Behavior-Based Detection of GPU Cryptojacking

TL;DR

This paper presents a new detection method for GPU cryptojacking that analyzes GPU load and RAM consumption, achieving an 80% detection rate with a 20% false positive rate in controlled tests.

Contribution

It introduces a novel exposure mechanism based on GPU load and memory usage for detecting GPU cryptojacking, and develops a prototype decision tree classifier.

Findings

80% detection rate in controlled environment

20% false positive rate on legitimate GPU applications

Effective detection of browser-based and host-based cryptojacking

Abstract

With the surge in blockchain-based cryptocurrencies, illegal mining for cryptocurrency has become a popular cyberthreat. Host-based cryptojacking, where malicious actors exploit victims systems to mine cryptocurrency without their knowledge, is on the rise. Regular cryptojacking is relatively well-known and well-studied threat, however, recently attackers started switching to GPU cryptojacking, which promises greater profits due to high GPU hash rates and lower detection chance. Additionally, GPU cryptojackers can easily propagate using, for example, modified graphic card drivers. This article considers question of GPU cryptojacking detection. First, we discuss brief history and definition of GPU cryptojacking as well as previous attempts to design a detection technique for such threats. We also propose complex exposure mechanism based on GPU load by an application and graphic card RAM consumption, which can be used to detect both browser-based and host-based cryptojacking samples. Then we design a prototype decision tree detection program based on our technique. It was tested in a controlled virtual machine environment with 80% successful detection rate against selected set of GPU cryptojacking samples and 20% false positive rate against selected number of legitimate GPU-heavy applications.