With the advancement and development of network technology, cryptomining in the browser has become a website profit model that may replace online advertising. However, these services are also used to launch large-scale cryptomining attacks, in which attackers misuse users' computer resources to mine cryptocurrencies without consent. This poses a great threat to network security, so detecting cryptomining in the browser is of great practical significance. Existing detection methods, however, suffer from low accuracy, high overhead, dependence on a particular programming language, and susceptibility to obfuscation and interference when detecting the latest popular samples. This thesis studies detection and defense mechanisms for cryptomining in the browser, focusing on the diversity of script programming languages, instruction-block-level analysis, and a real-time detection and defense mechanism. The following results were achieved:

● Cryptomining detection method based on intermediate semantics. Variants of popular cryptomining based on algorithms derived from CryptoNight have now emerged and can be implemented in a variety of programming languages. With existing detection methods, detection accuracy on these variants is greatly reduced, or they cannot be detected at all. This thesis proposes an intermediate-semantics cryptomining detection method, which extracts intermediate semantics to identify cryptomining. The method is not affected by the programming language and identifies semantics from the essence of cryptomining. Although it brings a certain amount of memory overhead, the detection ability is significantly improved. Especially for evolved samples, the detection accuracy far exceeds that of other methods, reaching 96%. In large-scale detection, each website takes an average of 3.95 seconds, the average memory consumption is 30.58 MB, the accuracy rate reaches 98.04%, and the false negative rate does not exceed 2%.

● Cryptomining detection method based on core instruction blocks. The semantic-signature detection method, which works by instruction-level analysis, needs four additional instructions to count one instruction and is susceptible to obfuscation by injection of invalid instructions. Benign programs may also contain operations that calculate hash values, so it is impossible to distinguish cryptomining from normal programs by identifying hash instruction blocks alone. To solve these problems, this thesis proposes a method for detecting cryptomining that uses instruction blocks to measure cryptomining speed. The method uses the size and number of hash instruction blocks to calculate the cryptomining speed and then matches the result against a benchmark value, the average speed of cryptomining. The false positive rate and false negative rate are about 1%, and the average time is 3.47 seconds. Compared with the method based on semantic signatures, the improvement is about double at the highest and 28.53% at the least.

● Real-time detection and defense mechanism for cryptomining in the browser. Existing research has so far stayed at the detection level, which cannot limit cryptomining activity or alleviate the impact of mining. Therefore, this thesis proposes a real-time detection and defense mechanism for cryptomining in the browser. Based on the detection algorithms in this thesis, the mechanism can detect and defend against cryptomining in the browser in real time. When cryptomining is discovered, the relevant threads are suspended to release CPU resources. This mechanism limits the operation of cryptomining and has no impact on the operation of normal applications. Under different sleep time settings, more than 88.96% of the CPU resources occupied by malicious users are released.