3 research outputs found

    Detecting cryptocurrency miners with NetFlow/IPFIX network measurements

    In the last few years, cryptocurrency mining has become an increasingly important part of Internet activity and nowadays even has a noticeable impact on the global economy. This has motivated the emergence of a new malicious activity called cryptojacking, which consists of compromising other machines connected to the Internet and leveraging their resources to mine cryptocurrencies. In this context, it is of particular interest for network administrators to detect possible cryptocurrency miners that use network resources without permission. Currently, it is possible to detect them using IP address lists of known mining pools, by processing information from DNS traffic, or by directly performing Deep Packet Inspection (DPI) over all the traffic. However, all these methods are still ineffective at detecting miners that use unknown mining servers, or are too expensive to deploy in real-world networks with large traffic volumes. In this paper, we present a machine learning-based method able to detect cryptocurrency miners using NetFlow/IPFIX network measurements. Our method does not require inspecting the packets' payload; as a result, it achieves cost-efficient miner detection with accuracy similar to that of DPI-based techniques.

    This work has been supported by the Spanish MINECO under contract TEC2017-90034-C2-1-R (ALLIANCE). Peer reviewed. Postprint (author's final draft).
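The abstract above only states that flow records suffice to separate miners from other traffic without payload inspection. The following is an added example, not the paper's code or feature set: it constructs a handful of NetFlow/IPFIX-style bidirectional flow records, derives four payload-free features from the counters every exporter reports (duration, bytes per packet, packets per second and directional symmetry) and trains a tiny nearest-centroid classifier on them. The flow values, the feature choice and the classifier are all assumptions; the paper's actual model is not reproduced here.

```python
"""Flow-level miner detection, as an added example (not the paper's code).

Everything here is an assumption chosen to show the idea: the flow records
are constructed, the four features are a plausible subset, and the
nearest-centroid classifier stands in for whatever model the paper trains.
The point it demonstrates is that Stratum-style pool traffic (long-lived,
low-rate, small, symmetric packet exchanges) separates from bulk web
traffic on flow statistics alone, with no payload inspection.
"""
from dataclasses import dataclass
from math import sqrt
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """A bidirectional flow summary as an exporter would report it (constructed)."""
    src: str
    dst: str
    dport: int
    duration_s: float    # last packet time minus first packet time
    packets: int         # packets src -> dst
    octets: int          # bytes src -> dst
    rev_packets: int     # packets dst -> src (reverse flow record)
    rev_octets: int      # bytes dst -> src


FEATURES = ("duration_s", "bytes_per_pkt", "pkts_per_s", "symmetry")


def features(f: Flow) -> dict:
    """Payload-free features computed from counters every NetFlow/IPFIX record carries."""
    pkts = f.packets + f.rev_packets
    octets = f.octets + f.rev_octets
    return {
        "duration_s": f.duration_s,
        "bytes_per_pkt": octets / max(pkts, 1),
        "pkts_per_s": pkts / max(f.duration_s, 1e-3),
        # 1.0 when both directions carry the same packet count, near 0 for one-way bulk
        "symmetry": min(f.packets, f.rev_packets) / max(f.packets, f.rev_packets, 1),
    }


class NearestCentroid:
    """Tiny stand-in classifier: z-score each feature, then pick the closest class mean."""

    def __init__(self):
        self.mu, self.sigma, self.centroids = {}, {}, {}

    def _z(self, v: dict) -> list:
        return [(v[k] - self.mu[k]) / self.sigma[k] for k in FEATURES]

    def fit(self, flows, labels):
        vecs = [features(f) for f in flows]
        for k in FEATURES:
            col = [v[k] for v in vecs]
            self.mu[k] = mean(col)
            self.sigma[k] = pstdev(col) or 1.0   # guard against zero-variance features
        for lbl in set(labels):
            members = [self._z(v) for v, l in zip(vecs, labels) if l == lbl]
            self.centroids[lbl] = [mean(dim) for dim in zip(*members)]
        return self

    def predict(self, flow: Flow) -> str:
        z = self._z(features(flow))

        def dist(c):
            return sqrt(sum((a - b) ** 2 for a, b in zip(z, c)))

        return min(self.centroids, key=lambda lbl: dist(self.centroids[lbl]))


# Constructed labelled flows: two pool sessions, two HTTPS page loads, one bulk download.
TRAINING_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 3333, 3600, 720, 72000, 700, 91000),
    Flow("10.0.0.6", "203.0.113.11", 4444, 2400, 480, 50000, 470, 60000),
    Flow("10.0.0.7", "198.51.100.20", 443, 1.5, 25, 4000, 30, 45000),
    Flow("10.0.0.8", "198.51.100.21", 443, 3.0, 40, 6000, 60, 120000),
    Flow("10.0.0.9", "198.51.100.22", 443, 60, 3000, 150000, 50000, 70000000),
]
LABELS = ["miner", "miner", "benign", "benign", "benign"]


def build_model() -> NearestCentroid:
    """Fit the stand-in classifier on the constructed training flows."""
    return NearestCentroid().fit(TRAINING_FLOWS, LABELS)


if __name__ == "__main__":
    model = build_model()
    for f in (Flow("10.0.0.20", "192.0.2.50", 3333, 1800, 360, 38000, 350, 45000),
              Flow("10.0.0.21", "198.51.100.30", 443, 2.0, 30, 5000, 45, 80000)):
        print(f.src, "->", f.dst, f.dport, model.predict(f))
```

Because nothing here reads the payload, a pool session behind TLS or a non-standard port keeps the same flow shape and is still caught. The caveat a practitioner should keep in mind is the converse: other long-lived, low-rate, symmetric sessions (SSH keepalives, MQTT, chat clients) look similar on these four features, so a real deployment needs more features, a properly labelled training set and a review step before blocking.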

    Analysis of Suricata Intrusion Detection Prevention System (IDPS) Rules for Detecting and Blocking Crypto Mining Activity on a Network (original title: Analisis Rules Intrusion Detection Prevention System (IDPS) Suricata untuk Mendeteksi dan Menangkal Aktivitas Crypto Mining pada Jaringan)

    Information technology is developing very rapidly, in particular in the financial sector, in this case cryptocurrencies. One way to obtain cryptocurrency assets is to mine them. This can motivate attackers to build malicious applications that are planted on a company's or institution's servers and made to carry out cryptocurrency mining. The network security of an institution or company must therefore apply additional protection, in this case an Intrusion Detection Prevention System (IDPS), used to detect and block malicious activity on the network, one kind of which is cryptocurrency mining. One IDPS application that can be deployed on an institution's or company's network is Suricata. This study analyses Suricata IDPS rules for detecting and blocking cryptocurrency mining activity on a network. Two kinds of simulation were carried out, comparing the default rules with custom rules written to detect and block the mining of 10 cryptocurrencies: Ethereum (ETH), Conflux (CFX), Bitcoin Gold (BTG), Ethereum Classic (ETC), Monero (XMR), TON, AION, Zcash (ZEC), FLUX and Raven (RVN). The analysis covers the calculation of accuracy, precision, recall and F-measure. The results show that the custom rules written and deployed to detect and block cryptocurrency mining activity improve on Suricata's default rules by 0.2% in accuracy, 48.94% in recall and 32.39% in F-measure.
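The abstract reports that custom Suricata rules raised recall and F-measure over the default set, but does not show what such rules match on or how the scores are computed. The following is an added example, not the study's rules, traffic or numbers: it keeps two assumed rules in Suricata syntax for reference, re-implements the `content`/`nocase` semantics in Python so it can run offline, and scores a narrow "default" set against a broader "custom" set over constructed client-to-server payloads. The method names (`mining.subscribe`, `mining.authorize`, `mining.submit`, `eth_submitLogin`, `eth_getWork`, the CryptoNote `login` object with an `agent` field) are the public JSON-RPC identifiers of the Stratum v1, Ethereum-stratum and CryptoNote pool dialects; the wallet, worker and agent values are placeholders.

```python
"""Stratum content rules and rule-set scoring, as an added example.

Not the study's rules or data. SURICATA_RULES is assumed rule text in Suricata
syntax kept for reference only; the Python below re-implements the same
content semantics (every `content` string must occur in the payload,
case-insensitively) so the scoring runs without an IDS. All payloads are
constructed; WALLET, worker names and agents are placeholders.
"""

SURICATA_RULES = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Stratum v1 subscribe"; flow:established,to_server; content:"mining.subscribe"; nocase; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CryptoNote login with agent"; flow:established,to_server; content:"|22|login|22|"; content:"|22|agent|22|"; distance:0; nocase; sid:9000002; rev:1;)
'''

# "default" mimics a narrow stock signature; "custom" adds the other pool dialects.
RULESETS = {
    "default": [("Stratum v1 subscribe", ["mining.subscribe"])],
    "custom": [
        ("Stratum v1 subscribe", ["mining.subscribe"]),
        ("Stratum v1 authorize", ["mining.authorize"]),
        ("Stratum v1 submit", ["mining.submit"]),
        ("Ethereum stratum login", ["eth_submitLogin"]),
        ("Ethereum getWork", ["eth_getWork"]),
        ("CryptoNote login with agent", ['"login"', '"agent"']),
    ],
}

# Constructed client->server payloads with ground truth (True = mining traffic).
SAMPLES = [
    ('{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5"]}', True),
    ('{"id":2,"method":"mining.authorize","params":["WALLET.worker1","x"]}', True),
    ('{"id":1,"jsonrpc":"2.0","method":"eth_submitLogin","params":["0xWALLET"]}', True),
    ('{"id":2,"jsonrpc":"2.0","method":"eth_getWork","params":[]}', True),
    ('{"id":1,"method":"login","params":{"login":"WALLET","pass":"x","agent":"XMRig/6.0"}}', True),
    ('{"id":1,"method":"login","params":{"login":"WALLET","pass":"x"}}', True),   # no agent field
    ('{"id":3,"method":"mining.submit","params":["worker1","job7","nonce"]}', True),
    ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n", False),
    ('{"jsonrpc":"2.0","id":4,"method":"textDocument/hover","params":{}}', False),
    ('POST /api/session HTTP/1.1\r\n\r\n{"login":"alice","agent":"Mozilla/5.0"}', False),
    ("SSH-2.0-OpenSSH_9.2\r\n", False),
    ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n", False),
]


def fired_rules(payload: str, ruleset: str) -> list:
    """Names of rules whose content strings all occur in the payload (nocase semantics)."""
    hay = payload.lower()
    return [name for name, contents in RULESETS[ruleset]
            if all(c.lower() in hay for c in contents)]


def evaluate(ruleset: str) -> dict:
    """Confusion counts plus accuracy, precision, recall and F-measure for one rule set."""
    tp = fp = fn = tn = 0
    for payload, is_mining in SAMPLES:
        alerted = bool(fired_rules(payload, ruleset))
        if alerted and is_mining:
            tp += 1
        elif alerted:
            fp += 1
        elif is_mining:
            fn += 1
        else:
            tn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "accuracy": (tp + tn) / len(SAMPLES),
            "precision": precision, "recall": recall, "f_measure": f}


if __name__ == "__main__":
    for name in RULESETS:
        print(name, evaluate(name))
```

On these samples the default set is precise but misses every non-Stratum-v1 dialect, which is exactly the recall gap the abstract describes; the custom set recovers most of it at the cost of one false positive (a web API body that happens to carry `"login"` and `"agent"` keys) and still misses a CryptoNote login without an `agent` field. Two caveats apply to any content rule: it sees nothing once the pool connection is wrapped in TLS, and matching bare field names without anchoring them to the JSON-RPC `method` key is what produces the false positive shown here.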

    Detection of cryptocurrency mining malware from network measurements

    Currently cryptocurrencies play an important role in our society. Their popularity has increased hugely in recent years and, consequently, they have attracted the attention of a significant segment of the population, which frequently sees in the mining of these cryptographic currencies a new opportunity to earn money. However, this has brought a new scenario in which some people use hijacked resources to mine for their own profit. In this context, it is crucial to detect when a host is infected by malware that mines cryptocurrency without permission. Nowadays, there are some approaches to this problem: checking the content of each packet (DPI), blocking connections to known pools, analysing memory consumption, or installing anti-malware software. Nevertheless, these solutions may be quite expensive in terms of resources and money. Additionally, they may require a significant modification of the network, or they may be inaccurate in several cases. For this reason, in this project I propose a system based on three different machine learning algorithms, where each one explores a specific feature of this kind of malware in order to detect it. The first one uses NetFlow measurements, the second one uses DNS queries to detect connections to pools, and the last one again uses DNS queries, but in order to detect connections to malicious domains that ma
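The second component described above, and the DNS-based approach the first abstract lists among existing methods, both rest on recognising pool hostnames in DNS queries. The following is an added example, not the project's code: it parses constructed query-log lines, matches each name against a stand-in known-pool suffix list with label-aligned suffix matching, falls back to an assumed hostname-token heuristic for pools that are not on the list, and issues a per-client verdict. The log format, the suffix list (placeholder domains under `.example` and `.test`) and the token set are all assumptions.

```python
"""DNS-based pool detection, as an added example (not the project's code).

The query-log lines and the known-pool suffix list are constructed (placeholder
domains under .example and .test); POOL_TOKENS is an assumed heuristic for
pools that are not on the list. Per-client verdicts: "miner" on any known-pool
match, "suspicious" on two or more distinct heuristic hits, "clean" otherwise.
"""
import re
from collections import defaultdict

# Constructed log format: "<timestamp> <client-ip> <qtype> <qname>"
DNS_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 A xmr-eu1.pool.example
2024-05-01T10:00:05Z 10.0.0.5 A stratum.cfx-pool.test
2024-05-01T10:00:09Z 10.0.0.5 A api.github.com
2024-05-01T10:01:00Z 10.0.0.7 A www.swimming-pool.example
2024-05-01T10:01:02Z 10.0.0.7 A cdn.example.org
2024-05-01T10:02:00Z 10.0.0.9 AAAA stratum-eu.fastrigs.test
2024-05-01T10:02:30Z 10.0.0.9 A xmr.fastrigs.test
2024-05-01T10:03:00Z 10.0.0.11 A mail.example.com
"""

KNOWN_POOL_SUFFIXES = {"pool.example", "cfx-pool.test"}   # stand-in blocklist
POOL_TOKENS = {"stratum", "pool", "pools", "mining", "miner", "xmr", "monero"}


def parse_line(line: str):
    """Split one constructed log line; qnames are lower-cased and the root dot dropped."""
    ts, client, qtype, qname = line.split()
    return ts, client, qtype, qname.lower().rstrip(".")


def classify_qname(qname: str):
    """('known', suffix), ('heuristic', token) or None.

    Suffix matching is label-aligned, so 'swimming-pool.example' does not match
    the blocklisted 'pool.example'; it can only trigger the weaker token heuristic.
    """
    for suffix in KNOWN_POOL_SUFFIXES:
        if qname == suffix or qname.endswith("." + suffix):
            return "known", suffix
    tokens = {t for t in re.split(r"[^a-z]+", qname) if t}
    hit = tokens & POOL_TOKENS
    if hit:
        return "heuristic", sorted(hit)[0]
    return None


def analyse(log: str) -> dict:
    """Per-client evidence and verdict over a whole query log."""
    evidence = defaultdict(lambda: {"known": set(), "heuristic": set()})
    for line in log.splitlines():
        if not line.strip():
            continue
        _, client, _, qname = parse_line(line)
        ev = evidence[client]            # register the client even if nothing matches
        c = classify_qname(qname)
        if c:
            ev[c[0]].add(qname)
    report = {}
    for client, ev in evidence.items():
        if ev["known"]:
            verdict = "miner"
        elif len(ev["heuristic"]) >= 2:
            verdict = "suspicious"
        else:
            verdict = "clean"
        report[client] = {"verdict": verdict,
                          "known": sorted(ev["known"]),
                          "heuristic": sorted(ev["heuristic"])}
    return report


if __name__ == "__main__":
    for client, r in analyse(DNS_LOG).items():
        print(client, r["verdict"], r["known"], r["heuristic"])
```

The two-tier verdict is the practical point: a blocklist hit is strong evidence, a single suggestive token is not (here `www.swimming-pool.example` stays clean), and repeated distinct heuristic hits from one client are worth a look because they are how a pool absent from every list still surfaces. DNS evidence disappears entirely when the miner is configured with a raw pool IP address or resolves over DNS-over-HTTPS, which is why the project pairs it with the NetFlow-based component.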