Malware Speaks! Deep Learning Based Assembly Code Processing for Detecting Evasive Cryptojacking


Mani G., Kim M., Bhargava B., ANGIN P., Deniz A., Pasumarti V.

IEEE Transactions on Dependable and Secure Computing, 2023 (SCI-Expanded)

  • Publication Type: Article / Full Article
  • Publication Date: 2023
  • DOI Number: 10.1109/tdsc.2023.3307445
  • Journal Name: IEEE Transactions on Dependable and Secure Computing
  • Indexes Covering the Journal: Science Citation Index Expanded (SCI-EXPANDED), Scopus, ABI/INFORM, Aerospace Database, Applied Science & Technology Source, Communication Abstracts, Compendex, Computer & Applied Sciences, INSPEC, Metadex, Civil Engineering Abstracts
  • Keywords: Assembly code, Blockchains, Codes, cryptojacking, cryptomining, Cyberattack, deep learning, Deep learning, Feature extraction, LSTM, Malware, Natural language processing, natural language processing
  • Affiliated with Orta Doğu Teknik Üniversitesi (Middle East Technical University): Yes

Abstract

The increasing prevalence of blockchain-based cryptocurrencies as a payment instrument in the past decade and the rewards earned by cryptominers have resulted in a new class of cyber attacks, cryptojacking, which involves unauthorized mining of cryptocurrencies on someone's system. Spotting cryptojacking is difficult in many cases, since the relevant software tries to disguise its presence to evade detection by mimicking benign software such as compression applications, performing similar bitwise, cryptographic, and encryption operations. In this paper, we propose the processing of assembly code—a fundamental and platform-independent programming language—as a natural language using deep learning for profiling applications, which we call Deep Code Profiler (DeCode Pro). Our proposed solution leverages the immutable step of any cyber attack: the deployment of instructions in system memory to carry out the attack. Through extensive experimentation with different neural network architectures in the profiling stage, we show that DeCode Pro is highly effective in the detection of evasive cryptojacking attacks and achieves low false positive and false negative rates. We also show that the model achieves high classification accuracy even with limited training data, which can considerably reduce the computing resources required for training and retraining the deep learning model.