CryptoGuard: Lightweight Hybrid Detection and Response to Host-based Cryptojackers in Linux Cloud Environments
- URL: http://arxiv.org/abs/2510.18324v1
- Date: Tue, 21 Oct 2025 06:15:48 GMT
- Title: CryptoGuard: Lightweight Hybrid Detection and Response to Host-based Cryptojackers in Linux Cloud Environments
- Authors: Gyeonghoon Park, Jaehan Kim, Jinu Choi, Jinwoo Kim
- Abstract summary: CryptoGuard is a lightweight hybrid solution that combines detection and remediation strategies to counter cryptojackers. It decomposes the classification task into a two-phase process, leveraging deep learning models to identify suspicious activity with high precision. It achieves average F1-scores of 96.12% and 92.26% across the two phases, and outperforms state-of-the-art baselines in terms of true and false positive rates.
- Score: 9.40606834287371
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Host-based cryptomining malware, commonly known as cryptojackers, have gained notoriety for their stealth and the significant financial losses they cause in Linux-based cloud environments. Existing solutions often struggle with scalability due to high monitoring overhead, low detection accuracy against obfuscated behavior, and lack of integrated remediation. We present CryptoGuard, a lightweight hybrid solution that combines detection and remediation strategies to counter cryptojackers. To ensure scalability, CryptoGuard uses sketch- and sliding window-based syscall monitoring to collect behavior patterns with minimal overhead. It decomposes the classification task into a two-phase process, leveraging deep learning models to identify suspicious activity with high precision. To counter evasion techniques such as entry point poisoning and PID manipulation, CryptoGuard integrates targeted remediation mechanisms based on eBPF, a modern Linux kernel feature deployable on any compatible host. Evaluated on 123 real-world cryptojacker samples, it achieves average F1-scores of 96.12% and 92.26% across the two phases, and outperforms state-of-the-art baselines in terms of true and false positive rates, while incurring only 0.06% CPU overhead per host.
Related papers
- MI$^2$DAS: A Multi-Layer Intrusion Detection Framework with Incremental Learning for Securing Industrial IoT Networks [47.386868423451595]
  MI$^2$DAS is a multi-layer intrusion detection framework that integrates anomaly-based hierarchical traffic pooling and open-set recognition. Experiments conducted on the Edge-IIoTset dataset demonstrate strong performance across all layers. These results showcase MI$^2$DAS as an effective, scalable and adaptive framework for enhancing IIoT security.
  arXiv Detail & Related papers (2026-02-27T09:37:05Z)
- CryptoCatch: Cryptomining Hidden Nowhere [18.251780652108785]
  We propose a practical encrypted cryptomining traffic detection mechanism. It consists of a two-stage detection framework, which can effectively provide fine-grained detection results by machine learning. Our system achieves an F1-score of 0.99 and identifies specific cryptocurrencies with a 99.39% accuracy rate.
  arXiv Detail & Related papers (2026-02-11T06:55:36Z)
- ShellForge: Adversarial Co-Evolution of Webshell Generation and Multi-View Detection for Robust Webshell Defense [0.8122270502556375]
  ShellForge is an adversarial co-evolution framework for webshell detection. A detector and generator mutually reinforce each other via the exchange of hard samples. The detector maintains a 0.981 F1-score while the generator achieves a 0.939 evasion rate against commercial engines on VirusTotal.
  arXiv Detail & Related papers (2026-01-28T07:02:47Z)
- Optimistic TEE-Rollups: A Hybrid Architecture for Scalable and Verifiable Generative AI Inference on Blockchain [4.254924788681319]
  We introduce Optimistic TEE-Rollups (OTR), a hybrid verification protocol that harmonizes constraints. OTR achieves 99% of the throughput of centralized baselines with a marginal cost overhead of $0.07 per query.
  arXiv Detail & Related papers (2025-12-23T09:16:41Z)
- Hypervisor-based Double Extortion Ransomware Detection Method Using Kitsune Network Features [0.0]
  This paper presents detailed attack stages, tactics, procedures, and tools used in the double extortion ransomware attacks. We present a novel detection method using low-level storage and memory behavioral features and network traffic features. Our experimental results showed that the presented method improved by 0.166 in the macro F score of the data exfiltration phase detection rate.
  arXiv Detail & Related papers (2025-08-12T05:45:05Z)
- BlindGuard: Safeguarding LLM-based Multi-Agent Systems under Unknown Attacks [58.959622170433725]
  BlindGuard is an unsupervised defense method that learns without requiring any attack-specific labels or prior knowledge of malicious behaviors. We show that BlindGuard effectively detects diverse attack types (i.e., prompt injection, memory poisoning, and tool attack) across multi-agent systems.
  arXiv Detail & Related papers (2025-08-11T16:04:47Z)
- ScamDetect: Towards a Robust, Agnostic Framework to Uncover Threats in Smart Contracts [1.6229760224067287]
  ScamDetect aims to enable proactive, scalable security for the future of decentralized ecosystems. This paper presents a vision for ScamDetect, a robust, modular, and platform-agnostic framework for smart contract malware detection.
  arXiv Detail & Related papers (2025-08-09T20:38:07Z)
- Decompiling Smart Contracts with a Large Language Model [51.49197239479266]
  Despite Etherscan's 78,047,845 smart contracts deployed on (as of May 26, 2025), a mere 767,520 (1%) are open source. This opacity necessitates the automated semantic analysis of on-chain smart contract bytecode. We introduce a pioneering decompilation pipeline that transforms bytecode into human-readable and semantically faithful Solidity code.
  arXiv Detail & Related papers (2025-06-24T13:42:59Z)
- Dynamic Graph-based Fingerprinting of In-browser Cryptomining [0.5261718469769449]
  Cryptojacking is an attack that uses stolen computing resources to mine cryptocurrencies without consent for profit. In-browser cryptojacking malware exploits web technologies like WebAssembly to mine cryptocurrencies directly within the browser. We propose using instruction-level data-flow graphs to detect cryptomining behavior.
  arXiv Detail & Related papers (2025-05-05T09:21:58Z)
- Understanding crypter-as-a-service in a popular underground marketplace [51.328567400947435]
  Crypters are pieces of software whose main goal is to transform a target binary so it can avoid detection from Anti-Virus (AV) applications. The crypter-as-a-service model has gained popularity, in response to the increased sophistication of detection mechanisms. This paper provides the first study on an online underground market dedicated to crypter-as-a-service.
  arXiv Detail & Related papers (2024-05-20T08:35:39Z)
- DRSM: De-Randomized Smoothing on Malware Classifier Providing Certified Robustness [58.23214712926585]
  We develop a certified defense, DRSM (De-Randomized Smoothed MalConv), by redesigning the de-randomized smoothing technique for the domain of malware detection. Specifically, we propose a window ablation scheme to provably limit the impact of adversarial bytes while maximally preserving local structures of the executables. We are the first to offer certified robustness in the realm of static detection of malware executables.
  arXiv Detail & Related papers (2023-03-20T17:25:22Z)
- RS-Del: Edit Distance Robustness Certificates for Sequence Classifiers via Randomized Deletion [23.309600117618025]
  We adapt randomized smoothing for discrete sequence classifiers to provide certified robustness against edit distance-bounded adversaries. Our proof of certification deviates from the established Neyman-Pearson approach, which is intractable in our setting, and is instead organized around longest common subsequences. When applied to the popular MalConv malware detection model, our smoothing mechanism RS-Del achieves a certified accuracy of 91% at an edit distance radius of 128 bytes.
  arXiv Detail & Related papers (2023-01-31T01:40:26Z)
- ESCORT: Ethereum Smart COntRacTs Vulnerability Detection using Deep Neural Network and Transfer Learning [80.85273827468063]
  Existing machine learning-based vulnerability detection methods are limited and only inspect whether the smart contract is vulnerable. We propose ESCORT, the first Deep Neural Network (DNN)-based vulnerability detection framework for smart contracts. We show that ESCORT achieves an average F1-score of 95% on six vulnerability types and the detection time is 0.02 seconds per contract.
  arXiv Detail & Related papers (2021-03-23T15:04:44Z)