Abstract
Covert cryptocurrency mining operations are causing notable losses to both cloud providers and enterprises. Increased power consumption from constant CPU and GPU usage by miners, inflated cooling and electricity costs, and the waste of resources that could otherwise serve legitimate users all contribute to these losses. Affected organizations currently have no way of detecting these covert, and at times illegal, miners, and often discover the abuse only after the attackers have fled and the damage is done.
In this paper, we present MineGuard, a tool that can detect mining behavior in real time across pools of mining VMs or processes and prevent abuse despite an active adversary trying to bypass the defenses. Our system employs hardware-assisted profiling to create discernible signatures for various mining algorithms and can accurately detect them, with negligible overhead (\(<0.01\%\)), for both CPU- and GPU-based miners. We empirically demonstrate the uniqueness of mining behavior and show the effectiveness of our mitigation approach (\(\approx 99.7\%\) detection rate). Furthermore, we characterize the noise introduced by virtualization and incorporate it into our detection mechanism, making the detector highly robust. The design of MineGuard is both practical and usable and requires no modification to the core infrastructure of commercial clouds or enterprises.
Notes
1. Unless otherwise stated, all experiments perform binary classification.
Copyright information
© 2017 Springer International Publishing AG
Cite this paper
Tahir, R. et al. (2017). Mining on Someone Else’s Dime: Mitigating Covert Mining Operations in Clouds and Enterprises. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2017. Lecture Notes in Computer Science, vol 10453. Springer, Cham. https://doi.org/10.1007/978-3-319-66332-6_13
DOI: https://doi.org/10.1007/978-3-319-66332-6_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-66331-9
Online ISBN: 978-3-319-66332-6
eBook Packages: Computer Science (R0)