Browser-Based Deep Behavioral Detection of Web Cryptomining with CoinSpy

Abstract Although the cryptocurrency hype of recent months may be seen by some as a benign social fad, to the Web community it is the center point for a series of ethically dubious ransomware attacks. Browser-based cryptomining, or cryptojacking, is gaining widespread attention. Cryptojacking consists of Web servers delivering cryptocurrency mining scripts to clients, and using the client resources to perform distributed coin mining. Although the Web servers defend the ethics of the operation by quoting it as a substitute for advertisement revenue, these scripts can hog massive amounts of client CPU usage and can be delivered without client consent, presenting a high potential for abuse. Regardless of how ethical these campaigns are, what remains constant is the need for their detection. We present CoinSpy, an entirely in-browser tool built using deep learning techniques for the detection of cryptomining activity within Web pages. A key challenge is that there is limited visibility into the client resource usage from within the browser sandbox. CoinSpy extracts several signals from information available from the browser and combines them using deep learning to build a robust cryptomining classifier. CoinSpy significantly outperforms existing state-of-the-art in-browser detection tools with a 97% accuracy in detecting cryptojacking.
Authors
  • Ramya Raghavendra (IBM US)
Date Feb-2019
Venue 26th Annual Network and Distributed System Security Symposium 2019