks, and technologies malicious entities employ to misuse computational resources for unauthorized cryptocurrency mining. The investigation focuses on identifying websites serving as platforms for cryptojacking activities. A dataset of 887 websites, previously identified as cryptojacking sites, was compiled and analyzed to categorize the attacks and malicious activities observed. The study further delves into the DNS IP addresses, registrars, and name servers associated with hosting these websites to understand their structure and components. Various malware and illicit activities linked to these sites were identified, indicating the presence of unauthorized cryptocurrency mining via compromised sites. The findings highlight the vulnerability of website infrastructures to cryptojacking.
... Dwork and Naor [9] proposed the use of proof-of-work (PoW) mechanisms to contrast the proliferation of spam emails, requiring a computational stamp to access a service, for example, forwarding a message in the case of emails. PoW, a cryptographic proof method, entails one party (the prover) demonstrating to others (the verifiers) that a specified computational effort has been expended, which verifiers can subsequently validate with minimal effort on their part [10]. While PoW schemes are asymmetrical in favor of verifiers, posing moderate computational challenges for provers but facilitating easy solution verification, when applied to DoS mitigation, clients act as provers seeking access to a service while servers serve as verifiers providing the required service. ...
Article
Full-text available
Denial of Service (DoS) attacks remain a persistent threat to online systems, necessitating continual innovation in defense mechanisms. In this work, we present an improved algorithm for mitigating DoS attacks through the augmentation of client puzzle protocols. Building upon the foundation of hashcash trees, a recently proposed data structure combining hashcash and Merkle trees, we introduce a new version of the data structure that enhances resistance against parallel computation (a common tactic employed by attackers). By incorporating the labels of children and the next node in a breadth-first traversal into the hash function, we establish a sequential processing order that inhibits parallel node evaluation. The added dependency on the next node significantly elevates the complexity of constructing hashcash trees, introducing a linear number of synchronization points and fortifying resilience against potential attacks. Empirical evaluation demonstrates the efficacy of our approach, showcasing its ability to accurately control puzzle difficulty while bolstering system security against DoS threats.
... This ended up attracting cybercriminals who began practicing cryptojacking, the theft of computational power for mining cryptocurrencies [3,4]. This type of attack has occurred in several forms, from the creation of infected forks of popular projects on Git platforms, the inclusion of malicious software in mobile app stores, the provision of infected container images, or even the injection of malicious scripts into websites so that, when visited, they exploit the processing power on the client side [5,6]. ...
Conference Paper
Full-text available
This study explores the surge in cryptojacking due to the widespread popularity of cryptocurrencies. With a focus on safeguarding users against unauthorized cryptocurrency mining, the article evaluates five browser extensions. Moreover, a bot was developed that can analyze infected sites, generating a final list that was then tested with the extensions to compare their performance. Additionally, the study produces an updated list of infected sites by processing URLs from two distinct databases. The bots enable testing with different databases, facilitating the assessment of various protection tools against cryptojacking.
... When the client side starts step CHK-CS of the protocol to see if a pre-image for the target hash was found, as a part of this step it must investigate whether the server indeed exhausted the agreed search space and performed |DS| hashing operations. To confirm this, the client relies on proof of work, which is a concept where a prover demonstrates to a verifier that a certain amount of a computational effort has been expended in a specified interval of time [45]. In the case of 3PC the client knows that approximately r candidates must be returned based on the formula $\frac{|X_\upsilon| \cdot |DS|}{|\Sigma^l|} \approx r$, where $P_\upsilon(x) = 1$ must be satisfied for all hash digests. ...
Article
Using the computational resources of an untrusted third party to crack a password hash can pose a high number of privacy and security risks. The act of revealing the hash digest could in itself negatively impact both the data subject who created the password, and the data controller who stores the hash digest. This paper solves this currently open problem by presenting a Privacy-Preserving Password Cracking protocol (3PC), that prevents the third party cracking server from learning any useful information about the hash digest, or the recovered cleartext. This is achieved by a tailored anonymity set of decoy hashes, based on the concept of predicate encryption, where we extend the definition of a predicate function, to evaluate the output of a one way hash function. The probabilistic information the server obtains during the cracking process can be calculated and minimized to a desired level. While in theory, cracking more hashes would introduce additional overhead, the 3PC protocol enables constant-time lookup regardless of the list size, limited by the input/output operation per second (IOPS) capabilities of the third-party server, allowing the protocol to scale efficiently. We demonstrate these claims both theoretically and in practice, with a real-life use case implemented on an FPGA architecture.
... Proof of Work is a popular type of consensus mechanism in which one node proves to the other node that they spent computational power to solve problems [1]. The idea was invented by Moni Naor and Cynthia Dwork in 1993, and later used by Bitcoin as their consensus mechanism to prevent problems such as decentralization. ...
Article
Full-text available
As approaching the era of Ethereum 2.0, the already unique and innovative cryptocurrency will witness a game-changing upgrade, and in this context, there is a lively discussion of the Proof of Work (PoW) and Proof of Stake (PoS) consensus mechanism. Moving from a PoW consensus mechanism to a PoS consensus mechanism is one of the most anticipated changes in this update. A close comparison of the two most popular consensus mechanisms, PoW and PoS, provides some strengths and drawbacks to these mechanisms. This comparison then becomes the building block to identifying the reasons behind Ethereum's upgrade to Proof of Stake. With the help of the comparison, this paper identifies a few drawbacks of the PoW consensus mechanism that Ethereum is currently facing. This paper finds that Ethereum's shift to PoS has indeed reduced the drawbacks of the Proof of Work consensus mechanism, mainly in terms of energy consumption, transaction cost, and confirmation speed.
... On the other hand, the work from (Lachtar et al. 2020) proposes a generic method of preventing/detecting cryptojacking irrespective of the type of application. They systematically present a low overhead, cross stack solution that works by studying a limited number of common instructions in cryptographic hash functions and evaluates their suitability for cryptojacking detection. ...
Article
Full-text available
With the continued growth and popularity of blockchain-based cryptocurrencies there is a parallel growth in illegal mining to earn cryptocurrency. Since mining for cryptocurrencies requires high computational resources, malicious actors have resorted to using malicious file downloads and other methods to illegally use a victim's system to mine for cryptocurrency without them knowing. This process is known as host-based cryptojacking and is gradually becoming one of the most popular cyberthreats in recent years. There are some proposed traditional machine learning methods to detect host-based cryptojacking but only a few have proposed using deep-learning models for detection. This paper presents a novel approach, dubbed CryptoJackingModel. This approach is a deep-learning host-based cryptojacking detection model that will effectively detect evolving host-based cryptojacking techniques and reduce false positives and false negatives. The approach has an overall accuracy of 98% on a dataset of 129,380 samples and a low performance overhead making it highly scalable. This approach will be an improvement of current countermeasures for detecting, mitigating, and preventing cryptojacking.
... When the client side starts step CHK-CS of the protocol to see if a pre-image for the target hash was found, as a part of this step it must investigate whether the server indeed exhausted the agreed search space and performed |DS| hashing operations. To confirm this, the client relies on proof of work, which is a concept where a prover demonstrates to a verifier that a certain amount of a computational effort has been expended in a specified interval of time [49]. In the case of 3PC the client knows that approximately r candidates must be returned based on the formula $\frac{|X_\upsilon| \cdot |DS|}{|\Sigma^l|} \approx r$, where $P_\upsilon(x) = 1$ must be satisfied for all hash digests. ...
Preprint
Full-text available
Using the computational resources of an untrusted third party to crack a password hash can pose a high number of privacy and security risks. The act of revealing the hash digest could in itself negatively impact both the data subject who created the password, and the data controller who stores the hash digest. This paper solves this currently open problem by presenting a Privacy-Preserving Password Cracking protocol (3PC), that prevents the third party cracking server from learning any useful information about the hash digest, or the recovered cleartext. This is achieved by a tailored anonymity set of decoy hashes, based on the concept of predicate encryption, where we extend the definition of a predicate function, to evaluate the output of a one way hash function. The protocol allows the client to maintain plausible deniability where the real choice of hash digest cannot be proved, even by the client itself. The probabilistic information the server obtains during the cracking process can be calculated and minimized to a desired level. While in theory cracking a larger set of hashes would decrease computational speed, the 3PC protocol provides constant-time lookup on an arbitrary list size, bounded by the input/output operation per second (IOPS) capabilities of the third party server, thereby allowing the protocol to scale efficiently. We demonstrate these claims both theoretically and in practice, with a real-life use case implemented on an FPGA architecture.
... Hence, a significantly large portion of detection techniques focuses on dynamic analysis to create cryptojacking-specific signatures based on their execution behaviors. The most common dynamic analysis technique is to leverage several CPU utilization metrics such as CPU instructions [18], CPU usage [20], Hardware Performance Counters (HPCs) [10], and so on. These techniques demonstrated that both in-browser and host-based cryptojacking malware samples can be detected with high accuracy when the detection mechanisms are integrated with advanced machine learning (ML) algorithms. ...
... This approach analyzes the execution of a program in a secure environment such as a virtual machine or a sandbox environment. This technique also uses monitoring tools in order to monitor and determine the behaviors of a program and decide if the program is malicious or benign based on its behaviors [140], [141]. This technique allows the vehicle to detect malware without relying on off-board systems, even with zero-day malware that has never been seen before [142]. ...
Article
Full-text available
Recent years have led the path to the evolution of automotive technology and with these new developments, modern vehicles are getting increasingly astute and offering growing quantities of innovative applications that cover various functionalities. These functionalities are controlled by hundreds of Electronic Control Units (ECUs) which are connected to each other via the Control Area Network (CAN) bus. Although ECUs are designed to offer various amenities that are associated with modern vehicles including comfort, such features expose new attack surfaces that can be harnessed by attackers. This trend is exacerbated by the fact that many of these ECUs rely on wireless communication for interacting with the outside world. Therefore, making them vulnerable to common threats such as malware injection that can compromise the overall security of modern vehicles. In this paper, we provide a detailed description of the architecture associated with intelligent vehicles, and identify various security issues and vulnerabilities that impact such systems. We provide an overview of different malware types and the vectors of attacks they leverage for infecting modern vehicles. This work also presents a detailed survey of available defenses against such attacks including: signature, behavior, heuristic, cloud, and machine learning-based detection measures. Furthermore, this paper intends to assist researchers in becoming familiar with the available defenses and how they can be applied to secure intelligent vehicles against emerging malware threats that can compromise the security of today’s vehicles. It also provides future directions for researchers who are interested in developing new defenses that can safeguard intelligent vehicles systems against malware attacks.
... On the other hand, many detection mechanisms have been proposed [113], [115]-[119], [121], [132], [138] using dynamic features. The most commonly used dynamic features in these studies are as follows: • CPU Events [113], [115]-[117], [123], [124], [130], [133]-[135], [138]: CPU events are the most commonly used features among the dynamic analysis-based detection mechanisms because in-browser cryptojacking scripts have to fetch the CPU instructions to perform the mining, independent of the used hardware. If an in-browser operation uses cryptographic libraries too frequently, which is abnormal for regular websites, it can be directly detected by CPU instructions. ...
Preprint
Emerging blockchain and cryptocurrency-based technologies are redefining the way we conduct business in cyberspace. Today, a myriad of blockchain and cryptocurrency systems, applications, and technologies are widely available to companies, end-users, and even malicious actors who want to exploit the computational resources of regular users through cryptojacking malware. Especially with ready-to-use mining scripts easily provided by service providers (e.g., Coinhive) and untraceable cryptocurrencies (e.g., Monero), cryptojacking malware has become an indispensable tool for attackers. Indeed, the banking industry, major commercial websites, government and military servers (e.g., US Dept. of Defense), online video sharing platforms (e.g., Youtube), gaming platforms (e.g., Nintendo), critical infrastructure resources (e.g., routers), and even recently widely popular remote video conferencing/meeting programs (e.g., Zoom during the Covid-19 pandemic) have all been the victims of powerful cryptojacking malware campaigns. Nonetheless, existing detection methods such as browser extensions that protect users with blacklist methods or antivirus programs with different analysis methods can only provide a partial panacea to this emerging cryptojacking issue as the attackers can easily bypass them by using obfuscation techniques or changing their domains or scripts frequently. Therefore, many studies in the literature proposed cryptojacking malware detection methods using various dynamic/behavioral features.
Chapter
A crypto-jacking attack is a type of resource spying in which a crypto-currency mining script is run by the attacker on the victim's machine to profit. Since 2017 it has been widely used and was previously the most serious threat to network security. Because the number of malicious actors has increased, there is a recent increase in the value of cryptocurrencies. The availability of bit-coin mining software has grown significantly. Mining for crypto-currency has a high inclination to spread. Malware can unintentionally use resources, harm interests, and cause further genuine damage to assets. Learning and identifying new malware have the traits of still being unique and self-sufficient, and they cannot be acquired adaptively in order to overcome the aforementioned concerns. Recently, other countermeasures have been introduced, each with its own set of features and performance, but each with its unique design. In order to increase the profitability of crypto-jacking, attackers are expanding their reach to browsers, network devices, and even Internet of Things (IoT) devices. Browsers, for example, are a particularly enticing target for attackers looking to obtain sensitive data from victims. The listed methods are intended to safeguard the individual user, network, and outsiders, particularly against insiders. The novelty of the paper is that a comprehensive overview of bitcoin along with crypto-jacking malware detection is presented in order to analyze various types of systems based on behaviour-based, host-based, network flow-based, and other methods. The main aim of the analysis is based on the supervised and unsupervised machine learning algorithms and other algorithms used in the detection of crypto-jacking malware.
In the proposed paper, a combination of the decision tree method (based on Behaviour, Executable) and the crying jackpot method (based on Host, Network) are examined to classify which type of crypto-jacking attack takes place within the target victim. The uniqueness of the paper is informative with real-world applications for malware recognition and malware categorization to detect a crypto-jacking attack.
Keywords: Crypto-jacking, Behaviour-based, Host-based, Network-based, Crypto-currency
Conference Paper
Full-text available
Nowadays, Docker Containers are currently being adopted as industry standards for software delivery, because they provide quick and responsive delivery and handle performance and scalability challenges. However, attackers are exploiting them to introduce malicious instructions in publicly available images to perform unauthorized use of third-party’s computer resources for Cryptojacking. We developed a machine learning based model to detect Docker images that lead to cryptojacking. The dataset used is composed of 800 Docker images collected from Docker hub, half of which contains instructions for cryptomining, and the other half does not contain such instructions. We trained 10 classification algorithms and evaluated them using the K-Fold Cross Validation approach. The results showed accuracy scores ranging from 89% to 97%. Stochastic Gradient Descent for Logistic Regression outperformed the other algorithms reaching an accuracy score of 97%. With these results, we conclude that machine learning algorithms can detect Docker images carrying cryptojacking malware with a good performance.
Thesis
Full-text available
The anonymous Bitcoin inventor Satoshi Nakamoto provided an explanation of how the distributed peer-to-peer linked-structure of the blockchain technology may be utilized to address the problems of double-spending and maintaining the sequence of transactions almost ten years ago (Nakamoto, 2008). In order to arrange transactions, Bitcoin groups them into blocks with the same date and a set size. The network's nodes (miners) must connect the blocks in order to create a blockchain, with each block including the hash of the block before it (Crosby et al., 2016). The blockchain architecture can thus store an accurate and traceable ledger among all transactions. Since its emergence as a public, decentralized, and trustless ledger for digital currency, the blockchain technology has garnered significant adoption in a diverse range of industries. Blockchain is a type of data storage technique which renders it difficult or not possible to change, hack, or cheat the system. A blockchain is basically a collection of computer systems that keeps multiple copies of each transaction in a distributed digital ledger. Every time a new transaction occurs on the blockchain, a recording of it is added to each participant's ledger, and each block on the chain consists of a number of transactions. Distributed Ledger Technology (DLT) refers to the decentralized database that is governed by numerous users. Blockchain is a network of decentralized, distributed blocks used to store the information with digital signatures. Transactions are more secure and tamper-proof because of the characteristics of blockchain, notably decentralization, immutability, transparency, and auditability. Blockchain technology has applications outside of cryptocurrencies, including risk assessment, healthcare services, and financial and social operations. Numerous studies have focused on the potential that blockchain technology offers in numerous application domains.
This thesis paper compares several consensus techniques, describes the taxonomy and architecture of blockchain, and covers obstacles including scalability, privacy, interoperability, energy consumption, and regulatory issues. First of all, this paper opens with an introduction including the statement and significance, operational definitions, and the objectives and scope. Secondly, the paper describes the literature review, including definitions of blockchain technology, the topology of blockchain, concepts and architectural roots of blockchain, the theories, and the evolution of blockchain. Thirdly, the research methodology, including the methods used to build a blockchain such as Proof-of-Work, Proof-of-Stake, Proof-of-Authority, etc. This part also includes the use cases of blockchain and data analysis with blockchain statistical reports. Fourthly, the most important part is building a blockchain using Docker, Geth, and Ubuntu (WSL for Windows). This part includes how to build one's own blockchain, execute consensus mechanisms, and deploy the smart contract. Lastly, the conclusion includes a discussion of the research findings and policy recommendations.
Chapter
More than 2000 different cryptocurrencies are currently available in business and FinTech applications. Cryptocurrency is a digital payment system that does not rely on banks to verify their financial transactions and can enable anyone anywhere to send and receive their payments. Crypto mining attracts investors to mine and gets some coins as a reward for using the cryptocurrency. However, hackers can exploit the computing power without the explicit authorization of a user by launching a cryptojacking attack and then using it to mine cryptocurrency. The detection and protection of cryptojacking attacks are essential, and thus, miners are continuously working to find innovative ways to overcome this issue. This chapter provides an overview of the cryptojacking landscape. It offers recommendations to guide researchers and practitioners to overcome the identified challenges faced while realizing a mitigation strategy to combat cryptojacking malware attacks.
Conference Paper
The popularity of cryptocurrencies has garnered interest from cybercriminals, spurring an onslaught of cryptojacking campaigns that aim to hijack computational resources for the purpose of mining cryptocurrencies. In this paper, we present a cross-stack cryptojacking defense system that spans the hardware and OS layers. Unlike prior work that is confined to detecting cryptojacking behavior within web browsers, our solution is application agnostic. We show that tracking instructions that are frequently used in cryptographic hash functions serves as a reliable signature for fingerprinting cryptojacking activity. We demonstrate that our solution is resilient to multi-threaded and throttling evasion techniques that are commonly employed by cryptojacking malware. We characterize the robustness of our solution by extensively testing a diverse set of workloads that include real consumer applications. Finally, an evaluation of our proof-of-concept implementation shows minimal performance impact while running a mix of benchmark applications.
Conference Paper
Full-text available
The ever-increasing prevalence of malware has led to the explorations of various detection mechanisms. Several recent works propose to use Hardware Performance Counters (HPCs) values with machine learning classification models for malware detection. HPCs are hardware units that record low-level micro-architectural behavior, such as cache hits/misses, branch (mis)prediction, and load/store operations. However, this information does not reliably capture the nature of the application, i.e. whether it is benign or malicious. In this paper, we claim and experimentally support that using the micro-architectural level information obtained from HPCs cannot distinguish between benignware and malware. We evaluate the fidelity of malware detection using HPCs. We perform quantitative analysis using Principal Component Analysis (PCA) to systematically select micro-architectural events that have the most predictive powers. We then run 1,924 programs, 962 benignware and 962 malware, on our experimental setups. We achieve 83.39%, 84.84%, 83.59%, 75.01%, 78.75%, and 14.32% F1-score (a metric of detection rates) of Decision Tree (DT), Random Forest (RF), K Nearest Neighbors (KNN), Adaboost, Neural Net (NN), and Naive Bayes, respectively. We cross-validate our models 1,000 times to show the distributions of detection rates in various models. Our cross-validation analysis shows that many of the experiments produce low F1-scores. The F1-score of models in DT, RF, KNN, Adaboost, NN, and Naive Bayes is 80.22%, 81.29%, 80.22%, 70.32%, 35.66%, and 9.903%, respectively. To further highlight the incapability of malware detection using HPCs, we show that one benignware (Notepad++) infused with malware (ransomware) cannot be detected by HPC-based malware detection.
Conference Paper
Full-text available
Recent work demonstrated hardware-based online malware detection using only low-level features. This detector is envisioned as a first line of defense that prioritizes the application of more expensive and more accurate software detectors. Critical to such a framework is the detection performance of the hardware detector. In this paper, we explore the use of both specialized detectors and ensemble learning techniques to improve performance of the hardware detector. The proposed detectors reduce the false positive rate by more than half compared to a single detector, while increasing the detection rate. We also contribute approximate metrics to quantify the detection overhead, and show that the proposed detectors achieve more than 11x reduction in overhead compared to a software only detector (1.87x compared to prior work), while improving detection time. Finally, we characterize the hardware complexity by extending an open core and synthesizing it on an FPGA platform, showing that the overhead is minimal.
Conference Paper
Full-text available
The proliferation of computers in any domain is followed by the proliferation of malware in that domain. Systems, including the latest mobile platforms, are laden with viruses, rootkits, spyware, adware and other classes of malware. Despite the existence of anti-virus software, malware threats persist and are growing as there exist a myriad of ways to subvert anti-virus (AV) software. In fact, attackers today exploit bugs in the AV software to break into systems. In this paper, we examine the feasibility of building a malware detector in hardware using existing performance counters. We find that data from performance counters can be used to identify malware and that our detection techniques are robust to minor variations in malware programs. As a result, after examining a small set of variations within a family of malware on Android ARM and Intel Linux platforms, we can detect many variations within that family. Further, our proposed hardware modifications allow the malware detector to run securely beneath the system software, thus setting the stage for AV implementations that are simpler and less buggy than software AV. Combined, the robustness and security of hardware AV techniques have the potential to advance state-of-the-art online malware detection.
Conference Paper
In-browser cryptojacking is a form of resource abuse that leverages end-users' machines to mine cryptocurrency without obtaining the users' consent. In this paper, we design, implement, and evaluate Outguard, an automated cryptojacking detection system. We construct a large ground-truth dataset, extract several features using an instrumented web browser, and ultimately select seven distinctive features that are used to build an SVM classification model. Outguard achieves a 97.9% TPR and 1.1% FPR and is reasonably tolerant to adversarial evasions. We utilized Outguard in the wild by deploying it across the Alexa Top 1M websites and found 6,302 cryptojacking sites, of which 3,600 are new detections that were absent from the training data. These cryptojacking sites paint a broad picture of the cryptojacking ecosystem, with particular emphasis on the prevalence of cryptojacking websites and the shared infrastructure that provides clues to the operators behind the cryptojacking phenomenon.
Conference Paper
As a new mechanism to monetize web content, cryptocurrency mining is becoming increasingly popular. The idea is simple: a webpage delivers an extra workload (JavaScript) that consumes computational resources on the client machine to solve cryptographic puzzles, typically without notifying users or obtaining explicit user consent. This new mechanism, often heavily abused and thus considered a threat termed "cryptojacking", is estimated to affect over 10 million web users every month; however, only a few anecdotal reports exist so far and little is known about its severity, infrastructure, and technical characteristics behind the scenes. This is likely due to the lack of effective approaches to detect cryptojacking at large scale (e.g., VirusTotal). In this paper, we take a first step towards an in-depth study of cryptojacking. By leveraging a set of inherent characteristics of cryptojacking scripts, we build CMTracker, a behavior-based detector with two runtime profilers for automatically tracking Cryptocurrency Mining scripts and their related domains. Surprisingly, our approach successfully discovered 2,770 unique cryptojacking samples from 853,936 popular web pages, including 868 among the top 100K in the Alexa list. Leveraging these samples, we gain a more comprehensive picture of cryptojacking attacks, including their impact, distribution mechanisms, obfuscation, and attempts to evade detection. For instance, a diverse set of organizations benefit from cryptojacking, based on the unique wallet IDs. In addition, to stay under the radar, they frequently update their attack domains (fast flux) on the order of days. Many attackers also apply evasion techniques, including limiting CPU usage, obfuscating the code, etc.