Mining on Someone Else’s Dime: Mitigating Covert Mining Operations in Clouds and Enterprises

  • Rashid TahirEmail author
  • Muhammad Huzaifa
  • Anupam Das
  • Mohammad Ahmad
  • Carl Gunter
  • Fareed Zaffar
  • Matthew Caesar
  • Nikita Borisov
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10453)


Covert cryptocurrency mining operations are causing notable losses to both cloud providers and enterprises. Increased power consumption resulting from constant CPU and GPU usage from mining, inflated cooling and electricity costs, and wastage of resources that could otherwise benefit legitimate users are some of the factors that contribute to these incurred losses. Affected organizations currently have no way of detecting these covert, and at times illegal miners and often discover the abuse when attackers have already fled and the damage is done.

In this paper, we present MineGuard, a tool that can detect mining behavior in real-time across pools of mining VMs or processes, and prevent abuse despite an active adversary trying to bypass the defenses. Our system employs hardware-assisted profiling to create discernible signatures for various mining algorithms and can accurately detect these, with negligible overhead (\({<}0.01\%\)), for both CPU and GPU-based miners. We empirically demonstrate the uniqueness of mining behavior and show the effectiveness of our mitigation approach(\({\approx }99.7\%\) detection rate). Furthermore, we characterize the noise introduced by virtualization and incorporate it into our detection mechanism making it highly robust. The design of MineGuard is both practical and usable and requires no modification to the core infrastructure of commercial clouds or enterprises.


Cryptocurrency Cloud abuse Hardware Performance Counters 

Supplementary material

440190_1_En_13_MOESM1_ESM.txt (1 kb)
Supplementary material 1 (txt 1 KB)


  1. 1.
    Bitcoin Anonymizer TOR Wallet.
  2. 2.
  3. 3.
    CUDA Toolkit Documentation.
  4. 4.
    Government employee caught mining using work supercomputer.
  5. 5.
    ABC employee caught mining for Bitcoins on company servers (2011).
  6. 6.
    Data Center Power and Cooling. CISCO White Paper (2011)Google Scholar
  7. 7.
    How to Get Rich on Bitcoin, By a System Administrator Who’s Secretly Growing Them On His School’s Computers (2011).
  8. 8.
    The ZeroAccess Botnet - Mining and Fraud for Massive Financial Gain (2012).
  9. 9.
    Online Thief Steals Amazon Account to Mine Litecoins in the Cloud (2013).
  10. 10.
    Harvard Research Computing Resources Misused for Dogecoin Mining Operation (2014).
  11. 11.
    How Hackers Hid a Money-Mining Botnet in the Clouds of Amazon and Others (2014).
  12. 12.
    List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses (2014).
  13. 13.
    Mobile Malware Mines Dogecoins and Litecoins for Bitcoin Payout (2014).
  14. 14.
    NAS device botnet mined $600,000 in Dogecoin over two months (2014).
  15. 15.
    US Government Bans Professor for Mining Bitcoin with A Supercomputer (2014).
  16. 16.
    Adobe Flash Player Exploit Could Be Used to Install BitCoinMiner Trojan (2015).
  17. 17.
    Cloud Mining Put to the Test- Is It Worth Your Money? (2015).
  18. 18.
    Developer Hit with $6,500 AWS Bill from Visual Studio Bug (2015).
  19. 19.
    Perf Tool Wiki (2015).
  20. 20.
    Standard Performance Evaluation Corporation (2015).
  21. 21.
    Trojan, C.: A Grave Threat to BitCoin Wallets (2016).
  22. 22.
    Crypto-Currency Market Capitalizations (2016).
  23. 23.
    Kraken Bitcoin Exchange (2016).
  24. 24.
    Linux. Lady. 1 Trojan Infects Redis Servers and Mines for Cryptocurrency (2016). url
  25. 25.
    Randomized Decision Trees: A Fast C++ Implementation of Random Forests (2016).
  26. 26.
    Student uses university computers to mine Dogecoin (2016).
  27. 27.
    Supplemental Terms and Conditions For Google Cloud Platform Free Trial (2017).
  28. 28.
    Akaike, H.: A new look at the statistical model identification. IEEE TAC 19 (1974)Google Scholar
  29. 29.
    Marosi, A.: Cryptomining malware on NAS servers (2016)Google Scholar
  30. 30.
    Baek, H.W., Srivastava, A., van der Merwe, J.E.: Cloudvmi: virtual machine introspection as a cloud service. In: 2014 IEEE International Conference on Cloud Engineering (2014)Google Scholar
  31. 31.
    Brown, G., Pocock, A.C., Zhao, M., Luján, M.: Conditional likelihood maximisation: a unifying framework for information theoretic feature selection. In: JMLR (2012)Google Scholar
  32. 32.
    Percival, C., Josefsson, S.: The Scrypt Password-Based Key Derivation Function. IETF (2012)Google Scholar
  33. 33.
    Che, S., et al.: Rodinia: A benchmark suite for heterogeneous computing. In: Proceedings of the 2009 IEEE International Symposium on Workload Characterization (2009)Google Scholar
  34. 34.
    Chiappetta, M., Savas, E., Yilmaz, C.: Real time detection of cache-based side-channel attacks using hardware performance counters. IACR Cryptol. ePrint Archive 2015, 1034 (2015)Google Scholar
  35. 35.
    Demme, J., Maycock, M., Schmitz, J., Tang, A., Waksman, A., Sethumadhavan, S., Stolfo, S.J.: On the feasibility of online malware detection with performance counters. In: The 40th Annual ISCA (2013)Google Scholar
  36. 36.
    Dinaburg, A., Royal, P., Sharif, M.I., Lee, W.: Ether: malware analysis via hardware virtualization extensions. In: ACM CCS (2008)Google Scholar
  37. 37.
    Ferdman, M., Adileh, A., Koçberber, Y.O., Volos, S., Alisafaee, M., Jevdjic, D., Kaynak, C., Popescu, A.D., Ailamaki, A., Falsafi, B.: Clearing the clouds: a study of emerging scale-out workloads on modern hardware. In: ASPLOS (2012)Google Scholar
  38. 38.
    Garcia-Serrano, A.: Anomaly detection for malware identification using hardware performance counters. CoRR (2015)Google Scholar
  39. 39.
    Huang, D.Y., Dharmdasani, H., Meiklejohn, S., Dave, V., Grier, C., McCoy, D., Savage, S., Weaver, N., Snoeren, A.C., Levchenko, K.: Botcoin: monetizing stolen cycles. In: NDSS (2014)Google Scholar
  40. 40.
    Idziorek, J., Tannian, M.: Exploiting cloud utility models for profit and ruin. In: IEEE CLOUD (2011)Google Scholar
  41. 41.
    Jiang, X., Wang, X., Xu, D.: Stealthy malware detection and monitoring through VMM-based “out-of-the-box” semantic view reconstruction. ACM Trans. Inf. Syst. Secur. 13(2), 12:1–12:28 (2010)Google Scholar
  42. 42.
    Lengyel, T.K., Neumann, J., Maresca, S., Payne, B.D., Kiayias, A.: Virtual machine introspection in a hybrid honeypot architecture. In: CSET (2012)Google Scholar
  43. 43.
    Mulazzani, M., Schrittwieser, S., Leithner, M., Huber, M., Weippl, E.R.: Dark clouds on the horizon: using cloud storage as attack vector and online slack space. In: 20th USENIX Security Symposium (2011)Google Scholar
  44. 44.
    National Science Foundation Office of Inspector General: SEMIANNUAL REPORT TO CONGRESS (2014)Google Scholar
  45. 45.
    Payne, B.D., Lee, W.: Secure and flexible monitoring of virtual machines. In: ACSAC (2007)Google Scholar
  46. 46.
    Sembrant, A.: Low Overhead Online Phase Predictor and Classifier. Master’s thesis, UPPSALA UNIVERSITET (2011)Google Scholar
  47. 47.
    Sokolova, M., Lapalme, G.: A systematic analysis of performance measures for classification tasks. Inf. Process. Manage. 45, 427–437 (2009)CrossRefGoogle Scholar
  48. 48.
    Srinivasan, J., Wei, W., Ma, X., Yu, T.: EMFS: email-based personal cloud storage. In: NAS (2011)Google Scholar
  49. 49.
    Stratton, J.A., et al.: Parboil: A revised benchmark suite for scientific and commercial throughput computing. In: IMPACT Technical report (2012)Google Scholar
  50. 50.
    Tang, A., Sethumadhavan, S., Stolfo, S.J.: Unsupervised anomaly-based malware detection using hardware features. In: Stavrou, A., Bos, H., Portokalidis, G. (eds.) RAID 2014. LNCS, vol. 8688, pp. 109–129. Springer, Cham (2014). doi: 10.1007/978-3-319-11379-1_6 Google Scholar
  51. 51.
    Tinedo, R.G., Artigas, M.S., López, P.G.: Cloud-as-a-gift: effectively exploiting personal cloud free accounts via REST apis. In: IEEE CLOUD (2013)Google Scholar
  52. 52.
    Vaquero, L.M., Rodero-Merino, L., Morán, D.: Locking the sky: a survey on IaaS cloud security. Computing 91(1), 93–118 (2011)Google Scholar
  53. 53.
    Wang, X., Karri, R.: Numchecker: detecting kernel control-flow modifying rootkits by using hardware performance counters. In: The 50th Annual DAC (2013)Google Scholar
  54. 54.
    Wang, X., Konstantinou, C., Maniatakos, M., Karri, R.: Confirm: Detecting firmware modifications in embedded systems using hardware performance counters. In: ICCAD (2015)Google Scholar
  55. 55.
    Yuan, L., Xing, W., Chen, H., Zang, B.: Security breaches as PMU deviation: detecting and identifying security attacks using performance counters. In: APSys (2011)Google Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Rashid Tahir
    • 1
    Email author
  • Muhammad Huzaifa
    • 1
  • Anupam Das
    • 2
  • Mohammad Ahmad
    • 1
  • Carl Gunter
    • 1
  • Fareed Zaffar
    • 3
  • Matthew Caesar
    • 1
  • Nikita Borisov
    • 1
  1. 1.University of Illinois Urbana-ChampaignUrbanaUSA
  2. 2.Carnegie Mellon UniversityPittsburghUSA
  3. 3.Lahore University of Management SciencesLahorePakistan

Personalised recommendations