Cryptominer detection: a Machine Learning approach
Blog post from Sysdig
Cryptominer detection is a significant challenge due to the sophisticated evasion techniques used by attackers, making it difficult to distinguish malicious activities from legitimate ones without disrupting business operations. The article explores the implementation of machine learning techniques to detect cryptominer processes in running containers, focusing on a binary classification task using supervised learning methods. Data is collected from both malicious cryptominers set up in honeypots and legitimate processes, with features extracted to represent cryptominer characteristics while generalizing benign activities. The model assessment involves addressing highly imbalanced data and minimizing false positives, with a detailed evaluation using nested cross-validation and hyperparameter optimization to ensure unbiased generalization error estimation. A real-world detection case illustrates the effectiveness of machine learning in identifying cryptominer processes, highlighting the importance of human oversight to complement automated systems. The ongoing efforts in model improvement and data collection aim to enhance detection capabilities, with Sysdig offering tools and resources for those interested in implementing cryptominer detection solutions.
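The evaluation step the summary describes, shown as an added illustration that is not code from the Sysdig post: hyperparameters are tuned by an inner cross-validation that sees only the outer training split, stratified folds keep the rare miner class present in every fold, and an F0.5 selection score weights precision over recall to keep false positives down. A plain k-nearest-neighbours rule over constructed, imbalanced per-process feature vectors stands in for the post's model; all names, feature ranges and the k grid are assumptions.

```python
import random

# Constructed data, not Sysdig's: (count, label, cpu_share, lifetime_hours, conns_per_min)
GROUPS = [(30, 0, (0, .6), (0, 1), (0, 4)),      # short-lived jobs
          (15, 0, (.3, .9), (2, 7), (2, 8)),     # long-running services
          (5, 1, (.8, 1), (2, 10), (0, .4))]     # miners (label 1): pegged CPU, few conns

def make_dataset(seed=7):
    rng = random.Random(seed)
    rows = [(label, [rng.uniform(lo, hi) for lo, hi in ranges])
            for n, label, *ranges in GROUPS for _ in range(n)]
    return [r[1] for r in rows], [r[0] for r in rows]

def stratified_folds(y, k, seed=0):  # per-class round robin: every fold holds miners
    rng, folds = random.Random(seed), [[] for _ in range(k)]
    for label in sorted(set(y)):
        idx = [i for i, v in enumerate(y) if v == label]
        rng.shuffle(idx)
        for j, i in enumerate(idx): folds[j % k].append(i)
    return folds

def knn_predict(trX, trY, x, k):  # k-nearest-neighbours majority vote, 1 = miner
    near = sorted(range(len(trX)), key=lambda i: sum((a - b) ** 2 for a, b in zip(trX[i], x)))
    return int(2 * sum(trY[i] for i in near[:k]) > k)

def confusion(pairs):  # pairs of (true, predicted)
    return {"tp": pairs.count((1, 1)), "fp": pairs.count((0, 1)),
            "fn": pairs.count((1, 0)), "tn": pairs.count((0, 0))}

def fbeta(cm, beta=0.5):  # beta < 1 weights precision, i.e. penalises false positives
    p = cm["tp"] / max(cm["tp"] + cm["fp"], 1)
    r = cm["tp"] / max(cm["tp"] + cm["fn"], 1)
    return (1 + beta ** 2) * p * r / (beta ** 2 * p + r) if p + r else 0.0

def fit_predict(X, y, train, test, k):  # (true, predicted) pairs for the test indices
    trX, trY = [X[i] for i in train], [y[i] for i in train]
    return [(y[i], knn_predict(trX, trY, X[i], k)) for i in test]

def leave_out(folds):  # (train, test) index pairs with each fold held out in turn
    return [([i for f in folds if f is not t for i in f], t) for t in folds]

def nested_cv(X, y, grid=(1, 3, 5), n_outer=5, n_inner=3):
    pairs, chosen = [], []
    for train, test in leave_out(stratified_folds(y, n_outer)):
        inner = [[train[j] for j in f] for f in stratified_folds([y[i] for i in train], n_inner)]
        k = max(grid, key=lambda k: fbeta(confusion(  # hyperparameter chosen on train only
            [p for tr, te in leave_out(inner) for p in fit_predict(X, y, tr, te, k)])))
        chosen.append(k)
        pairs += fit_predict(X, y, train, test, k)  # refit on train, score on held-out fold
    return confusion(pairs), chosen
```

Calling `nested_cv(*make_dataset())` returns the confusion counts pooled over the outer held-out folds, which is the unbiased estimate the post relies on, together with the k chosen in each outer round.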