into drive by cryptocurrency
play

into Drive-by Cryptocurrency Mining and Its Defense RAJSHAKHAR PAUL - PowerPoint PPT Presentation

Oct 14, 2023 •380 likes •717 views

MineSweeper: An In-depth Look into Drive-by Cryptocurrency Mining and Its Defense RAJSHAKHAR PAUL Outlines Introduction Motivation Background Threat Model Data Analysis Conclusion Outlines Introduction Motivation

  1. MineSweeper: An In-depth Look into Drive-by Cryptocurrency Mining and Its Defense RAJSHAKHAR PAUL

  2. Outlines  Introduction  Motivation  Background  Threat Model  Data Analysis  Conclusion

  3. Outlines  Introduction  Motivation  Background  Threat Model  Data Analysis  Conclusion

  4. Intro  Cryptocurrency - A digital asset - Work as a medium of exchange that uses strong cryptography to secure financial transactions, control the creation of additional units, and verify the transfer of assets - Use blockchain method - Example: Bitcoin  Drive-by mining - A web-based attack, in which an infected website secretly executes JavaScript code and/or a WebAssebly module in user's browser to mine cryptocurrencies without the consent of the user - Also known as Cryptojacking

  5. Intro  Cryptocurrency Mining - A process in which transactions for various forms of cryptocurrency are verified and added to the blockchain digital ledger - Each time a cryptocurrency transaction is made, a cryptocurrency miner is responsible for ensuring the authenticity of information and updating the blockchain with the transaction - The mining process need a lot of computational power - The first cryptocurrency miner to crack the code is rewarded by being able to authorize the transaction

  6. Cryptojacking Attack  Using cryptomining service like Coinhive  By compromising web servers  Taking advantage of misconfiguration and installing JavaScript based miners  Distributing miners through online advertisements  Compromising third party libraries  By using pop-under window  By playing online video streaming

  7. Outlines  Introduction  Motivation  Background  Threat Model  Data Analysis  Conclusion

  8. Motivation  Dedicated browser extensions and ad blockers use blacklists.  Maintaining a complete blacklist is not scalable and prone to false negative.  Easily defeated by URL randomization and domain general algorithms  Some detection technique look for high CPU usage as an indicator of cryptocurrency mining.  Causes both false positive and false negative as one program may take high CPU usage and on the other hand cryptocurrency miners have started to throttle their CPU usage to evade detection.

  9. Proposed Method  Focus on Wasm-based mining, the most efficient and widespread technique for drive-by mining attacks  Identify the intrinsic characteristics of the mining itself: the hashing function.  Two level approaces. - First, perform static analysis on the Wasm code and identify the hashing code based on cyptographic operations it performs. - Second, monitor CPU cache events at run time to identify cryptominers based on their memory access patterns.

  10. Contributions  Perform the first in-depth assessment of drive-by mining  Discuss why current defense based on blacklisting and CPU usage are ineffective  Propose a novel detection approach based on the identification of cryptographic functions through static analysis and monitoring of cache events during run time

  11. Outlines  Introduction  Motivation  Background  Threat Model  Data Analysis  Conclusion

  12. Existing Defenses against Drive-by Mining  CoinBlockerList - Maintain a blacklist of mining pools and proxy servers that is manually collected from reports on security blogs and twitter  Dr. Mine - Attempts to block drive-by mining by means of explicitly blacklisted URLs Both approaches suffer from high false negative

  13. Outlines  Introduction  Motivation  Background  Threat Model  Data Analysis  Conclusion

  14. Threat Model

  15. When a user visits a drive-by mining website, the website (1) serves the orchestrator script, which checks the host environment to fnd out how many CPU cores are available

  16. (2) downloads the highly-optimized cryptomining payload (as either Wasm or asm.js) from the website or an external server

  17. (3) instantiates a number of web workers i.e., spawns separate threads, with the mining payload, depending on how many CPU cores are available

  18. (4) sets up the connection with the mining pool server through a WebSocket proxy server

  19. (5) fnally, fetches work from the mining pool and submits the hashes to the mining pool through the WebSocket proxy server

  20. Outlines  Introduction  Motivation  Background  Threat Model  Data Analysis  Conclusion

  21. Data Collection  Build web crawler for visiting Alexa’s top 1 million websites  The crawler stays for four seconds on each visited page  Collect data related to drive-by mining  Identify Orchestrator and Mining Payload with the help of key word based search and Wasm module respectively

  22. Data Analysis Three different artifacts produced by the data collection system 1. Cryptomining Code - Authors identified 13 well known cryptomining services using keywords listed below. - 866 websites are using these 13 servides without obfuscating the orchestrator

  23. Data Analysis Three different artifacts produced by the data collection system 2. CPU Load as a Side Effect - Not used to detect drive-by mining

  24. Data Analysis Three different artifacts produced by the data collection system 3. Mining Pool Communication - Authors identified 1,008 websites that are communicating with mining pool servers using the Stratum protocol based on the keywords

  25. Data Correlation Using Cryptomining Code and Mining Pool Communication authors identify: - There are 402 websites that don’t need user consent. - Other 464 websites wait for user’s consent.

  26. Results Three evasion techniques have been identified: - Code Obfuscation - Obfuscated Stratum Communication - Anti-debugging Tricks

  27. Modus Operandi of Attack Three ways 1. Miners inject through third-party services 2. Miners inject through advertisement networks 3. Miners inject by compromising vulnerable websites

  28. Common Drive-by Mining Characteristics Three characteristics: 1. All services use CryptoNight-based cryptomining implementations. 2. All identified websites use a highly-optimized Wasm implementation of the CryptoNight algorithm to execute the mining code. 3. All drive-by mining websites use WebSockets to communicate with the mining pool through a WebSocket proxy server

  29. How MineSweeper Works? Takes the URL of website as input Detection Based on Primitive Identification Generic Cryptographic Function Detection Detection Based on CPU Cache Events

  30. Deployment MineSweeper Can be integrated into browswers easily. - Will overcome the limitations of Blacklists based system.

  31. Limitations  It only spends 4 seconds on each webpage. Could miss websites that wait for more time.  Not capable to capture the mining pool communication for websites that implement mining delays.

  32. Thank You

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

QTIC - Cryptocurrency Team Content 01 The basics of cryptocurrency 02 Cryptocurrency &

QTIC - Cryptocurrency Team Content 01 The basics of cryptocurrency 02 Cryptocurrency &

QTIC - Cryptocurrency Team Content 01 The basics of cryptocurrency 02 Cryptocurrency & Tourism 03 Blockchain 04 Project deliverables The basics of cryptocurrency What is cryptocurrency? Key terms to remember: Decentralised system : not

524 views • 27 slides
CRYPTOCURRENCY C r y p t o i s m o n e y 2 . 0 , a h u g e h u g e h u g e d e a l .

CRYPTOCURRENCY C r y p t o i s m o n e y 2 . 0 , a h u g e h u g e h u g e d e a l .

CRYPTOCURRENCY C r y p t o i s m o n e y 2 . 0 , a h u g e h u g e h u g e d e a l . WHAT IS CRYPTOCURRENCY? \ A cryptocurrency (or crypto currency) is a digital asset designed to work as a medium of exchange using

454 views • 10 slides
Should cryptocurrency replace American dollars? By Isaiah Hanson What is Cryptocurrency?

Should cryptocurrency replace American dollars? By Isaiah Hanson What is Cryptocurrency?

Should cryptocurrency replace American dollars? By Isaiah Hanson What is Cryptocurrency? Digital money held in a digital wallet Started by Satoshi Nakamoto in 2008 with Bitcoin Decentralized currency Holds value

360 views • 14 slides
Layer 2 Cryptocurrency Networks Cryptocurrency transaction rates are slow. How can we build

Layer 2 Cryptocurrency Networks Cryptocurrency transaction rates are slow. How can we build

Continuous Credit Networks and Layer 2 Blockchains Ashish Goel and Geoffrey Ramseyer , Stanford University Layer 2 Cryptocurrency Networks Cryptocurrency transaction rates are slow. How can we build trusted relationships in an untrusted

454 views • 4 slides
Cryptocurrency Crackdown: What You Need to Know about Enhanced IRS/Government Scrutiny of

Cryptocurrency Crackdown: What You Need to Know about Enhanced IRS/Government Scrutiny of

Cryptocurrency Crackdown: What You Need to Know about Enhanced IRS/Government Scrutiny of Cryptocurrency Transactions May 16, 2018 Speakers Basil Godellas Lawrence Hill Rachel Ingwer Partner and Co-Chair, Disruptive Partner and Chair,

1.1k views • 64 slides
Cryptocurrency Q o d e n Te c h n o l o g i e s L L C Exchange Engine Qoden Technologies LLC

Cryptocurrency Q o d e n Te c h n o l o g i e s L L C Exchange Engine Qoden Technologies LLC

Cryptocurrency Q o d e n Te c h n o l o g i e s L L C Exchange Engine Qoden Technologies LLC 2 What is Qodex When you integrate the Qodex platform, you get: A white labelled cryptocurrency exchange engine including all relevant source

408 views • 10 slides
1. Introduction AFRO was created in December 2016 by a group of economists, cryptocurrency

1. Introduction AFRO was created in December 2016 by a group of economists, cryptocurrency

AFRO The first cryptocurrency, dedicated to economic and societal development of Africa. Fondation AFRO 8, rue Neuve-du-Molard Genve 1204, Suisse 1. Introduction AFRO was created in December 2016 by a group of economists, cryptocurrency

514 views • 13 slides
We are AroundB We are working for the further development of cryptocurrency, Blockchain and

We are AroundB We are working for the further development of cryptocurrency, Blockchain and

We are AroundB We are working for the further development of cryptocurrency, Blockchain and innovative technologies. We organize professional events around the world and help cutting-edge companies and start-ups grow their businesses. It`s a

335 views • 9 slides
Google Drive: Share V0 18 Apr 2020 V0 1 V0 2 2020 Google Drive: Share 2020 Google Drive:

Google Drive: Share V0 18 Apr 2020 V0 1 V0 2 2020 Google Drive: Share 2020 Google Drive:

Google Drive: Share V0 18 Apr 2020 V0 1 V0 2 2020 Google Drive: Share 2020 Google Drive: Share Windows Explorer: Google Drive: Share Open MyDrive . Milo Schield Editor of www.StatLit.org Fellow, American Statistical Association

256 views • 7 slides
BIT COIN Reference Bitcoin and Cryptocurrency Technologies By Arvind Narayanan, Joseph Bonneau,

BIT COIN Reference Bitcoin and Cryptocurrency Technologies By Arvind Narayanan, Joseph Bonneau,

BIT COIN Reference Bitcoin and Cryptocurrency Technologies By Arvind Narayanan, Joseph Bonneau, Edward Felten, Andrew Miller, Steven Goldfeder References Main reference: Bitcoin and Cryptocurrency Technologies, By Arvind Narayanan, Joseph

1.46k views • 77 slides
BIT COIN Reference Bitcoin and Cryptocurrency Technologies By Arvind Narayanan, Joseph Bonneau,

BIT COIN Reference Bitcoin and Cryptocurrency Technologies By Arvind Narayanan, Joseph Bonneau,

BIT COIN Reference Bitcoin and Cryptocurrency Technologies By Arvind Narayanan, Joseph Bonneau, Edward Felten, Andrew Miller, Steven Goldfeder References Main reference: Bitcoin and Cryptocurrency Technologies, By Arvind Narayanan, Joseph

873 views • 69 slides
Bitcoin and the Brave New World of Cryptocurrency AFP Arizona Bryce A. Suzuki Bryan Cave LLP

Bitcoin and the Brave New World of Cryptocurrency AFP Arizona Bryce A. Suzuki Bryan Cave LLP

Bitcoin and the Brave New World of Cryptocurrency AFP Arizona Bryce A. Suzuki Bryan Cave LLP Phoenix, Arizona bryce.suzuki@bryancave.com What is bitcoin? Bitcoin is a cryptocurrency that was created in 2009 by an unknown person or

273 views • 26 slides
Remember When: Westmoreland Countys Drive -In Theaters Pennsylvanias Place in Drive -In

Remember When: Westmoreland Countys Drive -In Theaters Pennsylvanias Place in Drive -In

Remember When: Westmoreland Countys Drive -In Theaters Pennsylvanias Place in Drive -In History April 15, 1934: Shankweilers Auto Park in Orefield, Pennsylvania opened as the second drive-in theater in the United States.

566 views • 20 slides
Deanonymization and linkability of transactions based on network analysis cryptocurrency

Deanonymization and linkability of transactions based on network analysis cryptocurrency

Deanonymization and linkability of cryptocurrency Deanonymization and linkability of transactions based on network analysis cryptocurrency transactions based on Biryukov, Tikhomirov network analysis Introduction Tx clustering Parallel

735 views • 39 slides
Cryptocurrency Regulation in the EU AML Regime: the path towards effective harmonization? 2nd

Cryptocurrency Regulation in the EU AML Regime: the path towards effective harmonization? 2nd

EDUARDO SILVA DE FREITAS Cryptocurrency Regulation in the EU AML Regime: the path towards effective harmonization? 2nd Crypto Asset Lab Conference CONTEXT AND Financial Accountant , UK, 2019 RESEARCH " EU members adopt tougher crypto

597 views • 16 slides
How Tax Authorities Are Responding To Cryptocurrency By Mark Rush, Claiborne Porter, Joseph Valenti

How Tax Authorities Are Responding To Cryptocurrency By Mark Rush, Claiborne Porter, Joseph Valenti

Portfolio Media. Inc. | 111 West 19 th Street, 5th Floor | New York, NY 10011 | www.law360.com Phone: +1 646 783 7100 | Fax: +1 646 783 7161 | customerservice@law360.com How Tax Authorities Are Responding To Cryptocurrency By Mark Rush, Claiborne

279 views • 7 slides
TOWARDS A UNIFIED TELEMETRY SERVICE FRAMEWORK FOR HPC ENVIRONMENTS Ole Weidner Adam Barker

TOWARDS A UNIFIED TELEMETRY SERVICE FRAMEWORK FOR HPC ENVIRONMENTS Ole Weidner Adam Barker

TOWARDS A UNIFIED TELEMETRY SERVICE FRAMEWORK FOR HPC ENVIRONMENTS Ole Weidner Adam Barker Malcolm Atkinson School of Informatics School of Computer Science School of Informatics University of Edinburgh University of St Andrews University

443 views • 26 slides
This time Continuing with Web Security Cookies XSS & CSRF Required reading for this

This time Continuing with Web Security Cookies XSS & CSRF Required reading for this

This time Continuing with Web Security Cookies XSS & CSRF Required reading for this lecture: Web Security: Are You Part Of The Problem? Cross Site Request Forgery: An Introduction HTTP GET requests Contain headers.

1.77k views • 148 slides
Blacklisting the Blacklist in Digital Advertising Improving Delivery by Bidding for What You Can

Blacklisting the Blacklist in Digital Advertising Improving Delivery by Bidding for What You Can

Blacklisting the Blacklist in Digital Advertising Improving Delivery by Bidding for What You Can Win AdKDD2017 Yeming Shi, Claudia Perlich, Ori Stitelman yshi, claudia, ostitelman@dstillery.com Dstillery, Inc. Outline Introduction

635 views • 17 slides
S GX E LIDE : Enabling Enclave Code Secrecy via Self-Modification Erick Bauman 1 , Huibo Wang 1 ,

S GX E LIDE : Enabling Enclave Code Secrecy via Self-Modification Erick Bauman 1 , Huibo Wang 1 ,

S GX E LIDE : Enabling Enclave Code Secrecy via Self-Modification Erick Bauman 1 , Huibo Wang 1 , Mingwei Zhang 2 , Zhiqiang Lin 1 , 3 1 University of Texas at Dallas 2 Intel Labs 3 The Ohio State University CGO 2018 Introduction Background and

1.08k views • 74 slides
SQL Injection Attacks Many web servers have backing databases Much of their information

SQL Injection Attacks Many web servers have backing databases Much of their information

SQL Injection Attacks Many web servers have backing databases Much of their information stored in a database Web pages are built (in part) based on queries to a database Possibly using some client input . . . Lecture 16 Page 1

646 views • 21 slides
CSCI 4250/6250 Fall 2015 Computer and Networks Security Network Security Goodrich, Chapter

CSCI 4250/6250 Fall 2015 Computer and Networks Security Network Security Goodrich, Chapter

CSCI 4250/6250 Fall 2015 Computer and Networks Security Network Security Goodrich, Chapter 5-6 Tunnels } The contents of TCP packets are not normally encrypted, so if someone is eavesdropping on a TCP connection, he can often see the

555 views • 29 slides
Detecting Hardware Trojans: A Tale of Two Techniques Sharad Malik sharad@princeton.edu FMCAD

Detecting Hardware Trojans: A Tale of Two Techniques Sharad Malik sharad@princeton.edu FMCAD

Detecting Hardware Trojans: A Tale of Two Techniques Sharad Malik sharad@princeton.edu FMCAD 2015 Hardware Security and Hardware Trojans User apps Each layer trusts all layers below it Kernel Hypervisor More privilege Widely

706 views • 49 slides
Classification of URL Bitstreams using Bag of Bytes Keiichi Shima & Hiroshi Abe (IIJ

Classification of URL Bitstreams using Bag of Bytes Keiichi Shima & Hiroshi Abe (IIJ

361 views • 17 slides

More recommend