Skip to main content

MineCap: super incremental learning for detecting and blocking cryptocurrency mining on software-defined networking

A Correction to this article was published on 29 January 2020

This article has been updated


Covert mining of cryptocurrency implies the use of valuable computing resources and high energy consumption. In this paper, we propose MineCap, a dynamic online mechanism for detecting and blocking covert cryptocurrency mining flows, using machine learning on software-defined networking. The proposed mechanism relies on Spark Streaming for online processing of network flows, and, when identifying a mining flow, it requests the flow blocking to the network controller. We also propose a learning technique called super incremental learning, a variant of the super learner applied to online learning, which takes the classification probabilities of an ensemble of classifiers as features for an incremental learning classifier. Hence, we design an accurate mechanism to classify mining flows that learn with incoming data with an average of 98% accuracy, 99% precision, 97% sensitivity, and 99.9% specificity and avoid concept drift–related issues.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8

Change history

  • 29 January 2020

    The funding information in the original manuscript is incorrect, the correct information should be the below:


  1. 1.

    Available on

  2. 2.

    Available on

  3. 3.

    Available at

  4. 4.

    The mining traffic used to train the machine learning algorithms originates from the execution of the cpuminer and the xmrig mining applications.

  5. 5.

    Available at

  6. 6.

    The datasets are available upon email requests to the authors.

  7. 7.

    Available at

  8. 8.

    Available at


  1. 1.

    Ingols K (2009) Modeling modern network attacks and countermeasures using attack graphs. Computer security applications conference

  2. 2.

    Porras PA, Valdes A (2001) Network surveillance. US Patent 6,321,338

  3. 3.

    de Oliveira MT, Carrara GR, Fernandes NC, Albuquerque CVN, Carrano RC, de Medeiros DSV, Mattos DMF (2019) Towards a performance evaluation of private blockchain frameworks using a realistic workload. In: 2019 22nd conference on innovation in clouds, internet and networks and workshops (ICIN) Paris

  4. 4.

    Tahir R, Huzaifa M, Das A, Ahmad M, Gunter C, Zaffar F, Caesar M, Borisov N (2017) Mining on someone else’s dime: Mitigating covert mining operations in clouds and enterprises. In: International symposium on research in attacks, intrusions, and defenses. Springer, pp 287–310

  5. 5.

    Neto HNC, Fernandes NC, Mattos DMF (2019) Minecap: online detection and blocking of cryptocurrency mining on software-defined networking. In: 1st blockchain, robotics and AI for networking security conference. DNAC

  6. 6.

    Bannour F, Souihi S, Mellouk A (2018) Distributed SDN control: survey, taxonomy, and challenges. IEEE Communications Surveys Tutorials 20(1):333–354

    Article  Google Scholar 

  7. 7.

    Mattos DMF, Duarte OCMB, Pujolle G (2016) Reverse update: a consistent policy update scheme for software-defined networking. IEEE Commun Lett 20(5):886–889

    Article  Google Scholar 

  8. 8.

    Van der Laan MJ, Polley EC, Hubbard AE (2007) Super learner. Statistical Applications in Genetics and Molecular Biology 6(1)

  9. 9.

    Zaharia M, Xin RS, Wendell P, Das T, Armbrust M, Dave A, Meng X, Rosen J, Venkataraman S, Franklin MJ, et al. (2016) Apache spark: a unified engine for big data processing. Commun ACM 59 (11):56–65

    Article  Google Scholar 

  10. 10.

    Konoth RK, Vineti E, Moonsamy V, Lindorfer M, Kruegel C, Bos H, Vigna G (2018) Minesweeper: an in-depth look into drive-by cryptocurrency mining and its defense. In: Proceedings of the 2018 ACM SIGSAC conference on computer and communications security. ACM, pp 1714–1730

  11. 11.

    Wang W, Ferrell B, Xu X, Hamlen KW, Hao S (2018) Seismic: secure in-lined script monitors for interrupting cryptojacks. In: European symposium on research in computer security. Springer, pp 122–142

  12. 12.

    Sanz IJ, Mattos DMF, Duarte OCMB (2018) SFCPerf: An automatic performance evaluation framework for service function chaining. In: NOMS 2018 - 2018 IEEE/IFIP network operations and management symposium, pp 1–9

  13. 13.

    Carbone P, Ewen S, Haridi S, Katsifodimos A, Markl V, Tzoumas K (2015) Apache flink: unified stream and batch processing in a single engine. Data Engineering: 28–38

  14. 14.

    Andreoni Lopez M, Mattos DMF, Duarte OCMB, Pujolle G (2019) Toward a monitoring and threat detection system based on stream processing as a virtual network function for big data. Concurrency and Computation: Practice and Experience 31(20):e5344

    Article  Google Scholar 

  15. 15.

    Zaharia M, Das T, Li H, Shenker S, Stoica I (2012) Discretized streams: an efficient and fault-tolerant model for stream processing on large clusters. In: Proceedings of the 4th USENIX conference on Hot Topics in Cloud Ccomputing, pp 10–10

  16. 16.

    Fei-Fei L, Fergus R, Perona P (2007) Learning generative visual models from few training examples: an incremental bayesian approach tested on 101 object categories. Computer Vision and Image Understanding 106 (1):59–70. special issue on Generative Model Based Vision

    Article  Google Scholar 

  17. 17.

    Gama J, žliobaitė I, Bifet A, Pechenizkiy M, Bouchachia A (2014) A survey on concept drift adaptation. ACM computing surveys (CSUR) 46(4):44

    Article  Google Scholar 

  18. 18.

    Wang S, Minku LL, Ghezzi D, Caltabiano D, Tino P, Yao X (2013) Concept drift detection for online class imbalance learning. In: The 2013 Int joint conference on neural networks (IJCNN), pp 1–10

  19. 19.

    Polikar R, Upda L, Upda SS, Honavar V (2001) Learn++: an incremental learning algorithm for supervised neural networks. IEEE transactions on systems, man, and cybernetics, Part C (Applications and Reviews) 31(4):497–508

    Article  Google Scholar 

  20. 20.

    Lopez MA, Lobato AGP, Duarte OCMB (2016) A performance comparison of open-source stream processing platforms. In: 2016 IEEE Global Communications Conference (GLOBECOM), pp 1–6

  21. 21.

    OpenFlow Switch Specification Version 1.3.0 (Wire Protocol 0x04). The OpenFlow Consortium, Jun. 2012. [Online]. Available:

  22. 22.

    Luengo J, Fernández A, García S, Herrera F (2011) Addressing data complexity for imbalanced data sets: analysis of smote-based oversampling and evolutionary undersampling. Soft Comput 15(10):1909–1936

    Article  Google Scholar 

  23. 23.

    Pietraszek T, Tanner A (2005) Data mining and machine learning—towards reducing false positives in intrusion detection. Inf Sec Tech Rep 10(3):169–183

    Article  Google Scholar 

Download references


We would like to acknowledge CNPq, CAPES, FAPERJ, RNP, and the ANEEL’s R&D program (PD-07130-0053/2018) for the partial funding of this research.


We would like to acknowledge CNPq, CAPES, FAPERJ, and RNP for the partial funding of this research.

Author information



Corresponding author

Correspondence to Helio N. Cunha Neto.

Additional information

Publisher’s note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Neto, H.N.C., Lopez, M.A., Fernandes, N.C. et al. MineCap: super incremental learning for detecting and blocking cryptocurrency mining on software-defined networking. Ann. Telecommun. 75, 121–131 (2020).

Download citation


  • Cryptocurrency
  • Machine learning
  • SDN
  • Mining
  • Super learner
  • Incremental learning
  • Super incremental learning