Digital Investigation, Volume 31, December 2019, 100884
Abstract
Cryptocurrencies set a new trend for financial interaction between people. To meet this use-case, cryptocurrencies combine various advanced information technologies (e.g., a blockchain as a replicated database, asymmetric ciphers and hashes guaranteeing integrity properties, and peer-to-peer networking providing a fault-tolerant service). The mining process not only introduces new cryptocurrency units but has also become a business that generates real-world revenue. This paper examines different approaches to detecting cryptocurrency mining within corporate networks (where it should not be present). Mining activity is often a sign of malware presence or unauthorized exploitation of company resources. The article provides an in-depth overview of the pooled mining process, including deployment and operational details. Two detection methods and their implementations are made available to network administrators, law enforcement agents, and the general public interested in cryptocurrency mining forensics.
Introduction
The motivation behind cryptocurrency is to introduce an alternative currency that is not controlled by a government (e.g., a central bank). The trustworthiness of such an electronic cryptocurrency lies in the use of cryptographic algorithms to verify transactions and to ensure fair emission of new units into circulation. Dark web marketplaces use cryptocurrencies for their: a) nearly instant and free-of-charge payments; b) easily obtainable and changeable addresses; c) hard-to-trace transactions (thanks to their peer-to-peer nature). Several studies (Raeesi, 2015), (Grinberg, 2012), (Johnson, 2014) investigate Bitcoin as the key component of any digital black marketplace, because cryptocurrencies generally allow criminals to circumvent law enforcement agencies (LEAs) and regulators.
Of all cryptocurrencies, Bitcoin (Nakamoto, 2008), (Bitcoin.org, 2018) became popular when it gained momentum at the end of 2013 after its exchange price skyrocketed. The current (as of July 2019) total number of Bitcoins (approx. 17.8 million) accounts for more than 202 billion USD (CoinMarketCap.com, 2017). Bitcoin is a peer-to-peer network with a distributed infrastructure of users and miners. A miner verifies ongoing transactions for a reward (either a transaction fee or newly emitted Bitcoins). The reward is paid to the first miner who proves the transactions by spending its computational power on this process. Other proof-of-work cryptocurrencies have adopted the same mining concept. Anyone can join the solo mining process, but the probability of earning a reward is low and the risk of wasting computational power without any profit is too high. Therefore, miners form so-called mining pools. When a pool earns a reward, the pool operator distributes it among the miners according to their contribution.
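The two facts stated above, that a miner earns the reward by spending computation to find a qualifying hash and that a pool splits its reward among miners in proportion to their contribution, are easy to see in a toy model. The following is an added, deliberately simplified example and not code from the paper; the header bytes, targets, nonce ranges and miner names are constructed for the demonstration, and a real block header and difficulty encoding are far more involved.

```python
"""Toy proof-of-work mining and pooled share accounting (added example)."""
import hashlib

# Constructed block-header stand-in; a real header carries version, previous
# block hash, merkle root, timestamp and difficulty bits.
HEADER = b"example-block-header-v1"

# Targets are upper bounds on the 256-bit hash value: a smaller target is harder.
BLOCK_TARGET = 2**256 // 4096   # roughly 1 in 4096 hashes qualifies
SHARE_TARGET = 2**256 // 64     # easier target a pool uses to measure work done


def pow_hash(header: bytes, nonce: int) -> bytes:
    """Bitcoin-style double SHA-256 over header || nonce (8-byte little-endian)."""
    data = header + nonce.to_bytes(8, "little")
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def meets_target(digest: bytes, target: int) -> bool:
    """A digest is valid when, read as a big-endian integer, it is <= target."""
    return int.from_bytes(digest, "big") <= target


def find_nonce(header: bytes, target: int, start: int = 0, limit: int = 1_000_000):
    """Solo mining: scan nonces until the hash meets the block target.

    Returns the nonce, or None if the range is exhausted. The expected number
    of hashes is 2**256 / target, which is what "spending computational power"
    means in the proof-of-work setting.
    """
    for nonce in range(start, start + limit):
        if meets_target(pow_hash(header, nonce), target):
            return nonce
    return None


def mine_shares(header: bytes, share_target: int, nonce_range: range) -> list:
    """Pooled mining: a miner reports every nonce whose hash meets the easier
    share target; each share is verifiable proof of a slice of work."""
    return [n for n in nonce_range if meets_target(pow_hash(header, n), share_target)]


def verify_share(header: bytes, nonce: int, share_target: int) -> bool:
    """Pool-side check: recompute the hash rather than trusting the reported share."""
    return meets_target(pow_hash(header, nonce), share_target)


def distribute_reward(shares_by_miner: dict, reward: float) -> dict:
    """Proportional payout: each miner receives reward * (own shares / all shares)."""
    total = sum(shares_by_miner.values())
    if total == 0:
        return {m: 0.0 for m in shares_by_miner}
    return {m: reward * s / total for m, s in shares_by_miner.items()}


def simulate_pool(header: bytes, miners: dict, reward: float) -> dict:
    """Run each miner over its own nonce range, verify its shares, pay out by count."""
    counts = {}
    for name, nonce_range in miners.items():
        shares = mine_shares(header, SHARE_TARGET, nonce_range)
        counts[name] = sum(verify_share(header, n, SHARE_TARGET) for n in shares)
    return distribute_reward(counts, reward)


if __name__ == "__main__":
    print("solo block found at nonce", find_nonce(HEADER, BLOCK_TARGET))
    # Three miners with different hash rates, modelled as nonce ranges of different sizes.
    miners = {"alice": range(0, 6400), "bob": range(6400, 9600), "carol": range(9600, 11200)}
    print(simulate_pool(HEADER, miners, reward=12.5))
```

Because the share target is 64 times easier than the block target, a miner produces shares at a steady rate even when it never finds a block, which is exactly what makes pooled mining attractive over solo mining and why pool traffic from a compromised host is continuous rather than bursty.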
Apart from alternatives to Bitcoin (e.g., Litecoin, Ethereum, generally referred to as altcoins), the cryptocurrency universe also contains tokens. Tokens (compared to coins) represent a digital asset or utility that leverages another coin's blockchain for its accounting. New tokens are generally not mined but distributed by their authors/owners. Within the frame of this paper, we focus only on the mining process behind coins and refer to them as "cryptocurrencies" interchangeably.
Any organization should be aware of mining software running on its hardware in its network for at least two reasons: a) mining activity is often caused by malware, so it is an indicator of compromise; b) the energy (e.g., electricity, cooling, CPU and GPU power) spent on mining is paid for by the hosting organization, while the recipient of the reward is a malicious actor. Ali et al. (2015a) report on various types of cryptocurrency malware dedicated to covert mining on devices, desktops, and servers, but also on platforms like webcams, smartphones, or network-attached storage. Universities (Hern, 2014) and technological centers (Nield, 2018), (BBC.com, 2018) are typical examples of energy exploitation because they offer free computational resources (i.e., servers, network) to academics, researchers, and students. Nevertheless, a mining operation can be started in any organization (e.g., subsidized accommodation for Czech members of parliament, see (Frouzová and Zelenka, 2018)).
A malicious actor might exploit these assets, resulting in an increased energy bill, depleted resources, and endangered work processes, services, and other users. For instance, Bitcoin mining has a severe impact on electricity consumption, comparable in 2014 to the energy consumption of Ireland (O'Dwyer and Malone, 2014). Another report (de Vries, 2018) provides a more in-depth analysis of how to estimate Bitcoin's hunger for energy, concluding that it may reach 7.67 GW (comparable with Austria) during 2018.
In this paper, we focus on the detection of devices participating in mining pools. Cryptocurrency mining is the only way users may obtain freshly minted currency units. Moreover, mining is still the prevailing way to earn cryptocurrencies with existing equipment.
We propose two approaches for cryptocurrency miner detection in the network:
- The first approach employs a mix of passive and active traffic monitoring. The passive monitoring is based on the analysis of IP flow records, while the active monitoring is based on probing. The detection method as a whole gradually learns a list of mining servers, which subsequently reduces the need for active monitoring. Since anyone can set up their own mining pool or even mining server, the resulting list of publicly known mining servers cannot be considered complete. However, it may be employed as a baseline for miner detection by any network operator.
- The second approach can be described as a catalog of mining pools. We have created a publicly available web application that stores metadata about existing mining pools. Any user may query our system to check whether a given FQDN, IP address or port number is part of a known pool configuration.
Fig. 1 illustrates a stakeholder (i.e., an administrator or LEA operative acting as network analyst) and the modus operandi of the above-mentioned approaches (i.e., a NetFlow probe capable of cryptocurrency miner detection plus the pool catalog, which validates existing mining servers and optionally feeds the probe).
The contribution of this article involves: a) an overview of current cryptocurrency mining technology; b) two detection methods for network traffic related to cryptocurrency mining; c) open-access data samples; and d) a publicly available service cataloging mining servers.
The rest of the paper is organized as follows. Section 2 reviews related work on cryptocurrency mining. Section 3 details the currently used mining architecture and the protocols involved. Section 4 describes passive/active traffic monitoring (the first approach to detecting miners), including its validation and verification. Section 5 explains the implementation and operation of the mining server catalog (the second approach). Section 6 summarizes the article and outlines our future work.
Section snippets
Related work
This section summarizes knowledge from selected articles relevant to cryptocurrency mining. We motivate miner detection within the frame of known cryptocurrency issues and the research of others.
We consider the work of Courtois et al. (Courtois et al., 1310) a great introductory source explaining Bitcoin mining. Despite focusing on improving the Bitcoin mining process, the authors provide a theoretical background explaining the bindings between the employed cryptography and cryptocurrency mining. Moreover, this
Mining background
This section provides a theoretical background (mostly based on the Bitcoin use-case). However, an explanation of the whole mining process for all cryptocurrencies is far beyond the scope of this article. Hence, only the parts relevant to miner detection are described. The first subsection lays out the basic theory behind any cryptocurrency operation. The second subsection familiarizes the reader with the state of the art in cryptocurrency mining software and hardware. The third subsection provides a
Traffic monitoring
Network traffic monitoring provides data for network management and accounting as well as for security. In our work, we assume basic flow-based network monitoring. A flow is a set of packets sharing the same key (in most cases, source and destination IP address, source and destination port, and protocol). Flows are measured at observation points, and the measured data for each flow are exported to a collector by a flow export protocol (e.g., NetFlow v5). For further details on flow
Catalog of mining pools
We were also looking for a more lightweight solution suitable even for small corporate networks that lack the capacity to install dedicated probes performing our active/passive traffic monitoring with machine learning. We want to offer conclusive detection results with a minimum set of input information.
A network administrator or law enforcement agent (i.e., our main actors for the mining detection use-case) should have basic NetFlow records of the investigated device/network segment. These records
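The flow definition in the traffic monitoring section (packets grouped by the source/destination address, port and protocol key) and the catalog lookup described here (query by FQDN, IP address or port) fit together in a few dozen lines. The following is an added example that is not code from the paper or from the sMaSheD catalog; the catalog entries, the addresses (taken from the RFC 5737 documentation ranges) and the packet records are constructed placeholders, and the verdict labels are my own naming.

```python
"""Flow aggregation over the 5-tuple key plus mining-server catalog lookup (added example)."""
import ipaddress
from collections import defaultdict

# Constructed catalog of mining-server endpoints (placeholder data, not real pools).
CATALOG = [
    {"fqdn": "pool-a.example.net", "ip": "203.0.113.10", "port": 3333},
    {"fqdn": "pool-a.example.net", "ip": "203.0.113.10", "port": 3334},
    {"fqdn": "pool-b.example.org", "ip": "198.51.100.7", "port": 4444},
]

# Constructed packets: (timestamp, src_ip, dst_ip, src_port, dst_port, proto, bytes)
PACKETS = [
    (1.0, "10.0.0.5", "203.0.113.10", 50123, 3333, "tcp", 120),
    (1.2, "203.0.113.10", "10.0.0.5", 3333, 50123, "tcp", 310),
    (2.0, "10.0.0.5", "203.0.113.10", 50123, 3333, "tcp", 96),
    (3.0, "10.0.0.8", "192.0.2.44", 50200, 3333, "tcp", 88),   # port matches, server unknown
    (4.0, "10.0.0.9", "192.0.2.80", 50300, 443, "tcp", 517),   # ordinary-looking HTTPS flow
]


def aggregate_flows(packets):
    """Group packets by (src, dst, sport, dport, proto) into NetFlow-like records."""
    flows = {}
    for ts, src, dst, sport, dport, proto, length in packets:
        key = (src, dst, sport, dport, proto)
        rec = flows.get(key)
        if rec is None:
            flows[key] = {"packets": 1, "bytes": length, "first": ts, "last": ts}
        else:
            rec["packets"] += 1
            rec["bytes"] += length
            rec["first"] = min(rec["first"], ts)
            rec["last"] = max(rec["last"], ts)
    return flows


def build_index(catalog):
    """Index catalog entries by FQDN, IP and port so each query type is a direct lookup."""
    by_fqdn, by_ip, by_port = defaultdict(list), defaultdict(list), defaultdict(list)
    for e in catalog:
        by_fqdn[e["fqdn"].lower()].append(e)
        by_ip[e["ip"]].append(e)
        by_port[e["port"]].append(e)
    return {"fqdn": by_fqdn, "ip": by_ip, "port": by_port}


def lookup(query: str, index) -> list:
    """Catalog query by FQDN, IP address or port number, decided from the string form."""
    if query.isdigit():
        return list(index["port"].get(int(query), []))
    try:
        ipaddress.ip_address(query)
        return list(index["ip"].get(query, []))
    except ValueError:
        return list(index["fqdn"].get(query.lower(), []))


def classify_flows(flows, catalog):
    """Verdict per flow: ('known-server', endpoint) when IP and port both match a
    catalog entry, checked in either direction because flow records are
    unidirectional; ('port-only', None) when only the port matches, a weak hint
    that warrants verification rather than an alert; absent otherwise."""
    index = build_index(catalog)
    known = {(e["ip"], e["port"]) for e in catalog}
    verdicts = {}
    for key in flows:
        src, dst, sport, dport, _proto = key
        for endpoint in ((dst, dport), (src, sport)):
            if endpoint in known:
                verdicts[key] = ("known-server", endpoint)
                break
        else:
            if dport in index["port"] or sport in index["port"]:
                verdicts[key] = ("port-only", None)
    return verdicts


def learned_servers(verdicts) -> set:
    """Endpoints confirmed so far; a probe can skip re-checking these."""
    return {ep for verdict, ep in verdicts.values() if verdict == "known-server"}


if __name__ == "__main__":
    flows = aggregate_flows(PACKETS)
    verdicts = classify_flows(flows, CATALOG)
    for key, (verdict, endpoint) in verdicts.items():
        print(key, "->", verdict, endpoint, flows[key])
    print("learned:", learned_servers(verdicts))
```

Matching on the destination IP and port together is what makes a flow-level verdict conclusive with minimal input; a port-only hit is listed separately because mining servers listen on arbitrary ports and ordinary services can share them, so that case is where the active probing or a catalog query on the FQDN should resolve the ambiguity.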
Conclusion
In this paper, we provided an in-depth analysis of cryptocurrency mining operation. We designed and implemented passive-active flow monitoring and the sMaSheD catalog to detect mining devices within the network. We tested the feasibility of these approaches on real-life data as well as on the published data sets used in this article under an open access policy. We conclude that the catalog and the passive-active approach are complementary: the catalog is more focused on maintaining current information about mining
Acknowledgement
This article has been supported by the Ministry of Education, Youth and Sports from the National Programme of Sustainability (NPU II) project IT4Innovations excellence in science (no. LQ1602). Authors also want to acknowledge work done by Jakub Kelečeni, Erik Šabík, and Martin Cagaš, the students of Brno University of Technology.
References (50)
- A. de Vries, Bitcoin's growing energy problem, Joule (2018)
- S.T. Ali et al., Bitcoin: perils of an unregulated global P2P currency
- S.T. Ali et al., Zombiecoin: powering next-generation botnets with Bitcoin
- BBC.com, Russian nuclear scientists arrested for 'bitcoin mining plot'
- Bitcoin.org, Bitcoin - open source P2P money
- Blockchain.info, Hashrate Distribution: an estimation of hashrate distribution amongst the largest mining pools (2018)
- BTC.com, Bitfury - Pool - btc.com (2018)
- Carbon Black, Cryptocurrency Gold Rush on the Dark Web (June 2018)
- T. Cejka et al., Nemea: a framework for network traffic analysis
- B. Claise, Cisco Systems NetFlow Services Export Version 9, RFC 3954 (October 2004)
- Specification of the IP Flow Information Export (IPFIX) Protocol, RFC 7011 (September 2013)
- CoinMarketCap.com, Bitcoin (BTC) - CryptoCurrency Market Capitalizations (2017)
- Getblocktemplate - Fundamentals, BIP 22, Bitcoin Project (February 2012)
- Getblocktemplate - Pooled Mining, BIP 23, Bitcoin Project (February 2012)
- Detecting Crypto Currency Mining in Corporate (2015)
- Ethereum top 25 miners by blocks
- Majority is not enough: Bitcoin mining is vulnerable
- Frouzová and Zelenka, Pirát ve služebním bytě těžil kryptoměny, Sněmovnu zaskočil účet za elektřinu. Byla mi zima, hájí se! [A Pirate Party MP mined cryptocurrency in his official flat; the electricity bill caught the Chamber off guard. "I was cold," he says in his defence] (2018)
- Grinberg, Bitcoin: an innovative alternative digital currency, Hastings Sci. Technol. Law J. (2012)
- The Rise of Cryptocurrency Miners (2018)
- Ransomware: emergence of the cyber-extortion menace
- Hern, Student Uses University Computers to Mine Dogecoin (2014)
- Flow monitoring explained: from packet capture to data analysis with NetFlow and IPFIX, IEEE Commun. Surv. Tutorials (2014)
- Botcoin: monetizing stolen cycles