Detection of Malicious Cryptomining in Network Metadata


Type and Duration

FFF funding project, December 2018 until January 2019 (finished)


Institute of Information Systems

Main Research

Business Process Management

Field of Research

Big Data Analytics


Cryptocurrencies and related blockchain technologies are one of the most fascinating developments in information technology in the last decade. In 2017, the cryptocurrency market hit an all-time high valuation of over $600 billion. Since then, the market has demonstrated its genuine interest in this new technology, and cryptocurrencies have proved to be a revolutionary asset class. Numerous projects and companies have emerged to provide innovative products and services running on top of public blockchains.

The growing importance of cryptocurrencies and the potential financial gains have attracted not only investors but also malicious actors. Security incidents in organizations dealing with cryptocurrencies have resulted in massive financial losses and, in some cases, even the bankruptcy of the victims. Illicit cryptocurrency mining is another stealthy but no less lucrative attack technique. By deploying mining software on users' computers or even running it in their browsers, the miscreants can obtain a steady income of up to tens of thousands of US$ per month.

To mitigate the threat of illicit cryptomining, this project investigates techniques for detecting both in-browser and malware-based mining through network traffic analysis. Our approach to detecting illicit mining uses network metadata produced by routers and switches that support NetFlow. These devices can collect IP traffic statistics and export them as NetFlow records, which can be analyzed with machine learning techniques. The new approach should enable accurate detection of illicit mining activity while avoiding the privacy implications that arise from analyzing cleartext network traffic. In contrast to related work, our approach is much more practical from an operational point of view: it does not require installing special monitoring software on endpoint devices, and it substantially raises the bar for successful evasion.

Principal Investigator


  • Forschungsförderungsfonds der Universität Liechtenstein