Mining on Someone Else's Dime: Mitigating Covert Mining Operations in Clouds and Enterprises

@inproceedings{Tahir2017MiningOS,
  title={Mining on Someone Else's Dime: Mitigating Covert Mining Operations in Clouds and Enterprises},
  author={Rashid Tahir and Muhammad Huzaifa and Anupam Das and Mohammad Ahmad and Carl A. Gunter and Fareed Zaffar and Matthew C. Caesar and Nikita Borisov},
  booktitle={RAID},
  year={2017}
}
Covert cryptocurrency mining operations are causing notable losses to both cloud providers and enterprises. Increased power consumption resulting from constant CPU and GPU usage from mining, inflated cooling and electricity costs, and wastage of resources that could otherwise benefit legitimate users are some of the factors that contribute to these incurred losses. Affected organizations currently have no way of detecting these covert, and at times illegal miners and often discover the abuse… 

MineCap: super incremental learning for detecting and blocking cryptocurrency mining on software-defined networking

MineCap is proposed, a dynamic online mechanism for detecting and blocking covert cryptocurrency mining flows, using machine learning on software-defined networking and a learning technique called super incremental learning, a variant of the super learner applied to online learning.

Cryptomining Detection in Container Clouds Using System Calls and Explainable Machine Learning

The design and implementation of an ML-based detection system of anomalous pods in a Kubernetes cluster by monitoring Linux-kernel system calls (syscalls) and seven evaluation metrics are used to compare and contrast the explainable models of the proposed ML cryptomining detection engine.

Miners in the Cloud: Measuring and Analyzing Cryptocurrency Mining in Public Clouds

The mining pools presented in this dataset are predominantly used for mining Metaverse currencies, highlighting a shift in cryptocurrency use, and demonstrating the prevalence of mining using public clouds.

Detection of illicit cryptomining using network metadata

XMR-Ray, a machine learning detector using novel features based on reconstructing the Stratum protocol from raw NetFlow records is proposed, which demonstrates that it reliably detects previously unseen mining pools, is robust against common obfuscation techniques such as encryption and proxies, and is applicable to mining in the browser or by compiled binaries.

MineSweeper: An In-depth Look into Drive-by Cryptocurrency Mining and Its Defense

A comprehensive analysis on Alexa's Top 1 Million websites to shed light on the prevalence and profitability of drive-by mining, and presents MineSweeper, a novel detection technique that is based on the intrinsic characteristics of cryptomining code, and, thus, is resilient to obfuscation.

Malicious cryptocurrency miners: Status and Outlook

The evolution of the cryptocurrency market with many new cryptocurrencies that are still CPU minable and offer better privacy to criminals and have contributed to making mining malware attractive again -- with attackers generating a continuous stream of profit that in some cases may reach in the millions.

MinerRay: Semantics-Aware Analysis for Ever-Evolving Cryptojacking Detection

MinerRay is a generic scheme to detect malicious in-browser cryptominers and infers the essence of cryptomining behaviors that differentiate mining from common browser activities in both WebAssembly and JavaScript contexts, yielding more true positives, and fewer errors.

A First Look at the Crypto-Mining Malware Ecosystem: A Decade of Unrestricted Wealth

The largest measurement of crypto-mining malware to date is conducted, analyzing approximately 4.5 million malware samples over a period of twelve years from 2007 to 2019, showing that a high proportion of this ecosystem is supported by underground economies such as Pay-Per-Install services.

Robbery on DevOps: Understanding and Mitigating Illicit Cryptomining on Continuous Integration Service Platforms

A systematic study on real-world illicit cryptomining on public CI platforms, using a novel technique, called Cijitter, to strategically inject delays to the execution of a CI workflow to disproportionally penalize the mining jobs that need to work on a series of tasks under time constraints.

Detecting Covert Cryptomining using HPC

This paper presents a novel and efficient approach to detect covert cryptomining, which focuses on the core mining algorithms and utilizes Hardware Performance Counters (HPC) to create clean signatures that grasp the execution pattern of these algorithms on a processor.

References

SHOWING 1-10 OF 28 REFERENCES

Exploiting Cloud Utility Models for Profit and Ruin

An attack on the cloud computing model by which an attacker subtly exploits a fundamental vulnerability of current utility compute models over a sustained period of time is discussed.

Botcoin: Monetizing Stolen Cycles

This work conducts the first comprehensive study of Bitcoin mining malware, and deduces the amount of money a number of mining botnets have made by carefully reconstructing the Bitcoin transaction records.

Locking the sky: a survey on IaaS cloud security

The security risks that multitenancy induces to the most established clouds, Infrastructure as a service clouds, are analyzed and the literature available is reviewed to present the most relevant threats, state of the art of solutions that address some of the associated risks.

Security breaches as PMU deviation: detecting and identifying security attacks using performance counters

A prototype system called Eunomia is implemented, which is the first non-intrusive system that can detect emerging attacks based on return-oriented programming without any changes to applications (either source or binary code) or special-purpose hardware.

Anomaly Detection for malware identification using Hardware Performance Counters

An anomaly based method using the hardware performance counters (HPC) available in almost any modern computer architecture to detect new malware and APTs even if they are unknown.

Dark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space

It is shown that Dropbox is used to store copyright-protected files from a popular filesharing network and Dropbox can be exploited to hide files in the cloud with unlimited storage capacity, defined as online slack space.

Stealthy malware detection and monitoring through VMM-based “out-of-the-box” semantic view reconstruction

The design, implementation, and evaluation of VMwatcher are presented—an “out-of-the-box” approach that overcomes the semantic gap challenge and identifies three unique malware detection and monitoring capabilities.

Cloud-as-a-Gift: Effectively Exploiting Personal Cloud Free Accounts via REST APIs

How easy it is to implement a file-sharing application able to distribute digital content by abusing Personal Clouds is shown, which demonstrates that free accounts can be easily exploited to obtain a practical Cloud storage service, and therefore the potential impact of storage leeching.

Clearing the clouds: a study of emerging scale-out workloads on modern hardware

This work identifies the key micro-architectural needs of scale-out workloads, calling for a change in the trajectory of server processors that would lead to improved computational density and power efficiency in data centers.

Unsupervised Anomaly-Based Malware Detection Using Hardware Features

This work uses unsupervised machine learning to build profiles of normal program execution based on data from performance counters, and uses these profiles to detect significant deviations in program behavior that occur as a result of malware exploitation.