
Detection And Prevention Of Malicious Cryptocurrency Mining Applications

Posted on: 2021-11-15    Degree: Master    Type: Thesis
Country: China    Candidate: F Tang    Full Text: PDF
GTID: 2518306050966689    Subject: Master of Engineering
Abstract/Summary:
In recent years, with the rise of cryptocurrencies, malicious mining attacks have become increasingly rampant. Such an attack, without the user's authorization, uses the victim's computing resources, including CPU, GPU, storage and network, to mine cryptocurrency, causing serious economic losses and security threats to the user. To counter this threat, researchers in academia and industry have proposed a variety of protection schemes against malicious mining. However, the existing schemes have obvious shortcomings, mainly in two respects: first, existing mining detection systems run in the same operating system as the mining software and are therefore easy for the miner to attack or bypass; second, the existing schemes mainly detect mining behaviour on the web (browser-based mining), while protection against binary mining software is insufficient.

To this end, this thesis proposes a method for detecting and defending against malicious mining software based on Virtual Machine Introspection (VMI). Compared with existing solutions, the proposed method has two obvious advantages. First, it uses VMI to monitor and block the malicious behaviour of binary mining software inside the guest from the hypervisor layer, so it is difficult for the mining software to attack or bypass. Second, based on the behavioural characteristics of mining software, it combines keyword matching on the contents read from and written to files by the mining process, pattern matching on its network operations, and a threshold on the dispersion coefficient (coefficient of variation) of system register values, to detect and defend against malicious mining software with higher accuracy.

The method is based on the following observations. First, while running, mining software reads configuration files related to mining and generates log files recording mining information, and these files contain keywords closely tied to mining behaviour. Second, during mining, the miner must communicate continuously with the mining pool, and this communication follows a specific pattern. Third, the mining software generates a large number of pseudorandom numbers during mining and stores these values in registers, which differ clearly from the values normally found there.

Accordingly, the method first records the file read/write contents, network traffic and relevant register values during the operation of 100 known malicious miners; from these it extracts keywords closely related to mining and the network operation pattern, determines a threshold for the dispersion coefficient of the relevant registers during mining, and formulates matching rules and security policies for malicious mining software on this basis. Then, while malicious mining software runs, the method bridges the semantic gap of VMI monitoring: it captures the file and network system calls issued by processes inside the guest at the hypervisor layer, parses their parameters and restores the process context to obtain file and network activity monitoring information; at the same time, it uses VMI to read the values of the relevant system registers to obtain register monitoring information. The monitoring information is then sent to a dedicated attack detection module, which completes detection and defence against malicious cryptocurrency mining software according to the predetermined matching rules and security policies.

Finally, this thesis implements a prototype system on the KVM hypervisor with a Windows 7 guest, and collects 439 mainstream mining programs and 320 samples of other types of software to test it. The test results show that the false positive rate of the method is 0. Performance tests show that the overhead introduced by the method is small: the average performance loss for file and network operations is 5.75% and 1.70% respectively.
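The three detection signals described above, as an added example that is not code from the thesis or its prototype: keyword matching on captured file contents, pattern matching on captured pool traffic, and a dispersion-coefficient test on sampled register values, combined into a verdict. The VMI capture layer (syscall interception and register reads from the hypervisor) is not reproduced; its outputs are stood in for by constructed file chunks, socket payloads and register samples. The keyword list, the assumption that the "specific pattern" of pool communication is Stratum-style JSON-RPC with `mining.*` method names, the threshold of 0.5 on the coefficient of variation (population standard deviation divided by mean) and the two-of-three voting policy are all assumptions of this example, not values taken from the thesis.

```python
"""Added example (not the thesis's code): a minimal version of the three
detection signals the abstract describes, run over constructed sample data.
The VMI capture layer is not reproduced; constructed inputs stand in for
what it would deliver to the detection module."""
import json
import re
import statistics
from dataclasses import dataclass

# Illustrative keyword list of the kind the thesis extracts from miner config
# and log files; this is an assumption, not the thesis's actual rule set.
MINING_KEYWORDS = ("stratum+tcp://", "pool", "wallet", "hashrate", "nonce", "difficulty")

# Assumed pool-communication pattern: JSON-RPC messages carrying Stratum
# "mining.*" method names over a persistent TCP connection.
STRATUM_METHOD = re.compile(r"^mining\.(subscribe|authorize|submit|notify|set_difficulty)$")

# Assumed thresholds (the thesis derives its own from 100 known miners).
KEYWORD_THRESHOLD = 2     # distinct mining keywords seen in file I/O
NETWORK_THRESHOLD = 1     # Stratum messages seen on the wire
CV_THRESHOLD = 0.5        # coefficient of variation of sampled register values
SIGNALS_REQUIRED = 2      # assumed policy: flag when at least two signals fire


def scan_file_content(chunks):
    """Return the distinct mining keywords found in captured file read/write data."""
    seen = set()
    for chunk in chunks:
        low = chunk.lower()
        seen.update(k for k in MINING_KEYWORDS if k in low)
    return sorted(seen)


def scan_network(payloads):
    """Return the Stratum method names found in captured socket send/recv data.
    Non-JSON payloads (ordinary HTTP, TLS records, ...) are skipped."""
    hits = []
    for payload in payloads:
        for line in payload.splitlines():
            try:
                msg = json.loads(line)
            except ValueError:
                continue
            method = msg.get("method") if isinstance(msg, dict) else None
            if isinstance(method, str) and STRATUM_METHOD.match(method):
                hits.append(method)
    return hits


def coefficient_of_variation(values):
    """Population standard deviation divided by the mean; 0.0 for degenerate input."""
    if len(values) < 2:
        return 0.0
    mean = statistics.fmean(values)
    if mean == 0:
        return 0.0
    return statistics.pstdev(values) / mean


@dataclass(frozen=True)
class Verdict:
    keywords: tuple
    stratum_methods: tuple
    register_cv: float

    @property
    def signals(self):
        return (len(self.keywords) >= KEYWORD_THRESHOLD,
                len(self.stratum_methods) >= NETWORK_THRESHOLD,
                self.register_cv >= CV_THRESHOLD)

    @property
    def is_miner(self):
        return sum(self.signals) >= SIGNALS_REQUIRED


def classify(file_chunks, net_payloads, register_samples):
    """Combine the three signals for one monitored process."""
    return Verdict(tuple(scan_file_content(file_chunks)),
                   tuple(scan_network(net_payloads)),
                   coefficient_of_variation(register_samples))


# Constructed sample: what the monitor might see from a CPU miner.
MINER_FILE = ['{"pools":[{"url":"stratum+tcp://pool.example.invalid:3333",'
              '"user":"wallet_address_here","pass":"x"}],"threads":4}']
MINER_NET = ['{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}\n'
             '{"id":2,"method":"mining.authorize","params":["wallet_address_here.w1","x"]}']
MINER_REGS = [0x9e3779b9, 0x1b873593, 0xe6546b64, 0x85ebca6b,   # hash-like values
              0xc2b2ae35, 0x27d4eb2f, 0x165667b1, 0xd3a2646c]   # spread over the range

# Constructed sample: an ordinary service process (register values stay near one address).
BENIGN_FILE = ["[INFO] service started on port 8080\n[INFO] request from 10.0.0.5\n"]
BENIGN_NET = ["GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"]
BENIGN_REGS = [0x7ffe1000, 0x7ffe1010, 0x7ffe0ff0, 0x7ffe1008,
               0x7ffe1000, 0x7ffe1018, 0x7ffe0ff8, 0x7ffe1000]

if __name__ == "__main__":
    for name, args in (("miner", (MINER_FILE, MINER_NET, MINER_REGS)),
                       ("benign", (BENIGN_FILE, BENIGN_NET, BENIGN_REGS))):
        v = classify(*args)
        print(f"{name}: keywords={v.keywords} stratum={v.stratum_methods} "
              f"cv={v.register_cv:.2f} -> {'MINER' if v.is_miner else 'clean'}")
```

The register test is the one that a miner cannot cheaply evade by renaming files or tunnelling pool traffic: hash outputs spread across the whole 32-bit range give a coefficient of variation near 0.6, while a register that tracks a stack or heap address barely moves. The weakness of the test on its own is that any process doing bulk hashing or compression looks the same, which is why the example only flags a process when two of the three signals agree.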
Keywords/Search Tags: malware prevention, cryptocurrency mining attack, virtual machine introspection, register value dispersion coefficient