基于多源检测与AI行为分析的挖矿木马协同防御研究

doi:10.3969/j.issn.1671-1122.2026.03.005

摘要/Abstract

摘要：

随着互联网与新型信息技术的深度融合，跨行业、跨地域、跨系统的多维度互联互通已成为现代信息技术发展的核心特征。区块链加密货币的持续增长与普及，推动了非法挖矿活动的规模化扩张，对个人隐私保护、企业数据资产安全及关键信息基础设施构成持续性威胁。在此背景下，针对挖矿木马的应急响应机制已被提升至国家网络安全战略层面。文章聚焦挖矿木马攻击链的防御与处置问题，构建了多维监测体系。为验证多源检测与AI行为异常检测的协同可行性，文章在隔离主机环境中集成静态、主机与网络3侧特征采集，采用学习型融合（Stacking）将多源得分与异常评分统一决策，对检测效果与响应时延开展阶段性对比评估。通过基于多源检测技术对挖矿木马的传播路径进行逆向建模，形成了覆盖攻击预防、感染检测、威胁清除的全流程应急响应方案，最后设计了基于多源检测与AI行为分析协同防御方案，比传统单一检测方法的效果更好。

关键词: 网络安全, 网络攻击, 挖矿木马, 应急响应

Abstract:

With the deep integration of the internet and emerging information technologies, multi-dimensional interconnectivity across industries, regions, and systems has become a core characteristic of modern technological development. The continuous growth and proliferation of blockchain cryptocurrencies have driven the large-scale expansion of illegal mining activities, posing persistent threats to personal privacy, corporate data assets, and critical information infrastructure. In this context, emergency response mechanisms against mining malware have been elevated to the national cybersecurity strategy level. This paper focused on the defense and remediation of mining malware attack chains by constructing a multi-dimensional monitoring system. To verify the feasibility of collaboration between multi-source detection and AI-based behavioral anomaly detection, the study integrated static, host, and network-level feature collection within an isolated environment. A stacking-based ensemble learning approach was adopted to unify multi-source scores and anomaly assessments for final decision-making, with periodic comparative evaluations conducted on detection performance and response latency. By leveraging multi-source detection techniques to reverse-model the propagation pathways of mining malware, a comprehensive emergency response framework was established, covering attack prevention, infection detection, and threat removal. The proposed collaborative defense mechanism combining multi-source detection and AI-driven behavioral analysis demonstrates superior detection effectiveness compared to traditional single-method detection techniques.

Key words: network security, network attacks, mining trojan, emergency response

中图分类号:

TP309

康文杰, 刘怡果, 刘绪崇, 赵薇, 欧阳天健, 李嘉欣. 基于多源检测与AI行为分析的挖矿木马协同防御研究[J]. 信息网络安全, 2026, 26(3): 389-398.

KANG Wenjie, LIU Yiguo, LIU Xuchong, ZHAO Wei, OUYANG Tianjian, LI Jiaxin. Research on Collaborative Defense against Cryptojacking Malware Based on Multi-Source Detection and AI Behavior Analysis[J]. Netinfo Security, 2026, 26(3): 389-398.

图/表 9

图1

图2

图3

表1

图4

图5

表2

图6

表3

参考文献 24

[1]	HOU Jian, LU Hui, LIU Fang’ai, et al. Detection and Countermeasure of Encrypted Malicious Traffic: A Survey[J]. Journal of Software, 2024, 35(1): 333-355.
	侯剑, 鲁辉, 刘方爱, 等. 加密恶意流量检测及对抗综述[J]. 软件学报, 2024, 35(1): 333-355.
[2]	NI Xueli, MA Zhuo, WANG Qun. Overview of Blockchain Mining Pool Networks and Typical Attack Modes[J]. Computer Engineering, 2024, 50(1): 17-29. doi: 10.19678/j.issn.1000-3428.0068203
	倪雪莉, 马卓, 王群. 区块链矿池网络及典型攻击方式综述[J]. 计算机工程, 2024, 50(1): 17-29. doi: 10.19678/j.issn.1000-3428.0068203
[3]	HE Shijie. Research on DNS Covert Tunnels in APT Attacks[D]. Chengdu: Southwest Jiaotong University, 2019.
	贺诗洁. APT攻击中的DNS隐蔽隧道技术研究[D]. 成都: 西南交通大学, 2019.
[4]	GU Guomin, CHEN Wenhao, HUANG Weida. A Covert Tunnel and Encrypted Malicious Traffic Detection Method Based on Multi-Model Fusion[J]. Netinfo Security, 2024, 24(5): 694-708.
	顾国民, 陈文浩, 黄伟达. 一种基于多模型融合的隐蔽隧道和加密恶意流量检测方法[J]. 信息网络安全, 2024, 24(5): 694-708.
[5]	MANI G, KIM M, BHARGAVA B, et al. Malware Speaks! Deep Learning Based Assembly Code Processing for Detecting Evasive Cryptojacking[J]. IEEE Transactions on Dependable and Secure Computing, 2024, 21(4): 2461-2477. doi: 10.1109/TDSC.2023.3307445 URL
[6]	DONG Fanghe, SHI Qiong, SHI Zhibin. Adversarial Traffic Detection Method Based on Ensemble Learning and Anomaly Detection[J]. Computer Engineering, 2026, 52(2): 275-286. doi: 10.19678/j.issn.1000-3428.0069846
	董方和, 石琼, 师智斌. 基于集成学习与异常检测的对抗流量检测方法[J]. 计算机工程, 2026, 52(2): 275-286. doi: 10.19678/j.issn.1000-3428.0069846
[7]	SUN Haoran. Research and Implementation of Mining Traffic Detection System for Campus Network[D]. Beijing: Beijing University of Posts and Telecommunications, 2024.
	孙浩然. 面向校园网的挖矿流量检测系统的研究与实现[D]. 北京: 北京邮电大学, 2024.
[8]	LIANG Fei, FANG Ruobing, WANG Kai. Detection of Illegal Bitcoin Transactions Based on Variational Bayesian Network[EB/OL]. [2025-07-08]. https://www.doc88.com/p-39999494179531.html.
	梁飞, 方若冰, 王凯. 基于变分贝叶斯图神经网络检测比特币非法交易的技术[EB/OL]. [2025-07-08]. https://www.doc88.com/p-39999494179531.html.
[9]	WANG Gang, GAO Yunpeng, YANG Songru, et al. A Survey on Deep Learning-Based Encrypted Malicious Traffic Detection Methods[J]. Netinfo Security, 2025, 25(8): 1276-1301.
	王钢, 高雲鹏, 杨松儒, 等. 基于深度学习的加密恶意流量检测方法研究综述[J]. 信息网络安全, 2025, 25(8): 1276-1301.
[10]	SANDA O, PAVLIDIS M, POLATIDIS N. A Deep Learning Approach for Host-Based Cryptojacking Malware Detection[J]. Evolving Systems, 2024, 15(1): 41-56. doi: 10.1007/s12530-023-09534-9
[11]	KADHUM L M, FIRDAUS A, HISHAM S I, et al. Features, Analysis Techniques, and Detection Methods of Cryptojacking Malware: A Survey[J]. International Journal on Informatics Visualization, 2024, 8(2): 891-896.
[12]	CHAHOKI A Z, SHAHRIARI H R, ROVERI M. Demo-Unmasking the Unseen: CryptojackingTrap, the Most Resilient Evasion-Proof Cryptojacking Malware Detection Algorithm[C]// IEEE. 2024 IEEE International Workshop on Information Forensics and Security (WIFS). New York: IEEE, 2024: 1-4.
[13]	LIU Renting, ZHENG Yahong, ZHANG Yingmin, et al. Detection and Practice of Cryptomining Behavior Based on Deep Packet Inspection[J]. Experiment Science and Technology, 2024, 22(3): 15-21.
	刘仁婷, 郑雅洪, 张映敏, 等. 基于深度流量分析的挖矿行为检测与实践[J]. 实验科学与技术, 2024, 22(3): 15-21.
[14]	WEI Jinxia, HUANG Xizhang, FU Yuhao, et al. Mining Traffic Detection Method Based on Global Feature Learning[J]. Netinfo Security, 2024, 24(10): 1506-1514.
	魏金侠, 黄玺章, 付豫豪, 等. 基于全局特征学习的挖矿流量检测方法[J]. 信息网络安全, 2024, 24(10): 1506-1514.
[15]	LIU Fengchun, WANG Zihe, YANG Aimin, et al. Research on the Detection Method of Network Malicious Traffic Based on CPO-BiLSTM-KAN[J]. Electronic Measurement Technology, 2026, 49(1): 70-79.
	刘凤春, 王子贺, 杨爱民, 等. 基于CPO-BiLSTM-KAN的网络恶意流量检测方法研究[J]. 电子测量技术, 2026, 49(1): 70-79.
[16]	ZAREH C A, SHAHRIARI H R, ROVERI M. CryptojackingTrap: An Evasion Resilient Nature-Inspired Algorithm to Detect Cryptojacking Malware[J]. IEEE Transactions on Information Forensics and Security, 2024, 19: 7465-7477. doi: 10.1109/TIFS.2024.3353072 URL
[17]	QIAN Kexiang. Research on Intelligent Analysis Methods for Multi-Layer Anomalous Behavior in Botnets[D]. Beijing: Beijing University of Posts and Telecommunications, 2025.
	钱珂翔. 多层僵尸网络异常行为智能分析方法研究[D]. 北京: 北京邮电大学, 2025.
[18]	ZHAO Bo, PENG Junru, WANG Yixuan. Network Security Situation Assessment Method Based on Threat Propagation[J]. Netinfo Security, 2025, 25(6): 843-858.
	赵波, 彭君茹, 王一琁. 基于威胁传播的网络安全态势评估方法[J]. 信息网络安全, 2025, 25(6): 843-858.
[19]	LUO Heng, WAN Liang. A Network Traffic Intrusion Detection Method Based on Dynamic Spatio-Temporal Graph Neural Network[EB/OL]. (2025-03-06)[2025-07-08]. https://www.ecice06.com/CN/10.19678/j.issn.1000-3428.0070520.
	罗恒, 万良. 基于动态时空图神经网络的网络流量入侵检测方法[EB/OL]. (2025-03-06)[2025-07-08]. https://www.ecice06.com/CN/10.19678/j.issn.1000-3428.0070520.
[20]	SUN Jianwen, ZHANG Bin, SI Nianwen, et al. Lightweight Malicious Traffic Detection Method Based on Knowledge Distillation[J]. Netinfo Security, 2025, 25(6): 859-871.
	孙剑文, 张斌, 司念文, 等. 基于知识蒸馏的轻量化恶意流量检测方法[J]. 信息网络安全, 2025, 25(6): 859-871.
[21]	BAI Wuxia. Research on Malicious Traffic Detection Method Based on Generative Adversarial Network[D]. Wuhan: Huazhong University of Science and Technology, 2024.
	白无瑕. 基于生成对抗网络的网络恶意流量检测方法研究[D]. 武汉: 华中科技大学, 2024.
[22]	VASUDEVAN A R, STEPHAN J, MOHAMED A E, et al. MinerJAB: CLI-Based Tool for Detection and Mitigation of Host-Based Cryptojacking Malware[C]// IEEE. 2025 6th International Conference on Control, Communication and Computing (ICCC). New York: IEEE, 2025: 1-6.
[23]	PAN Xue, YANG Yingkui, LIU Chunxue. Discussion on Virus Analysis and Treatment of no File Mining[J]. Heilongjiang Meteorology, 2022, 39(4): 41-42.
	潘雪, 杨英奎, 刘春雪. 浅谈无文件挖矿病毒分析与处理[J]. 黑龙江气象, 2022, 39(4): 41-42.
[24]	GU Huanhuan, LI Qianmu, LIU Zhen, et al. Research on Hidden Backdoor Prompt Attack Methods Based on False Demonstrations[J]. Netinfo Security, 2025, 25(4): 619-629.
	顾欢欢, 李千目, 刘臻, 等. 基于虚假演示的隐藏后门提示攻击方法研究[J]. 信息网络安全, 2025, 25(4): 619-629.

得分/特征	原始观测信号	评分/归一化方法	范围	用途说明
s_static	不可变文件标记、异常落地路径/关键目录写入、可疑文件属性	规则命中项加权求和后归一化（min-max/分段映射）	[0,1]	静态持久化/落地异常强度
s_host	CPU占用率、持续时间、进程树异常度（父子关系/命令行特征）	时间窗统计量→异常分，归一化后输出	[0,1]	主机侧行为异常强度
s_net	外联频率、目的地址画像、Stratum特征命中度	命中/相似度→风险分，归一化后输出	[0,1]	网络侧挖矿通信可疑度
s_AI	AI异常检测模块输出（概率/异常分）	模型输出直接作为异常分（必要时做校准）	[0,1]	补足弱信号与伪装场景检出

方法	输入特征	检测率/ 召回率	F1分数	平均延迟/s
仅多源检测	[s_static, s_host, s_net]	100%	1.00	15（窗口）
仅AI异常检测	[s_AI]	100%	1.00	15（窗口）
融合（Stacking）	[s_static, s_host, s_net, s_AI]	100%	1.00	15（窗口）

测试场景	样本规模 /个	检测率 [95% CI]	假阳性率 [95% CI]	平均延迟 /s[SD]	F1分数
良性环境（特异度）	50	100%[92.9%~ 100%]	0[0~7.1%]	15.0 [0]	_
挖矿仿真（检测率）	50	100%[92.9%~ 100%]	0[0~7.1%]	15.0 [0]	1.00
总体（准确率）	100	100%[96.3%~ 100%]	0[0~7.1%]	15.0 [0]	1.00