RU2811855C1 - Adaptive method for detecting cryptojacker in user's computer device - Google Patents

Abstract

FIELD: computer technology.

SUBSTANCE: method for detecting a cryptojacker in a user's computer device contains stages at which statistics are generated on the amount of load on the processor system, the volume of external network traffic and the intensity of calls to crypto libraries, respectively, by cryptojackers and "legitimate" computing processes on the user's computer device and, on this basis, the adapted threshold values of the corresponding parameters are determined, excesses of which are considered as signs for classifying the analyzed computing processes as processes of cryptojacker programs.

EFFECT: ensuring the detection of browser and file cryptojackers without a significant decrease in performance and while adapting detection parameters to the characteristics of user computing processes.

3 cl, 3 dwg

Description

Field of technology to which the invention relates

The invention relates to the field of countering cryptojacking - the extraction of cryptocurrencies using users' computer devices without the consent of the owners, and more specifically to systems and methods for detecting computing processes in users' computer devices that are cryptojackers, i.e. implementing computational procedures for the extraction of cryptocurrencies without the consent (without the knowledge) of users.

State of the art

Cryptojacking is an ever-growing criminal industry with 51 million attacks detected in the first half of 2021 alone.

Cryptojackers, with a certain degree of convention, can be divided into browser-based and file-based.

Browser cryptojackers arose as a criminal offshoot in the development of official cryptomining, implemented through the functionality of specialized sites that provide services to users to include their computer devices in the process of generating cryptocurrencies for a fee. Accordingly, the launch and operation of cryptomining programs on the user’s computer device is carried out through web browsers. Unscrupulous website owners, without warning or informing users, can secretly, within the framework of the background functioning of the browser, run cryptomining programs on the user’s computer device, transmitting the results of their work to the attacker’s website.

The principle of infection and operation of file cryptojackers is similar to conventional viral malware and, most often, is carried out on the basis of social engineering technologies, in particular phishing. Unknown to the user, malware in the form of a cryptomining program (cryptojacker) is installed and operates on his computer device, transmitting the results of its work to the attacker’s address.

The process of mining cryptocurrencies consists of the interactive execution of special computational procedures by the processor of a computer device, transferring their results to the cryptomining server and receiving subsequent instructions from it for further computational procedures. At the same time, a feature of the noted special computing procedures is the calling and execution of crypto libraries on a user computer device. As a result, the mandatory and characteristic features of the cryptomining process are significant load on the processor (processor system), constant external network traffic and constant calls to the crypto libraries of the user’s computer device.

The technical problem of detecting the operation of cryptojackers based on the signs noted above is that “legitimate” computing processes on the user’s computer device can also significantly load the processor, including causing significant volumes of external network traffic (for example, when downloading videos from the network, network computer games) and use (call and execute) crypto libraries. At the same time, the simultaneous presence of all three noted signs, in particular, constant (with a certain intensity) calls to crypto libraries, for “legitimate” computing processes on a user computer device is a rare (unlikely) event.

However, the statistical characteristics of processor load processes, the amount of external network traffic, and the intensity of calling crypto libraries significantly depend on the type of computer device (home computer, smartphone, office workstation, network server, etc.) and the user’s “predilections” (viewing on a home computer or smartphone video from the network, network games, communication on a social network, etc.). As a result, to detect the operation of cryptojackers based on the noted signs, it is necessary to analyze and take into account the statistics of the relevant parameters of both the cryptojackers themselves and the computing processes of a specific user computer device.

There is a known “Method for identifying uncoordinated use of resources of a user’s computing device” (RF patent No. 2757330, G06K 9/00 (2006.01), G06F 21/00 (2013.01), publ.: 10.13.2021 Bulletin No. 29), in which: analyze the work browser process and detect the operation of the script running in the browser; intercept messages transmitted from the script to the server and from the server to the script when the script interacts with the server; analyze the script and intercepted messages for signs of inconsistent use of resources of the user's computing device; detecting inconsistent use of resources of the user's computing device if at least one sign of inconsistent use of resources of the user's computing device is detected. At the same time, the key feature on which the identification of signs of uncoordinated use of resources on a user’s computer device, including cryptomining, is based is the use of WebSocket/WebSocketSecured (WS/WSS) protocols by cryptojackers to ensure interaction between the script on the client and the server in the process of mining cryptocurrencies.

However, the existing solution does not provide detection of file cryptojackers and, in addition, requires significant computing resources to continuously monitor (intercept and analyze) all outgoing and incoming browser network traffic for the use of WS/WSS protocols and scripts on the user’s computer device, which inevitably leads to to a decrease in the performance of “legitimate” computing processes, in particular, those that actively use network resources.

Disclosure of the invention

The present invention is intended to detect computing processes in a user's computer device that perform the functions of a cryptojacker, i.e. implementing computational procedures for the extraction of cryptocurrencies without the consent (without the knowledge) of users.

The main problem solved by the claimed invention is the detection of both browser and file cryptojackers, without the use of a total and continuous analysis of the content of network traffic, and, accordingly, without a significant decrease in the performance of the user's computer device when adapting detection parameters to the characteristics of the processor load, the size of the created external network traffic and the intensity of calls to crypto libraries by computing processes on the user’s computer device.

The technical result of the present invention lies in the implementation of the stated task.

The technical result is achieved by the fact that in the adaptive method of detecting a cryptojacker in the user's computer device:

- experimentally form or obtain by subscription histograms of the frequency distribution of the value of the load on the processor system of the user's computer devices by cryptojackers (the first parameter), the amount of external network traffic caused by the operation of the cryptojackers (the second parameter), the intensity of calls by cryptojackers to crypto libraries on the user's computer device (the third parameter); histograms are considered as distributions of conditional probabilities of the values of the corresponding parameters when diagnosing “the process is a cryptojacker”, while the values of the first, second and third parameters are considered not to be “instant” values, but averaged over certain time intervals, which are set depending on the dynamics of changes in the corresponding parameters for smoothing the so-called “outliers” of “instantaneous” values;

- analyze the statistics of the same parameters for “legitimate” computing processes running on the user’s computer device in order to generate histograms of the frequency distribution of values, which are considered as conditional probability distributions of the corresponding parameters when diagnosing “the process is not a cryptojacker”;

- according to the criterion of maximizing the statistical distance of random variables based on the minimum of the Bhattacharya coefficient between the distribution histograms of each parameter for the diagnoses “the process is a cryptojacker” and “the process is not a cryptojacker”, respectively, thresholds are determined for the first, second and third parameters, adaptive to the features of computing processes user's computer device;

- analyze the current value of the processor system load averaged over the corresponding time interval by the next analyzed process of the user’s computer device and, if the threshold for the first parameter is exceeded, accept the preliminary diagnosis “the process is a cryptojacker”, otherwise accept the diagnosis “the process is not a cryptojacker” and proceed to the analysis of the next one process;

- when accepting a preliminary diagnosis “the process is a cryptojacker”, the current averaged value over the corresponding time interval of the external network traffic caused by the analyzed computing process is analyzed, and if the threshold for the second parameter is exceeded, the preliminary diagnosis “the process is a cryptojacker” is saved; otherwise, the preliminary diagnosis “the process is a cryptojacker” is rejected, the diagnosis “the process is not a cryptojacker” is accepted and the value of the first parameter is sent to recalculate the histogram of the frequency distribution of the load value of the processor system by “legitimate” computing processes of the user’s computer device;

- when saving the preliminary diagnosis “the process is a cryptojacker”, the current value of the call intensity averaged over the corresponding time interval by the corresponding computing process of cryptolibraries on the user’s computer device is analyzed and, if the threshold for the third parameter is exceeded, the final diagnosis “the process is a cryptojacker” is accepted; otherwise, the preliminary diagnosis “the process is a cryptojacker” is rejected, the diagnosis “the process is not a cryptojacker” is accepted and the values of the first and second parameters are sent to recalculate the frequency distribution histograms of the processor system load values and external network traffic by “legitimate” computing processes of the user’s computer device.

According to one of the private implementation options:

- at the initial stage, frequency distribution histograms of the values of the first, second and third parameters are generated or received by subscription separately for browser-based cryptojackers and separately for file-based cryptojackers;

- similarly, frequency distribution histograms of the values of the first, second and third parameters are formed or recalculated separately for “legitimate” computing processes of browsers and separately for other processes (not browsers) of the user’s computer device;

- determine the thresholds of the first, second and third parameters separately for detecting browser cryptojackers and separately the thresholds for detecting file cryptojackers;

- at the cyclic stages of analyzing the computing processes of the user’s computer device, the thresholds of the first, second and third parameters are used, depending on whether the analyzed computing process is a browser or not.

According to another private implementation option:

- separately for each “legitimate” computing process of the user’s computer device, frequency distribution histograms of the values of the first, second and third parameters are formed or recalculated, thereby forming a database of frequency distribution histograms of the values of the corresponding parameters (by the number and identifiers of computing processes launched/executed in user's computer device);

- separately for each “legitimate” computing process of the user’s computer device, individual thresholds of the first, second and third parameters are determined, which are recorded in a special database;

- at the cyclic stages of analyzing the computing processes of the user’s computer device, individual thresholds of the first, second and third parameters are used, corresponding by number (identifier) to the analyzed computing process.

Brief description of drawings

Fig. 1 shows the structure of an adaptive method for detecting a cryptojacker in a user's computer device in the form of a block diagram.

Fig. 2 displays examples of possible types of histograms of the frequency distribution of the values of the first parameter (the amount of load on the processor system of the user’s computer device).

Fig. 3 displays a graph of the Bhattacharya coefficient values calculated for various threshold values of the first parameter (the amount of processor system load) according to the distribution histograms presented in FIG. 2, thereby illustrating the mechanism for determining the threshold of the first parameter, adapted to the characteristics of the “legitimate” computing processes of the user’s computer device.

Carrying out the invention

Objects and features of the present invention, methods for achieving these objects and features will become apparent by reference to exemplary embodiments. However, the present invention is not limited to the exemplary embodiments disclosed below, but may be embodied in various forms. The substance set forth in the specification is nothing more than the specific details necessary to assist one skilled in the art in fully understanding the invention, and the present invention is defined within the scope of the appended claims.

The proposed method is shown schematically in the drawing (Fig. 1), where the stages of its implementation, their content, their sequence and the connections between them are clearly presented in the form of a block diagram. Blocks 110, 120, 130 display preliminary three stages of training/adaptation of an adaptive method for detecting a cryptojacker in a user's computing device. Blocks 140-190 display the cyclic part of the method for analyzing computing processes running on a user's computer device.

At the first of three preliminary stages (block 110), statistics (histograms of frequency distribution of values) are experimentally generated or obtained by subscription of the amount of load on the processor system of users' computer devices by cryptojackers (parameter x ₁ ), the amount of external network traffic caused by the operation of cryptojackers (parameter x ₂ ) and the intensity of calls by cryptojackers to crypto libraries on users' computer devices (parameter x ₃ ). Histograms are considered as distributions of conditional probabilities p(x ₁ /D ₂ ), p(x ₂ /D ₂ ), p(x ₃ /D ₂ ) values of the corresponding parameters x ₁ , x ₂ , x ₃ for the diagnosis D ₂ - “process is a cryptojacker." In this case, the parameters x ₁ , x ₂ , x ₃ are considered not “instant”, but averaged over time intervals Δt ₁ for x ₁ , Δt ₂ for x ₂ , Δt ₃ for x ₃ , which are set depending on the dynamics of changes in the corresponding parameters for smoothing the so-called. “outliers” of “instantaneous” values.

Next, at the second of three preliminary stages (block 120), the statistics of the same parameters of “legitimate” computing processes running on the user’s computer device are analyzed by generating histograms of the frequency distribution of the values of the parameters x ₁ , x ₂ , x ₃ , which are considered as distributions of conditional probabilities p(x ₁ /D ₁ ), p(x ₂ /D ₁ ), p(x ₃ /D ₁ ) with the diagnosis D ₁ - “the process is not a cryptojacker”.

The formation of frequency histograms of the values p(x ₁ /D ₁ ), p(x ₂ /D ₁ ), p(x ₃ /D ₁ ) is carried out (block 120) based on the analysis of data from the operation of built-in system utilities, for example, “Resource Monitor” for processor load parameters and network traffic volume, or special software utilities, such as “Bitmeter OS” (see, for example, https://codebox.net/pages/bitmeteros-downloads) for analyzing the volume of network traffic, and “MS Detours" (see, for example, https://www.microsoft.com/en-us/research/project/detours/) to analyze the intensity of calls to crypto libraries, or based on the use of specially developed software tools.

In one of the embodiments of the method, the interval Δx ₁ equal to 1% is taken as the value of the unit interval for counting the frequencies of the values of the parameter x ₁ , i.e. count the number of hits of the parameter value x ₁ of certain “legitimate” computing processes on the user’s computer device in the intervals 0-1%, 1%-2%, 2%-3%, 99%-100%, and, correlating the number of such hits with the total number of measurements (observations), a histogram of frequency distributions of values p(x ₁ /D ₁ ) is formed. In this case, to calculate the frequencies of the values of the parameter _x1 , not instantaneous values are used, but averaged ones (. ) on the time interval Δt ₁ . The interval t ₁ is set depending on the dynamics of changes in the parameter x ₁ of the corresponding computing process on a specific user’s computer device to smooth out the so-called “outliers” of “instantaneous” values. As a standard value Δt ₁ , as, for example, when working with the “Resource Monitor” utility, take Δt ₁ = 1 sec (another option is 1 min).

Frequencies of values x ₁ are calculated using average values on successive time intervals 0 - Δt ₁ , Δt ₁ - 2Δt ₁ , 2Δt ₁ - 3Δt ₁ , etc. during the technological period of time typical for the operation of the user’s computer device, for example, during an hour of working time (another option is during the working day). In this way, histograms of frequency distributions of values p{x ₁ /D ₁ ) are formed for each computing process of the user's computer device.

According to the initial version (according to claim 1) of the adaptive method for detecting a cryptojacker, each analyzed computing process is considered as an implementation of a certain generalized computing process of the user’s computer device. Based on this, the final formation of a histogram of the frequency distribution of values p(x ₁ /D ₁ ) is carried out by averaging the corresponding histograms over the entire ensemble (set) of computing processes of the user's computer device.

The required number N of measurements (counts) of the parameter x ₁ necessary to obtain histograms of the frequency distribution of values for a particular computational process is determined based on methods for justifying the optimal number of intervals k of partitioning the range of values of the analyzed parameter when constructing distribution histograms from empirical data (see, for example, GOST R 50.1.033-2001 Applied statistics. Rules for checking the agreement of the experimental distribution with the theoretical one. Part 1. Criteria of the chi-square type), in particular, in practical engineering applications based on the rule:

k≤N/n*,

where n* is the minimum number of hits of the value of the analyzed parameter in any of the k observed intervals (usually a value in the range from 5 to 10 hits is taken as n*), from which, for a given k, it follows that:

N≥kn*,

and, accordingly, with k equal to 100 (100 one-percent intervals for the parameter x ₁ ), with n* equal to 10, at least 1000 measurements (counts) are required.

In a similar way, frequency distribution histograms of the values p(x ₂ /D ₁ ), p(x ₃ /D ₁ ) are formed using a value equal to 1 Mbit/s as Δx ₂ , a value equal to 1 call per second as Δx ₃ , as Δt ₂ a value equal to 1 sec (another option - 1 min), as Δt ₃ a value equal to 1 min (another option - 1 hour), except that for parameters x ₂ and x ₃ , as well as, Generally speaking, for any parameter whose statistics are analyzed using distribution histograms generated from empirical data, the intervals for dividing the range of values of the corresponding parameter do not have to be equal. Based on this, in one of the implementation options of the proposed method, the intervals of values of Δx ₂ for the parameter x ₂ in the range from 0 to 10 Mbit/s are taken at 1 Mbit/s, then in the range from 10 to 100 Mbit/s at 2-10 Mbit/s /sec, and 100 Mbit/sec further, limiting the range of analysis of parameter x ₂ to a value equal to 1 Gbit/sec. For parameter x ₃ , the analysis range is limited to 10-20 calls per second.

The formation experimentally (block 110) of histograms of the distribution of parameter values x ₁ , x ₂ , x ₃ by the computational processes of cryptojackers p(x ₁ /D ₂ ), p(x ₂ /D ₂ ), p(x ₃ /D ₂ ) is carried out in a similar way thus, using collections of cryptojackers posted on specialized information resources or other sources, while striving to cover the largest number of known cryptojackers and promptly recalculating histograms when new cryptojackers appear and study.

Recalculation (block 120) of distribution histograms p(x ₁ /D ₁ ), p(x ₂ /D ₁ ) is carried out based on the rule for calculating the sample average random variable x upon receipt at time t _N of new data x(t _N ) into the sample with the previous volume of N-1 elements:

Considering the values of elements, for example, distribution histograms p(x ₁ /D ₁ ) as a sample mean number of hits values of the value x ₁ into the corresponding j-th interval of values ((j-1)%-j'%), related to the number of observations N, recalculation is carried out only for the j-th element of the histogram:

In fig. Figure 2 shows examples of the possible type of histograms of the frequency distribution of values of the processor load value by cryptojackers p{x ₁ /D ₂ ) and histograms of the frequency distribution of the value of the processor load by computing processes on user computer devices p(x ₁ /D ₁ ).

Based on histograms p(x ₁ /D ₁ ), p(x ₂ /D ₁ ), p(x ₃ /D ₁ ) and p(x ₁ /D ₂ ), p(x ₂ /D ₂ ), p( x ₃ /D ₂ ) in the third (block 130 of Fig. 1) of the preliminary stages of the adaptive method for detecting a cryptojacker, threshold values x _{1_0} , x _{2_0} , x _{3_0} are determined, the excess of which by values x ₁ , x ₂ , x ₃ is considered as classification criteria computing processes as cryptojackers. Exceeding or non-exceeding of threshold values x ₁ , x ₂ , x ₃ x _{1_0} , x _{2_0} , x _{3_0} are considered as random events that form the values of discrete (dichotomous) random variables y ₁ , y ₂ , y ₃ (equal to 0 - not exceeded , equal to 1 - exceeded).

In this case, the probabilities p(y ₁ =0/D ₁ ), p(y ₁ =1/D ₁ ) are determined from the histogram p(x ₁ /D ₁ ) based on the following relationships:

Based on similar relationships, the probabilities p(y ₁ =0/D ₂ ), p(y ₁ =1/D ₂ ) are determined:

Using similar relationships, the values p(y ₂ =0/D ₁ ), p(y ₂ =0/D ₂ ), p(y ₂ =1/D ₁ ), p{y ₂ =1/D ₂ ) and p are determined (y ₃ =0/D ₁ ), p(y ₃ =0/D ₂ ), p(y ₃ =1/D ₁ ), p(y ₃ =1/D ₂ ).

Sets of pairs of values p(y ₁ =0/D ₁ ), p(y ₁ =1/D ₁ ) and p(y ₁ =0/D ₂ ), p(y ₁ =1/D ₂ ) are considered as distributions of conditional probabilities of a discrete (dichotomous) random variable y _1, respectively, for diagnosis D ₁ and diagnosis D ₂ . Sets of pairs of values p(y ₂ =0/D ₁ ), p(y ₂ =1/D ₁ ) and p(y ₂ =0/D ₂ ), p(y ₂ =1/D ₂ ) are considered as distributions of conditional probabilities of a random variable in ₂ , respectively, for diagnosis D ₁ and diagnosis D ₂ . Sets of pairs of values p(y ₃ =0/D ₁ ), p(y ₃ =1/D ₁ ) and p(y ₃ =0/D ₂ ), p(y ₃ =1/D ₂ ) are considered as distributions of conditional probabilities of a random variable in ₃ , respectively, for diagnosis D ₁ and diagnosis D ₂ .

It is known (see, for example, K. Fukunaga. Introduction to Statistical Pattern Recognition, 2nd Edition, Academic Press, New York, 1990) that the measure of distinguishability (degree of overlap) of two distributions p(x) and q(x) of a discrete random variable x, insensitive to the type and ratio of distribution parameters, is the Bhattacharya coefficient:

where X is a set of values of a discrete random variable x.

With maximum statistical distinguishability of the distributions p(x) and q(x) (complete absence of overlap), the Bhattacharya coefficient BC(p,q)=0, with complete statistical indistinguishability (complete coincidence of p(x) and q(x)) BC(p ,q)=1.

For dichotomous random variables y ₁ , y ₂ , y ₃ , the Bhattacharya coefficient between the distributions p(y ₁ /D ₁ ) and p(y ₁ /D ₂ ), p(y ₂ /D ₁ ) and p(y ₂ /D ₂ ), p(y ₃ /D ₁ ) and p(y ₃ /D ₂ ) are determined by the following relations:

Since the Bhattacharya coefficient BC(p(y ₁ /D ₁ ), p(y ₁ /D ₂ )) is a function (functional) of the value (threshold) x _{1_0} , then its values are sequentially calculated for x _{1_0} , taking all possible values from range of change of parameter x ₁ , i.e. from x _{1_0} equal to 1% to x _{1_0} equal to 100%, thereby forming a series of values BC(p(y ₁ /D ₁ ), p(y ₁ /D ₂ ) for x _{1_0} in the range from 1% to 100 % (see Fig. 3).

As the threshold x _{1_0} for the value x ₁ , select the value x _{1_0} from the range 1 - 100%, at which the Bhattacharya coefficient is minimal, thereby ensuring maximum statistical distinguishability of cryptojackers and “legitimate” computing processes of a specific user’s computer device.

In fig. Figure 3 shows examples of a number of values BC(p)(y ₁ /D ₁ ), p(y ₁ /D ₂ )) depending on the value x _{1_0} for distribution histograms p(x ₁ / D ₁ ), p(x ₁ /D ₂ ), presented in Fig. 2, for which the threshold x _{1_0} is equal to 14% in the first option and 18% in the second option.

The thresholds x _{2_0} and x _{3_0} are determined in a similar way. The cyclic part of the adaptive method for detecting a cryptojacker begins with block 140 (Fig. 1), where the current value averaged over time Δt ₁ is considered loading the processor system with the next analyzed process of the user's computer device. If exceeded threshold x _{1_0} make a preliminary decision (block 150) on classifying the process as a cryptojacker (diagnosis D ₂ ) and calculate (block 160) the average value over time Δt ₂ the amount of external network traffic x ₂ characterizing the corresponding process of the user's computer device, otherwise (block 150) the diagnosis D ₁ is accepted (the process is not a cryptojacker) and proceeds to the analysis of the next process (block 140).

When preliminary classifying a computing process by parameter x ₁ as a cryptojacker, the average value over time Δt ₂ is analyzed amount of network traffic x ₂ (blocks 160, 170). If the value exceeds threshold x _{2_0} (block 170) save the preliminary diagnosis D ₂ (process - cryptojacker) in relation to the analyzed computing process and calculate (block 180) the average value over time Δt ₃ the intensity of the call by the corresponding computing process of the crypto libraries on the user's computer device, otherwise (block 170) the preliminary diagnosis D ₂ is rejected, the diagnosis D ₁ is accepted (the process is not a cryptojacker) and the value of the value is sent for recalculation (block 120) of the histogram of frequency distribution of values p(x ₁ /D ₁ ).

At the final stage (blocks 180, 190), the average value over time Δt ₃ is analyzed call intensity by the corresponding computing process of the cryptolibrary user's computer device and if the value exceeds threshold x _{3_0} (block 190) they finally accept the diagnosis D ₂ (the process is a cryptojacker, block 200), otherwise (block 190) they reject the preliminary diagnosis D ₂ , accept the diagnosis D ₁ (the process is not a cryptojacker) and send the values for recalculation (block 120) of distribution histograms p(x ₁ /D ₁ ), p{x ₂ /D ₁ ).

In an embodiment of the adaptive method for detecting a cryptojacker in a user's computer device according to point 2, in order to take into account differences in the statistics of parameters _x1 , _x2 , _x3 of browser and file cryptojackers, the learning-adaptation process (preliminary stages of the method, blocks 110, 120, 130 of FIG. 1) are built separately to detect browser-based and separately file cryptojackers, for which, in the first of three preliminary stages (block 110), histograms of the frequency distribution of values are experimentally built or obtained by subscription separately for browser cryptojackers and for file cryptojackers.

At the second (block 120) of the three preliminary stages, distribution histograms are also separately constructed computing processes of the user's computer device, implemented by the work of browser programs, and a histogram of the distribution of a certain generalized computing process implemented by any programs on the user's computer device that are not browser programs.

In the third (block 130) of the preliminary stages of the adaptive method for detecting a cryptojacker in the user's computer device, thresholds are separately determined for browser detection and thresholds to detect file cryptojackers in a similar way to step 1, using the corresponding distribution histograms to determine thresholds and distribution histograms And to determine thresholds

The cyclic part (blocks 140-190) of the adaptive method for detecting a cryptojacker in the user’s computer device according to claim 2 is organized in a similar way to claim 1, with the exception of the use of thresholds depending on whether the analyzed computing process is a browser or not.

In an embodiment of the adaptive method for detecting a cryptojacker in a user's computer device according to point 3 in order to take into account individual differences in the statistics of parameters x ₁ , x ₂ , x ₃ of various “legitimate” processes of the user’s computer device, the learning/adaptation process (preliminary stages, blocks 110, 120 , 130 Fig. 1) are built by analyzing the statistics of each individual computing process on the user’s computer device.

For this purpose, at the second (block 120) of the preliminary stages, separately for each computing process of the user’s computer device, histograms of the frequency distribution of values are formed or recalculated where m is the number (identifier) of the computing process, thereby forming a database of their M histograms of the frequency distribution of the values of the parameters x ₁ , x ₂ , x ₃ (by the number and identifiers of the computing processes running on the user’s computer device);

in the third (block 130) of the preliminary stages, thresholds are determined separately for each computational process m which are recorded in a special database;

at cyclic (blocks 140 -190) stages, thresholds are used corresponding by number (identifier) to the analyzed computational process.

Claims (16)

1. An adaptive method for detecting a cryptojacker in a user’s computer device, in which: a) experimentally generate or obtain by subscription histograms of the frequency distribution of the values of the load on the processor system of the user’s computer devices by cryptojackers, which is the first parameter, the amount of external network traffic caused by the work of cryptojackers, which is the second parameter, and the intensity of calls by cryptojackers to crypto libraries on the user’s computer device, which is the third parameter ; histograms are considered as distributions of conditional probabilities of the values of the corresponding parameters when diagnosing “the process is a cryptojacker”, while the values of the first, second and third parameters are considered not to be “instant” values, but averaged over certain time intervals, which are set depending on the dynamics of changes in the corresponding parameters for smoothing out so-called “outliers” of “instantaneous” values; b) analyze the statistics of the same parameters for “legitimate” computing processes running on the user’s computer device in order to generate histograms of the frequency distribution of values, which are considered as conditional probability distributions of the corresponding parameters when diagnosing “the process is not a cryptojacker”; c) according to the criterion of maximizing the statistical distance of random variables based on the minimum of the Bhattacharya coefficient between the histograms of the distribution of each parameter for the diagnoses “the process is a cryptojacker” and “the process is not a cryptojacker”, thresholds are respectively determined for the first, second and third parameters, adaptive to the peculiarities of the computing processes of the computer user devices; d) analyze the current value of the processor system load averaged over the corresponding time interval by the next analyzed process of the user’s computer device and, if the threshold for the first parameter is exceeded, accept a preliminary diagnosis “the process is a cryptojacker”, otherwise accept the diagnosis “the process is not a cryptojacker” and proceed to analysis next process; e) when accepting a preliminary diagnosis “the process is a cryptojacker”, the current averaged value over the corresponding time interval of the external network traffic caused by the analyzed computing process is analyzed, and if the threshold for the second parameter is exceeded, the preliminary diagnosis “the process is a cryptojacker” is saved; otherwise, the preliminary diagnosis “the process is a cryptojacker” is rejected, the diagnosis “the process is not a cryptojacker” is accepted and the value of the first parameter is sent to recalculate the histogram of the frequency distribution of the load value of the processor system by “legitimate” computing processes of the user’s computer device; f) while saving the preliminary diagnosis “the process is a cryptojacker”, the current value of the call intensity averaged over the corresponding time interval by the corresponding computing process of the cryptolibraries on the user’s computer device is analyzed and, if the threshold for the third parameter is exceeded, the final diagnosis “the process is a cryptojacker” is accepted; otherwise, the preliminary diagnosis “the process is a cryptojacker” is rejected, the diagnosis “the process is not a cryptojacker” is accepted, and the values of the first and second parameters are sent to recalculate the frequency distribution histograms of the load values of the processor system and external network traffic by “legitimate” computing processes of the user’s computer device. 2. An adaptive method for detecting a cryptojacker in a user’s computer device according to claim 1, in which: at stage a) form or receive by subscription histograms of the frequency distribution of the values of the first, second and third parameters separately for browser-based cryptojackers and separately for file-based cryptojackers; similarly, at step b) form or recalculate histograms of the frequency distribution of the values of the first, second and third parameters on the user’s computer device separately for “legitimate” computing processes of browsers and separately for other processes that are not browsers; at stage c) determine the thresholds of the first, second and third parameters separately for detecting browser cryptojackers and separately the thresholds for detecting file cryptojackers; at stages d), e) and f) thresholds of the first, second and third parameters are used, depending on whether the analyzed computing process is a browser or not. 3. An adaptive method for detecting a cryptojacker in a user’s computer device according to claim 1, in which: at stage b) separately for each “legitimate” computing process on the user’s computer device, frequency distribution histograms of the values of the first, second and third parameters are formed or recalculated, thereby forming a database of frequency distribution histograms of the values of the corresponding parameters, namely by the number and identifiers of computing processes launched/executed on the user’s computer device; at stage c) individual thresholds of the first, second and third parameters are determined separately for each “legitimate” computing process of the user’s computer device, which are recorded in a special database; at stages d), e) and f) use individual thresholds of the first, second and third parameters, corresponding by number, which is the identifier of the analyzed computational process.

Images