Author: Admin | 2025-04-28
a widely utilized network protocol analyzer, to capture network traffic generated during the cryptomining and cryptojacking operations. We then cleaned the obtained network traffic capture files by removing the unnecessary connections, leaving only the mining ones. Table II reports the number of TCP flows per category.[2]

TABLE II
DATASET COMPOSITION

| Type                                   | Flows  |
|----------------------------------------|--------|
| benign (browser traffic)               | 140343 |
| XMR-Stak, (encrypted) Stratum over TLS | 6011   |
| XMR-Stak, (plain) Stratum over TCP     | 1159   |
| MadoMiner                              | 701    |
| Coinhive                               | 634    |
| total                                  | 148848 |

Finally, we used tstat [14], a network analysis tool, to extract various traffic statistics. In particular, we used all the 32 TCP statistics listed in Table III. The features marked with 'both directions' are available from both endpoints' points of view; for instance, we have at our disposal both the number of packets sent by the client (e.g., XMR-Stak) and by the server (e.g., the mining pool servers). To comply with GDPR regulations, we refrained from inspecting payload data and focused solely on analyzing TCP/IP header data.

[2] The adopted dataset is available on Kaggle at: https://www.kaggle.com/datasets/danielecanavese/cryptomining-data-set/, last visited on April 30, 2024.
[3] https://www.raspberrypi.com/products/raspberry-pi-4-model-b/, last visited on March 2, 2024.
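As an added example (not code from the paper or from tstat), the header-only, per-direction feature extraction that the statistics in Table III rely on, implemented in Python over a constructed packet trace. The retransmission rule (a payload packet repeating an already seen sequence number) and the "correctly terminated" rule (FIN seen in both directions, no RST) are simplifying assumptions, and out-of-sequence packets are not computed.

```python
from collections import namedtuple
# Header-only packet record: ts (s since capture start), c2s (True = client->server),
# seq (TCP sequence number), payload (bytes), flags (frozenset of "SYN","ACK","FIN","RST").
Pkt = namedtuple("Pkt", "ts c2s seq payload flags")

def direction_stats(pkts, t0):
    """Per-direction counters of Table III. Assumption: a payload packet whose seq was
    already seen in this direction is counted as a retransmission."""
    keys = ("packets", "with_payload", "retrans_packets", "ack", "ack_no_payload", "fin",
            "rst", "syn", "bytes_excl_retrans", "bytes_incl_retrans", "retrans_bytes")
    seen, st = set(), dict.fromkeys(keys, 0)
    st.update(first_payload_ms=None, last_payload_ms=None, first_ack_ms=None)
    for p in pkts:
        st["packets"] += 1
        for f in ("syn", "ack", "fin", "rst"):
            st[f] += f.upper() in p.flags          # flag counters (bool adds as 0/1)
        if "ACK" in p.flags:
            st["ack_no_payload"] += p.payload == 0
            if st["first_ack_ms"] is None:
                st["first_ack_ms"] = (p.ts - t0) * 1000
        if p.payload:
            st["with_payload"] += 1
            st["bytes_incl_retrans"] += p.payload
            if p.seq in seen:                      # repeated seq: retransmitted data
                st["retrans_packets"] += 1
                st["retrans_bytes"] += p.payload
            else:
                seen.add(p.seq)
                st["bytes_excl_retrans"] += p.payload
            if st["first_payload_ms"] is None:
                st["first_payload_ms"] = (p.ts - t0) * 1000
            st["last_payload_ms"] = (p.ts - t0) * 1000
    return st

def flow_features(pkts):
    """Flow record: both directions plus duration and clean termination (assumption:
    'correctly terminated' means FIN seen in both directions and no RST at all)."""
    t0 = pkts[0].ts
    c2s = direction_stats([p for p in pkts if p.c2s], t0)
    s2c = direction_stats([p for p in pkts if not p.c2s], t0)
    return {"c2s": c2s, "s2c": s2c, "duration_ms": (pkts[-1].ts - t0) * 1000,
            "terminated": c2s["fin"] > 0 and s2c["fin"] > 0 and not (c2s["rst"] or s2c["rst"])}

# Constructed sample flow: handshake, a client request retransmitted once, one server reply, FIN/ACK both ways.
SAMPLE = [
    Pkt(0.000, True, 1000, 0, frozenset({"SYN"})),
    Pkt(0.020, False, 5000, 0, frozenset({"SYN", "ACK"})),
    Pkt(0.021, True, 1001, 0, frozenset({"ACK"})),
    Pkt(0.030, True, 1001, 120, frozenset({"ACK"})),
    Pkt(0.230, True, 1001, 120, frozenset({"ACK"})),  # retransmission of the request
    Pkt(0.250, False, 5001, 300, frozenset({"ACK"})),
    Pkt(0.300, True, 1121, 0, frozenset({"FIN", "ACK"})),
    Pkt(0.310, False, 5301, 0, frozenset({"FIN", "ACK"})),
]
```

Because nothing above the transport header is read, the same extractor works unchanged on the encrypted Stratum-over-TLS flows of Table II.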
This approach ensures user privacy as no user data is processed in any way (the application layer and its payloads are not involved at all).

TABLE III
TCP FEATURES

| Feature                                                        | Unit    |
|----------------------------------------------------------------|---------|
| # packets (both directions)                                    | packets |
| # packets with payload (both directions)                       | packets |
| # retransmitted packets (both directions)                      | packets |
| # out of sequence packets (both directions)                    | packets |
| # packets with ACK set (both directions)                       | packets |
| # packets with ACK set and no payload (both directions)        | packets |
| # packets with FIN set (both directions)                       | packets |
| # packets with RST set (both directions)                       | packets |
| # packets with SYN set (both directions)                       | packets |
| # payload bytes excluding retransmissions (both directions)    | bytes   |
| # payload bytes including retransmissions (both directions)    | bytes   |
| # retransmitted bytes (both directions)                        | bytes   |
| flow duration                                                  | ms      |
| relative time of first payload packet (both directions)        | ms      |
| relative time of last payload packet (both directions)         | ms      |
| relative time of first ACK packet (both directions)            | ms      |
| TCP connection correctly terminated                            | boolean |

IV. EXPERIMENTAL RESULTS

This section details our findings about distinguishing a crypto-mining or crypto-jacking flow with respect to some benign traffic. All our model training and testing experiments were conducted using the platform whose specifications are listed in Table I. We tested different ML models for classification: decision trees, random forests, Gaussian SVMs, and kNN. We then tested three different binary classification scenarios to be able to distinguish benign (web) traffic against the crypto-mining flows produced by XMR-Stak, MadoMiner [26], and Coinhive. We randomly selected 70% of the flows for the training phase, while the remaining 30% were used for testing our models. The hyperparameter search was conducted using a simple grid search algorithm with 5-fold cross-validation since the training phase was fast enough to allow it.

A. XMR-Stak traffic

Table IV reports our four