CryptoGuard: Lightweight Hybrid Detection and Response to Host-based Cryptojackers in Linux Cloud Environments
Gyeonghoon Park, Jaehan Kim, Jinu Choi, Jinwoo Kim

TL;DR
CryptoGuard is a lightweight, hybrid detection and remediation system for host-based cryptojackers in Linux cloud environments, combining efficient syscall monitoring, deep learning, and eBPF-based actions to achieve high accuracy with minimal overhead.
Contribution
CryptoGuard introduces a scalable, hybrid approach that integrates deep learning and eBPF-based remediation to effectively detect and counter cryptojackers with low false positives and overhead.
Findings
Achieves average F1-scores of 96.12% and 92.26% in its two detection phases.
Outperforms state-of-the-art baselines in detection accuracy.
Incurs only 0.06% CPU overhead per host.
Abstract
Host-based cryptomining malware, commonly known as cryptojackers, have gained notoriety for their stealth and the significant financial losses they cause in Linux-based cloud environments. Existing solutions often struggle with scalability due to high monitoring overhead, low detection accuracy against obfuscated behavior, and lack of integrated remediation. We present CryptoGuard, a lightweight hybrid solution that combines detection and remediation strategies to counter cryptojackers. To ensure scalability, CryptoGuard uses sketch- and sliding window-based syscall monitoring to collect behavior patterns with minimal overhead. It decomposes the classification task into a two-phase process, leveraging deep learning models to identify suspicious activity with high precision. To counter evasion techniques such as entry point poisoning and PID manipulation, CryptoGuard integrates targeted…
