Detecting Crypto-mining Based on Intermediate Semantics
In this paper, we mainly address the problem that crypto-mining detection tools are easily affected by the programming language of the sample, which leads to a significant reduction in detection accuracy. Variants of crypto-mining scripts have appeared that are based on CryptoNight variant algorithms and implemented in different programming languages, and they can evade detection by CMTracker, MineSweeper and Outguard. The main reason is that the core hash functions of variant samples based on CryptoNight variant algorithms differ greatly from those of CryptoNight, so identification based on function signatures and WebAssembly instructions fails. At the same time, existing tools cannot recognize new samples implemented in JavaScript. By analyzing current typical crypto-mining samples, this paper summarizes the features of the core hash functions used in mining. First, we construct an intermediate language representation specification for mining scripts and, drawing on known mining samples, give the corresponding IR mapping table. Second, we extract mining semantics and, on that basis, design a mining detection algorithm. The algorithm can detect crypto-mining scripts and their variants regardless of the language in which the sample is implemented. Our evaluation on the Alexa top 1M websites demonstrates that it can accurately detect in-browser crypto-mining with both a low false positive rate and a low false negative rate.
Authors: Zhao Lijian, Chen Miao, Tu Tengfei, Zhang Hua
Subject: Computing technology; computer technology
Keywords: Crypto-mining; Intermediate representation; JavaScript; WebAssembly
Zhao Lijian, Chen Miao, Tu Tengfei, Zhang Hua. Detecting Crypto-mining Based on Intermediate Semantics [EB/OL]. (2022-02-25) [2025-04-29]. http://www.paper.edu.cn/releasepaper/content/202202-60.