CN116208356B - A virtual currency mining traffic detection method based on deep learning - Google Patents


Info

Publication number
CN116208356B
Authority
CN
China
Prior art keywords
detection
mining
data
flow
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202211325209.6A
Other languages
Chinese (zh)
Other versions
CN116208356A (en)
Inventor
付添翼
席少珂
卜凯
任奎
张帆
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang University ZJU
Original Assignee
Zhejiang University ZJU
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang University ZJU
Priority to CN202211325209.6A
Publication of CN116208356A
Application granted
Publication of CN116208356B
Legal status: Active
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/04 Processing captured monitoring data, e.g. for logfile generation
    • H04L 43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L 43/0876 Network utilisation, e.g. volume of load or congestion level
    • H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication (H04L 9/00)
    • H04L 2209/56 Financial cryptography, e.g. electronic payment or e-cash
    • H04L 2209/76 Proxy, i.e. using intermediary entity to perform cryptographic operations
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 3/00 Computing arrangements based on biological models
    • G06N 3/02 Neural networks
    • G06N 3/08 Learning methods
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The invention discloses a virtual currency mining traffic detection method based on deep learning, comprising: (1) mining traffic and normal traffic are captured in advance, each captured data stream containing a number of packets, and the relevant information of each packet is extracted and saved; (2) a neural-network-based detection model is built, the data stream of each network connection is processed into a number of detection inputs using the packet length, timestamp and destination address of each packet, and the detection model is then trained on those detection inputs, where the detection model consists of two convolutional layers, two pooling layers and three fully connected layers; (3) a real-time detection system is built, in which the trained detection model inspects real-time data streams and decides whether they are mining traffic. The invention has the advantages of high detection accuracy, strong real-time detection, easy deployment and porting, and suitability for encrypted network environments.

Description

A virtual currency mining traffic detection method based on deep learning

Technical field

The present invention relates to the fields of blockchain and network security, and in particular to a virtual currency mining traffic detection method based on deep learning.

Background

Virtual currencies are digital currencies generated with blockchain technology, represented by Bitcoin, Ethereum and Monero, and are not controlled by government agencies. A blockchain is a decentralized system: its operation does not depend on one or a few specific network nodes; instead, a mechanism is designed in which the majority of nodes in the network "vote" to decide a result, and the result and its information are broadcast to the whole chain, achieving decentralization. However, as the market prices of various virtual currencies keep rising, mining (earning profit by producing virtual currency) has grown day by day. This has also brought security problems: to save their own resources, criminals on the network use mining attack techniques to mine virtual currency on other people's devices, seriously harming the interests of others.

Mining attacks (cryptojacking) are very harmful, because mining uses the computer's central processing unit (CPU) and graphics processing unit (GPU) and keeps them running under extremely high load, which causes a huge performance loss on the victim's device. In addition, a mining attacker may use a Trojan to perform the following operations on the victim's host: uninstall security software, add startup items, add administrator accounts and turn off the firewall, all of which seriously endanger the security of the victim's host. Mining also incurs large electricity costs; surveys show that electricity accounts for more than 90% of the total cost of virtual currency mining. Effective detection of mining activity is therefore necessary.

Current mining attacks fall mainly into two types. In the first, the attacker compromises a popular web server and embeds malicious mining code in the website; when users browse the site, they passively mine virtual currency (browser mining for short). In the second, the attacker controls the user's computer through malware and uses the user's host directly for mining (host mining for short).

However, no sufficiently practical mining detection method has yet been proposed in the existing literature, and most existing methods have obvious defects: poor real-time performance or difficult deployment. These methods fall into three categories. The first detects mining scripts, for example the methods proposed by Geng Hong et al. (How you get shot in the back: A systematical study about cryptojacking in the real world, 2018) and Konoth et al. (Minesweeper: An in-depth look into drive-by cryptocurrency mining and its defense, 2018). The second detects mining software, for example the methods proposed by Soviany et al. (Android malware detection and crypto-mining recognition methodology with machine learning, 2018) and Gangwal et al. (Cryptomining cannot change its spots: Detecting covert cryptomining using magnetic side-channel, 2019). The third detects mining through traffic analysis, for example the methods proposed by Shize Zhang et al. (MineHunter: A Practical Cryptomining Traffic Detection Algorithm Based on Time Series Tracking, 2021) and Caprolu et al. (Cryptomining makes noise: a machine learning approach for cryptojacking detection, 2019).

The first category, detection of mining scripts, targets browser mining and detects the scripts based on the fact that they usually involve a large number of hash computations. The most timely methods exploit certain inherent characteristics of virtual currency mining scripts to design a set of analyzers based on runtime behaviour. Since the core of mining is a proof-of-work system, most of the workload is hash computation, whereas ordinary web pages spend little time in hash functions; the cumulative time a page spends in commonly accessible hash library interfaces can therefore be measured, and if a page spends more than 10% of its total time on hash computation, the analyzer suspects that it is executing a mining script. In addition, the stack depth and call chain of an executing mining script show certain regularities, while normal web pages rarely invoke the same stack repeatedly, which is another basis for analysis. Another approach analyzes the JavaScript code of common web mining tools (such as NFWebMiner and coinhive) and the functions in their wasm modules that contain various cryptographic operations (XOR, shift, rotate) to design a set of detection strategies: in the bytecode of the wasm module used by the page under test, each function is matched against fingerprints of the five cryptographic primitives that a mining algorithm must use to compute hashes (Keccak, AES, BLAKE-256, Groestl-256, Skein-256), and if enough primitives are matched completely, the page is considered to contain a mining script. They also count the cryptographic operations inside loops in each function of the page's wasm module; if that number exceeds a threshold, the page is likewise suspected of containing a mining script. Methods that identify mining from such characteristics of the script generally need the plaintext content of the whole page, so payload obfuscation during network transmission noticeably reduces their effectiveness.

The second category, detection of mining software, targets host mining and treats mining software on the host as malware to be detected and monitored. One common practice uses, as raw features, information about functions or operations of the devices running various software and their operating systems (permissions, mobile application settings, device attributes, protocol-related information and operating-system attributes), derives further features from statistics of malware events that occurred on those devices and operating systems, performs feature fusion and feature extraction on the raw and derived features, and finally trains a support vector machine (SVM) to classify the resulting features, thereby identifying malicious mining software. Another uses a magnetic side channel to identify mining: the rationale is that when the CPU executes mining operations its current load becomes very high, which can cause sharp changes in the surrounding magnetic field strength; a 10 Hz magnetic probe sensor measures and records the sequence of magnetic field strengths around the CPU while it performs different operations over a time window (100 samples), and a k-nearest-neighbour algorithm is trained on these sequences to detect mining. The problems of this category include a small detection range, inability to identify unknown software, and the need for physical proximity of the examiner, the magnetic sensor and the device under test, which makes deployment in large enterprises difficult.

The third category, detection through mining traffic analysis, targets both browser mining and host mining and detects mining from the network transmission characteristics of the mining process; the present invention belongs to this category. Recently, as network defences against mining have strengthened (for example, operators cut off the network transmission between victim hosts and mining pools by blocking pool IP addresses or poisoning domain names), the network activity of new mining attacks has become more covert. For example, a mining Trojan can use a proxy tool (such as a VPN) to encrypt the communication content while obscuring features such as packet length, packet count and packet interval during transmission, and connect to the mining pool through a proxy host, easily evading current network detection based on IP addresses and packet content. The most timely detection methods for such new mining attacks exploit the correlation between blockchain block generation and mining traffic packets and design an identification strategy based on time-series tracking: traffic is collected at the gateway entrance, flows are distinguished by the (source IP, destination IP) pair, and the timestamp of every packet is recorded for each flow; within each local time period, the local correlation between the timestamp sequence recorded for each flow and the block generation time series of the virtual currency in that period is computed, and finally the global correlation of each flow is used to rate the likelihood that the flow is mining traffic. Another method uses packet inter-arrival times and packet sizes, together with features derived from them, to train a random forest, evaluated with k-fold cross-validation. These methods, however, perform poorly on encrypted traffic from unknown (untrained) proxy tools, require manual design and selection of traffic features, place high demands on the balance of the training set, and have a long detection confirmation window (they must wait for several blocks to be produced).

Summary of the invention

The present invention provides a virtual currency mining traffic detection method based on deep learning, with the advantages of high detection accuracy, strong real-time detection, easy deployment and porting, suitability for datasets of unbalanced size, and suitability for encrypted network environments.

A virtual currency mining traffic detection method based on deep learning comprises the following steps:

(1) Mining traffic and normal traffic are captured in advance. Each captured data stream contains a number of packets; the relevant information of each packet is extracted and saved as a sequence of tuples in the format <timestamp, packet length, source IP address, source port, destination IP address, destination port>;

(2) A neural-network-based detection model is built, the data stream of each network connection is processed into a number of detection inputs using the packet length, timestamp and destination address of each packet, and the detection model is then trained on those detection inputs;

where the detection model consists of two convolutional layers, two pooling layers and three fully connected layers;

(3) A real-time detection system is built, in which the trained detection model inspects real-time data streams and decides whether they are mining traffic.

In step (1), the mining traffic comes from virtual currency mining: the network connection data stream of each mining session is captured with Wireshark, each connection lasting one hour. The normal traffic comes from everyday network use and is 8 to 15 times the size of the mining traffic.

In step (2), the detection input has the following format:

[T_in, T_out, S_in, S_out]

where T is the time difference between the current packet and the previous packet in the same direction, S is the packet length, and in and out denote incoming and outgoing traffic respectively, determined from the source and destination address of each packet.

During training of the detection model, for one data stream, each set of detection inputs takes N packets in order for each feature in each direction, so that each detection input follows a 4×N two-dimensional matrix format; features with too few values are padded with 0. Each feature of the next set of detection inputs starts at the position immediately after the last value of that feature in the current input, until any one feature has been fully consumed by the detection model.

In step (2), the detection model specifically consists of, connected in sequence, a first convolutional layer, a first pooling layer, a second convolutional layer, a second pooling layer, a first fully connected layer, a second fully connected layer and a third fully connected layer;

where the first convolutional layer has 20 kernels of size 2×20 with stride 2×1; the second convolutional layer has 100 kernels of size 2×20 with stride 2×1; the first and second pooling layers have a window size of 1×5 with stride 1×1; and the first, second and third fully connected layers have 1200, 500 and 100 hidden units respectively.

The detection process of the model is as follows: the detection input first enters a convolutional layer, where each kernel is convolved with every region of the input to extract features; these feature values are passed to an activation function, whose output enters a pooling layer. The pooling layer reduces the size of the feature matrix, thereby reducing the number of parameters and the amount of computation during training;

after all convolutional and pooling layers, high-level derived features of each set of detection inputs are obtained; these are passed to the fully connected layers, which classify the input using these features, with dropout applied to prevent overfitting;

the final network output represents the correlation coefficient between the network connection and mining traffic: the larger the value, the higher the probability that the data stream is mining traffic. When the network output exceeds the detection threshold, the set of inputs is judged to be mining traffic.

During training of the detection model, each input sample in the training set is labelled 1 if it is mining traffic and 0 if it is normal traffic;

the loss is then estimated with the categorical cross-entropy function; before the loss is computed, a sigmoid function maps the model output for each input to the interval (0, 1). The training process that minimizes the loss function uses the Adam optimizer to optimize the network node values.

In step (3), a real-time detection system is built with DPDK-17.05.2, in which two processes handle traffic data acquisition and traffic detection respectively;

during detection, relevant information for each network connection is kept, including the total number of packets transmitted so far over the connection and the length and timestamp of each packet. The acquisition process determines which network connection a packet belongs to from the fields of the packet received on the network port and updates that connection's information; when the packet count of a connection reaches the configured size, the relevant features of the stored packets belonging to that connection are processed into one set of detection inputs and placed in a buffer pool. The detection process continuously consumes the sets of detection inputs from the buffer pool and inspects them with the detection model.
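As an added illustration (not code from the patent), the following Python builds the [T_in, T_out, S_in, S_out] detection inputs of step (2) from the saved tuple sequence and sketches the per-connection bookkeeping of the acquisition process in step (3). It assumes the monitored host's IP address is known (`local_ip`), that the first packet in each direction gets T = 0, that slicing stops once either direction is exhausted, and that the streaming tracker emits an input only once both directions hold N packets; the packets are constructed sample data with millisecond timestamps.

```python
"""Detection-input construction for the mining-traffic CNN (added example).

A packet is the saved tuple <timestamp, packet length, source ip, source
port, destination ip, destination port>; timestamps are integer
milliseconds so that the time differences are exact.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Packet = Tuple[int, int, str, int, str, int]


def split_directions(packets: Iterable[Packet], local_ip: str):
    """Per-direction T (gap to the previous packet in the same direction)
    and S (packet length) sequences for one connection.

    Direction is decided from the addresses: dst == local_ip is "in",
    src == local_ip is "out". Assumption: the first packet of a direction
    has no predecessor, so its T is 0.
    """
    t: Dict[str, List[int]] = {"in": [], "out": []}
    s: Dict[str, List[int]] = {"in": [], "out": []}
    last: Dict[str, int] = {}
    for ts, length, src, _sport, dst, _dport in packets:
        if dst == local_ip:
            d = "in"
        elif src == local_ip:
            d = "out"
        else:
            continue  # not a packet of the monitored host
        t[d].append(ts - last[d] if d in last else 0)
        s[d].append(length)
        last[d] = ts
    return t["in"], s["in"], t["out"], s["out"]


def build_inputs(packets: Iterable[Packet], local_ip: str, n: int):
    """Slice one connection into 4 x n matrices [T_in, T_out, S_in, S_out].

    Each matrix takes the next n packets of every direction. A direction with
    fewer than n packets left is zero padded, and slicing stops as soon as
    either direction is consumed completely (our reading of the patent text).
    """
    t_in, s_in, t_out, s_out = split_directions(packets, local_ip)

    def take(seq: List[int], start: int) -> List[int]:
        chunk = seq[start:start + n]
        return chunk + [0] * (n - len(chunk))

    inputs = []
    i = o = 0
    while i < len(t_in) and o < len(t_out):
        inputs.append([take(t_in, i), take(t_out, o), take(s_in, i), take(s_out, o)])
        i += n
        o += n
    return inputs


class ConnectionTracker:
    """Per-connection state kept by the acquisition process of step (3).

    For every live connection it stores the packet count and the (T, S) of
    each packet per direction. Once n packets have been seen in both
    directions they become one detection input appended to `pool`, the
    buffer consumed by the detection process (assumed policy: a live stream
    is never padded, only complete windows are emitted).
    """

    def __init__(self, local_ip: str, n: int, pool: list):
        self.local_ip, self.n, self.pool = local_ip, n, pool
        self.conns: Dict[tuple, dict] = defaultdict(
            lambda: {"in": [], "out": [], "last": {}, "count": 0})

    def ingest(self, pkt: Packet) -> None:
        ts, length, src, sport, dst, dport = pkt
        if dst == self.local_ip:      # remote -> local
            key, d = (src, sport, dport), "in"
        elif src == self.local_ip:    # local -> remote
            key, d = (dst, dport, sport), "out"
        else:
            return
        st = self.conns[key]
        gap = ts - st["last"][d] if d in st["last"] else 0
        st["last"][d] = ts
        st[d].append((gap, length))
        st["count"] += 1
        if len(st["in"]) >= self.n and len(st["out"]) >= self.n:
            inn, out = st["in"][:self.n], st["out"][:self.n]
            del st["in"][:self.n]
            del st["out"][:self.n]
            self.pool.append([[g for g, _ in inn], [g for g, _ in out],
                              [ln for _, ln in inn], [ln for _, ln in out]])


# Constructed sample: one connection between the monitored host 10.0.0.5
# and a remote endpoint 203.0.113.7 (port 3333); timestamps in ms.
SAMPLE: List[Packet] = [
    (0,   120, "10.0.0.5", 50000, "203.0.113.7", 3333),
    (50,  300, "203.0.113.7", 3333, "10.0.0.5", 50000),
    (100, 100, "10.0.0.5", 50000, "203.0.113.7", 3333),
    (400, 280, "203.0.113.7", 3333, "10.0.0.5", 50000),
    (450,  90, "10.0.0.5", 50000, "203.0.113.7", 3333),
    (500, 310, "203.0.113.7", 3333, "10.0.0.5", 50000),
    (800,  95, "10.0.0.5", 50000, "203.0.113.7", 3333),
]


def demo(n: int = 2):
    """Offline windows for SAMPLE, and what the streaming tracker emitted."""
    pool: list = []
    tracker = ConnectionTracker("10.0.0.5", n, pool)
    for pkt in SAMPLE:
        tracker.ingest(pkt)
    return build_inputs(SAMPLE, "10.0.0.5", n), pool
```

With N = 2 the offline slicer yields two matrices (the second zero padded in the incoming rows), while the tracker has emitted only the first complete window and is still holding the remaining packets.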

Compared with the prior art, the present invention has the following beneficial effects:

1. The present invention uses a deep neural network to learn the raw communication interaction characteristics of encrypted mining traffic and has a general detection effect on mining traffic of cryptocurrencies that use the PoW consensus mechanism; compared with traditional supervised machine learning algorithms, it saves the labour and time cost of designing and selecting effective traffic features.

2. The present invention identifies unknown proxy tools (traffic obfuscation methods) better and is suitable for datasets of unbalanced size.

3. The neural network design adopted in the present invention is friendly to mainstream open-source software and hardware frameworks and can support real-time traffic detection on 100G network ports.

Description of the drawings

Figure 1 is the network structure diagram of the detection model in the present invention;

Figure 2 is the framework diagram of the real-time detection system in the present invention.

Detailed description

The present invention is described in further detail below with reference to the drawings and embodiments. It should be noted that the following embodiments are intended to aid understanding of the present invention and do not limit it in any way.

In the present invention, normal traffic and mining traffic were collected at a ratio of 10:1 (using Wireshark). In the captured data, each data stream (pcap file) contains a number of packets; the relevant information of each packet is extracted and saved as a sequence of tuples in the format <timestamp, packet length, source IP address, source port, destination IP address, destination port>.

Using the packet length, timestamp, destination address and other information of each packet, the pcap file of each network connection is represented as a number of network inputs, expressed as follows:

[T_in, T_out, S_in, S_out]

Here T is the time difference between the current packet and the previous packet in the same direction, S is the packet length, and in and out denote incoming and outgoing traffic respectively (determined from the source and destination address of each packet).

Since a CNN requires fixed-length input, for one flow each group of inputs takes N packets in order on each feature in each direction, so that every input follows a 4×N two-dimensional matrix format; a feature with too few values is padded with 0. Each feature of the next group of inputs starts at the position immediately after the last value of that feature in the current input, and this continues until any one feature has been consumed.

A detection model is built on a convolutional neural network to recognise the network inputs and output the recognition result. The network structure of the detection model comprises two convolutional layers, two pooling layers and three fully connected layers; the operations involved are feature extraction, full connection and prevention of overfitting. The specific structure is shown in Figure 1.

In the feature extraction process, the input first enters a convolutional layer, where each convolution kernel is convolved with every region of the input to extract features from it; more kernels mean that more features can be extracted. These values are fed into an activation function (we chose ReLU). The output of the activation function enters a pooling layer, whose role is to reduce the size of the feature matrix, thereby reducing the number of parameters and the amount of computation in training. The method used here is max pooling, which keeps the maximum value within a given region of the feature matrix. The first convolutional layer uses n_1 kernels, each of size 2×w_1 with stride 2×s_1, intended to discover the relationship between the same feature in different directions. The second convolutional layer uses n_2 kernels of size 2×w_2 with stride 2×s_2.

After all convolutional and pooling layers, high-level derived features of each group of inputs have been obtained. These features are then passed to the fully connected layers, whose role is to classify the input using them; in addition, dropout is combined with them to prevent overfitting.

In summary, for any group of inputs f, the output obtained in the network can be expressed as:

The network output represents the correlation coefficient between the network flow to which f belongs and mining traffic: the larger its value, the higher the probability that the flow corresponding to f is mining traffic. A detection threshold η is set; when the network output exceeds the detection threshold, the group of inputs is considered to belong to mining traffic.

During network training, each input sample in the training set that belongs to mining traffic is labelled with the value 1, and traffic of normal behaviour is labelled 0. The loss is estimated with the categorical cross-entropy function; before computing the loss, the sigmoid function is used to map the network output of each input to the interval (0, 1). For the training process that minimises the loss function, the Adam optimizer is chosen to optimise the network node values. The parameters of each layer of the network structure are shown in Table 1.

Table 1

The present invention was run on a server (CPU: 2.8GHz Intel Core i5-8400, memory: 128GB), and a real-time network traffic detection system was built using DPDK-17.05.2, with two processes handling traffic data acquisition and traffic detection respectively. The relevant information of each network connection must first be saved, including the total number of packets transmitted so far over the connection and the length and timestamp of each packet. The acquisition process determines, from the field information of each packet received from the network port, the network connection to which it belongs and updates that connection's information; when the number of packets on a connection reaches a certain scale, the relevant features of the corresponding number of packets saved for that connection are processed into a group of detection inputs and placed in a buffer pool. The detection process continuously consumes the detection inputs from the buffer pool and detects them using the detection model. The framework of the real-time detection system is shown in Figure 2.
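An added worked example (not the patent's code) covering both the input construction described above and the two-process acquisition/detection pipeline: it turns stored packet tuples into per-direction T and S sequences, cuts them into zero-padded 4×N matrices with the window rule given above, and has an acquisition stage that batches per-connection packets into a buffer pool drained by a detection stage. The packet capture, IP addresses, batch size and the stand-in scoring function are constructed for illustration; the trained CNN itself is not included.

```python
from collections import defaultdict, deque

# Constructed capture (added example, not patent data): one connection between
# local host 10.0.0.5 and remote 203.0.113.7, five outgoing and three incoming.
SAMPLE_PACKETS = [  # (timestamp, length, src_ip, src_port, dst_ip, dst_port)
    (0.00, 120, "10.0.0.5", 51000, "203.0.113.7", 4444),
    (0.05, 400, "203.0.113.7", 4444, "10.0.0.5", 51000),
    (0.10, 60, "10.0.0.5", 51000, "203.0.113.7", 4444),
    (0.30, 180, "10.0.0.5", 51000, "203.0.113.7", 4444),
    (0.45, 400, "203.0.113.7", 4444, "10.0.0.5", 51000),
    (0.50, 60, "10.0.0.5", 51000, "203.0.113.7", 4444),
    (0.90, 180, "10.0.0.5", 51000, "203.0.113.7", 4444),
    (1.00, 400, "203.0.113.7", 4444, "10.0.0.5", 51000),
]

def conn_key(pkt):
    """Direction-independent connection id: both endpoints in sorted order."""
    _, _, sip, sport, dip, dport = pkt
    return tuple(sorted([(sip, sport), (dip, dport)]))

def direction_features(packets, local_ip):
    """Return (T_in, T_out, S_in, S_out) for one connection. 'in' = packets
    addressed to local_ip, 'out' = packets it sends. T = time since the
    previous packet in the SAME direction (0 for the first), S = length."""
    t_in, t_out, s_in, s_out = [], [], [], []
    last = {"in": None, "out": None}
    for ts, length, _sip, _sport, dip, _dport in sorted(packets):
        d = "in" if dip == local_ip else "out"
        gap = 0.0 if last[d] is None else round(ts - last[d], 6)
        last[d] = ts
        (t_in if d == "in" else t_out).append(gap)
        (s_in if d == "in" else s_out).append(length)
    return t_in, t_out, s_in, s_out

def make_inputs(features, n):
    """Slice the four sequences into 4xn matrices. Each input takes the next n
    values of every feature, zero-padding a feature with fewer than n left;
    generation stops once any feature is consumed (one-way flows yield none)."""
    inputs, k = [], 0
    while all(len(f) > k * n for f in features):
        rows = []
        for f in features:
            chunk = list(f[k * n:(k + 1) * n])
            rows.append(chunk + [0] * (n - len(chunk)))
        inputs.append(rows)
        k += 1
    return inputs

class AcquisitionProcess:
    """Per-connection state of the acquisition process. Once a connection has
    `batch` stored packets they become detection inputs in the shared pool
    (simplification: the store is then cleared, so the next batch's first
    gap restarts at 0)."""
    def __init__(self, local_ip, batch, n):
        self.local_ip, self.batch, self.n = local_ip, batch, n
        self.conns = defaultdict(list)
        self.pool = deque()

    def ingest(self, pkt):
        stored = self.conns[conn_key(pkt)]
        stored.append(pkt)
        if len(stored) >= self.batch:
            feats = direction_features(stored, self.local_ip)
            self.pool.extend(make_inputs(feats, self.n))
            stored.clear()

def detection_process(pool, score, eta):
    """Drain the pool; `score` stands in for the trained model (any callable
    mapping a 4xn matrix to a value in (0, 1)), eta is the threshold."""
    verdicts = []
    while pool:
        verdicts.append(score(pool.popleft()) > eta)
    return verdicts
```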

Since no mining traffic data set has yet been published, the present invention uses a self-constructed mixed data set for the experiments, which includes mining traffic and normal behaviour traffic.

The mining traffic constructed in the present invention comes mainly from Ethereum; Wireshark was used to capture the traffic packets of each mining session, with each connection lasting 1 hour. Data construction must fully account for the possible influence of various proxy tools and other factors on the traffic characteristics of mining behaviour, and in addition mining pools with high hash rate and TLS support should be chosen wherever possible. The mining rig models were RTX2060 and RTX3090*4, mainly using the NBminer mining tool; the data set covers 42 mining pools including ethermine, flexpool and f2pool, the mining algorithm is ethash, the mining protocols used are mainly Stratum and Ethproxy, the pool connection protocols include TCP and SSL, and a variety of proxy tools including OpenVPN, V2Ray, SSR and Trojan are involved. In total about 300 mining flows were collected, each flow containing on average about 30,000 packets' worth of information. Normal behaviour traffic comes mainly from everyday network use such as Zoom, YouTube and web pages, all from our own experimental machines; its total size is about 10 times that of the mining traffic set, and the final data set yields 100,000 groups of data.

The final experimental results show that the detection precision of the present invention reaches 99.9%, the recall reaches 99.4%, and the detection speed reaches 8.3 Mpps. These experimental data prove that the present invention is not only feasible but also efficient and real-time, solving the practical problem.

The above embodiments describe in detail the technical solution and beneficial effects of the present invention. It should be understood that the above are only specific embodiments of the present invention and are not intended to limit it; any modification, supplement or equivalent substitution made within the scope of the principles of the present invention shall be included in its protection scope.

Claims (5)

1. A method for detecting virtual currency mining traffic based on deep learning, characterised in that it comprises the following steps:
(1) each data flow captured in advance comprises a plurality of data packets; the relevant information of each data packet is extracted and stored as a tuple sequence in the format <timestamp, packet length, source IP address, source port number, destination IP address, destination port number>;
(2) constructing a detection model based on a neural network, processing the data flow of each network connection into a plurality of detection inputs using the packet length, timestamp and destination address information of each data packet, and then training the detection model with the detection inputs;
the structure of the detection model comprises two convolutional layers, two pooling layers and three fully connected layers; specifically, a first convolutional layer, a first pooling layer, a second convolutional layer, a second pooling layer, a first fully connected layer, a second fully connected layer and a third fully connected layer, connected in sequence;
wherein the first convolutional layer has 20 convolution kernels of size 2×20 with step size 2×1; the second convolutional layer has 100 convolution kernels of size 2×20 with step size 2×1; the first and second pooling layers have a window size of 1×5 and a step size of 1×1; the number of hidden nodes in the first fully connected layer is 1200, in the second fully connected layer 500, and in the third fully connected layer 100;
the detection process of the detection model comprises the following steps: the detection input first enters a convolutional layer, where the convolution kernels are convolved with each region of the input so that features are extracted from it; the feature values are input to an activation function, and the output of the activation function enters a pooling layer; the pooling layer reduces the size of the feature matrix, thereby reducing the number of parameters and the amount of computation in the training process;
after all convolutional and pooling layers, high-level derived features of each group of detection inputs are obtained; these high-level derived features are then passed to the fully connected layers, which use them to classify the input, combined with dropout to prevent overfitting;
the final network output represents the correlation coefficient between the corresponding network connection and mining traffic; the larger the value, the higher the probability that the data flow is mining traffic, and when the network output is larger than the detection threshold the detection result for that group of inputs is considered to be mining traffic;
(3) building a real-time detection system in which the trained detection model is used to detect real-time data flows and judge whether a real-time data flow is mining traffic;
specifically, the real-time detection system is built with DPDK-17.05.2, using two processes to acquire traffic data and to detect traffic respectively;
in the detection process, the relevant information of each network connection must be saved, including the total number of data packets transmitted so far over the network connection and the packet length and timestamp of each data packet; the acquisition process determines the corresponding network connection from the field information of each data packet received from the network port and updates the information of that connection; when the number of packets of a network connection reaches a set scale, the relevant features of the corresponding number of data packets currently stored for that connection are processed into a group of detection inputs, which are put into a buffer pool; the detection process then continuously consumes the groups of detection inputs in the buffer pool and detects them with the detection model.
2. The method for detecting virtual currency mining traffic based on deep learning according to claim 1, wherein in step (1) the mining traffic comes from the virtual currency, the data flow of the network connection in each mining process is captured with the tool Wireshark, and each network connection lasts 1 hour; normal traffic comes from daily network usage, with a data size 8-15 times that of the mining traffic.
3. The method for detecting virtual currency mining traffic based on deep learning according to claim 1, wherein in step (2) the format of the detection input is as follows:
wherein T represents the time difference between the current packet and the previous data packet in the same direction, S represents the packet length of the data packet, and in and out represent incoming and outgoing traffic respectively, determined from the source address and destination address of each packet.
4. The method for detecting virtual currency mining traffic based on deep learning according to claim 3, wherein in training the detection model, for one data flow each group of detection inputs takes N data packets in order on each feature in each direction, so that each detection input conforms to a 4×N two-dimensional matrix format, and a feature with an insufficient number of values is filled with 0; each feature of the next group of detection inputs starts from the position immediately after the last value of that feature in the current input, until any one feature has been consumed by the detection model.
5. The method for detecting virtual currency mining traffic based on deep learning according to claim 1, wherein in the training process of the detection model, for each input sample in the training set, if the input sample belongs to mining traffic it is identified with a label of value 1, otherwise, if the input sample belongs to normal behaviour traffic, the label used has value 0;
the loss value is then estimated with a categorical cross-entropy function, wherein before computing the loss a sigmoid function is required to map the output obtained for each input in the detection model to the interval (0, 1); the training process of loss function minimisation uses the Adam optimizer to optimise the network node values.
Application CN202211325209.6A, priority date 2022-10-27, filing date 2022-10-27: A virtual currency mining traffic detection method based on deep learning (Active; granted as CN116208356B).

Publications (2)

Publication Number Publication Date
CN116208356A CN116208356A (en) 2023-06-02
CN116208356B (en) 2023-09-29
