Outguard: Detecting in-browser covert cryptocurrency mining in the wild

Amin Kharraz; Charles Lever; Nikita Borisov; Zane Ma; Joshua Mason; Manos Antonakakis; Paul Murley; Andrew Miller; Michael Bailey

doi:10.1145/3308558.3313665

Outguard: Detecting in-browser covert cryptocurrency mining in the wild

Amin Kharraz, Charles Lever, Nikita Borisov, Zane Ma, Joshua Mason, Manos Antonakakis, Paul Murley, Andrew Miller, Michael Bailey

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

In-browser cryptojacking is a form of resource abuse that leverages end-users' machines to mine cryptocurrency without obtaining the users' consent. In this paper, we design, implement, and evaluate Outguard, an automated cryptojacking detection system. We construct a large ground-truth dataset, extract several features using an instrumented web browser, and ultimately select seven distinctive features that are used to build an SVM classification model. Outguardachieves a 97.9% TPR and 1.1% FPR and is reasonably tolerant to adversarial evasions. We utilized Outguardin the wild by deploying it across the Alexa Top 1M websites and found 6,302 cryptojacking sites, of which 3,600 are new detections that were absent from the training data. These cryptojacking sites paint a broad picture of the cryptojacking ecosystem, with particular emphasis on the prevalence of cryptojacking websites and the shared infrastructure that provides clues to the operators behind the cryptojacking phenomenon.

Original language	English (US)
Title of host publication	The Web Conference 2019 - Proceedings of the World Wide Web Conference, WWW 2019
Publisher	Association for Computing Machinery, Inc
Pages	840-852
Number of pages	13
ISBN (Electronic)	9781450366748
DOIs	https://doi.org/10.1145/3308558.3313665
State	Published - May 13 2019
Event	2019 World Wide Web Conference, WWW 2019 - San Francisco, United States Duration: May 13 2019 → May 17 2019

Publication series

Name	The Web Conference 2019 - Proceedings of the World Wide Web Conference, WWW 2019

Conference

Conference	2019 World Wide Web Conference, WWW 2019
Country	United States
City	San Francisco
Period	5/13/19 → 5/17/19

Keywords

Browser Security
Cryptojacking
Web Security

ASJC Scopus subject areas

Computer Networks and Communications
Software

Access to Document

10.1145/3308558.3313665

Fingerprint Dive into the research topics of 'Outguard: Detecting in-browser covert cryptocurrency mining in the wild'. Together they form a unique fingerprint.

Cite this

Kharraz, A., Lever, C., Borisov, N., Ma, Z., Mason, J., Antonakakis, M., Murley, P., Miller, A., & Bailey, M. (2019). Outguard: Detecting in-browser covert cryptocurrency mining in the wild. In The Web Conference 2019 - Proceedings of the World Wide Web Conference, WWW 2019 (pp. 840-852). (The Web Conference 2019 - Proceedings of the World Wide Web Conference, WWW 2019). Association for Computing Machinery, Inc. https://doi.org/10.1145/3308558.3313665

Outguard : Detecting in-browser covert cryptocurrency mining in the wild. / Kharraz, Amin; Lever, Charles; Borisov, Nikita; Ma, Zane; Mason, Joshua; Antonakakis, Manos; Murley, Paul; Miller, Andrew ; Bailey, Michael.

The Web Conference 2019 - Proceedings of the World Wide Web Conference, WWW 2019. Association for Computing Machinery, Inc, 2019. p. 840-852 (The Web Conference 2019 - Proceedings of the World Wide Web Conference, WWW 2019).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Kharraz, A, Lever, C, Borisov, N, Ma, Z, Mason, J, Antonakakis, M, Murley, P, Miller, A & Bailey, M 2019, Outguard: Detecting in-browser covert cryptocurrency mining in the wild. in The Web Conference 2019 - Proceedings of the World Wide Web Conference, WWW 2019. The Web Conference 2019 - Proceedings of the World Wide Web Conference, WWW 2019, Association for Computing Machinery, Inc, pp. 840-852, 2019 World Wide Web Conference, WWW 2019, San Francisco, United States, 5/13/19. https://doi.org/10.1145/3308558.3313665

Kharraz A, Lever C, Borisov N, Ma Z, Mason J, Antonakakis M et al. Outguard: Detecting in-browser covert cryptocurrency mining in the wild. In The Web Conference 2019 - Proceedings of the World Wide Web Conference, WWW 2019. Association for Computing Machinery, Inc. 2019. p. 840-852. (The Web Conference 2019 - Proceedings of the World Wide Web Conference, WWW 2019). https://doi.org/10.1145/3308558.3313665

Kharraz, Amin ; Lever, Charles ; Borisov, Nikita ; Ma, Zane ; Mason, Joshua ; Antonakakis, Manos ; Murley, Paul ; Miller, Andrew ; Bailey, Michael. / Outguard : Detecting in-browser covert cryptocurrency mining in the wild. The Web Conference 2019 - Proceedings of the World Wide Web Conference, WWW 2019. Association for Computing Machinery, Inc, 2019. pp. 840-852 (The Web Conference 2019 - Proceedings of the World Wide Web Conference, WWW 2019).

@inproceedings{1661132d108b48e4b1f448f1e549aa74,

title = "Outguard: Detecting in-browser covert cryptocurrency mining in the wild",

abstract = "In-browser cryptojacking is a form of resource abuse that leverages end-users' machines to mine cryptocurrency without obtaining the users' consent. In this paper, we design, implement, and evaluate Outguard, an automated cryptojacking detection system. We construct a large ground-truth dataset, extract several features using an instrumented web browser, and ultimately select seven distinctive features that are used to build an SVM classification model. Outguardachieves a 97.9% TPR and 1.1% FPR and is reasonably tolerant to adversarial evasions. We utilized Outguardin the wild by deploying it across the Alexa Top 1M websites and found 6,302 cryptojacking sites, of which 3,600 are new detections that were absent from the training data. These cryptojacking sites paint a broad picture of the cryptojacking ecosystem, with particular emphasis on the prevalence of cryptojacking websites and the shared infrastructure that provides clues to the operators behind the cryptojacking phenomenon.",

keywords = "Browser Security, Cryptojacking, Web Security",

author = "Amin Kharraz and Charles Lever and Nikita Borisov and Zane Ma and Joshua Mason and Manos Antonakakis and Paul Murley and Andrew Miller and Michael Bailey",

year = "2019",

month = may,

day = "13",

doi = "10.1145/3308558.3313665",

language = "English (US)",

series = "The Web Conference 2019 - Proceedings of the World Wide Web Conference, WWW 2019",

publisher = "Association for Computing Machinery, Inc",

pages = "840--852",

booktitle = "The Web Conference 2019 - Proceedings of the World Wide Web Conference, WWW 2019",

note = "2019 World Wide Web Conference, WWW 2019 ; Conference date: 13-05-2019 Through 17-05-2019",

}

TY - GEN

T1 - Outguard

T2 - 2019 World Wide Web Conference, WWW 2019

AU - Kharraz, Amin

AU - Lever, Charles

AU - Borisov, Nikita

AU - Ma, Zane

AU - Mason, Joshua

AU - Antonakakis, Manos

AU - Murley, Paul

AU - Miller, Andrew

AU - Bailey, Michael

PY - 2019/5/13

Y1 - 2019/5/13

N2 - In-browser cryptojacking is a form of resource abuse that leverages end-users' machines to mine cryptocurrency without obtaining the users' consent. In this paper, we design, implement, and evaluate Outguard, an automated cryptojacking detection system. We construct a large ground-truth dataset, extract several features using an instrumented web browser, and ultimately select seven distinctive features that are used to build an SVM classification model. Outguardachieves a 97.9% TPR and 1.1% FPR and is reasonably tolerant to adversarial evasions. We utilized Outguardin the wild by deploying it across the Alexa Top 1M websites and found 6,302 cryptojacking sites, of which 3,600 are new detections that were absent from the training data. These cryptojacking sites paint a broad picture of the cryptojacking ecosystem, with particular emphasis on the prevalence of cryptojacking websites and the shared infrastructure that provides clues to the operators behind the cryptojacking phenomenon.

AB - In-browser cryptojacking is a form of resource abuse that leverages end-users' machines to mine cryptocurrency without obtaining the users' consent. In this paper, we design, implement, and evaluate Outguard, an automated cryptojacking detection system. We construct a large ground-truth dataset, extract several features using an instrumented web browser, and ultimately select seven distinctive features that are used to build an SVM classification model. Outguardachieves a 97.9% TPR and 1.1% FPR and is reasonably tolerant to adversarial evasions. We utilized Outguardin the wild by deploying it across the Alexa Top 1M websites and found 6,302 cryptojacking sites, of which 3,600 are new detections that were absent from the training data. These cryptojacking sites paint a broad picture of the cryptojacking ecosystem, with particular emphasis on the prevalence of cryptojacking websites and the shared infrastructure that provides clues to the operators behind the cryptojacking phenomenon.

KW - Browser Security

KW - Cryptojacking

KW - Web Security

UR - http://www.scopus.com/inward/record.url?scp=85066898170&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85066898170&partnerID=8YFLogxK

U2 - 10.1145/3308558.3313665

DO - 10.1145/3308558.3313665

M3 - Conference contribution

AN - SCOPUS:85066898170

T3 - The Web Conference 2019 - Proceedings of the World Wide Web Conference, WWW 2019

SP - 840

EP - 852

BT - The Web Conference 2019 - Proceedings of the World Wide Web Conference, WWW 2019

PB - Association for Computing Machinery, Inc

Y2 - 13 May 2019 through 17 May 2019

ER -