Visible to the public DeCrypto Pro: Deep Learning Based Cryptomining Malware Detection Using Performance Counters

TitleDeCrypto Pro: Deep Learning Based Cryptomining Malware Detection Using Performance Counters
Publication TypeConference Paper
Year of Publication2020
AuthorsMani, G., Pasumarti, V., Bhargava, B., Vora, F. T., MacDonald, J., King, J., Kobes, J.
Conference Name2020 IEEE International Conference on Autonomic Computing and Self-Organizing Systems (ACSOS)
Keywordsadvanced persistent threat, advanced persistent threats, antivirus applications, APT, APTs, behavior profiling, benign compression, classification model, collaborative attacks, Computational modeling, computational resources, cryptographic operations, cryptography, cryptojacking, cryptomining, cyberattacks, data mining, Data models, DeCrypto Pro, DeCrypto Profiler framework, deep cryptomining profiler, Deep Learning, deep neural networks, defense mechanisms, encoding, Human Behavior, invasive software, k-nearest neighbors, Long short-term memory, LSTM, machine learning, Malware, malware detection, Metrics, mission-critical cybersystems, model selection, nearest neighbour methods, operating context profiling system, pattern classification, performance counters, Predictive models, pubcrawl, Random Forest, random forests, ransomware, recurrent neural nets, resilience, Resiliency, Scalability, system features, system functionalities, Trojan Laziok, utility function, Windows performance counters
AbstractAutonomy in cybersystems depends on their ability to be self-aware by understanding the intent of services and applications that are running on those systems. In case of mission-critical cybersystems that are deployed in dynamic and unpredictable environments, the newly integrated unknown applications or services can either be benign and essential for the mission or they can be cyberattacks. In some cases, these cyberattacks are evasive Advanced Persistent Threats (APTs) where the attackers remain undetected for reconnaissance in order to ascertain system features for an attack e.g. Trojan Laziok. In other cases, the attackers can use the system only for computing e.g. cryptomining malware. APTs such as cryptomining malware neither disrupt normal system functionalities nor trigger any warning signs because they simply perform bitwise and cryptographic operations as any other benign compression or encoding application. Thus, it is difficult for defense mechanisms such as antivirus applications to detect these attacks. In this paper, we propose an Operating Context profiling system based on deep neural networks-Long Short-Term Memory (LSTM) networks-using Windows Performance Counters data for detecting these evasive cryptomining applications. In addition, we propose Deep Cryptomining Profiler (DeCrypto Pro), a detection system with a novel model selection framework containing a utility function that can select a classification model for behavior profiling from both the light-weight machine learning models (Random Forest and k-Nearest Neighbors) and a deep learning model (LSTM), depending on available computing resources. Given data from performance counters, we show that individual models perform with high accuracy and can be trained with limited training data. We also show that the DeCrypto Profiler framework reduces the use of computational resources and accurately detects cryptomining applications by selecting an appropriate model, given the constraints such as data sample size and system configuration.
Citation Keymani_decrypto_2020