CryptoCatch: Cryptomining Hidden Nowhere
Ruisheng Shi, Ziding Lin, Haoran Sun, Qin Wang, Shihan Zhang, Lina Lan, Zhiyuan Peng, Chenfeng Wang
TL;DR
CryptoCatch addresses the challenge of detecting encrypted cryptomining traffic by coupling a time-series ML classifier with protocol-aware active probing in a two-stage pipeline. The approach achieves an F1-score of $0.99$ and a multiclass cryptocurrency identification accuracy of $99.39\%$, while active probing dramatically reduces false positives. Extensive LAN-based experiments validate strong detection performance with manageable deployment overhead, thanks to asynchronous operation and scalable throughput. By maintaining a dynamic blacklist and providing real-time verification results, CryptoCatch offers a practical, privacy-conscious solution for gateway-level network security against cryptomining abuse.
Abstract
Cryptomining poses significant security risks, yet traditional detection methods such as blacklists and Deep Packet Inspection (DPI) are often ineffective against encrypted mining traffic and suffer from high false positive rates. In this paper, we propose a practical encrypted cryptomining traffic detection mechanism. It consists of a two-stage detection framework in which machine learning provides fine-grained detection results and active probing reduces the false positives produced by the classifier. Our system achieves an F1-score of 0.99 and identifies specific cryptocurrencies with a 99.39% accuracy rate. Extensive testing across various mining pools confirms the effectiveness of our approach, offering a more precise and reliable solution for identifying cryptomining activities.
