
A data infrastructure for heterogeneous telemetry adaptation: application to Netflow-based cryptojacking detection

Annals of Telecommunications

Abstract

The increasing development of cryptocurrencies has brought cryptojacking as a new security threat in which attackers steal computing resources for cryptomining. The digitization of the supply chain is a potential major target for cryptojacking due to the large number of different infrastructures involved. These different infrastructures provide information sources that can be useful to detect cryptojacking, but with a wide variety of data formats and encodings. This paper describes the semantic data aggregator (SDA), a normalization and aggregation system based on data modelling and low-latency processing of data streams that facilitates the integration of heterogeneous information sources. As a use case, the paper describes a cryptomining detection system (CDS) based on network traffic flows processed by a machine learning engine. The results show how the SDA is leveraged in this use case to obtain aggregated information that improves the performance of the CDS.



Data Availability

The code of the framework is available at https://github.com/giros-dit/semantic-data-aggregator. The data and scripts used to produce the results are available at https://github.com/aams-eam/ALSDA.


Acknowledgements

The research leading to these results received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement no. 952644 (FISHY) and no. 883335 (PALANTIR). The paper reflects only the authors’ view. The Commission is not responsible for any use that may be made of the information it contains.

Author information

Corresponding author

Correspondence to Alejandro A. Moreno-Sancho.

Ethics declarations

Conflict of interest

The authors declare no competing interests.

Disclaimer

The paper reflects only the authors’ view. The Commission is not responsible for any use that may be made of the information it contains.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.


About this article


Cite this article

Moreno-Sancho, A.A., Pastor, A., Martinez-Casanueva, I.D. et al. A data infrastructure for heterogeneous telemetry adaptation: application to Netflow-based cryptojacking detection. Ann. Telecommun. 79, 241–256 (2024). https://doi.org/10.1007/s12243-023-00991-6
