System ID | U0002-1907202103274500 |
---|---|
DOI | 10.6846/TKU.2021.00468 |
Title (Chinese) | 以CPU使用率檢測挖礦攻擊 |
Title (English) | Detecting Cryptojacking by CPU Usage |
Title (third language) | |
University | 淡江大學 (Tamkang University) |
Department (Chinese) | 資訊工程學系資訊網路與多媒體碩士班 |
Department (English) | Master's Program in Networking and Multimedia, Department of Computer Science and Information Engineering |
Foreign degree: university | |
Foreign degree: college | |
Foreign degree: institute | |
Academic year | 109 (ROC calendar; 2020-21) |
Semester | 2 |
Year of publication | 110 (ROC calendar; 2021) |
Author (Chinese) | 趙敬瑋 |
Author (English) | Ching-Wei Chao |
Student ID | 608420013 |
Degree | Master's |
Language | Traditional Chinese |
Second language | |
Oral defense date | 2021-06-17 |
Page count | 47 |
Thesis committee | Advisor: 蔣璿東; members: 王鄭慈, 陳伯榮 |
Keywords (Chinese) | 加密貨幣, 隱蔽挖礦檢測, 惡意軟體 |
Keywords (English) | Cryptocurrencies; Covert Cryptomining Detection; Malware |
Keywords (third language) | |
Subject classification | |
Abstract (Chinese original, translated) |
In past cryptojacking incidents, technically speaking, the malware was usually implanted on the target host through some intrusion method and then used process-hiding techniques to evade anti-virus detection, so that it could occupy the host's CPU for a long time without being noticed. With the advent of mining pools, a mining task no longer needs a large amount of computing power of its own: a miner only has to join a pool and contribute part of its hash rate to receive a share of the reward. Incidents of recent years show that a small number of samples have begun to adjust dynamically how much computing power they spend on mining, which increases the time and complexity of feature training for machine-learning detectors. This thesis assumes that, besides consuming a large share of the CPU, mining malware shows new behavioural characteristics whenever system utilization changes. The proposed method has three parts. First, the normal resource-usage behaviour of the host hardware is derived from large-volume data analysis and used to detect abnormal CPU states. Second, malware samples are run in an experimental environment to observe their CPU usage; thresholds on oscillation amplitude and duration are then set according to the proportional change in system utilization, and these decide whether a CPU anomaly is caused by mining malware. Finally, the mining process itself is identified by suspending the few processes whose usage varies most and observing the resulting changes in system and per-process utilization. Experiments show that the proposed method not only finds miners that consume a large amount of CPU but also performs very well against malware that dynamically adjusts its resource usage. |
Abstract (English) |
In past cryptojacking incidents, from a technical point of view, the malware was mostly implanted on the target host through various intrusion methods and used process-hiding techniques to evade anti-virus software, so that it could control the host's CPU for a long time. Nowadays, with the introduction of mining pools, a mining task no longer requires such a large amount of computing resources: miners only need to join a pool and contribute part of their computing power to receive a share of the mining reward. Cryptojacking incidents of recent years show that a small number of samples have begun to adjust dynamically the computing resources they use for mining, which increases the time and complexity of feature training for machine learning. This thesis assumes that, in addition to consuming CPU resources heavily, mining malware shows new behavioural characteristics when system utilization changes. The proposed method has three parts. First, the normal usage behaviour of the host hardware is learned from large-volume data analysis and used to detect abnormal CPU states. Second, malware samples are run in an experimental environment to observe their CPU usage, and thresholds on oscillation amplitude and duration are set according to the proportional change in system utilization to decide whether a CPU anomaly is caused by mining malware. Finally, the mining process is identified by suspending the processes whose usage changes most and observing the resulting changes in system and per-process utilization. Experiments show that the proposed detection method not only finds miners that consume a large amount of CPU but also gives strong results against malware that dynamically adjusts its resource usage. |
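The three-step method sketched in the abstract, as an added worked example rather than code from the thesis: a toy Python model that calibrates a normal-usage ceiling (step 1), flags sustained over-ceiling runs as candidate anomalies (step 2), then suspends the busiest processes one at a time and compares what the system gives back with what each process consumed (step 3). The process names, usage traces, the mean + k*std ceiling, the `freed_ratio` rule and the adaptive miner's target-load model are all assumptions made here; the thesis's own thresholds and baseline model are not given on this page. The example goes beyond the abstract in modelling both miner types the table of contents names, a fixed-load miner and an adaptive one.

```python
"""Added example, not the thesis's code: a toy model of the three-step
CPU-usage cryptojacking detector described in the abstract, run on
constructed data.  Process names, traces, thresholds and the miner's
throttling model are assumptions made for illustration."""
from statistics import mean, pstdev

# Step 1 input: constructed 1 s samples (%) of system CPU usage on a quiet host.
NORMAL_SAMPLES = [4, 6, 5, 7, 5, 4, 6, 8, 5, 6, 7, 5, 4, 6, 5, 7, 6, 5, 4, 6]


def normal_ceiling(samples, k=4.0):
    """Step 1: highest system usage still treated as normal (mean + k*std, assumed model)."""
    return mean(samples) + k * pstdev(samples)


def sustained_anomalies(samples, ceiling, min_duration):
    """Step 2: [start, end) ranges where usage stays above the ceiling for at
    least min_duration consecutive samples (the duration threshold)."""
    runs, start = [], None
    for i, v in enumerate(list(samples) + [None]):  # sentinel closes a trailing run
        above = v is not None and v > ceiling
        if above and start is None:
            start = i
        elif not above and start is not None:
            if i - start >= min_duration:
                runs.append((start, i))
            start = None
    return runs


class SimulatedHost:
    """Per-process CPU model (assumption, not measured data).
    benign maps process name -> usage % per second.  The miner either burns a
    fixed load (the thesis's type-1 behaviour) or, when fixed_load is None, is
    adaptive (type 2): each second it takes whatever CPU is left below `target`,
    backing off when a user program gets busy and ramping up when it goes quiet."""

    def __init__(self, benign, miner="svc_update.exe", fixed_load=None, target=85.0, idle=5.0):
        self.benign, self.miner = benign, miner          # miner name is constructed
        self.fixed_load, self.target, self.idle = fixed_load, target, idle

    def processes(self, t, suspended=frozenset()):
        usage = {n: (0.0 if n in suspended else tr[t]) for n, tr in self.benign.items()}
        if self.miner in suspended:
            usage[self.miner] = 0.0
        elif self.fixed_load is not None:
            usage[self.miner] = self.fixed_load
        else:
            usage[self.miner] = max(0.0, self.target - self.idle - sum(usage.values()))
        return usage

    def system_usage(self, t, suspended=frozenset()):
        return min(100.0, self.idle + sum(self.processes(t, suspended).values()))


def traces(host, window, suspended=frozenset()):
    """Per-process usage lists over the window, optionally with one process suspended."""
    out = {}
    for t in window:
        for name, v in host.processes(t, suspended).items():
            out.setdefault(name, []).append(v)
    return out


def identify_miner(host, window, top_n=2, freed_ratio=0.5):
    """Step 3: suspend the busiest / most variable processes one at a time and
    compare what the system gives back with what the process itself consumed.
    A suspended miner hands its whole share back; suspending a benign program
    frees little when an adaptive miner absorbs the released CPU."""
    before = traces(host, window)
    sys_before = mean([host.system_usage(t) for t in window])
    ranked = sorted(before, key=lambda n: mean(before[n]) + pstdev(before[n]), reverse=True)
    report = {}
    for cand in ranked[:top_n]:
        after = traces(host, window, {cand})
        sys_after = mean([host.system_usage(t, {cand}) for t in window])
        own = mean(before[cand])
        growth = {n: mean(after[n]) - mean(before[n]) for n in before if n != cand}
        filler = max(growth, key=growth.get)  # who grew while the candidate slept?
        report[cand] = {
            "freed": round(sys_before - sys_after, 2),
            "filled_by": filler if growth[filler] > 1.0 else None,
            "is_miner": own > 0 and (sys_before - sys_after) / own >= freed_ratio,
        }
    return report


# Constructed workload: a video player busy for four seconds in the middle.
BENIGN = {
    "video.exe": [0] * 4 + [40] * 4 + [0] * 4,
    "chrome.exe": [5, 6, 5, 7, 5, 6, 5, 6, 5, 7, 6, 5],
    "notepad.exe": [2] * 12,
}
WINDOW = range(12)


def run_demo(fixed_load=None):
    """Run all three steps; returns (ceiling, anomalous runs, per-candidate report)."""
    host = SimulatedHost(BENIGN, fixed_load=fixed_load)
    ceiling = normal_ceiling(NORMAL_SAMPLES)
    runs = sustained_anomalies([host.system_usage(t) for t in WINDOW], ceiling, min_duration=10)
    return ceiling, runs, (identify_miner(host, WINDOW) if runs else {})


if __name__ == "__main__":
    for label, load in (("fixed-load miner", 80.0), ("adaptive miner", None)):
        ceiling, runs, report = run_demo(load)
        print(f"{label}: normal ceiling {ceiling:.1f}%, anomalous runs {runs}")
        for name, r in report.items():
            print(f"  suspend {name}: {r}")
```

Running it reproduces the point the thesis makes with its suspend-and-observe figures: under the adaptive miner, suspending the video player frees almost no CPU because the miner ramps up to absorb it (`filled_by` names the miner), whereas suspending the miner returns its whole share and system usage falls back toward the ceiling. On a real Windows host the per-process traces would come from performance counters and the suspension from a tool such as Sysinternals PsSuspend; the simple mean + k*std ceiling here is only a stand-in for the large-volume baseline the abstract describes.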
Abstract (third language) | |
Table of contents |
Chapter 1 Introduction
1.1 Research background and motivation
1.2 Research objectives
1.3 Thesis structure
Chapter 2 Related technologies and literature review
2.1 Principles of cryptocurrency mining
2.2 Mining software
2.3 Research on mining-malware detection
Chapter 3 Experimental architecture
3.1 Problem statement
3.2 Research method
3.2.1 Finding normal hardware-resource usage behaviour through large-volume data analysis
3.2.2 Observing the hardware-resource usage behaviour of mining malware experimentally
3.2.3 Anomaly detection and follow-up handling
Chapter 4 Experimental results
4.1 Environment setup
4.2 Experiments and observations on mining malware
4.2.1 Host anomaly determination for type-1 malware
4.2.2 Host anomaly determination for type-2 malware
4.2.3 Malware process detection
4.3 Real-world detection results for mining malware
4.3.1 Detection of the taskhost sample
4.3.2 Detection of the Crypt sample
Chapter 5 Conclusion and future work
5.1 Conclusion
5.2 Future work
References
Appendix: Detection results for the remaining samples
List of figures
Figure 3.2.1 Mining-malware detection model
Figure 4.2.1 Runtime data for WordPad
Figure 4.2.2 Runtime data for Google Chrome
Figure 4.2.3 Runtime data for a YouTube video
Figure 4.2.4 Runtime data for the sample "4.5"
Figure 4.2.5 Runtime data for the sample "notepad"
Figure 4.2.6 Runtime data for the sample "updat"
Figure 4.2.7 YouTube video started first
Figure 4.2.8 RmxMiner started first
Figure 4.2.9 Abnormal CPU behaviour
Figure 4.2.10 Suspending 4.5.exe
Figure 4.2.11 Suspending the YouTube video
Figure 4.2.12 Abnormal CPU behaviour
Figure 4.2.13 Suspending the YouTube video
Figure 4.2.14 Suspending RmxMiner
Figure 4.3.1 Abnormal CPU behaviour
Figure 4.3.2 Suspending taskhost
Figure 4.3.3 Suspending the YouTube video
Figure 4.3.4 Abnormal CPU behaviour
Figure 4.3.5 Suspending the YouTube video
Figure 4.3.6 Suspending Crypt
List of tables
Table 2.2.1 List of mining software
Table 2.2.2 List of cryptojacking incidents
Table 3.1.1 Mining-malware samples
Table 4.1.1 Experimental host configuration
|
References |
[1] NerdWallet, "What Is Cryptocurrency? Here's What You Should Know." [Online]. Available: https://www.nerdwallet.com/article/investing/cryptocurrency-7-things-to-know [Accessed: Jul. 2021].
[2] Kaspersky, "What is Cryptojacking? Definition and Explanation." [Online]. Available: https://www.kaspersky.com/resource-center/definitions/what-is-cryptojacking [Accessed: Jul. 2021].
[3] ITW01, "Garena servers infected with malware; League of Legends players forced into XMR mining" (news item, in Chinese). [Online]. Available: https://itw01.com/QBAIOEA.html [Accessed: Jul. 2021].
[4] Investopedia, "Cryptocurrency." [Online]. Available: https://www.investopedia.com/terms/c/cryptocurrency.asp [Accessed: Jul. 2021].
[5] S. Pastrana and G. Suarez-Tangil, "A First Look at the Crypto-Mining Malware Ecosystem: A Decade of Unrestricted Wealth," Proc. 19th ACM Internet Measurement Conference (IMC), 2019.
[6] I. Ibrahim, V. Prenosil and M. Hammoudeh, "BotDet: A System for Real Time Botnet Command and Control Traffic Detection," IEEE Access, 2018.
[7] A. Pastor and A. Mozo, "Detection of Encrypted Cryptomining Malware Connections With Machine and Deep Learning," IEEE Access, 2020.
[8] F. Gomes and M. Correia, "Cryptojacking Detection with CPU Usage Metrics," 19th IEEE International Symposium on Network Computing and Applications (NCA), 2020.
[9] M. Caprolu, S. Raponi and G. Oligeri, "Cryptomining Makes Noise: a Machine Learning Approach for Cryptojacking Detection," Computer Communications, 2021.
[10] M. Conti, A. Gangwal and G. Lain, "Detecting Covert Cryptomining using HPC," Springer International Publishing, 2019.
[11] W. B. T. Handaya, M. N. Yusoff and A. Jantan, "Machine learning approach for detection of fileless cryptocurrency," Journal of Physics: Conference Series, 2019.
[12] A. Yazdinejad, H. HaddadPajouh and A. Dehghantanha, "Cryptocurrency malware hunting: A deep Recurrent Neural Network approach," Applied Soft Computing, 2020.
[13] G. Mani, V. Pasumarti and B. Bhargava, "DeCrypto Pro: Deep Learning Based Cryptomining Malware Detection Using Performance Counters," Applied Soft Computing, 2020.
[14] V. Marchetto and X. Liu, "An Investigation of Cryptojacking: Malware Analysis and Defense Strategies," Journal of Strategic Innovation and Sustainability, 2019.
|
Full-text access permissions | |