Method and device for detecting and analyzing encrypted mining traffic independent of ioc
By employing an IOC-independent method for detecting encrypted mining traffic, and combining machine learning and threat intelligence, a detection system based on mining traffic protocol characteristics and traffic session characteristics was designed. This solves the problem of high false positives in existing technologies and achieves efficient identification of encrypted mining traffic.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- GUANGZHOU UNIVERSITY
- Filing Date
- 2023-05-17
- Publication Date
- 2026-07-10
AI Technical Summary
Existing mining traffic identification technologies suffer from detection failures, false alarms, or missed alarms when faced with protocol variants, traffic encryption, and emerging mining software. In particular, they lack effective means to detect covert and customized mining behaviors.
A detection and analysis system based on mining traffic protocol features and traffic session features was designed by adopting an IOC-independent method for detecting encrypted mining traffic. This method involves obtaining a set of traffic to be detected, performing keyword matching and feature filtering, and using a machine learning classifier model combined with domain certificate information and threat intelligence within the traffic packets for identification.
It improves the accuracy of mining traffic identification, reduces the false alarm rate, effectively identifies encrypted mining traffic, and solves the problem of high false alarms in existing technologies.
Smart Images

Figure CN116846587B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of mining traffic identification technology, and in particular to a method and apparatus for detecting and analyzing encrypted mining traffic that does not rely on IOC. Background Technology
[0002] The development and rising value of cryptocurrencies in recent years have led some malicious attackers to use botnets or malware to control numerous victims' computers or mobile devices for covert cryptocurrency mining, thereby obtaining illegal profits. This behavior not only consumes the victims' electricity and computing resources, reducing device performance and lifespan, but also may cause information leaks and security risks. Therefore, mining traffic identification technology is of great significance for protecting the cybersecurity of users and businesses.
[0003] Mining traffic identification technology is used to detect and analyze the presence of cryptocurrency mining activities on a network. It primarily extracts and matches features from network traffic to determine if there are traffic patterns consistent with known mining protocols or commands. This technology can effectively prevent malicious mining activities from impacting network resources and security. Currently, there are several research and applications of network traffic-based mining behavior detection and identification technologies both domestically and internationally. Examples include: protocol-based methods: analyzing common mining pool protocols such as Stratum and Getwork to extract command features, such as subscription, authorization, and submission, and judging based on their frequency, order, and content; traffic-based methods: statistically analyzing network traffic to extract traffic features, such as packet size, quantity, and intervals, and judging based on differences from normal or known malicious traffic; and fingerprint-based methods: decrypting or estimating encrypted information contained in network traffic to extract fingerprint features, such as mining software model, mining pool currency, and mining account, and matching them with known databases or blacklists. However, facing continuous protocol variations and advancements in traffic encryption technology, current mining traffic identification technologies have several shortcomings: Protocol feature-based methods are highly dependent on protocol format and content; if the mining pool protocol changes or uses encryption or obfuscation techniques, detection and identification will fail. Traffic feature-based methods have high requirements for the quality and quantity of traffic data; incomplete or noisy traffic data will affect the detection and identification results. Fingerprint-based methods require the establishment and maintenance of a large fingerprint database or blacklist; if unknown or newly emerging mining software, mining pools, or cryptocurrencies are encountered, false negatives or missed detections will occur, and it will be difficult to extract valid fingerprint patterns. Furthermore, effective detection and identification methods are still lacking for some covert, mutated, or customized mining behaviors. Summary of the Invention
[0004] The main objective of this invention is to overcome the shortcomings and deficiencies of the prior art and provide a method and apparatus for detecting and analyzing encrypted mining traffic that does not rely on IOC. Based on the characteristics of mining traffic protocols and traffic session characteristics, a machine learning classifier model is constructed and designed for identification. Combined with the information memory of domain name certificates and threat intelligence within the traffic packets, the accuracy of mining traffic identification is effectively improved, and the problem of high false alarms in mining traffic identification is solved.
[0005] To achieve the above objectives, the present invention adopts the following technical solution:
[0006] In a first aspect, the present invention provides a method for detecting and analyzing cryptographic mining traffic that does not rely on IOC, comprising the following steps:
[0007] Obtain the traffic set to be detected, first perform keyword rule matching on the traffic set to be detected to match unencrypted plaintext mining traffic, and then filter out most of the normal traffic based on the statistical characteristics of mining traffic to obtain the filtered encrypted traffic detection set.
[0008] The filtered encrypted traffic detection set is used to extract traffic features of multiple dimensions using a feature extraction tool. The traffic features of multiple dimensions are normalized and completely identical features are removed to obtain an encrypted mining traffic feature set. The encrypted mining traffic feature set is then predicted using a pre-trained classification model to obtain suspicious encrypted mining traffic.
[0009] The suspicious encrypted traffic is excluded, and an attempt is made to request the certificate corresponding to the "external IP:external IP port" of the flow. An automated script is written to initiate an HTTPS request. If the certificate cannot be obtained or the certificate has a suspicious commonName, it is highly suspicious. Similarly, if the HTTPS request fails, it is also highly suspicious. The flow with high suspicion is audited first. The domain certificate information memory in the traffic packet is audited to check whether the flow's traffic packet contains information memory of a suspected certificate with a commonName. Combined with threat intelligence, traffic of normal domains is excluded to obtain the encrypted mining traffic analysis results.
[0010] As a preferred technical solution, in the step of obtaining the traffic set to be detected, for unencrypted mining traffic, the mining protocol used is mainly Stratum and its related variants, which have significant characteristic keywords "method" and "params". Therefore, the mining keywords are designed to be one or more of jsonrpc, method, params, nonce, job_id, and mining.
[0011] As a preferred technical solution, the filtering based on statistical mining traffic characteristics specifically includes:
[0012] Calculated from the traffic packets after the 5th TLS packet after the last "Change CIPher Spec", whether it is from the mining pool to the miner or from the miner to the mining pool, no more than 4 packets will be sent continuously on one side.
[0013] Calculating from the traffic packets after the 5th TLS packet following the last "Change CIPher Spec", whether it is all packets or TLS packets, at least 80% of the packet size values are distributed among the 5 packet size values;
[0014] Calculating from the traffic packets after the 5th TLS packet after the last "Change CIPher Spec", the TLS packet from the miner to the mining pool will be followed by multiple TLS packets from the mining pool to the miner. It is extremely rare for there to be 3 consecutive TLS packets from the miner to the mining pool.
[0015] The packet size is calculated from the 5th TLS packet after the last "Change CIPher Spec" packet, and the packet size does not exceed 500.
[0016] In a TCP stream, packets identified as TLS protocols account for half of all packets, with a difference of no more than 3 packets.
[0017] The flow lasts for a relatively long time, more than 5 seconds.
[0018] As a preferred technical solution, the feature extraction tool uses CICFlowMeter, and the extracted features include: Fwd Seg Size Min, Active Mean, Active Std, Active Max, Idle Mean, and Idle Std.
[0019] As a preferred technical solution, a pre-trained classification model is used to predict the feature set of crypto mining traffic to obtain suspicious crypto mining traffic, specifically:
[0020] The isolated forest algorithm with a single classifier was used to detect the encrypted traffic set to be tested. The mining traffic of several cryptocurrencies such as ETH, ETC, AE, BEAM, CONFLUX, and ERGO based on the stratum+SSL communication protocol was collected in the early stage as the training set, and the encrypted traffic set to be tested was used as the test set. In order to avoid missing suspicious IPs, the taint rate was set to a relatively large 0.2, and the random seed random_state was set to 30 to obtain suspicious mining traffic.
[0021] As a preferred technical solution, when inspecting the detected flow, only the (IP, port) tuples classified as abnormal traffic packets in the classification model are checked.
[0022] As a preferred technical solution, the step of writing an automated script to initiate an HTTPS request specifically involves:
[0023] The suspicious mining traffic is iterated through, and an automated script is written to repeatedly initiate HTTPS requests to the IP address and port. The status code of the request is obtained. If the request is successful, the certificate information is obtained. If the certificate cannot be obtained or the certificate has a suspicious commonName, it is highly suspicious. Similarly, if the HTTPS request fails or times out, it is also highly suspicious.
[0024] Secondly, the present invention provides an IOC-independent crypto mining traffic detection and analysis system, which is applied to the IOC-independent crypto mining traffic detection and analysis method, including a traffic processing module, a model training module, and a traffic analysis module.
[0025] The traffic processing module first performs keyword rule matching on the traffic set to be detected to match unencrypted plaintext mining traffic, and then filters out most of the normal traffic based on the statistical characteristics of mining traffic to obtain the filtered encrypted traffic detection set.
[0026] The model training module is used to extract multiple dimensions of traffic features from the filtered encrypted traffic using a feature extraction tool, perform feature normalization on the multiple dimensions of traffic features, remove identical features, obtain an encrypted mining traffic feature set, and use a pre-trained classification model to predict the encrypted mining traffic feature set to obtain suspicious encrypted mining traffic.
[0027] The traffic analysis module is used to exclude suspicious encrypted traffic, attempt to request the certificate corresponding to the "external IP:external IP port" of the flow, write an automated script to initiate an HTTPS request, and if the certificate cannot be obtained or the certificate has a suspicious commonName, it is highly suspicious. If the HTTPS request fails, it is also highly suspicious. Flows with high suspicion are audited first, and the domain certificate information memory in the traffic packet is audited to check whether the traffic packet of the flow contains information memory of a suspected certificate with a commonName. Combined with threat intelligence, traffic of normal domains is excluded to obtain the encrypted mining traffic analysis results.
[0028] Thirdly, the present invention provides an electronic device, the electronic device comprising:
[0029] At least one processor; and,
[0030] A memory communicatively connected to the at least one processor; wherein,
[0031] The memory stores computer program instructions that can be executed by the at least one processor, which enables the at least one processor to perform the IOC-independent cryptographic mining traffic detection and analysis method.
[0032] Fourthly, the present invention provides a computer-readable storage medium storing a program, which, when executed by a processor, implements the aforementioned method for detecting and analyzing encrypted mining traffic that is independent of IOC.
[0033] Compared with the prior art, the present invention has the following advantages and beneficial effects:
[0034] 1. This invention analyzes and statistically identifies multiple dimensions of mining traffic that are significantly different from normal traffic. Based on this, rules are designed to filter and narrow down the scope of detection. Then, a machine learning classifier model is combined for classification, effectively identifying mining traffic.
[0035] 2. This invention addresses the lack of effective detection and identification methods for encrypted mining traffic by proposing a method that actively initiates requests to obtain more information. By combining the information stored in the domain certificate within the traffic packet with threat intelligence, the accuracy of mining traffic identification is improved, and the problem of high false positives in mining traffic identification is solved. Attached Figure Description
[0036] To more clearly illustrate the technical solutions in the embodiments of this application, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0037] Figure 1 This is a flowchart of an embodiment of the encrypted mining traffic detection and analysis method that does not rely on IOC;
[0038] Figure 2 This is a logical framework diagram of the encryption mining traffic detection and analysis method that does not rely on IOC according to the embodiments of the present invention;
[0039] Figure 3 This is a schematic diagram of the structure of the encryption mining traffic detection and analysis system that does not rely on IOC according to an embodiment of the present invention;
[0040] Figure 4 This is a structural diagram of an electronic device according to an embodiment of the present invention. Detailed Implementation
[0041] To enable those skilled in the art to better understand the present application, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are merely some embodiments of the present application, and not all embodiments. All other embodiments obtained by those skilled in the art based on the embodiments of the present application without creative effort are within the scope of protection of the present application.
[0042] In this application, the reference to "embodiment" means that a specific feature, structure, or characteristic described in connection with an embodiment may be included in at least one embodiment of this application. The appearance of this phrase in various places throughout the specification does not necessarily refer to the same embodiment, nor is it a mutually exclusive, independent, or alternative embodiment. It will be explicitly and implicitly understood by those skilled in the art that the embodiments described in this application can be combined with other embodiments.
[0043] IOC (Indicators of Compromise) is a commonly used concept in threat intelligence. It refers to evidence that a victim host has been compromised, including malicious file hashes, characteristics of malware, and passively identified beacons such as malicious IP addresses, URLs, and domain names.
[0044] This invention proposes a method for detecting and analyzing cryptographic mining traffic that does not rely on IOC. This method is based on mining traffic protocol characteristics and traffic session characteristics, and constructs and designs a machine learning classifier model for identification. Combined with manual auditing and threat intelligence, it effectively improves the accuracy of mining traffic identification and solves the problem of high false positives in mining traffic identification.
[0045] See Figure 1 The flowchart of the method of the present invention shown is as follows: Figure 2 The logical framework diagram of this invention shown below indicates that this invention is mainly divided into three modules:
[0046] S1: Obtain the traffic set to be detected, determine whether the traffic set is encrypted, perform mining keyword matching on the unencrypted traffic to obtain the unencrypted mining traffic; perform rule filtering based on the characteristics of encrypted mining traffic to narrow down the dataset to be detected.
[0047] S2: Use the CICFlowMeter feature extraction tool to extract multiple dimensions of traffic features from the encrypted traffic set to be detected, perform feature selection processing, and obtain the mining traffic feature set. Use the simple machine learning classifier Isolation Forest as the basic model, and predict the training set samples based on the trained basic model to obtain suspicious mining traffic.
[0048] S3: Write an automated script to request the certificate corresponding to the "external IP:external IP port" of the HTTPS request stream. If the certificate cannot be obtained or the certificate has a suspicious commonName, it is highly suspicious. Similarly, if the HTTPS request fails, it is also highly suspicious. Prioritize auditing streams with high suspicion. Manually audit the domain certificate information in the traffic packets to check if the traffic packets contain information with a suspected commonName. Combine this with threat intelligence to exclude traffic from normal domains and obtain the mining traffic analysis results.
[0049] See Figure 2 This embodiment illustrates an encryption mining traffic detection and analysis method that does not rely on IOC, comprising: in step S1, keyword rule matching is first performed on the traffic set to be detected to match unencrypted plaintext mining traffic, and then filtering is performed according to the statistical mining traffic characteristics to filter out most of the normal traffic, thereby obtaining the filtered encryption traffic detection set; and the detection dataset is narrowed down.
[0050] In one embodiment, step S1 further includes the following steps:
[0051] Mining keyword matching for unencrypted traffic, specifically including:
[0052] Matching keywords include jsonrpc, method, params, nonce, job_id, and mining, and new keywords can be added continuously as the protocol changes.
[0053] In one implementation, the rules for filtering mining traffic detection include the following:
[0054] (1) There are obvious heartbeat characteristics during communication. Calculated from the traffic packet after the 5th TLS packet after the last "Change CIPher Spec", whether it is from the mining pool to the miner or from the miner to the mining pool, no more than 4 packets will be sent continuously on one side.
[0055] (2) Calculate the traffic packets after the 5th TLS packet after the last "Change CIPher Spec". Whether it is all packets or TLS packets, at least 80% of the packet size values are distributed among the 5 packet size values.
[0056] (3) Calculate from the traffic packet after the 5th TLS packet after the last "Change CIPher Spec". The TLS packet from the miner to the mining pool will be followed by multiple TLS packets from the mining pool to the miner. It is very rare for there to be 3 consecutive TLS packets from the miner to the mining pool.
[0057] (4) The packet size is generally no more than 500 packets, calculated from the 5th TLS packet after the last "Change CIPher Spec" packet.
[0058] (5) In a TCP stream, packets identified as TLS protocol account for half of all packets, with a difference of no more than 3 packets;
[0059] (6) Mining requires being online for a long time, which results in a relatively long duration of the stream, generally more than 5 seconds.
[0060] Although the specific values vary across different protocols and mining farms, they all share the same distribution characteristics, including alternating packet transmission and relatively fixed packet sizes. This can be used to filter out most normal traffic, facilitating subsequent machine learning model training and improving the accuracy of model recognition.
[0061] Furthermore, in step S2, the CICFlowMeter feature extraction tool is used to extract multiple dimensions of traffic features from the encrypted traffic set to be detected, and feature selection processing is performed to obtain the mining traffic feature set. The isolated forest, a simple machine learning classifier, is used as the basic model. Based on the trained basic model, the training set samples are predicted to obtain suspicious mining traffic.
[0062] In one embodiment, step S2 includes:
[0063] The open-source tool CICFlowMeter was used to extract a series of features from the traffic packet stream, as shown in Table 1, which contains the traffic packet features.
[0064] Table 1
[0065]
[0066]
[0067]
[0068]
[0069] In one implementation, for the processed data, a machine learning single-classification model—isolation forest—is used as the base model for training. To avoid missing suspicious traffic packets, a relatively high taint rate of 0.2 is set. During subsequent flow inspection, only (IP, port) tuples that are classified as abnormal traffic packets by the model are checked.
[0070] Furthermore, in step S3, an automated script is written to initiate the certificate for the "external IP:external IP port" corresponding to the HTTPS request stream. If the certificate cannot be obtained or the certificate has a suspicious commonName, it is highly suspicious. Similarly, if the HTTPS request fails, it is also highly suspicious. Streams with high suspicion are prioritized for auditing. The domain certificate information within the traffic packets is manually audited to check if the traffic packets contain information with a suspected commonName. Combined with threat intelligence, traffic from normal domains is excluded, resulting in the mining traffic analysis results. By proactively initiating requests to obtain more information, combined with manual auditing and threat intelligence, the accuracy of mining traffic identification is improved, and the problem of high false positives in mining traffic identification is solved.
[0071] The encryption mining traffic detection and analysis method proposed based on the above embodiments of the present invention, which does not rely on IOC, has achieved the following beneficial effects:
[0072] This invention addresses the problem of cryptographic mining traffic being difficult to identify by its covert nature. It innovatively proposes a machine learning classifier model based on mining traffic protocol characteristics and traffic session characteristics for identification. Combined with manual auditing and threat intelligence, this effectively solves the problems of insufficient training datasets and low identification accuracy of machine learning models, improves the accuracy of mining traffic identification, and solves the problem of high false positives in mining traffic identification, providing a new and feasible approach.
[0073] It should be noted that, for the sake of simplicity, the aforementioned method embodiments are all described as a series of actions. However, those skilled in the art should understand that the present invention is not limited to the described order of actions, because according to the present invention, some steps can be performed in other orders or simultaneously.
[0074] Based on the same idea as the IOC-independent crypto mining traffic detection and analysis method in the above embodiments, the present invention also provides an IOC-independent crypto mining traffic detection and analysis system, which can be used to execute the above-described IOC-independent crypto mining traffic detection and analysis method. For ease of explanation, the structural diagram of the IOC-independent crypto mining traffic detection and analysis system embodiment only shows the parts related to the embodiments of the present invention. Those skilled in the art will understand that the illustrated structure does not constitute a limitation on the device, and may include more or fewer components than illustrated, or combine certain components, or have different component arrangements.
[0075] Please see Figure 3 In another embodiment of this application, a cryptographic mining traffic detection and analysis system 100 that does not rely on IOC is provided. The system includes a traffic processing module, a model training module, and a traffic analysis module.
[0076] The traffic processing module is used to acquire a set of traffic to be detected, first perform keyword rule matching on the set of traffic to be detected to match unencrypted plaintext mining traffic, and then filter out most of the normal traffic based on the statistical characteristics of mining traffic to obtain a set of encrypted traffic to be detected.
[0077] The model training module is used to extract multiple dimensions of traffic features from the filtered encrypted traffic using a feature extraction tool, perform feature normalization on the multiple dimensions of traffic features, remove identical features, obtain an encrypted mining traffic feature set, and use a pre-trained classification model to predict the encrypted mining traffic feature set to obtain suspicious encrypted mining traffic.
[0078] The traffic analysis module is used to exclude suspicious encrypted traffic, attempt to request the certificate corresponding to the "external IP:external IP port" of the flow, write an automated script to initiate an HTTPS request, and if the certificate cannot be obtained or the certificate has a suspicious commonName, it is highly suspicious. If the HTTPS request fails, it is also highly suspicious. Flows with high suspicion are audited first, and the domain certificate information memory in the traffic packet is audited to check whether the traffic packet of the flow contains information memory of a suspected certificate with a commonName. Combined with threat intelligence, traffic of normal domains is excluded to obtain the encrypted mining traffic analysis results.
[0079] It should be noted that the encryption mining traffic detection and analysis system that does not rely on IOC of the present invention corresponds one-to-one with the encryption mining traffic detection and analysis method that does not rely on IOC of the present invention. The technical features and beneficial effects described in the embodiments of the encryption mining traffic detection and analysis method that does not rely on IOC are applicable to the embodiments of the encryption mining traffic detection and analysis system that does not rely on IOC. For details, please refer to the description in the embodiments of the method of the present invention, which will not be repeated here.
[0080] Furthermore, in the implementation of the IOC-independent crypto mining traffic detection and analysis system in the above embodiments, the logical division of each program module is only an example. In actual applications, the above functions can be assigned to different program modules as needed, for example, for the configuration requirements of the corresponding hardware or for the convenience of software implementation. That is, the internal structure of the IOC-independent crypto mining traffic detection and analysis system is divided into different program modules to complete all or part of the functions described above.
[0081] Please see Figure 4In one embodiment, an electronic device is provided for implementing an IOC-independent cryptographic mining traffic detection and analysis method. The electronic device 200 may include a first processor 201, a first memory 202 and a bus, and may also include a computer program, such as a cryptographic mining traffic detection and analysis program 203, stored in the first memory 202 and executable on the first processor 201.
[0082] The first memory 202 includes at least one type of readable storage medium, including flash memory, portable hard drive, multimedia card, card-type memory (e.g., SD or DX memory), magnetic memory, magnetic disk, optical disk, etc. In some embodiments, the first memory 202 can be an internal storage unit of the electronic device 200, such as the portable hard drive of the electronic device 200. In other embodiments, the first memory 202 can also be an external storage device of the electronic device 200, such as a plug-in portable hard drive, smart media card (SMC), secure digital card (SD), flash card, etc., equipped on the electronic device 200. Furthermore, the first memory 202 can include both internal storage units and external storage devices of the electronic device 200. The first memory 202 can be used not only to store application software and various types of data installed on the electronic device 200, such as the code of the encrypted mining traffic detection and analysis program 203, but also to temporarily store data that has been output or will be output.
[0083] In some embodiments, the first processor 201 may be composed of integrated circuits, such as a single packaged integrated circuit or multiple integrated circuits with the same or different functions, including combinations of one or more central processing units (CPUs), microprocessors, digital processing chips, graphics processors, and various control chips. The first processor 201 is the control unit of the electronic device, connecting various components of the entire electronic device through various interfaces and lines. It executes programs or modules stored in the first memory 202 and calls data stored in the first memory 202 to perform various functions of the electronic device 200 and process data.
[0084] Figure 4 Only electronic devices with components are shown; it will be understood by those skilled in the art that... Figure 3 The structure shown does not constitute a limitation on the electronic device 200, and may include fewer or more components than shown, or combine certain components, or have different component arrangements.
[0085] The encrypted mining traffic detection and analysis program 203 stored in the first memory 202 of the electronic device 200 is a combination of multiple instructions. When run in the first processor 201, it can achieve the following:
[0086] Obtain a set of traffic to be detected, which includes unencrypted traffic and encrypted traffic; perform mining keyword matching on the unencrypted traffic to obtain unencrypted mining traffic; filter the encrypted traffic according to the characteristics of encrypted mining traffic to obtain filtered encrypted traffic.
[0087] The filtered encrypted traffic is used to extract traffic features from multiple dimensions using a feature extraction tool. Feature normalization is then performed, and identical features are removed, such as 21 features including Fwd, Seg, Size, Min, Active Mean, Active Std, Active Max, Idle Mean, and Idle Std, to obtain a set of encrypted mining traffic features. A pre-trained classification model is then used to predict the encrypted mining traffic feature set to obtain suspicious encrypted mining traffic.
[0088] The suspicious encrypted traffic is excluded, and an attempt is made to request the certificate corresponding to the "external IP:external IP port" of the flow. An automated script is written to initiate an HTTPS request. If the certificate cannot be obtained or the certificate has a suspicious commonName, it is highly suspicious. Similarly, if the HTTPS request fails, it is also highly suspicious. The flow with high suspicion is audited first. The domain certificate information memory in the traffic packet is audited to check whether the flow's traffic packet contains information memory of a suspected certificate with a commonName. Combined with threat intelligence, traffic of normal domains is excluded to obtain the encrypted mining traffic analysis results.
[0089] Furthermore, if the modules / units integrated in the electronic device 200 are implemented as software functional units and sold or used as independent products, they can be stored in a non-volatile computer-readable storage medium. The computer-readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a portable hard drive, a magnetic disk, an optical disk, a computer memory, or a read-only memory (ROM).
[0090] Those skilled in the art will understand that all or part of the processes in the above embodiments can be implemented by a computer program instructing related hardware. The program can be stored in a non-volatile computer-readable storage medium, and when executed, it can include the processes of the embodiments described above. Any references to memory, storage, databases, or other media used in the embodiments provided in this application can include non-volatile and / or volatile memory. Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in various forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), dual data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), RAMbus direct RAM (RDRAM), direct memory bus dynamic RAM (DRDRAM), and RAMbus dynamic RAM (RDRAM), etc.
[0091] The technical features of the above embodiments can be combined in any way. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described. However, as long as there is no contradiction in the combination of these technical features, they should be considered to be within the scope of this specification.
[0092] The above embodiments are preferred embodiments of the present invention, but the embodiments of the present invention are not limited to the above embodiments. Any changes, modifications, substitutions, combinations, or simplifications made without departing from the spirit and principle of the present invention shall be considered equivalent substitutions and shall be included within the protection scope of the present invention.
Claims
1. A method for detecting and analyzing cryptographic mining traffic that does not rely on IOC, characterized in that, Includes the following steps: Obtain the traffic set to be detected. First, perform keyword rule matching on the traffic set to be detected to match unencrypted plaintext mining traffic. Then, filter out most of the normal traffic based on the statistical characteristics of mining traffic to obtain the filtered encrypted traffic detection set. The filtering based on statistical mining traffic characteristics specifically includes: Calculated from the traffic packets after the 5th TLS packet after the last "Change CIPher Spec", whether it is from the mining pool to the miner or from the miner to the mining pool, no more than 4 packets will be sent continuously on one side. Calculating from the traffic packets after the 5th TLS packet following the last "Change CIPher Spec", whether it is all packets or TLS packets, at least 80% of the packet size values are distributed among the 5 packet size values; Calculating from the traffic packets after the 5th TLS packet after the last "Change CIPher Spec", the TLS packet from the miner to the mining pool will be followed by multiple TLS packets from the mining pool to the miner. It is extremely rare for there to be 3 consecutive TLS packets from the miner to the mining pool. The packet size is calculated from the 5th TLS packet after the last "Change CIPher Spec" packet, and the packet size does not exceed 500. In a TCP stream, packets identified as TLS protocols account for half of all packets, with a difference of no more than 3 packets. The flow lasts for a relatively long time, more than 5 seconds; The filtered encrypted traffic detection set is used to extract traffic features of multiple dimensions using a feature extraction tool. The traffic features of multiple dimensions are normalized and completely identical features are removed to obtain an encrypted mining traffic feature set. The encrypted mining traffic feature set is then predicted using a pre-trained classification model to obtain suspicious encrypted mining traffic. The process of using a pre-trained classification model to predict the feature set of crypto mining traffic to obtain suspicious crypto mining traffic is as follows: The isolated forest algorithm with a single classifier was used to detect the encrypted traffic set to be tested. The mining traffic of several cryptocurrencies, including ETH, ETC, AE, BEAM, CONFLUX, and ERGO, which were collected in the early stage based on the stratum+SSL communication protocol, was used as the training set, and the encrypted traffic set to be tested was used as the test set. In order to avoid missing suspicious IPs, the taint rate was set to a relatively large 0.2, and the random seed random_state was set to 30 to obtain suspicious mining traffic. The suspicious encrypted traffic is excluded, and an attempt is made to request the certificate corresponding to the "external IP:external IP port" of the flow. An automated script is written to initiate an HTTPS request. If the certificate cannot be obtained or the certificate has a suspicious commonName, it is highly suspicious. Similarly, if the HTTPS request fails, it is also highly suspicious. The flow with high suspicion is audited first. The domain certificate information memory in the traffic packet is audited to check whether the flow's traffic packet contains information memory of a suspected certificate with a commonName. Combined with threat intelligence, traffic of normal domains is excluded to obtain the encrypted mining traffic analysis results.
2. The method for detecting and analyzing cryptographic mining traffic that does not rely on IOC as described in claim 1, characterized in that, In the step of obtaining the set of traffic to be detected, for unencrypted mining traffic, the mining protocol used is mainly Stratum and its related variants, which have significant characteristic keywords "method" and "params". Therefore, the mining keywords are designed to be one or more of jsonrpc, method, params, nonce, job_id, and mining.
3. The method for detecting and analyzing cryptographic mining traffic that does not rely on IOC according to claim 1, characterized in that, The feature extraction tool used is CICFlowMeter, and the extracted features include: Fwd Seg Size Min, Active Mean, Active Std, Active Max, Idle Mean, and Idle Std.
4. The method for detecting and analyzing cryptographic mining traffic that does not rely on IOC according to claim 1, characterized in that, Among the detected packets, when inspecting the flow, only the (IP, port) tuples classified as abnormal traffic packets in the classification model are checked.
5. The method for detecting and analyzing cryptographic mining traffic that does not rely on IOC according to claim 1, characterized in that, The process of writing an automated script to initiate HTTPS requests is as follows: The suspicious mining traffic is iterated through, and an automated script is written to repeatedly initiate HTTPS requests to the IP address and port. The status code of the request is obtained. If the request is successful, the certificate information is obtained. If the certificate cannot be obtained or the certificate has a suspicious commonName, it is highly suspicious. Similarly, if the HTTPS request fails or times out, it is also highly suspicious.
6. A cryptographic mining traffic detection and analysis system that does not rely on IOC, characterized in that, The method for detecting and analyzing cryptographic mining traffic that does not rely on IOC, as described in any one of claims 1-5, includes a traffic processing module, a model training module, and a traffic analysis module. The traffic processing module first performs keyword rule matching on the traffic set to be detected to match unencrypted plaintext mining traffic, and then filters out most of the normal traffic based on the statistical characteristics of mining traffic to obtain the filtered encrypted traffic detection set. The model training module is used to extract multiple dimensions of traffic features from the filtered encrypted traffic using a feature extraction tool, perform feature normalization on the multiple dimensions of traffic features, remove identical features, obtain an encrypted mining traffic feature set, and use a pre-trained classification model to predict the encrypted mining traffic feature set to obtain suspicious encrypted mining traffic. The traffic analysis module is used to exclude suspicious encrypted traffic, attempt to request the certificate corresponding to the "external IP:external IP port" of the flow, write an automated script to initiate an HTTPS request, and if the certificate cannot be obtained or the certificate has a suspicious commonName, it is highly suspicious. If the HTTPS request fails, it is also highly suspicious. Flows with high suspicion are audited first, and the domain certificate information memory in the traffic packet is audited to check whether the traffic packet of the flow contains information memory of a suspected certificate with a commonName. Combined with threat intelligence, traffic of normal domains is excluded to obtain the encrypted mining traffic analysis results.
7. An electronic device, characterized in that, The electronic device includes: At least one processor; and, A memory communicatively connected to the at least one processor; wherein, The memory stores computer program instructions that can be executed by the at least one processor, which enables the at least one processor to perform the IOC-independent cryptographic mining traffic detection and analysis method as described in any one of claims 1-5.
8. A computer-readable storage medium storing a program, characterized in that, When the program is executed by the processor, it implements the encryption mining traffic detection and analysis method that does not rely on IOC as described in any one of claims 1-5.