In recent years, in-browser cryptomining has become a new way for websites to make a profit. Taking advantage of its convenience, criminals inject cryptomining scripts into other people's websites or their own. Once visitors open these sites, malicious cryptomining scripts run in the background by default. These scripts use various evasion techniques to bypass security detection, occupy visitors' computing resources for long periods, and obtain illegal benefits. To deal with this attack, called cryptojacking, researchers have proposed various detection methods built around the static and dynamic features of websites. Although these methods perform well on known data sets, they still have problems in real-world scenarios, such as insufficient recall and low precision. Therefore, this thesis proposes two different in-browser cryptomining detection methods, one from the static perspective and one from the dynamic perspective. The main work and contributions of this thesis are as follows:

(1) To address the problem that existing in-browser cryptomining script detection methods have difficulty resisting evasion techniques and have low recall, a cryptomining script detection method based on static keywords is proposed. This method takes a trace file as input, extracts the websites' resource requests and service connection requests, and finds cryptomining scripts by regular-expression matching against a list of cryptomining service keywords. This method can effectively resist domain altering and code obfuscation, and finds known cryptomining scripts in time.

(2) To address the problem that existing in-browser cryptomining behavior detection methods do not capture the essence of cryptomining and have low precision, this thesis analyzes the dynamic features of in-browser cryptomining in depth and constructs a multilateral relationship graph structure from the behavior of the website. Based on the multilateral relationship graph, a cryptomining behavior detection method based on a graph neural network is proposed. This method can accurately extract the runtime behavior of a website and find cryptomining websites as they run, in real time. Because the multilateral relationship graph accurately expresses the essential features of cryptomining, our method has higher precision when detecting unknown website behavior in real-world scenarios.

(3) Combining the above dynamic and static detection methods, this thesis implements Miner Lamp, a prototype in-browser cryptomining detection system. We collected 21923 pieces of data from the real environment to carry out empirical research, and compared Miner Lamp with six existing detection tools in terms of precision, recall, F1-score and performance. Miner Lamp reached 100% precision and 99.68% recall in the cryptomining script detection experiment, and a 100% F1-score in the cryptomining behavior detection experiment. The results of these experiments show that combining the static-keyword-based method with the graph-neural-network-based method can effectively improve the precision and recall of an in-browser cryptomining detection system.
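
The static keyword method of contribution (1), sketched as an added example that is not code from the thesis or from Miner Lamp. It assumes the trace file is a Chrome-style trace-event JSON in which `ResourceSendRequest` and `WebSocketCreate` events carry the URL in `args.data.url`; the keyword list, function names and sample trace are constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit

# Illustrative keyword list (assumption; the thesis's own list is not on the page).
MINING_KEYWORDS = ["coinhive", "cryptonight", "cryptoloot", "webminer"]
KEYWORD_RE = re.compile("|".join(map(re.escape, MINING_KEYWORDS)), re.IGNORECASE)

# Assumed trace layout: Chrome-style trace events, URL stored in args.data.url.
REQUEST_EVENTS = {"ResourceSendRequest": "resource", "WebSocketCreate": "websocket"}

def extract_requests(trace_text):
    """Yield (kind, url) for each resource or WebSocket request in the trace."""
    doc = json.loads(trace_text)
    events = doc.get("traceEvents", []) if isinstance(doc, dict) else doc
    for ev in events:
        if not isinstance(ev, dict):
            continue
        kind = REQUEST_EVENTS.get(ev.get("name"))
        url = ((ev.get("args") or {}).get("data") or {}).get("url")
        if kind and isinstance(url, str):
            yield kind, url

def find_mining_requests(trace_text):
    """Return requests whose host, path or query contains a mining keyword."""
    hits = []
    for kind, url in extract_requests(trace_text):
        parts = urlsplit(url)
        # Match on the whole URL, not only the domain, so a script served
        # from a renamed host is still caught by its path or query.
        match = KEYWORD_RE.search(f"{parts.netloc}{parts.path}?{parts.query}")
        if match:
            hits.append({"kind": kind, "url": url, "keyword": match.group(0).lower()})
    return hits

# Constructed sample trace (not real data).
SAMPLE_TRACE = json.dumps({"traceEvents": [
    {"name": "ResourceSendRequest", "args": {"data": {"url": "https://news.example/app.js"}}},
    {"name": "ResourceSendRequest", "args": {"data": {"url": "https://cdn.example/lib/CoinHive.min.js"}}},
    {"name": "WebSocketCreate", "args": {"data": {"url": "wss://ws.example/proxy?algo=cryptonight"}}},
    {"name": "FunctionCall", "args": {"data": {"url": "https://news.example/app.js"}}},
    {"name": "WebSocketCreate", "args": {}},
]})

if __name__ == "__main__":
    for hit in find_mining_requests(SAMPLE_TRACE):
        print(hit)
```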