Detecting Cryptomining Malware: a Deep Learning Approach for Static and Dynamic Analysis

Abstract

Cryptomining malware (also referred to as cryptojacking) has changed the cyber threat landscape. Such malware exploits the victim’s CPU or GPU resources with the aim of generating cryptocurrency. In this paper, we study the potential of using deep learning techniques to detect cryptomining malware by utilizing both static and dynamic analysis approaches. To facilitate dynamic analysis, we establish an environment to capture the system call events of 1500 Portable Executable (PE) samples of the cryptomining malware. We also demonstrate how one can perform static analysis of PE files’ opcode sequences. In our study, we evaluate the performance of using Long Short-Term Memory (LSTM), Attention-based LSTM (ATT-LSTM), and Convolutional Neural Networks (CNN) on our sequential data (opcodes and system call invocations) for classification by a Softmax function. We achieve an accuracy rate of 95% in the static analysis and an accuracy rate of 99% in the dynamic analysis.



Acknowledgements

The authors thank the anonymous reviewers and the handling editor for providing constructive feedback.


Corresponding author

Correspondence to Sattar Hashemi.


Cite this article

Darabian, H., Homayounoot, S., Dehghantanha, A. et al. Detecting Cryptomining Malware: a Deep Learning Approach for Static and Dynamic Analysis. J Grid Computing 18, 293–303 (2020). https://doi.org/10.1007/s10723-020-09510-6


Keywords

  • CryptoMining malware
  • Deep learning
  • Static analysis
  • Dynamic analysis