http://dx.doi.org/10.13089/JKIISC.2021.31.6.1105

Behavior and Script Similarity-Based Cryptojacking Detection Framework Using Machine Learning  

Lim, EunJi (Yonsei University)
Lee, EunYoung (Sungshin Women's University)
Lee, IlGu (Sungshin Women's University)
Abstract
Due to the recent surge in the popularity of cryptocurrency, the threat of cryptojacking, in which malicious code mines cryptocurrency, is increasing. In particular, web-based cryptojacking is easy to carry out: simply adding a mining script to a website lets an attacker mine cryptocurrency with a victim's PC resources as soon as the victim accesses the site. A cryptojacking attack causes poor performance and malfunction, and the overheating and aging caused by mining can also lead to hardware failure. Because it is difficult for victims to recognize the damage, research is needed to efficiently detect and block cryptojacking. In this work, we take representative, distinct symptoms of cryptojacking as indicators and propose a new architecture. For behavior-based dynamic analysis, we use a K-Nearest Neighbors (KNN) model trained on computer performance indicators. For script similarity-based static analysis, we use a K-means model trained on the word frequencies of malicious scripts. The KNN model had 99.6% accuracy, and the K-means model had a silhouette coefficient of 0.61 for normal clusters.
Keywords
Malware Detection; Machine Learning; Dynamic Analysis; Static Analysis; Cyber Security;