Mining on Someone Else’s Dime: Mitigating Covert Mining Operations in Clouds and Enterprises

  • Conference paper
  • Research in Attacks, Intrusions, and Defenses (RAID 2017)

Abstract

Covert cryptocurrency mining operations are causing notable losses to both cloud providers and enterprises. Increased power consumption from constant CPU and GPU usage, inflated cooling and electricity costs, and the waste of resources that could otherwise serve legitimate users are some of the factors that contribute to these losses. Affected organizations currently have no way of detecting these covert, and at times illegal, miners and often discover the abuse only after the attackers have fled and the damage is done.

In this paper, we present MineGuard, a tool that can detect mining behavior in real time across pools of VMs or processes and prevent abuse despite an active adversary trying to bypass the defenses. Our system employs hardware-assisted profiling to create discernible signatures for various mining algorithms and can accurately detect them, with negligible overhead (<0.01%), for both CPU- and GPU-based miners. We empirically demonstrate the uniqueness of mining behavior and show the effectiveness of our mitigation approach (≈99.7% detection rate). Furthermore, we characterize the noise introduced by virtualization and incorporate it into our detection mechanism, making it highly robust. The design of MineGuard is both practical and usable and requires no modification to the core infrastructure of commercial clouds or enterprises.
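The approach the abstract describes, profiling a workload's hardware performance counters and matching the profile against per-algorithm signatures that tolerate virtualization noise, as an added example in Python (standard library only). This is not MineGuard's code and does not reproduce its feature set or classifier: the four counter events, the per-instruction features, the z-score tolerance with its 5% floor, and every count in the training and test windows are constructed assumptions. Counter text follows the CSV layout of `perf stat -x,` (value, unit, event, ...), so the parser would also accept a real capture of those events; GPU miners, which the paper also covers, are outside this example.

```python
import csv
from io import StringIO
from statistics import mean, pstdev

# Assumed counter set; a real deployment would pick events per CPU model.
EVENTS = ("instructions", "cycles", "cache-misses", "branch-misses")

def parse_perf_stat(text):
    """Parse `perf stat -x,` CSV rows (value,unit,event,...) into {event: count}.
    Rows whose value is not a number ('<not supported>', '<not counted>') are skipped."""
    counts = {}
    for row in csv.reader(StringIO(text)):
        if len(row) >= 3 and row[0].strip().isdigit():
            counts[row[2].strip()] = int(row[0])
    return counts

def features(counts):
    """Per-instruction rates: independent of window length and of how much
    CPU time the process got, which varies when a vCPU shares a core."""
    n = counts["instructions"]
    return {"cpi": counts["cycles"] / n,
            "cache_miss_rate": counts["cache-misses"] / n,
            "branch_miss_rate": counts["branch-misses"] / n}

class Signature:
    """Mean and spread of each feature over several training windows."""
    def __init__(self, name, samples):
        feats = [features(parse_perf_stat(s)) for s in samples]
        self.name = name
        self.mu = {k: mean([f[k] for f in feats]) for k in feats[0]}
        # Spread across windows is what absorbs hypervisor and noisy-neighbour
        # jitter; the 5 % floor keeps a feature that was constant in training
        # from rejecting every live sample.
        self.sigma = {k: max(pstdev([f[k] for f in feats]), 0.05 * abs(self.mu[k]), 1e-12)
                      for k in feats[0]}

    def distance(self, counts):
        """Largest per-feature z-score of a live window from this signature."""
        f = features(counts)
        return max(abs(f[k] - self.mu[k]) / self.sigma[k] for k in self.mu)

def classify(perf_text, signatures, threshold=3.0):
    """Closest signature with every feature within `threshold` standard
    deviations, or None when the window matches nothing known."""
    counts = parse_perf_stat(perf_text)
    if any(e not in counts for e in EVENTS):
        raise ValueError("sample is missing a required counter")
    best = None
    for sig in signatures:
        d = sig.distance(counts)
        if d <= threshold and (best is None or d < best[1]):
            best = (sig.name, d)
    return best[0] if best else None

def perf_csv(instructions, cycles, cache_misses, branch_misses):
    """Constructed text in the `perf stat -x,` layout; not a real capture."""
    rows = zip((instructions, cycles, cache_misses, branch_misses), EVENTS)
    return "".join(f"{v},,{e},1000000000,100.00,,\n" for v, e in rows)

# Constructed training windows (counts per 1e9 retired instructions); the
# jitter between windows stands in for a shared, virtualized host. The
# hashing loop is compute-bound with few misses, memory-hard scrypt thrashes
# the cache, and the web server mispredicts far more branches.
TRAINING = {
    "sha256d-miner": [(1_000_000_000, 800_000_000, 110_000, 520_000),
                      (1_000_000_000, 830_000_000, 95_000, 480_000),
                      (1_000_000_000, 790_000_000, 120_000, 510_000),
                      (1_000_000_000, 860_000_000, 130_000, 530_000)],
    "scrypt-miner": [(1_000_000_000, 2_500_000_000, 20_000_000, 1_000_000),
                     (1_000_000_000, 2_700_000_000, 22_000_000, 1_100_000),
                     (1_000_000_000, 2_400_000_000, 19_000_000, 950_000),
                     (1_000_000_000, 2_650_000_000, 21_500_000, 1_050_000)],
    "web-server": [(1_000_000_000, 1_500_000_000, 5_000_000, 15_000_000),
                   (1_000_000_000, 1_650_000_000, 5_600_000, 16_000_000),
                   (1_000_000_000, 1_450_000_000, 4_700_000, 14_500_000),
                   (1_000_000_000, 1_600_000_000, 5_300_000, 15_500_000)],
}

def build_signatures(training=TRAINING):
    return [Signature(name, [perf_csv(*w) for w in windows])
            for name, windows in training.items()]

if __name__ == "__main__":
    sigs = build_signatures()
    live = perf_csv(1_000_000_000, 820_000_000, 100_000, 500_000)  # constructed
    print(classify(live, sigs))  # sha256d-miner
```

Taking the maximum z-score over features is deliberately strict: a window must resemble a known miner on every feature, so a benign compute-heavy job that looks miner-like in only one dimension falls through to None instead of raising a false alarm. The flip side is that an adversary who can shift a single feature, for instance by interleaving memory-bound work with the hash loop, also escapes this toy threshold; the robustness against an active evader that the abstract claims for MineGuard is not something this fixed per-feature bound provides.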


Notes

  1. Unless otherwise stated, all experiments perform binary classification.


Author information

Corresponding author: Rashid Tahir.

Electronic supplementary material

Supplementary material 1 (txt, 1 KB)


Copyright information

© 2017 Springer International Publishing AG

Cite this paper

Tahir, R. et al. (2017). Mining on Someone Else’s Dime: Mitigating Covert Mining Operations in Clouds and Enterprises. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2017. Lecture Notes in Computer Science, vol 10453. Springer, Cham. https://doi.org/10.1007/978-3-319-66332-6_13

  • DOI: https://doi.org/10.1007/978-3-319-66332-6_13
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-66331-9
  • Online ISBN: 978-3-319-66332-6
  • eBook Packages: Computer Science (R0)
