Masaryk University Faculty of Informatics

Detection of cryptominers and mining botnets

Bachelor’s Thesis

Samuel Obuch

Brno, Spring 2019

This is where a copy of the official signed thesis assignment and a copy of the Statement of an Author is located in the printed version of the document.

Declaration

Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references, and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source.

Samuel Obuch

Advisor: RNDr. Martin Laštovička


Acknowledgements

I would like to thank my advisor RNDr. Martin Laštovička for his help and advice during the preparation of this thesis and for his guidance and feedback during my writing.

Abstract

Cryptocurrencies have become very popular recently, and this popularity has also brought an increase in related malicious activities. The goal of this thesis is to study these activities and to implement a method for their detection based on their network characteristics obtained from network flows. Evaluation of the method proposed in this thesis against a reference method based on a blocklist showed that the proposed method has high accuracy and precision. A comparison against another method implemented by Flowmon showed that our method generates a far lower rate of false positives and is therefore more suitable for use in a highly automated environment.

Keywords: cryptomining, detection, mining pools, Stratum, IPFIX, network flows


Contents

Glossary 1

Introduction 3

1 Cryptocurrency Mining 5
1.1 Solo Mining 5
1.2 Pool Mining 6
1.2.1 Pools 6
1.2.2 Pool Mining Protocols 7

2 Mining Detection 13
2.1 Mining Activities 13
2.1.1 Malicious Mining 13
2.1.2 Intentional Mining 14
2.2 Indicators of Compromise 15
2.2.1 Endpoint Detection 15
2.2.2 Network Detection 16

3 Experiments 21
3.1 Packet Inspection 21
3.2 Flow Observation 24
3.2.1 Reference Data 26
3.2.2 Flow Characteristics 26
3.2.3 Detection Method Implementation 29

4 Results 33

5 Conclusions 37

Bibliography 39


List of Tables

4.1 Custom pattern results 33
4.2 CryptoMalware pattern results 34
4.3 Method results 34
4.4 Results: hit rate and false positive rate 34
4.5 Results: method metrics 35


List of Figures

3.1 Example of captured traffic in Wireshark 22
3.2 Miner receiving a job 23
3.3 Miner sending the found solution 23
3.4 Pool sending acknowledgment about the received share 23
3.5 Exported flow information 25
4.1 Ratio for outgoing flows not selected by the method 35
4.2 Ratio for incoming flows not selected by the method 36


Glossary

This glossary is intended to help the reader with understanding common cryptocurrency terms used in the thesis.

altcoin Alternative to Bitcoin.

block Digital record containing information about the transactions performed.

block reward Amount of coins that comes with every mined block; it consists of newly created coins and transaction fees. Who gets the reward is specified within the block, so the miner who created the block typically takes it.

blockchain Chain of digital records (blocks) to which new transactions are added, never to be removed.

coin One unit of cryptocurrency.

cryptocurrency .

cryptocurrency mining Performing effort on behalf of the cryptocurrency network, which results in adding new blocks to