RAPID: Resource and API-Based Detection Against In-Browser Miners

Title: RAPID: Resource and API-Based Detection Against In-Browser Miners
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Rodriguez, Juan D. Parra, Posegga, Joachim
Conference Name: Proceedings of the 34th Annual Computer Security Applications Conference
Date Published: December 2018
Publisher: ACM
Conference Location: New York, NY, USA
ISBN Number: 978-1-4503-6569-7
Keywords: Browser Abuse, compositionality, cryptojacking, HTML5, Human Behavior, Metrics, pubcrawl, Resiliency, Web Browser Security, web security
Abstract

Direct access to the system's resources such as the GPU, persistent storage and networking has enabled in-browser crypto-mining. Thus, there has been a massive response by rogue actors who abuse browsers for mining without the user's consent. This trend has grown steadily for the last months until this practice, i.e., CryptoJacking, has been acknowledged as the number one security threat by several antivirus companies. Considering this, and the fact that these attacks do not behave as JavaScript malware or other Web attacks, we propose and evaluate several approaches to detect in-browser mining. To this end, we collect information from the top 330.500 Alexa sites. Mainly, we used real-life browsers to visit sites while monitoring resource-related API calls and the browser's resource consumption, e.g., CPU. Our detection mechanisms are based on dynamic monitoring, so they are resistant to JavaScript obfuscation. Furthermore, our detection techniques can generalize well and classify previously unseen samples with up to 99.99% precision and recall for the benign class and up to 96% precision and recall for the mining class. These results demonstrate the applicability of detection mechanisms as a server-side approach, e.g., to support the enhancement of existing blacklists. Last but not least, we evaluated the feasibility of deploying prototypical implementations of some detection mechanisms directly on the browser. Specifically, we measured the impact of in-browser API monitoring on page-loading time and performed micro-benchmarks for the execution of some classifiers directly within the browser. In this regard, we ascertain that, even though there are engineering challenges to overcome, it is feasible and beneficial for users to bring the mining detection to the browser.

URL: http://doi.acm.org/10.1145/3274694.3274735
DOI: 10.1145/3274694.3274735
Citation Key: rodriguez_rapid:_2018