CJSpector: A Novel Cryptojacking Detection Method Using Hardware Trace and Deep Learning

Journal of Grid Computing

Abstract

With the increasing value of digital cryptocurrency in recent years, the digital cryptocurrency mining industry is becoming prosperous. However, this industry has also attracted adversaries who exploit users’ computers to mine cryptocurrency covertly. Many static and dynamic methods have been proposed to detect cryptojacking attacks, but the existing solutions still have limitations in terms of effectiveness, performance, and transparency. To address these issues, we present CJSpector, a novel hardware-based approach for cryptojacking detection. The method first leverages the Intel Processor Trace mechanism to collect the run-time control flow information of a web browser. Next, CJSpector applies two optimization approaches, based on library functionality and information gain, to preprocess the control flow information. Finally, it uses a Recurrent Neural Network (RNN) for cryptojacking detection. The evaluation shows that our method can detect in-browser covert cryptocurrency mining effectively and transparently with a small performance cost.

Data Availability Statement

The datasets generated and analysed during the current study are available from the corresponding author on reasonable request.

Acknowledgements

This work was supported in part by Strategic Priority Research Program of Chinese Academy of Sciences (No.XDC02010900), National Key Research and Development Program of China (No.2016QY04W0903), Beijing Municipal Science and Technology Commission (No.Z191100007119010) and National Natural Science Foundation of China (No.61772078 and No.61602035), CCF-NSFOCUS Kun-Peng Scientific Research Foundation, and Open Fund of Key Laboratory of Network Assessment Technology, Institute of Information Engineering, Chinese Academy of Sciences.

Author information

Corresponding author

Correspondence to Donghai Tian.

Ethics declarations

Conflict of Interests

The authors declare that they have no conflict of interest.

About this article

Cite this article

Ying, Q., Yu, Y., Tian, D. et al. CJSpector: A Novel Cryptojacking Detection Method Using Hardware Trace and Deep Learning. J Grid Computing 20, 31 (2022). https://doi.org/10.1007/s10723-022-09621-2

  • DOI: https://doi.org/10.1007/s10723-022-09621-2
