Cryptomining Malware Early Detection Method Based on AECD Embedding

doi:10.3778/j.issn.1673-9418.2307023

Abstract

Abstract: Cryptomining malware can compromise system security, reduce hardware lifetime, and cause significant power consumption. Therefore, implementing cryptomining malware early detection to stop its damage in time is critical to system security. The existing dynamic analysis-based cryptomining malware early detection methods are hard to balance the timeliness and accuracy of detection. To detect cryptomining malware accurately and timely, this paper integrates a certain length of API (application programming interface) names, API operation categories and DLLs (dynamic link libraries) called by cryptomining malware in the early stage of operation to more fully describe its behavioral information in this stage, and proposes the AECD (API embedding based on category and DLL) embedding and further proposes a cryptomining malware early detection method based on AECD embedding (CEDMA). CEDMA uses the API sequence called by software in the early stage of operation as the object of detection and uses AECD embedding and TextCNN (text convolutional neural network) to build a detection model to implement cryptomining malware early detection. Experimental results show that when CEDMA takes the 3000 API sequence called for the first time after the software runs as input, it can detect the known and unknown cryptomining malware samples in the experiment with 98.21% and 96.76% accuracy values, respectively.

Key words: cryptomining malware, dynamic analysis, early detection, deep learning

摘要： 挖矿恶意软件会损害系统安全，缩减硬件寿命，以及造成大量电力消耗，实施对挖矿恶意软件的早期检测以及时阻止其损害对于维护系统安全至关重要。现有的基于动态分析的挖矿恶意软件早期检测方法未能兼顾检测的及时性和准确率。为及时且准确地检测挖矿恶意软件，将挖矿恶意软件运行初期所调用的一定长度的API（application programming interface）名称、API操作类别和调用API的DLL（dynamic link library）进行融合以更充分地描述其在运行初期的行为信息，提出AECD（API embedding based on category and DLL）词嵌入方法并进一步提出基于AECD词嵌入的挖矿恶意软件早期检测方法（CEDMA）。CEDMA以软件在运行初期所调用的一定长度的API序列为检测对象，使用AECD词嵌入和TextCNN（text convolutional neural network）建立检测模型来实施对挖矿恶意软件的早期检测。实验结果显示，CEDMA以软件运行后首次调用的长度为3 000的API序列作为输入时，可分别以98.21%、96.76%的Accuracy值检测实验中已知和未知的挖矿恶意软件样本。

关键词: 挖矿恶意软件, 动态分析, 早期检测, 深度学习

CAO Chuanbo, GUO Chun, LI Xianchao, SHEN Guowei. Cryptomining Malware Early Detection Method Based on AECD Embedding[J]. Journal of Frontiers of Computer Science and Technology, 2024, 18(4): 1083-1093.

曹传博, 郭春, 李显超, 申国伟. 基于AECD词嵌入的挖矿恶意软件早期检测方法[J]. 计算机科学与探索, 2024, 18(4): 1083-1093.

References

[1] BADAWI E, JOURDAN G V. Cryptocurrencies emerging threats and defensive mechanisms: a systematic literature review[J]. IEEE Access, 2020, 8: 200021-200037.
[2] Sonicwall. 2023 Sonicwall cyber threat report[EB/OL]. (2023-03-23) [2023-04-24]. https://www.sonicwall.com/2023-cyber-threat-report/.
[3] PASTRANA S, SUAREZ-TANGIL G. A first look at the crypto-mining malware ecosystem: a decade of unrestricted wealth[C]//Proceedings of the Internet Measurement Conference, Amsterdam, Oct 21-23, 2019. New York: Association for Computing Machinery, 2019: 73-86.
[4] BIJMANS H L J, BOOIJ T M, DOERR C. Inadvertently making cyber criminals rich: a comprehensive study of cryptojacking campaigns at internet scale[C]//Proceedings of the 28th USENIX Security Symposium, Santa Clara, Aug 16-19, 2019. Berkeley: USENIX Association, 2019: 1627-1644.
[5] MANI G, PASUMARTI V, BHARGAVA B, et al. Decrypto pro: deep learning based cryptomining malware detection using performance counters[C]//Proceedings of the 2020 IEEE International Conference on Autonomic Computing and Self-Organizing Systems, Washington, Aug 17-21, 2020. Piscataway: IEEE, 2020: 109-118.
[6] AL-RIMY B A S, MAAROF M A, ALAZAB M, et al. Redundancy coefficient gradual up-weighting-based mutual information feature selection technique for crypto-ransomware early detection[J]. Future Generation Computer Systems, 2021, 115: 641-658.
[7] KIM Y. Convolutional neural networks for sentence classification[J]. arXiv:1408.5882, 2014.
[8] BERECZ G J, CZIBULA I G. Hunting traits for cryptojackers[C]//Proceedings of the 16th International Joint Conference on e-Business and Telecommunications, Prague, Jul 26-28, 2019. Francisco: SciTePress, 2019: 386-393.
[9] KARN R R, KUDVA P, HUANG H, et al. Cryptomining detection in container clouds using system calls and explainable machine learning[J]. IEEE Transactions on Parallel and Distributed Systems, 2020, 32(3): 674-691.
[10] I MU?OZ J Z, SUáREZ-VARELA J, BARLET-ROS P. Detecting cryptocurrency miners with NetFlow/IPFIX network measurements[C]//Proceedings of the 2019 IEEE International Symposium on Measurements & Networking, Catania, Jul 8-10, 2019. Piscataway: IEEE, 2019: 1-6.
[11] CAPROLU M, RAPONI S, OLIGERI G, et al. Cryptomining makes noise: detecting cryptojacking via machine learning[J]. Computer Communications, 2021, 171: 126-139.
[12] 曹传博, 郭春, 申国伟, 等. 面向行为多样期的挖矿恶意软件早期检测方法[J]. 电子学报, 2023, 51(7): 1850-1858.
CAO C B, GUO C, SHEN G W, et al. Cryptomining malware early detection method in behavioral diversity period[J]. Acta Electronica Sinica, 2023, 51(7): 1850-1858.
[13] SUN P F, LYU M D, LI H, et al. An early stage convolutional feature extracting method using for mining traffic detection[J]. Computer Communications, 2022, 193: 346-354.
[14] YING Q, YU Y, TIAN D, et al. CJSpector: a novel cryptojacking detection method using hardware trace and deep learning[J]. Journal of Grid Computing, 2022, 20(3): 1-15.
[15] TANG M, QIAN Q. Dynamic API call sequence visualisation for malware classification[J]. IET Information Security, 2019, 13(4): 367-377.
[16] MIKOLOV T, SUTSKEVER I, CHEN K, et al. Distributed representations of words and phrases and their compositionality[C]//Advances in Neural Information Processing Systems, 2013.