
Research On Cryptojacking Behavior Identification Technology

Posted on: 2021-03-05
Degree: Master
Type: Thesis
Country: China
Candidate: J J Cui
GTID: 2518306050466684
Subject: Master of Engineering
Abstract/Summary:
With the development of Web technology, many website owners use web pages to mine cryptocurrency for profit. However, this form of income was quickly exploited by cyber attackers. To mine cryptocurrency and create grey income, attackers hijack the computational resources of website visitors by embedding mining code in web pages without the consent of the site owner. Since 2017, cryptojacking attacks have appeared on a large scale around the world, and websites large and small have become targets. However, most existing cryptojacking recognition techniques rely on blacklists and keyword matching, so they cannot detect mining attacks that use CPU thresholds, code obfuscation, or code hiding. For this reason, identifying cryptojacking effectively and accurately has become crucial. Considering the shortcomings of the existing detection methods, this thesis explores and analyzes the features of mining pages from the aspects of code logic, mining behavior and communication mechanism, and combines them with machine learning algorithms to identify web page mining behavior. The main work and innovations of this thesis are as follows:

(1) To address the high false-alarm rate and high missed-detection rate of traditional mining script recognition based on keyword matching, a rule-based mining script recognition model named FRSM is proposed. First, the JavaScript code embedded in the page source and the JavaScript files referenced from the local server and from remote servers are defined as valid web source code, which is used as the detection object. Second, the mining scripts of 13 different mining families are analyzed in depth to formulate the mining function rule set. Finally, the mining function rule set is matched against the valid source code of the page to identify any mining scripts in the web page and the mining family to which they belong. The experimental results show that the model can recognize mining scripts of 13 mining families with an accuracy of 99.85%.

(2) Because current mining behavior recognition methods use a single feature dimension and static analysis cannot effectively detect obfuscated mining scripts, a mining behavior recognition model named Mul-RF is proposed. This model extracts five features (hash function proportion sequence, number of threads, number of Wasm modules, number of WebSocket connections, and maximum frequency of function-call subsequences) from the three dimensions of mining algorithm, running behavior and network behavior, and trains a classification model using the random forest algorithm. The model was evaluated by simulation and comparison experiments, in which it showed 98.23% accuracy and 3.56% false positives.

(3) Because existing tools can only detect mining web pages and either have no defensive function or can only block access to the page, a real-time detection tool for web mining named No Miner is developed. First, a mining thread recognition model is trained by extracting mining thread features and applying the support vector machine algorithm. Second, the rule-based web mining script recognition model, the web mining behavior recognition model based on dynamic analysis, and the web mining thread recognition model are deployed into No Miner through TensorFlow.js to realize real-time detection of and defense against cryptojacking. When No Miner identifies cryptojacking, it automatically removes the mining script from the page and deactivates the mining threads, so that users can still access the page normally without being subjected to cryptojacking. With the tool installed in the Chrome browser, the actual results show that it can effectively identify and defend against cryptojacking attacks.
Keywords/Search Tags: Cryptojacking, Rule Matching, Behavior Analysis, Random Forest Algorithm, Support Vector Machine
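The detection flow described in item (1) of the abstract, sketched as an added example (this is not code from the thesis): collect the "valid web source code" of a page, then require every pattern of a family rule to match before flagging it. The thesis's actual rule set is not given on this page, so the rules, family names, URLs and sample page below are constructed assumptions.

```javascript
// Added example: rule matching over "valid web source code" (inline JS plus
// JS files referenced from the local or a remote server). The rule set, family
// names, URLs and sample page are constructed; `fetched` stands in for downloads.
const RULES = [
  { family: "family-A (hypothetical)",
    all: [/new\s+Worker\s*\(/, /WebAssembly\.instantiate/, /\bjob_id\b/, /\bnonce\b/] },
  { family: "family-B (hypothetical)",
    all: [/new\s+WebSocket\s*\(\s*["']wss?:/, /\bhashesPerSecond\b/, /\bthrottle\b/] },
];

// Collect every script the page would execute and label where it comes from
// relative to the page origin: inline, local server, or remote server.
function collectValidSource(html, pageUrl, fetched) {
  const units = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const m of html.matchAll(re)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (src) {
      const url = new URL(src[1], pageUrl);
      const origin = url.origin === new URL(pageUrl).origin ? "local" : "remote";
      units.push({ origin, url: url.href, code: fetched[url.href] || "" });
    } else if (m[2].trim()) {
      units.push({ origin: "inline", url: pageUrl, code: m[2] });
    }
  }
  return units;
}

// A unit matches a family only when every pattern of that family's rule hits,
// so a script that merely contains one mining-related word is not flagged.
function identifyMiners(units) {
  const hits = [];
  for (const u of units)
    for (const r of RULES)
      if (r.all.every((p) => p.test(u.code)))
        hits.push({ family: r.family, origin: u.origin, url: u.url });
  return hits;
}

// Constructed sample input: one benign inline script, one benign local file,
// one remote file that satisfies the whole family-B rule.
const PAGE_URL = "https://site.example/index.html";
const SAMPLE_HTML = `<html><script>var nonce = "csp-nonce"; // benign</script>
<script src="/js/app.js"></script>
<script src="https://cdn.example/lib.js"></script></html>`;
const FETCHED = {
  "https://site.example/js/app.js": "function throttle(f){return f}",
  "https://cdn.example/lib.js": 'var ws=new WebSocket("wss://pool.example");var throttle=0.3;function hashesPerSecond(){return 0}',
};
const RESULT = identifyMiners(collectValidSource(SAMPLE_HTML, PAGE_URL, FETCHED));
```

Only the remote file is reported: the inline script and the local file each contain a single word that a keyword list would hit (`nonce`, `throttle`), but neither satisfies a full rule.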