Cryptomining Makes Noise: a Machine Learning Approach for Cryptojacking Detection
Maurantonio Caprolu, Simone Raponi, Gabriele Oligeri, Roberto Di Pietro

TL;DR
This paper introduces Crypto-Aegis, a network-based machine learning framework that effectively detects cryptojacking activities across devices and encrypted traffic, enhancing cybersecurity defenses against illicit crypto-mining.
Contribution
It presents a novel network traffic analysis and ML approach for cryptojacking detection, effective even with encrypted traffic, and evaluates it on real-world cryptocurrency network traces.
Findings
Achieved 0.96 F1-score and 0.99 AUC in detection accuracy.
Demonstrated device and infrastructure independence of the method.
Analyzed network traces of Bitcoin, Monero, and Bytecoin.
Abstract
A new cybersecurity attack, where an adversary illicitly runs crypto-mining software over the devices of unaware users, is emerging in both the literature and in the wild. This attack, known as cryptojacking, has proved to be very effective given the simplicity of running a crypto-client into a target device. Several countermeasures have recently been proposed, with different features and performance, but all characterized by a host-based architecture. This kind of solutions, designed to protect the individual user, are not suitable for efficiently protecting a corporate network, especially against insiders. In this paper, we propose a network-based approach to detect and identify crypto-clients activities by solely relying on the network traffic, even when encrypted. First, we provide a detailed analysis of the real network traces generated by three major cryptocurrencies, Bitcoin,…
