How to Detect Cryptocurrency Miners? By Traffic Forensics!
Veselý V. & Žádník, M. for Digital Investigation
In order to verify and reproduce results outlined in the paper, we publicly disclose all our materials including source-codes and datasets. This repository contains following folders:
This folder offers database dump including all mining servers, pools, IP addresses, ports and checking history relevant for the end of May 2018 in subfolder sql
. Moreover, it has a snapshot of the system related to article content in src
and zip
.
Submodule pointing to the newest version of sMaSheD source-codes.
All PCAP files related mostly to a development of mining server catalogue are located in PCAPs
. The folder CGMiner
includes mining software configs and outputs employed for testing of sMaSheD results.
CSV files containing feature vectors that are ready for Weka tool. File wekaready_miners.csv contains feature vectors of positive samples, i.e. of miners. File wekaready_notminers.csv contains feature vectors of negative samples, i.e. of not-miners.
The feature vector consists of the following features in this order:
- ackpush/all - Number of flows with ACK+PUSH flags to all flows
- bpp - Bytes per packet per flow per all flows
- ppf - Packets per flow per all flows
- ppm - Packets per minute
- req/all - Request flows to all flows (request flow is considered a flow where src port is greater than dst port)
- syn/all - Number of flows with SYN flag to all flows
- rst/all - Number of flows with RST flag to all flows
- fin/all - Number of flows with FIN flag to all flows
- class - miner or notminer
For futher details on compuation of statistics see: https://github.com/CESNET/Nemea-Detectors/blob/master/miner_detector/miner_detector.cpp