

Title:
CRYPTO-JACKING DETECTION
Document Type and Number:
WIPO Patent Application WO/2021/140007
Kind Code:
A1
Abstract:
A computer implemented method of detecting blockchain miner code executing in a web browser comprising: receiving a profile for the browser identifying typical resource consumption by the browser in use; responsive to a detection of a deviation of the resource consumption by the browser from the profile, intercepting a communication with the browser including a cryptographic nonce, training a plurality of classifiers based on generated training examples, each training example being generated by applying a hashing algorithm to the nonce such that each classifier is trained with training examples generated using a different hashing algorithm; intercepting one or more second communications with the browser, each of the second communications including a hash value; executing at least a subset of the classifiers based on the hash value of each of the second communications; and identifying malicious miner code executing in the browser based on the classifications of the at least a subset of classifiers.

Inventors:
KALLOS GEORGE (GB)
EL-MOUSSA FADI (GB)
Application Number:
PCT/EP2020/087114
Publication Date:
July 15, 2021
Filing Date:
December 18, 2020
Assignee:
BRITISH TELECOMM (GB)
International Classes:
G06F21/55; G06F21/56; H04L9/06; H04L29/06
Other References:
MUNOZ JORDI ZAYUELAS I ET AL: "Detecting cryptocurrency miners with NetFlow/IPFIX network measurements", 2019 IEEE INTERNATIONAL SYMPOSIUM ON MEASUREMENTS & NETWORKING (M&N), IEEE, 8 July 2019 (2019-07-08), pages 1 - 6, XP033599652, DOI: 10.1109/IWMN.2019.8804995
MARIUS MUSCH ET AL: "Web-based Cryptojacking in the Wild", ARXIV.ORG, CORNELL UNIVERSITY LIBRARY, 201 OLIN LIBRARY CORNELL UNIVERSITY ITHACA, NY 14853, 28 August 2018 (2018-08-28), XP081267087
PASTOR ANTONIO ET AL: "Detection of Encrypted Cryptomining Malware Connections With Machine and Deep Learning", IEEE ACCESS, IEEE, USA, vol. 8, 25 August 2020 (2020-08-25), pages 158036 - 158055, XP011807895, DOI: 10.1109/ACCESS.2020.3019658
KHARRAZ AMIN ET AL: "Outguard: Detecting In-Browser Covert Cryptocurrency Mining in the Wild", THE WORLD WIDE WEB CONFERENCE, ACM, 2 PENN PLAZA, SUITE 701, NEW YORK, NY 10121-0701, USA, 13 May 2019 (2019-05-13), pages 840 - 852, XP058471322, ISBN: 978-1-4503-6674-8, DOI: 10.1145/3308558.3313665
HONG GENG ET AL: "How You Get Shot in the Back: A Systematical Study about Cryptojacking in the Real World", COMPUTER AND COMMUNICATIONS SECURITY, ACM, 2 PENN PLAZA, SUITE 701, NEW YORK, NY 10121-0701, USA, 15 January 2018 (2018-01-15), pages 1701 - 1713, XP058449185, ISBN: 978-1-4503-5693-0, DOI: 10.1145/3243734.3243840
MAURO CONTI ET AL: "Detecting Covert Cryptomining using HPC", ARXIV.ORG, CORNELL UNIVERSITY LIBRARY, 201 OLIN LIBRARY CORNELL UNIVERSITY ITHACA, NY 14853, 31 August 2019 (2019-08-31), XP081472841
MUHAMMAD SAAD ET AL: "End-to-End Analysis of In-Browser Cryptojacking", ARXIV.ORG, CORNELL UNIVERSITY LIBRARY, 201 OLIN LIBRARY CORNELL UNIVERSITY ITHACA, NY 14853, 6 September 2018 (2018-09-06), XP081079894
DASHEVSKYI STANISLAV ET AL: "Dissecting Android Cryptocurrency Miners", PROCEEDINGS OF THE TENTH ACM CONFERENCE ON DATA AND APPLICATION SECURITY AND PRIVACY, ACM, NEW YORK, NY, USA, 16 March 2020 (2020-03-16), pages 191 - 202, XP058472688, ISBN: 978-1-4503-7107-0, DOI: 10.1145/3374664.3375724
Attorney, Agent or Firm:
BRITISH TELECOMMUNICATIONS PUBLIC LIMITED COMPANY, INTELLECTUAL PROPERTY DEPARTMENT (GB)
Claims:
CLAIMS

1. A computer implemented method of detecting blockchain miner code executing in a web browser comprising: receiving a profile for the browser identifying typical resource consumption by the browser in use; responsive to a detection of a deviation of the resource consumption by the browser from the profile, intercepting a communication with the browser including a cryptographic nonce, training a plurality of classifiers based on generated training examples, each training example being generated by applying a hashing algorithm to the nonce such that each classifier is trained with training examples generated using a different hashing algorithm; intercepting one or more second communications with the browser, each of the second communications including a hash value; executing at least a subset of the classifiers based on the hash value of each of the second communications; and identifying malicious miner code executing in the browser based on the classifications of the at least a subset of classifiers.

2. The method of claim 1 further comprising: storing network communication between the browser and a remote entity, and wherein intercepting a communication to the browser including a cryptographic nonce includes analysing the stored network communication for a connection-setup portion of a communication between code executed by the browser and the remote entity to identify a communication received by the code including the cryptographic nonce as a payload of the communication.

3. The method of claim 2 wherein intercepting the second communications includes analysing the stored network communication for a communication between code executed by the browser and the remote entity to identify a communication sent by the code including a hash value as a payload of the communication.

4. The method of any preceding claim wherein the identification of malicious miner code executing in the browser includes identifying a hashing algorithm associated with a classifier.

5. The method of claim 4 wherein the identified hashing algorithm indicates a type of the malicious miner code executing in the browser, and the method further comprising triggering a responsive action, the responsive action being determined based on the indicated type.

6. The method of any preceding claim further comprising triggering a responsive action to the identified miner code including one or more of: terminating the browser; terminating the execution of the miner code in the browser; commencing or increasing a monitoring function to monitor the browser and/or data communicated therewith; blocking communications with a remote network address associated with a web page loaded by the browser; and terminating the execution of scripts by browser.

7. The method of any preceding claim wherein the profile for the browser includes a clustered model of resource consumptions of the browser in use, and detecting the deviation of the resource consumption by the browser is based on the clustered model.

8. A computer system including a processor and memory storing computer program code for performing the steps of the method of any preceding claim.

9. A computer program element comprising computer program code to, when loaded into a computer system and executed thereon, cause the computer to perform the steps of a method as claimed in any of claims 1 to 7.

Description:
Crypto-jacking Detection

The present invention relates to the detection of crypto-jacking.

So called “crypto-jacking” malware is malicious software that consumes one or more of a target computer system’s processing, memory and network resources to perform blockchain mining functions on behalf of a malicious controlling or source entity. The blockchain mining functions can be beneficial to that entity as part of a wider network attack (such as a “51-percent attack” for influencing the state of a distributed transactional database such as a blockchain) and/or for the generation of crypto-currency.

A crypto-jacking attack involves the communication of executable code or script to the target system through an infected web server or web intermediary. A webpage retrieved by a target browser can include, for example, Javascript that is configured to access and retrieve miner code for execution within the browser of the target. The functions of the miner involve performing mathematical hashing operations on a received data item (a “nonce”) for a candidate block in the blockchain, which can be conducted entirely within the sandbox of the browser.

It would be beneficial to provide for the detection of deviant browser behaviour indicative of such infection and to identify a type of infection to inform remediation.

According to a first aspect of the present invention, there is provided a computer implemented method of detecting blockchain miner code executing in a web browser comprising: receiving a profile for the browser identifying typical resource consumption by the browser in use; responsive to a detection of a deviation of the resource consumption by the browser from the profile, intercepting a communication with the browser including a cryptographic nonce, training a plurality of classifiers based on generated training examples, each training example being generated by applying a hashing algorithm to the nonce such that each classifier is trained with training examples generated using a different hashing algorithm; intercepting one or more second communications with the browser, each of the second communications including a hash value; executing at least a subset of the classifiers based on the hash value of each of the second communications; and identifying malicious miner code executing in the browser based on the classifications of the at least a subset of classifiers.

Preferably, the method further comprises: storing network communication between the browser and a remote entity, and wherein intercepting a communication to the browser including a cryptographic nonce includes analysing the stored network communication for a connection-setup portion of a communication between code executed by the browser and the remote entity to identify a communication received by the code including the cryptographic nonce as a payload of the communication.

Preferably, intercepting the second communications includes analysing the stored network communication for a communication between code executed by the browser and the remote entity to identify a communication sent by the code including a hash value as a payload of the communication.

Preferably, the identification of malicious miner code executing in the browser includes identifying a hashing algorithm associated with a classifier.

Preferably, the identified hashing algorithm indicates a type of the malicious miner code executing in the browser, and the method further comprising triggering a responsive action, the responsive action being determined based on the indicated type.

Preferably, the method further comprises triggering a responsive action to the identified miner code including one or more of: terminating the browser; terminating the execution of the miner code in the browser; commencing or increasing a monitoring function to monitor the browser and/or data communicated therewith; blocking communications with a remote network address associated with a web page loaded by the browser; and terminating the execution of scripts by browser.

Preferably, the profile for the browser includes a clustered model of resource consumptions of the browser in use, and detecting the deviation of the resource consumption by the browser is based on the clustered model.

According to a second aspect of the present invention, there is provided a computer system including a processor and memory storing computer program code for performing the steps of the method set out above.

According to a third aspect of the present invention, there is provided a computer system including a processor and memory storing computer program code for performing the steps of the method set out above.

Embodiments of the present invention will now be described, by way of example only, with reference to the accompanying drawings, in which:

Figure 1 is a block diagram of a computer system suitable for the operation of embodiments of the present invention;

Figure 2 is a component diagram of an arrangement for detecting blockchain miner code executing in a web browser in accordance with an embodiment of the present invention; and

Figure 3 is a flowchart of a method for detecting blockchain miner code executing in a web browser in accordance with an embodiment of the present invention.

Figure 1 is a block diagram of a computer system suitable for the operation of embodiments of the present invention. A central processor unit (CPU) 102 is communicatively connected to a storage 104 and an input/output (I/O) interface 106 via a data bus 108. The storage 104 can be any read/write storage device such as a random-access memory (RAM) or a non-volatile storage device. An example of a non-volatile storage device includes a disk or tape storage device. The I/O interface 106 is an interface to devices for the input or output of data, or for both input and output of data. Examples of I/O devices connectable to I/O interface 106 include a keyboard, a mouse, a display (such as a monitor) and a network connection.

Figure 2 is a component diagram of an arrangement for detecting blockchain miner code executing in a web browser in accordance with an embodiment of the present invention. Web browser 200 is a software component executing in a client computer system 206 as a physical or virtualised network-connected computer system. The browser 200 is operable to enter into network communication with a server 204 such as a web server or the like via a network 240, such as a wired, wireless, mobile or combination network. Thus, communications between the browser 200 and the server 204 can include, for example, hypertext transport protocol communications. A malware detection system 230 is indicated generally as a single system such as a physical or virtual computer system, though it will be appreciated by those skilled in the art that components and aspects of the malware detection system 230 could alternatively be provided as separate components either individually or in groups or collectively, and any one or more of the components of the malware detection system 230 could be provided in, with or for the client computer system 206, such as part of a security facility or function of the computer system 206. Furthermore, any of the components of the malware detection system 230 indicated, described or illustrated separately with reference to Figure 2 could alternatively be combined into common or like components.

The malware detection system 230 includes a malware detector 220 as a hardware, software, firmware or combination component arranged to provide malware detection facilities in accordance with embodiments of the present invention. The malware detector 220 accesses a browser profile 208 identifying typical resource consumption by the browser 200 in use. The browser profile 208 can be pre-defined based on the execution of the browser 200 in use, or alternatively the malware detector 220 can be configured to trigger or request the generation of the browser profile 208 at a runtime of the malware detector 220.

Typical resource consumption of the browser 200 can be identified in the browser profile 208 for resources of the computer system 206 including, for example, inter alia, one or more of: memory; storage; processor; and network resources of the computer system 206. In one embodiment, the browser profile 208 includes indications of typical resource consumption by the browser 200 in multiple use-cases or contexts. For example, typical resource consumption by the browser 200 can include resource consumption during: accessing, loading and rendering text-based web pages; accessing, loading and rendering image-based web pages; accessing, loading and rendering video-based web pages; accessing, loading and rendering audio-based web pages; accessing, loading and rendering web pages including scripts such as Javascript; and accessing, loading and rendering composite web pages including some combination of one or more of text, image, video, audio and script content. For example, resource consumption for each context can be measured based on typical use-case of the browser 200 in use in communication with one or more web servers. Resource consumption can be measured literally (e.g. memory consumption, percentage of processor utilisation) and may be converted or normalised for ready comparison.

In one embodiment, the resource consumption associated with each of one or more use contexts of the browser 200 is clustered using a clustering method such as k-means clustering so as to generate a clustered model of resource consumption of the browser 200 in use. Preferably, such a clustered model of resource consumption is used to identify average, mean or centroid resource consumption metrics for representation of typical resource consumption.

In use, the malware detector 220 monitors the browser 200 to detect a deviation of execution of the browser 200 from the browser profile 208. For example, deviation of resource consumption by the browser 200 from typical resource consumptions indicated in the profile 208 can be detected. Where the profile uses a clustered model, a resource consumption of the browser 200 that, when modelled in the clustered model, constitutes an outlier in the model can serve to identify such a deviation. On detection of such deviation, the malware detector 220 is further operable with an interceptor 212 component as a hardware, software, firmware or combination component arranged to intercept communication occurring with the browser 200 such as communication sent or received by the browser via the network 240. The interceptor 212 can include one or more functions or features of the browser 200 such as a network logging or tracing feature, or alternatively the interceptor 212 can be external to the browser 200 such as a network monitoring, snooping or sniffing tool. Initially, the interceptor 212 is used to intercept a communication to the browser including a cryptographic “nonce”. Such a nonce is communicated by a malicious server 202 to the browser 200 when the browser executes blockchain miner code such as blockchain miner script code or the like. Thus, such communication can be suspected based on the presence of network communication received by the browser 200 originating from a network connected device that is not the web server 204, such as a malicious server 202. Furthermore, the malicious communication of such a nonce will occur during an initial portion of communication between code executing in the browser 200 and the malicious server 202, referred to herein as a setup portion of communication. That includes an initial number of messages communicated therebetween, of which the payload of a message received by the browser 200 from the malicious server 202 includes the nonce value.
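The clustered browser profile and the outlier test described above, as an added example that is not code from the patent or its applicant. It builds a k-means model (deterministic farthest-first seeding, min-max normalisation of CPU and memory figures) from constructed per-context measurements, records each cluster's centroid and spread, and flags a new measurement as a deviation when it lies further from every centroid than the nearest cluster's spread allows. The sample figures, the number of clusters and the tolerance factor are assumptions.

```python
"""Clustered browser resource profile (k-means) and deviation detection.

Added example, not code from the patent; the sample figures are constructed."""
from __future__ import annotations

import math
from dataclasses import dataclass

Sample = tuple[float, ...]  # one measurement: (cpu_percent, memory_mb)

# Constructed profile samples for three browsing contexts of the same browser.
PROFILE_SAMPLES: list[Sample] = [
    (4, 190), (5, 200), (6, 210), (5, 205),      # text-based pages
    (18, 390), (20, 400), (22, 410), (21, 405),  # script-heavy pages
    (33, 590), (35, 600), (37, 610), (36, 605),  # video pages
]


def _dist(a: Sample, b: Sample) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


@dataclass
class BrowserProfile:
    lo: Sample                 # per-feature minimum seen while profiling
    hi: Sample                 # per-feature maximum seen while profiling
    centroids: list[Sample]    # cluster centres in normalised feature space
    radii: list[float]         # largest member distance to each centroid

    def normalise(self, s: Sample) -> Sample:
        # Min-max scaling so memory (MB) does not swamp CPU (%) in distances.
        return tuple((v - l) / (h - l) if h > l else 0.0
                     for v, l, h in zip(s, self.lo, self.hi))

    def centroid_raw(self, i: int) -> Sample:
        return tuple(c * (h - l) + l for c, l, h in zip(self.centroids[i], self.lo, self.hi))

    def nearest(self, s: Sample) -> tuple[int, float]:
        n = self.normalise(s)
        dists = [_dist(n, c) for c in self.centroids]
        i = min(range(len(dists)), key=dists.__getitem__)
        return i, dists[i]

    def deviates(self, s: Sample, factor: float = 2.0, floor: float = 0.05) -> bool:
        # Outlier test: further from every centroid than the nearest cluster's spread allows.
        i, d = self.nearest(s)
        return d > factor * self.radii[i] + floor


def build_profile(samples: list[Sample], k: int, max_iter: int = 100) -> BrowserProfile:
    dims = len(samples[0])
    lo = tuple(min(s[j] for s in samples) for j in range(dims))
    hi = tuple(max(s[j] for s in samples) for j in range(dims))
    prof = BrowserProfile(lo, hi, [], [])
    pts = [prof.normalise(s) for s in samples]

    # Farthest-first seeding keeps the run deterministic (no random initialisation).
    centroids = [pts[0]]
    while len(centroids) < k:
        centroids.append(max(pts, key=lambda p: min(_dist(p, c) for c in centroids)))

    assign = [-1] * len(pts)
    for _ in range(max_iter):
        new_assign = [min(range(k), key=lambda i: _dist(p, centroids[i])) for p in pts]
        if new_assign == assign:
            break
        assign = new_assign
        for i in range(k):
            members = [p for p, a in zip(pts, assign) if a == i]
            if members:  # an empty cluster keeps its previous centroid
                centroids[i] = tuple(sum(m[j] for m in members) / len(members) for j in range(dims))

    prof.centroids = centroids
    prof.radii = [max((_dist(p, centroids[i]) for p, a in zip(pts, assign) if a == i), default=0.0)
                  for i in range(k)]
    return prof


if __name__ == "__main__":
    profile = build_profile(PROFILE_SAMPLES, k=3)
    for sample in [(5, 198), (95, 450), (36, 1400)]:
        print(sample, "deviates" if profile.deviates(sample) else "typical")
```

A measurement is only compared against the cluster it is closest to, so a video-page load is judged against the video-page cluster rather than the text-page one; the `floor` term stops a very tight cluster from flagging ordinary jitter. In a deployment the profile would be rebuilt as the browser's typical workload changes, otherwise the deviation step produces false positives after every major page or browser update.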

On receiving the cryptographic nonce, the malware detector 220 is operable to trigger the generation of training examples for a plurality of classifiers 214. The classifiers 214 are machine learning components suitable for generating a classification as an output based on an input set of parameters. For example, each classifier 214 is implemented as a neural network, autoencoder or support vector machine, though other suitable classifiers are and may become available. Each classifier 214 is configured to accept, as an input data set, a data structure corresponding to a hash value generated by blockchain miner code using a hashing algorithm. In particular, each classifier 214 is specific to a particular hashing algorithm. Thus, the malware detector 220 initially triggers a training example generator 218 component to generate a repository 222 of training examples for training the classifiers 214. The training examples for each classifier 214 are generated by hashing the nonce value using a cryptographic hashing function specific to the classifier 214. Preferably, the classifier is arranged to receive input data in a vector or matrix format, and training examples can therefore be encoded as vectors or matrices using, for example, a one-hot encoding scheme according to which each value in a hash is encoded to a vector having a position for every possible symbol in an alphabet for the value.

Once generated, the repository 222 of training examples is used by a trainer 216 component to train each of the classifiers 214. Preferably, the classifiers 214 are trained using an unsupervised or semi-supervised technique such that each classifier 214 is trained based on training examples for a particular hashing function so as to reinforce recognition of hash values arising from the hashing function. In this way, each classifier 214, when trained, is suitable for indicating a degree of likelihood that a hash value was generated by a hashing algorithm associated with the classifier 214. The malware detector 220 is further operable to receive one or more further communications with the browser 200 including a hash value. Such communications can be identified based on, for example, a remote server such as the malicious server 202 involved in the communication. A payload of each intercepted communication including a hash value is identified, such intercepted hash value being generated by blockchain miner code executing in the browser 200. Subsequently, the malware detector 220 triggers the execution of each of the classifiers 214 using each of the one or more intercepted hash values so as to determine a degree, extent, measure or confidence of classification of each intercepted hash value by each classifier 214. Where a classifier 214 classifies an intercepted hash value to a predetermined extent, threshold or similar, the presence of malicious blockchain miner code executing in the browser 200 is determined. In particular, blockchain miner code utilising a hashing algorithm associated with the classifying classifier 214 is determined. Accordingly, an identified hashing algorithm can indicate a type of the malicious miner code executing in the browser 200.

In one embodiment, a responder component 210, as a hardware, software, firmware or combination component, is responsive to an identification by the malware detector 220 of malicious miner code executing in the browser 200. The responder 210 is configured to undertake a responsive action including, for example, one or more of: terminating the browser 200; terminating the execution of the miner code in the browser 200; commencing or increasing a monitoring function to monitor the browser 200 and/or data communicated therewith; blocking communications with a remote network address associated with a web page loaded by the browser 200, such as an address of the malicious server 202; and terminating the execution of scripts by the browser 200. In one embodiment, the responsive action(s) performed by the responder 210 are determined on the basis of the type of the malicious miner code, determined based on a hashing algorithm associated with a classifying classifier 214.
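The classifier stage and the responder selection from the three preceding paragraphs, as an added example that is not the patent's or the applicant's code. Training examples are produced by hashing the intercepted nonce with each classifier's own hashing function and one-hot encoding the hex output as the description states; each intercepted hash value is then scored by every classifier, the threshold decides whether miner code is present, and the algorithm that classified it selects the responsive action. Assumptions: three `hashlib` functions stand in for miner hashing algorithms (the patent names none), the miner's input layout is taken to be nonce followed by a 4-byte counter, and a nearest-neighbour match over the one-hot vectors replaces the neural network or SVM the description mentions, because the mechanism (one classifier per algorithm, trained only from the nonce) is the point of the example, not the model family.

```python
"""Per-algorithm hash classifiers trained from an intercepted nonce, executed on
intercepted hash values, and mapped to a responsive action.

Added example, not the patent's code. Assumptions: the stand-in hashing
algorithms, the nonce || counter input layout, and the nearest-neighbour
scoring used in place of the neural network / SVM the description mentions."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

HEX_ALPHABET = "0123456789abcdef"

# Assumption: three hashlib functions stand in for miner hashing algorithms.
HASH_ALGORITHMS = {
    "sha256": hashlib.sha256,
    "sha3_256": hashlib.sha3_256,
    "blake2s": hashlib.blake2s,
}

# Assumption: a miner type is named after its hashing algorithm and the
# responder picks actions per type (the actions themselves are the ones listed
# in the description).
RESPONSES: dict[str, list[str]] = {
    "sha256": ["terminate_scripts", "block_remote_address"],
    "sha3_256": ["terminate_miner_code", "increase_monitoring"],
    "blake2s": ["terminate_browser", "block_remote_address"],
}


def miner_hash(algorithm: str, nonce: bytes, counter: int) -> str:
    """Assumed miner input layout: nonce followed by a 4-byte big-endian counter."""
    return HASH_ALGORITHMS[algorithm](nonce + counter.to_bytes(4, "big")).hexdigest()


def one_hot(hex_hash: str) -> list[int]:
    """One-hot encode each hex symbol: 16 positions per symbol, as in the description."""
    vec: list[int] = []
    for ch in hex_hash.lower():
        row = [0] * len(HEX_ALPHABET)
        row[HEX_ALPHABET.index(ch)] = 1
        vec.extend(row)
    return vec


@dataclass
class HashClassifier:
    algorithm: str
    examples: list[list[int]] = field(default_factory=list)

    def train(self, nonce: bytes, n_examples: int) -> None:
        # Training examples: the nonce hashed with this classifier's own algorithm.
        self.examples = [one_hot(miner_hash(self.algorithm, nonce, c)) for c in range(n_examples)]

    def score(self, hex_hash: str) -> float:
        """Nearest-neighbour confidence: fraction of symbols matching the closest example."""
        v = one_hot(hex_hash)
        if not self.examples or len(v) != len(self.examples[0]):
            return 0.0  # no training data, or a hash of a different length
        symbols = len(v) // len(HEX_ALPHABET)
        return max(sum(a & b for a, b in zip(v, e)) for e in self.examples) / symbols


def train_classifiers(nonce: bytes, n_examples: int = 256) -> list[HashClassifier]:
    classifiers = [HashClassifier(name) for name in HASH_ALGORITHMS]
    for c in classifiers:
        c.train(nonce, n_examples)
    return classifiers


def classify(classifiers: list[HashClassifier], hex_hash: str, threshold: float = 0.9) -> str | None:
    """Return the algorithm whose classifier passes the threshold, else None."""
    best = max(classifiers, key=lambda c: c.score(hex_hash))
    return best.algorithm if best.score(hex_hash) >= threshold else None


def respond(algorithm: str | None) -> list[str]:
    """Responder 210: actions chosen from the identified miner type."""
    return RESPONSES.get(algorithm, []) if algorithm else []


if __name__ == "__main__":
    nonce = bytes.fromhex("0011223344556677")      # constructed intercepted nonce
    classifiers = train_classifiers(nonce, n_examples=64)
    observed = miner_hash("sha3_256", nonce, 17)   # constructed intercepted hash value
    algo = classify(classifiers, observed)
    print(algo, respond(algo))                     # sha3_256 ['terminate_miner_code', 'increase_monitoring']
```

The nearest-neighbour scoring makes the limits of nonce-derived training visible: a hash value the miner produced for a counter outside the enumerated range scores no better than chance against every classifier and yields no identification, which is the case a deployment has to handle by generating enough examples or by re-training as further nonces are intercepted.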

The process of detecting a deviation of the resource consumption by the browser 200 from the browser profile 208 can occur during or after the communication of a nonce and/or hash values between the browser 200 and the malicious server 202, and thus subsequent interception of communication by the interceptor 212 may fail to identify the nonce and/or hash values. To overcome this, in one embodiment, network communication between the browser and the network (or any remote entity such as the server 204 and/or malicious server 202) is stored, such as by being stored by the interceptor 212. Thus, stored network communication can be subsequently analysed by the interceptor 212 and/or malware detector 220 to identify the nonce and/or hash values.
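The analysis of stored communication described in this paragraph and the setup-portion criterion from the interceptor description, as an added example that is not the patent's or the applicant's code. It walks a stored capture of the browser's messages, ignores traffic with the web server the page came from, treats the first few messages exchanged with any other host as that session's setup portion, takes an inbound nonce found there, and then collects hash-shaped values from the messages the browser sends afterwards. The record layout (one JSON object per line with `seq`, `dir`, `host` and `payload`), the hosts, the setup-portion length and all payload values are constructed assumptions.

```python
"""Analysing stored browser network communication for the setup-portion nonce
and the hash values sent afterwards.

Added example, not the patent's code. The record layout, hosts and payload
values are constructed."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass, field

# Assumptions: the page was loaded from WEB_SERVER, and the first SETUP_MESSAGES
# messages exchanged with any other host form its connection-setup portion.
WEB_SERVER = "www.example.com"
SETUP_MESSAGES = 4
HEX_HASH = re.compile(r"^[0-9a-f]{64}$")

NONCE = "4f1c9a2e7b3d5081"                                    # constructed
HASHES = ["0" * 8 + "a3f7" * 14, "0" * 8 + "b4e8" * 14]        # constructed, 64 hex digits each

# Constructed stored communication, one JSON record per line in capture order,
# with one damaged line at the end to show that the analysis tolerates it.
STORED_LOG = "\n".join(json.dumps(r) for r in [
    {"seq": 1, "dir": "in",  "host": WEB_SERVER,    "payload": {"html": "<html>...</html>"}},
    {"seq": 2, "dir": "out", "host": "203.0.113.9", "payload": {"hello": "worker-1"}},
    {"seq": 3, "dir": "in",  "host": "203.0.113.9", "payload": {"nonce": NONCE, "difficulty": 4}},
    {"seq": 4, "dir": "out", "host": "203.0.113.9", "payload": {"hash": HASHES[0]}},
    {"seq": 5, "dir": "in",  "host": WEB_SERVER,    "payload": {"css": "body{}"}},
    {"seq": 6, "dir": "out", "host": "203.0.113.9", "payload": {"hash": HASHES[1]}},
]) + "\nnot json at all\n"


@dataclass
class SuspectSession:
    host: str
    nonce: str | None = None
    hashes: list[str] = field(default_factory=list)


def _hex_values(payload) -> list[str]:
    """Collect every 64-hex-digit string anywhere inside a JSON payload."""
    if isinstance(payload, str):
        return [payload] if HEX_HASH.match(payload) else []
    if isinstance(payload, dict):
        return [h for v in payload.values() for h in _hex_values(v)]
    if isinstance(payload, list):
        return [h for v in payload for h in _hex_values(v)]
    return []


def analyse_stored_communication(log_text: str, web_server: str = WEB_SERVER,
                                 setup_messages: int = SETUP_MESSAGES) -> dict[str, SuspectSession]:
    """Return, per remote host other than the web server, the nonce received in the
    setup portion and the hash values the browser sent after it."""
    sessions: dict[str, SuspectSession] = {}
    counts: dict[str, int] = {}
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # damaged or non-JSON line: skip it rather than abort the analysis
        host = rec.get("host")
        if not host or host == web_server:
            continue  # only traffic with hosts other than the web server is suspect
        counts[host] = counts.get(host, 0) + 1
        session = sessions.setdefault(host, SuspectSession(host))
        payload = rec.get("payload", {})
        if session.nonce is None:
            # The nonce must arrive inbound and within the setup portion of the session.
            if (rec.get("dir") == "in" and counts[host] <= setup_messages
                    and isinstance(payload, dict) and isinstance(payload.get("nonce"), str)):
                session.nonce = payload["nonce"]
            continue
        if rec.get("dir") == "out":
            session.hashes.extend(_hex_values(payload))
    return {h: s for h, s in sessions.items() if s.nonce is not None}


if __name__ == "__main__":
    for host, session in analyse_stored_communication(STORED_LOG).items():
        print(host, session.nonce, len(session.hashes), "hash value(s)")
```

The result feeds the classifier stage: the nonce is what the training examples are generated from, and the collected hash values are what the classifiers are executed on. Keying the nonce search on a field name is the weakest part of any such interceptor, so in practice the setup-portion scan would also accept fixed-length hex strings delivered under other names, at the cost of more candidates to classify.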

Figure 3 is a flowchart of a method for detecting blockchain miner code executing in a web browser in accordance with an embodiment of the present invention. Initially, at step 302, the method receives the browser profile 208. At step 304 the method determines if there is a deviation from the profile 208, and where a deviation is detected the method proceeds to step 306, where a cryptographic nonce is intercepted in communication with the browser 200. At step 308 training examples are generated for the classifiers 214 and the classifiers are trained at step 310. At step 312 one or more hash values are intercepted in communication with the browser 200 and used as a basis for executing the classifiers at step 314. At step 316, classification by a classifier 214 identifies malicious code in the browser, on which basis responsive actions can be triggered.

Insofar as embodiments of the invention described are implementable, at least in part, using a software-controlled programmable processing device, such as a microprocessor, digital signal processor or other processing device, data processing apparatus or system, it will be appreciated that a computer program for configuring a programmable device, apparatus or system to implement the foregoing described methods is envisaged as an aspect of the present invention. The computer program may be embodied as source code or undergo compilation for implementation on a processing device, apparatus or system or may be embodied as object code, for example.

Suitably, the computer program is stored on a carrier medium in machine or device readable form, for example in solid-state memory, magnetic memory such as disk or tape, optically or magneto-optically readable memory such as compact disk or digital versatile disk etc., and the processing device utilises the program or a part thereof to configure it for operation. The computer program may be supplied from a remote source embodied in a communications medium such as an electronic signal, radio frequency carrier wave or optical carrier wave. Such carrier media are also envisaged as aspects of the present invention.

It will be understood by those skilled in the art that, although the present invention has been described in relation to the above described example embodiments, the invention is not limited thereto and that there are many possible variations and modifications which fall within the scope of the invention.

The scope of the present invention includes any novel features or combination of features disclosed herein. The applicant hereby gives notice that new claims may be formulated to such features or combination of features during prosecution of this application or of any such further applications derived therefrom. In particular, with reference to the appended claims, features from dependent claims may be combined with those of the independent claims and features from respective independent claims may be combined in any appropriate manner and not merely in the specific combinations enumerated in the claims.