DNS based In-Browser Cryptojacking Detection
Rohit Kumar Sachan, Rachit Agarwal, Sandeep Kumar Shukla

TL;DR
This paper presents a machine learning-based approach to detect in-browser cryptojacking using domain name metadata, temporal, and graph features, achieving moderate detection performance and highlighting the need for improved features.
Contribution
It introduces a novel feature set combining temporal, graph, and string-based features for cryptojacking detection and evaluates their effectiveness with ML algorithms.
Findings
DecisionTree achieved 59.5% recall in detection.
K-Means clustering with K=2 performed best among unsupervised methods.
Minimal divergence found between cryptojacking and known malicious DNs.
Abstract
The metadata aspect of Domain Names (DNs) enables us to perform a behavioral study of DNs and detect if a DN is involved in in-browser cryptojacking. Thus, we are motivated to study different temporal and behavioral aspects of DNs involved in cryptojacking. We use temporal features such as query frequency and query burst, along with graph-based features such as degree and diameter, and non-temporal features such as string-based ones, to detect if a DN is suspected of being involved in in-browser cryptojacking. Then, we use them to train Machine Learning (ML) algorithms over different temporal granularities, such as 2-hour datasets and the complete dataset. Our results show that the DecisionTrees classifier performs the best with 59.5% Recall on cryptojacked DNs, while for unsupervised learning, K-Means with K=2 performs the best. Similarity analysis of the features reveals a minimal divergence…
Taxonomy
Topics: Advanced Malware Detection Techniques · Internet Traffic Analysis and Secure E-voting · Spam and Phishing Detection
