Masaryk University Faculty of Informatics
Detection of cryptominers and mining botnets
Bachelor’s Thesis
Samuel Obuch
Brno, Spring 2019
This is where a copy of the official signed thesis assignment and a copy of the Statement of an Author is located in the printed version of the document.
Declaration
Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references, and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source.
Samuel Obuch
Advisor: RNDr. Martin Laštovička
Acknowledgements
I would like to thank my advisor RNDr. Martin Laštovička for his help and advice during the preparation of this thesis and for his guidance and feedback during my writing.
Abstract
Cryptocurrencies have become very popular recently, and this popularity has also resulted in an increase in related malicious activities. The goal of this thesis is to study these activities and to implement a method for their detection based on the network characteristics obtained from network flows. Evaluation of the method proposed in this thesis against a reference method based on a blocklist showed that the proposed method has high accuracy and precision. A comparison against another method implemented by Flowmon showed that our method generates a far lower rate of false positives, and it is therefore more suitable for use in a highly automated environment.
Keywords
cryptocurrency, cryptomining, detection, mining pools, Stratum, IPFIX, network flows
Contents
Glossary 1
Introduction 3
1 Cryptocurrency Mining 5
1.1 Solo Mining ...... 5
1.2 Pool Mining ...... 6
1.2.1 Pools ...... 6
1.2.2 Pool Mining Protocols ...... 7
2 Mining Detection 13
2.1 Mining Activities ...... 13
2.1.1 Malicious Mining ...... 13
2.1.2 Intentional Mining ...... 14
2.2 Indicators of Compromise ...... 15
2.2.1 Endpoint Detection ...... 15
2.2.2 Network Detection ...... 16
3 Experiments 21
3.1 Packet Inspection ...... 21
3.2 Flow Observation ...... 24
3.2.1 Reference Data ...... 26
3.2.2 Flow Characteristics ...... 26
3.2.3 Detection Method Implementation ...... 29
4 Results 33
5 Conclusions 37
Bibliography 39
List of Tables
4.1 Custom pattern results ...... 33
4.2 CryptoMalware pattern results ...... 34
4.3 Method results ...... 34
4.4 Results: hit rate and false positive rate ...... 34
4.5 Results: method metrics ...... 35
List of Figures
3.1 Example of captured traffic in Wireshark ...... 22
3.2 Miner receiving a job ...... 23
3.3 Miner sending the found solution ...... 23
3.4 Pool sending acknowledgment about the received share ...... 23
3.5 Exported flow information ...... 25
4.1 Ratio for outgoing flows not selected by the method ...... 35
4.2 Ratio for incoming flows not selected by the method ...... 36
Glossary
This glossary is intended to help the reader with understanding common cryptocurrency terms used in the thesis.
altcoin Alternative to Bitcoin.
block Digital record, containing information about transactions performed.
block reward Amount of coins that come with every mined block; consists of newly created coins and transaction fees. Who gets the reward is specified within the block. Therefore, the miner who created the block typically takes it.
blockchain Chain of digital records, blocks, to which new transactions are added, never to be removed.
coin One unit of cryptocurrency.
cryptocurrency Digital currency.
cryptocurrency mining Performing effort on behalf of the cryptocurrency network, which results in adding new blocks to