Cryptomining detection on cloud environments through containerised application profiling and classification

Buzzanca, Giorgio (2023) Cryptomining detection on cloud environments through containerised application profiling and classification. [Master's degree thesis], Università di Bologna, Degree programme in Artificial intelligence [LM-DM270], Full-text document not available
The full text is not available by the author's choice. (Contact the author)

Abstract

During my internship at Sysdig, I had the opportunity to work on the task of novelty detection in monitored cloud environments. This study focuses specifically on the last project to which I was assigned: the development of a new feature for Sysdig Secure, the product of Sysdig that provides security monitoring and compliance for containerized applications. In particular, the objective was to implement a crypto-mining activity detector, which by leveraging low-level data collected by the Image Profiling component, and performing machine learning-based dynamic analysis, would have been able to detect crypto-mining activities in containerized applications with a high degree of accuracy. This paper is organized as follows. In the first chapter, I define the problem of crypto-jacking detection, and I present a brief review of the literature on the topic, with a focus both on static analysis approaches and machine-learning techniques. In the second chapter, I introduce the Sysdig Secure product, and I describe the Image Profiling component, and the pipeline for the collection of low-level data. In the third chapter, I describe the feature extraction pipelines and the rationale behind the choice of the features based on the analysis of the behavior of xmrig and cpuminer. In the fourth chapter, I describe the machine-learning models that I have implemented, and I present the results of the experiments that I have carried out. In the fifth chapter, I expose the study of scalability and roll-out policy I have carried out, the design of the model’s training architecture and implementation of machine learning operations, from preprocessing to model storage, and the development of components for production environments and deployment. In the last chapter, I present the conclusions of my work.

Document type
Degree thesis (Master's degree)
Thesis author
Buzzanca, Giorgio
Thesis supervisor
School
Degree programme
Degree programme regulations
DM270
Keywords
crypto-miners detection, novelty detection, Sysdig, secure, compliance, Kubernetes machine learning, feature engineering, explainable AI, decision trees, isolation forests, MLOps, microservices, scalability, roll-out policy
Thesis defence date
23 March 2023
URI
