As cryptocurrencies have become prominent in the last decade, so has unauthorized cryptocurrency-mining activity in corporate environments, both by legitimate insiders and by malware. Unauthorized mining has been detected on national supercomputers, networks of enterprise workstations, and even a biometric access server in an empty office.
Such activity is also becoming harder to detect. For instance, some cryptocurrency-mining malware encrypts its communications with its command-and-control servers, so that these connections become hard-to-find needles in the haystack of legitimate traffic on a corporate network.
We have developed an automated two-part system to detect connections associated with mining cryptocurrency. The first part uses a supervised machine-learning model to estimate the probability that a connection is legitimate, from features such as whether and how often the network device has made a similar connection before and when the destination endpoint was first contacted from the corporate network. The second part uses n-gram statistics and a classifier trained on a large set of hostnames associated with cryptocurrency mining to decide whether the external endpoint is itself mining-related.
The system identifies, with high precision, devices associated with new and unexpected cryptocurrency-mining activity by analyzing both unencrypted and encrypted connections that use mining protocols. It can also, in principle, raise an alert the first time a corporate device produces such a connection.
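To make the two-part design concrete, the following is an added illustration (not the paper's code, and not its actual features or thresholds) of the pipeline described above: a first stage that measures how novel a connection is for the device and for the organisation, and a second stage that scores the destination hostname with a character n-gram Naive Bayes classifier, together with a first-contact alert rule. The training hostnames, the connection log, the n-gram size, the Naive Bayes choice and the alert thresholds are all assumptions constructed for this example and name no real mining pool or real network.

```python
"""Added illustration, not code from the paper: a toy version of the two-stage
detector the abstract describes. Stage 1 measures how novel a connection is for
the device and for the organisation; stage 2 is a character n-gram Naive Bayes
classifier over destination hostnames. Every hostname and log record below is
constructed for the example and names no real mining pool or real network."""
from collections import Counter
from datetime import datetime
from math import exp, log

# Constructed training data for stage 2 (1 = mining-related, 0 = benign).
TRAINING = [
    ("xmr.pool-example.test", 1), ("stratum.mine-example.test", 1),
    ("eth-pool.example.test", 1), ("pool.hashmine-example.test", 1),
    ("monero.miningpool-example.test", 1), ("btc.stratum-example.test", 1),
    ("www.example-corp.test", 0), ("cdn.example.test", 0),
    ("mail.example.test", 0), ("updates.example.test", 0),
    ("login.example-corp.test", 0), ("api.partner-example.test", 0),
]

# Constructed connection log for stage 1: (ISO timestamp, device, destination).
LOG = [
    ("2024-03-01T08:00:00", "ws-01", "www.example-corp.test"),
    ("2024-03-01T08:05:00", "ws-02", "www.example-corp.test"),
    ("2024-03-01T08:10:00", "ws-01", "updates.example.test"),
    ("2024-03-02T09:00:00", "ws-02", "updates.example.test"),
    ("2024-03-02T09:30:00", "ws-03", "www.example-corp.test"),
    ("2024-03-03T22:15:00", "ws-03", "xmr.pool-example.test"),
]


def ngrams(host, n=3):
    """Character n-grams of a lowercased hostname, with start/end markers so
    that prefixes such as 'xmr.' and suffixes are represented explicitly."""
    s = f"^{host.lower()}$"
    return [s[i:i + n] for i in range(len(s) - n + 1)]


class NgramNB:
    """Multinomial Naive Bayes over character n-grams, Laplace-smoothed.
    Stands in for the hostname classifier of stage 2 (an assumption; the
    paper's classifier is not specified here)."""

    def __init__(self, n=3):
        self.n = n
        self.counts = {0: Counter(), 1: Counter()}
        self.docs = Counter()
        self.vocab = set()

    def fit(self, data):
        for host, label in data:
            grams = ngrams(host, self.n)
            self.counts[label].update(grams)
            self.docs[label] += 1
            self.vocab.update(grams)
        return self

    def _log_score(self, grams, label):
        total = sum(self.counts[label].values())
        denom = total + len(self.vocab)           # add-one smoothing
        prior = log(self.docs[label] / sum(self.docs.values()))
        return prior + sum(log((self.counts[label][g] + 1) / denom) for g in grams)

    def p_mining(self, host):
        """Posterior probability that `host` is mining-related."""
        grams = ngrams(host, self.n)
        l0, l1 = self._log_score(grams, 0), self._log_score(grams, 1)
        m = max(l0, l1)                           # avoid underflow in exp()
        return exp(l1 - m) / (exp(l0 - m) + exp(l1 - m))


def novelty_features(log_records, device, dest, now):
    """Stage 1 features: how often this device and the whole organisation
    contacted `dest` before `now`, and hours since the organisation first did."""
    device_hits = org_hits = 0
    first_seen = None
    for ts, dev, host in log_records:
        t = datetime.fromisoformat(ts)
        if host != dest or t >= now:
            continue
        org_hits += 1
        first_seen = t if first_seen is None else min(first_seen, t)
        if dev == device:
            device_hits += 1
    age_h = 0.0 if first_seen is None else (now - first_seen).total_seconds() / 3600
    return {"device_hits": device_hits, "org_hits": org_hits, "age_hours": age_h}


def score_connection(model, log_records, ts, device, dest):
    """Combine both stages. The alert rule and the 0.9 threshold are
    illustrative choices for this example, not the rule from the paper."""
    now = datetime.fromisoformat(ts)
    feats = novelty_features(log_records, device, dest, now)
    p = model.p_mining(dest)
    alert = p > 0.9 and feats["device_hits"] == 0 and feats["org_hits"] == 0
    return {"p_mining": round(p, 4), **feats, "alert": alert}


if __name__ == "__main__":
    model = NgramNB().fit(TRAINING)
    for ts, dev, host in LOG:
        print(dev, host, score_connection(model, LOG, ts, dev, host))
```

Running the script scores every record in the constructed log. The routine connections to `www.example-corp.test` and `updates.example.test` get a low mining probability and, after the first day, a nonzero organisation-wide history, while the final record is the first contact from `ws-03`, the first contact from anyone in the organisation, and a hostname the classifier scores as mining-related, so it is the one that triggers the first-contact alert. The hostname model generalises to unseen names that share n-grams with the training set (for instance `stratum.xmr-pool-example.test`), which is the property the second stage relies on; the novelty stage is what keeps a long-established, frequently contacted destination from alerting even if its name looks suspicious.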