Table of Contents
Fetching ...

Dynamic Graph-based Fingerprinting of In-browser Cryptomining

Tanapoom Sermchaiwong, Jiasi Shen

TL;DR

PoT addresses obfuscation-resilient cryptojacking detection by fingerprinting in-browser miners with instruction-level data-flow graphs. It introduces graph simplification to compress large data-flow graphs and a robust n-fragment inclusion score for subgraph similarity, enabling accurate detection under obfuscation. The framework is evaluated on WebAssembly miners across real-world sites, miners, and obfuscated variants, showing superior performance to prior methods. The approach generalizes beyond browsers to other platforms like servers and data centers.

Abstract

The decentralized and unregulated nature of cryptocurrencies, combined with their monetary value, has made them a vehicle for various illicit activities. One such activity is cryptojacking, an attack that uses stolen computing resources to mine cryptocurrencies without consent for profit. In-browser cryptojacking malware exploits high-performance web technologies like WebAssembly to mine cryptocurrencies directly within the browser without file downloads. Although existing methods for cryptomining detection report high accuracy and low overhead, they are often susceptible to various forms of obfuscation, and due to the limited variety of cryptomining scripts in the wild, standard code obfuscation methods present a natural and appealing solution to avoid detection. To address these limitations, we propose using instruction-level data-flow graphs to detect cryptomining behavior. Data-flow graphs offer detailed structural insights into a program's computations, making them suitable for characterizing proof-of-work algorithms, but they can be difficult to analyze due to their large size and susceptibility to noise and fragmentation under obfuscation. We present two techniques to simplify and compare data-flow graphs: (1) a graph simplification algorithm to reduce the computational burden of processing large and granular data-flow graphs while preserving local substructures; and (2) a subgraph similarity measure, the n-fragment inclusion score, based on fragment inclusion that is robust against noise and obfuscation. Using data-flow graphs as computation fingerprints, our detection framework PoT (Proof-of-Theft) was able to achieve high detection accuracy against standard obfuscations, outperforming existing detection methods. Moreover, PoT uses generic data-flow properties that can be applied to other platforms more susceptible to cryptojacking such as servers and data centers.

Dynamic Graph-based Fingerprinting of In-browser Cryptomining

TL;DR

PoT addresses obfuscation-resilient cryptojacking detection by fingerprinting in-browser miners with instruction-level data-flow graphs. It introduces graph simplification to compress large data-flow graphs and a robust n-fragment inclusion score for subgraph similarity, enabling accurate detection under obfuscation. The framework is evaluated on WebAssembly miners across real-world sites, miners, and obfuscated variants, showing superior performance to prior methods. The approach generalizes beyond browsers to other platforms like servers and data centers.

Abstract

The decentralized and unregulated nature of cryptocurrencies, combined with their monetary value, has made them a vehicle for various illicit activities. One such activity is cryptojacking, an attack that uses stolen computing resources to mine cryptocurrencies without consent for profit. In-browser cryptojacking malware exploits high-performance web technologies like WebAssembly to mine cryptocurrencies directly within the browser without file downloads. Although existing methods for cryptomining detection report high accuracy and low overhead, they are often susceptible to various forms of obfuscation, and due to the limited variety of cryptomining scripts in the wild, standard code obfuscation methods present a natural and appealing solution to avoid detection. To address these limitations, we propose using instruction-level data-flow graphs to detect cryptomining behavior. Data-flow graphs offer detailed structural insights into a program's computations, making them suitable for characterizing proof-of-work algorithms, but they can be difficult to analyze due to their large size and susceptibility to noise and fragmentation under obfuscation. We present two techniques to simplify and compare data-flow graphs: (1) a graph simplification algorithm to reduce the computational burden of processing large and granular data-flow graphs while preserving local substructures; and (2) a subgraph similarity measure, the n-fragment inclusion score, based on fragment inclusion that is robust against noise and obfuscation. Using data-flow graphs as computation fingerprints, our detection framework PoT (Proof-of-Theft) was able to achieve high detection accuracy against standard obfuscations, outperforming existing detection methods. Moreover, PoT uses generic data-flow properties that can be applied to other platforms more susceptible to cryptojacking such as servers and data centers.
Paper Structure (11 sections, 3 theorems, 2 equations, 3 figures)

This paper contains 11 sections, 3 theorems, 2 equations, 3 figures.

Key Result

Lemma 4

Let $G$ be a directed acyclic graph with no multi-edges. The probability that a vertex $v \in V(G)$ is visited in a random backward walk is where $C(v)$ denotes the set of children vertices of $v$ in the directed graph and $|I(v_c)|$ denotes the number of incoming edges into $v_c$.

Figures (3)

  • Figure 1: A short WebAssembly function in text format alongside its data-flow graph.
  • Figure 2: (CryptoNight data-flow graphs) The images show visualizations of the data-flow graphs of the CryptoNight POW algorithm in its original and simplified forms and under different obfuscations. Figure (a) shows the original graph, while (b) to (d) show three obfuscated versions. Figures (e) to (h) show the simplified versions of (a) to (d). Vertices highlighted red, green, and blue represent and, xor, and shr instructions respectively. While other instructions are not traced, they may still appear as data origin in the graph represented by the uncolored vertices.
  • Figure 3: A step-by-step reduction of the CryptoNight graph. The root vertices of isomorphic subgraphs are highlight and merged at each step.

Theorems & Definitions (6)

  • Definition 1: Rooted Subgraph
  • Definition 2: Depth
  • Definition 3: Backward Random Walk
  • Lemma 4
  • Theorem 5
  • Lemma 6