AI-based Detection of Crypto-mining Docker Containers in Cloud Environments

School of Science | Master's thesis

Date

2024-12-31

Major/Subject

Security and Cloud Computing

Degree programme

Master's Programme in Security and Cloud Computing

Language

en

Pages

81

Abstract

Crypto-mining activities in cloud environments present significant security and performance challenges for cloud service providers. This thesis addresses the detection of unauthorized crypto-mining activities on Virtual Machines (VMs) within cloud infrastructures with the use of machine learning. We present two adversarial models that execute crypto-mining in the cloud. In the first scenario, the adversary runs a crypto-mining container within a VM in the cloud without hiding its activities. In the second, the adversary obfuscates its crypto-mining activities by concurrently running legitimate and crypto-mining containers within the same VM. We develop a machine learning-based method to identify resource usage patterns that indicate crypto-mining operations. We built and trained two Random Forest models to accurately classify (i) crypto-mining activities for Docker containers mining BTC, ETH, SHIB, and XMR, and (ii) legitimate activities. The models are tested in both crypto-mining and obfuscated crypto-mining environments, obtaining an accuracy of 99.99% for the crypto-mining model and 99.99% even when the crypto-mining is obfuscated. Notably, the trained models also achieved 100% F1 score, recall, precision, and True Positive Rate (TPR) in classifying legitimate activities. These results demonstrate that the proposed methodology can effectively distinguish between legitimate and crypto-mining activities and can further classify the specific cryptocurrency being mined among BTC, ETH, SHIB, and XMR. This thesis provides cloud service providers with valuable insights and practical tools for mitigating the risks associated with unauthorized crypto-mining, ultimately contributing to more secure and efficient cloud computing environments.

Supervisor

Aura, Tuomas

Thesis advisor

Papadimitratos, Panos
Hussain, Ahmed

Keywords

cybersecurity, crypto-mining, crypto currencies, docker containers, virtual machines, machine learning, cloud, cloud providers
