基于多特征识别的恶意挖矿网页检测及其取证研究

doi:10.3969/j.issn.1671-1122.2021.07.011

摘要/Abstract

摘要：

针对恶意挖矿网页检测技术存在的漏报率高、时效性低、预测不准、过于依赖规则等问题,文章设计了基于多特征识别的恶意挖矿网页检测模型和多层级证据保存的恶意挖矿网页取证方法。该检测模型通过对Coinhive、Jsecoin、Webmine、Crypto-loot四种挖矿网页的实现方式、代码特点分析,归纳总结其特征,构建出挖矿网页的多特征序列,实现对恶意挖矿网页的自动检测。研究表明,该检测模型能够对用户提交的URL进行自动检测,区分出恶意挖矿网页并判断出其类型,整体检测准确率达到97.83%。多层级取证方法能够从平面层、代码层、网络数据层三个维度对恶意挖矿网页数据进行固定,获取完整、合法、可信的证据,生成取证报告,满足公安机关对恶意挖矿网页检测和取证的需求。

关键词: 恶意挖矿, 网页挖矿, 检测, 取证

Abstract:

In view of the current domestic and foreign malicious mining Web detection technology has a high failure rate, low timeliness, inaccurate prediction, too dependent on rules and other problems, this paper designed a malicious mining web detection model based on multi-feature recognition and multi-level evidence preservation of malicious mining web forensic method. Through analyzing the implementation methods and code characteristics of Coinhive, Jsecoin, Webmine and Crypto-loot mining Web pages, and summarizing their characteristics, the detection model constructed the multi-feature sequence of mining Web pages to realize the automatic detection of malicious mining Web pages. The research shows that the detection model can automatically detect the URLs submitted by users, distinguish malicious mining Web pages and determine their types, and the overall detection accuracy reaches 97.83%. The multi-level forensics method can fix the malicious mining Web page data from the three dimensions of plane layer, code layer and network data layer, obtain complete, legal and credible evidence, generate the forensics report, and meet the public security organs' requirements for malicious mining Web page detection and forensics.

Key words: malicious mining, Web mining, detection, forensics

中图分类号:

TP309

黄子依, 秦玉海. 基于多特征识别的恶意挖矿网页检测及其取证研究[J]. 信息网络安全, 2021, 21(7): 87-94.

HUANG Ziyi, QIN Yuhai. Malicious Mining Web Page Detection and Forensics Based on Multi-feature Recognition[J]. Netinfo Security, 2021, 21(7): 87-94.

图/表 13

表1

图1

图2

表2

表3

表4

表5

图3

图4

图5

图6

图7

图8

参考文献 15

[1]	RAMESH G, KRISHNAMURTHI I, KUMAR K. An Efficacious Method for Detecting Phishing Webpages Through Target Domain Identification[J]. Decision Support Systems, 2014, 14(1):12-22.
[2]	ZHANG Yue, HONG J, CRANOR L. Cantina: A Content-based Approach to Detecting Phishing Web Sites[C]// WWW 2007. Proceedings of the 16th International Conference on World Wide Web, May 8-12, 2007, Banff, Alberta. Canada: ACM, 2007: 639-648.
[3]	KHONJI M, IRAQI Y, JONES A. Phishing Detection: A Literature Survey[J]. IEEE Communications Surveys & Tutorials, 2013, 15(4):2091-2121.
[4]	XIE Ping, SHI Wuguang. Research on Digital Cryptocurrency: A Literature Review[J]. Journal of Financial Research, 2015, 15(1):1-15. doi: 10.1111/jfir.1992.15.issue-1 URL
	谢平, 石午光. 数字加密货币研究:一个文献综述[J]. 金融研究, 2015, 15(1):1-15.
[5]	EYAL I. Blockchain Technology: Transforming Libertarian Cryptocurrency Dreams to Finance and Banking Realities[J]. Computer, 2017, 50(9):38-49.
[6]	Baidu Encyclopedia. Cryptocurrency[EB/OL]. https://baike.baidu.com/item/Cryptocurrency/22415288?fr=aladdin, 2020-12-26.
[7]	NAKAMOTO S. Bitcoin: A Peer-to-peer Electronic Cash System[EB/OL]. https://bitcoin.org/bitcoin.pdf, 2020-12-29.
[8]	HAN Jian. Research on Bitcoin Mining Attacks and Defense Schemes[D]. Ji'nan:Shandong University, 2019.
	韩健. 比特币挖矿攻击及防御方案研究[D]. 济南:山东大学, 2019.
[9]	REILLY W, YORGOS M, NAZRUL I, et al. Is Bitcoin A Currency, A Technology-based Product, or Something Else[EB/OL]. https://doi.org/10.1016/j.techfore.2019.119877, 2020-12-30.
[10]	HUANG Jianjun, LIANG Bin. Web Page Malicious Code Detection Based on Embedded Fingerprints[J]. Journal of Tsinghua University (Science and Technology), 2009, 49(S2):2208-2214.
	黄建军, 梁彬. 基于植入特征的网页恶意代码检测[J]. 清华大学学报(自然科学版), 2009, 49(S2):2208-2214.
[11]	XU Qing, ZHU Yan, TANG Shouhong. Analysing Multi-type Features and Fraud Technology to Detect Javascript Malicious Code[J]. Computer Applications and Software, 2015, 32(7):293-296.
	徐青, 朱焱, 唐寿洪. 分析多类特征和欺诈技术检测JavaScript恶意代码[J]. 计算机应用与软件, 2015, 32(7):293-296.
[12]	YUE Tao. The Research of Malicious Web Pages Detection Based on Multiple features[D]. Changsha: Hunan University, 2013.
	岳涛. 基于多特征的恶意网页检测系统[D]. 长沙:湖南大学, 2013.
[13]	ZHAO Zixu. JavaScript Malicious Code Detection System[D]. Harbin :Harbin Institute of Technology, 2016.
	赵梓旭. JavaScript脚本恶意代码检测系统[D]. 哈尔滨:哈尔滨工业大学, 2016.
[14]	LI Yadong. A Study on Some Key Issues in Web Page Forensics[D]. Hefei: Hefei University of Technology, 2014.
	李亚东. 网页取证若干关键问题研究[D]. 合肥:合肥工业大学, 2014.
[15]	CAI Jianping. Software Testing Practice Course[M]. Beijing: Tsinghua University Press, 2014.
	蔡建平. 软件测试实践教程[M]. 北京: 清华大学出版社, 2014.

字段	描述	大小/ B
区块大小	该字段之后的区块的大小	4
版本	区块的版本号,用于跟踪软件/协议的更新	4
父区块哈希值	前一个区块的256位哈希值	32
默克尔根	该区块中所有交易的Merkel树根哈希值	4
时间戳	区块创建的时间	4
难度值	该区块工作量证明算法的难度目标	4
随机数	用于工作量证明算法的计数器	4
交易计数器	区块中包含的交易数量	1~9
交易列表	区块中的所有交易信息	可变大小

特征序号	特征值
1	调用外部JavaScript脚本"coinhive.min.js"
2	调用外部JavaScript脚本"authedmine.min.js"
3	设置验证key值的参数"site_key"
4	对网页访问客户端是否为移动设备进行判断的参数"isMobile"
5	调用"miner.start()"方法
6	包含"coinhive"或"coin-hive"敏感字段
7	设置"throttle"参数,用以控制挖矿效率
8	调用"CoinHive.Anonymous()"方法

特征序号	特征值
1	包含"jsecoin"或"JSEcoin"敏感字段
2	调用外部JavaScript脚本"jsecoin.min.js"
3	包含外链" https://jsecoin.com"
4	调用"createElement()"方法创建script脚本
5	包含外链" https://load.jsecoin.com"
6	调用"parentNode.insertBefore()"方法
7	包含外链" https://jsecoin.com/pixels.php?rt=jsecoin.com"

特征序号	特征值
1	包含"webmine"或"Webmine"敏感字段
2	包含外链"https://webmine.cz/worker"
3	调用"createElement('iframe')"方法创建iframe框架
4	使用隐藏的iframe
5	设置验证key值参数"key=****"
6	调用外部JavaScript脚本"authedminer.js"

特征序号	特征值
1	包含"crypto-loot"敏感字段
2	调用外部JavaScript脚本"crypta.js"
3	调用"miner.start()"方法
4	设置挖矿币种参数"coin:"
5	设置验证key值参数"key=****
6	设置"throttle"参数
7	设置"threads"参数
8	调用"CRLT.Anonymous()"方法
9	包含外链"https://verifypow.com/lib/captcha.js"