1. State Key Laboratory of Public Big Data, College of Computer Science and Technology, Guizhou University, Guiyang, Guizhou 550025, China
2. School of Information Engineering, Xuchang University, Xuchang, Henan 461000, China
CAO Chuan-bo, male, born 1998 in Xiaogan, Hubei. Master's student, College of Computer Science and Technology, Guizhou University. Research interests: computer networks and information security. E-mail: cbcao3842@163.com
GUO Chun (corresponding author), male, born 1986 in Guiyang, Guizhou. Ph.D., professor, College of Computer Science and Technology, Guizhou University. Research interests: malware detection, intrusion detection.
Received: 2022-08-05
Revised: 2023-03-09
Published in print: 2023-07-25
CAO Chuan-bo, GUO Chun, SHEN Guo-wei, et al. Cryptomining Malware Early Detection Method in Behavioral Diversity Period[J]. ACTA ELECTRONICA SINICA, 2023, 51(07): 1850-1858. DOI: 10.12263/DZXB.20220926.
Cryptomining malware hides in a victim host and uses its system resources to mine cryptocurrency without the user's permission; it not only disrupts the normal operation of the computer system but also endangers system security. Existing dynamic-analysis detection methods mainly take the miner's proof-of-work behavior as the detection object, so they can hardly detect such software in time, i.e. before mining and other malicious behaviors have already damaged the system. To address this, an analysis of the running process of cryptomining malware shows that it performs diverse behaviors before establishing a network connection. On this basis the paper introduces the concept of the Behavioral Diversity Period of Cryptominer (BDP) and proposes a Cryptomining Malware Early Detection Method in Behavioral Diversity Period (CEDMB). CEDMB uses an n-gram model and TF-IDF (Term Frequency-Inverse Document Frequency) to extract features from the API (Application Programming Interface) call sequence observed within the BDP and trains a detection model on those features. Experimental results show that, with a random forest classifier, CEDMB can determine within 10 s of a sample starting to run whether it is benign software or cryptomining malware, with an F1-score of 96.55%.
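The following Python sketch is an added illustration of the pipeline the abstract describes, not code from the paper or its authors. It cuts an API-call trace at the behavioral diversity period (the calls before the first network-connection API, capped at 10 s), turns that sequence into 1- and 2-gram tokens weighted by TF-IDF, and classifies the resulting vector. Every concrete detail is an assumption made for the example: the API names, the set of APIs treated as the BDP boundary, the 10 s cap and all traces are constructed, and the paper's random forest is replaced by a nearest-centroid classifier on cosine similarity so that the example runs with the standard library only.

```python
"""Added example of the CEDMB idea (not the authors' code). All API names,
the BDP boundary set, the 10 s cap and the traces are constructed assumptions;
a nearest-centroid classifier stands in for the paper's random forest."""
import math
from collections import Counter

# Assumption: the first call to any of these ends the BDP (the sample is about
# to reach its pool / C2); the paper's boundary is simply "network connection".
NETWORK_APIS = {"connect", "WSAConnect", "InternetConnectA", "InternetOpenUrlA"}
BDP_CAP_SECONDS = 10.0


def bdp_sequence(trace, cap=BDP_CAP_SECONDS):
    """trace: list of (seconds_since_start, api_name) in call order.
    Returns the API names seen before the first network API and before `cap`."""
    seq = []
    for t, api in trace:
        if t > cap or api in NETWORK_APIS:
            break
        seq.append(api)
    return seq


def ngrams(seq, n):
    """Consecutive n-grams of an API sequence, each joined with '|' into one token."""
    return ["|".join(seq[i:i + n]) for i in range(len(seq) - n + 1)]


def tokens(seq, n_values=(1, 2)):
    return [tok for n in n_values for tok in ngrams(seq, n)]


class TfidfVectorizer:
    """Bag of n-gram tokens with smoothed idf and L2-normalised rows."""

    def __init__(self, n_values=(1, 2)):
        self.n_values = n_values
        self.idf = {}

    def fit(self, seqs):
        df = Counter()
        for s in seqs:
            df.update(set(tokens(s, self.n_values)))  # document frequency per token
        n_docs = len(seqs)
        self.idf = {tok: math.log((1 + n_docs) / (1 + d)) + 1.0 for tok, d in df.items()}
        return self

    def transform(self, seq):
        tf = Counter(tokens(seq, self.n_values))
        total = sum(tf.values()) or 1
        vec = {tok: (c / total) * self.idf[tok] for tok, c in tf.items() if tok in self.idf}
        norm = math.sqrt(sum(v * v for v in vec.values())) or 1.0
        return {tok: v / norm for tok, v in vec.items()}


def cosine(a, b):
    return sum(v * b.get(k, 0.0) for k, v in a.items())


class CentroidClassifier:
    """Stand-in for the random forest: pick the class whose mean TF-IDF vector
    is closest (by cosine) to the sample's vector."""

    def fit(self, vecs, labels):
        self.centroids = {}
        for lab in sorted(set(labels)):
            members = [v for v, l in zip(vecs, labels) if l == lab]
            acc = Counter()
            for v in members:
                acc.update(v)
            self.centroids[lab] = {k: val / len(members) for k, val in acc.items()}
        return self

    def predict(self, vec):
        return max(self.centroids, key=lambda lab: cosine(vec, self.centroids[lab]))


def train(miner_traces, benign_traces):
    """Fit vectorizer and classifier on BDP sequences; return a classify(trace) callable."""
    seqs = [bdp_sequence(t) for t in miner_traces + benign_traces]
    labels = ["miner"] * len(miner_traces) + ["benign"] * len(benign_traces)
    vec = TfidfVectorizer().fit(seqs)
    clf = CentroidClassifier().fit([vec.transform(s) for s in seqs], labels)
    return lambda sample: clf.predict(vec.transform(bdp_sequence(sample)))


def make_trace(apis, step=0.3):
    """Constructed helper: APIs called `step` seconds apart, starting at t = 0."""
    return [(i * step, api) for i, api in enumerate(apis.split())]


# Constructed traces, not sandbox output. The miners probe the host, set a Run key,
# inject a worker, then connect; the benign samples do file, registry and GUI work.
MINER_TRACES = [
    make_trace("GetSystemInfo IsDebuggerPresent RegSetValueExA VirtualAllocEx WriteProcessMemory "
               "CreateRemoteThread SetThreadPriority connect send"),
    make_trace("IsDebuggerPresent CheckRemoteDebuggerPresent GetSystemInfo RegSetValueExA "
               "CreateProcessA VirtualAllocEx WriteProcessMemory CreateRemoteThread WSAConnect"),
    make_trace("GetSystemInfo GetTickCount IsDebuggerPresent RegSetValueExA VirtualAllocEx "
               "WriteProcessMemory SetThreadPriority CreateRemoteThread connect"),
]
BENIGN_TRACES = [
    make_trace("LoadLibraryW GetProcAddress CreateFileW ReadFile CloseHandle RegQueryValueExW "
               "CreateWindowExW ShowWindow GetMessageW") + [(12.0, "GetMessageW")],  # past the cap
    make_trace("CreateFileW ReadFile WriteFile CloseHandle LoadLibraryW GetProcAddress "
               "RegQueryValueExW CreateWindowExW GetMessageW"),
    make_trace("LoadLibraryW GetProcAddress RegQueryValueExW CreateFileW ReadFile CloseHandle "
               "CreateWindowExW ShowWindow GetMessageW InternetOpenUrlA"),  # updater: cut at BDP
]
TEST_MINER = make_trace("IsDebuggerPresent GetSystemInfo RegSetValueExA CreateProcessA VirtualAllocEx "
                        "WriteProcessMemory CreateRemoteThread SetThreadPriority connect")
TEST_BENIGN = make_trace("CreateFileW WriteFile CloseHandle LoadLibraryW GetProcAddress "
                         "CreateWindowExW ShowWindow GetMessageW")

classify = train(MINER_TRACES, BENIGN_TRACES)

if __name__ == "__main__":
    print("unseen miner  ->", classify(TEST_MINER))
    print("unseen benign ->", classify(TEST_BENIGN))
```

The point of the BDP cut is visible in the third benign trace: the updater eventually calls InternetOpenUrlA, but everything after that call is discarded, so the model is judged only on what the sample did before it went on the network, which is the window in which an early detector has to decide.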