Host-based cryptomining malware, commonly known as cryptojackers, has gained notoriety for its stealth and the significant financial losses it causes in Linux-based cloud environments. Existing solutions often struggle with scalability due to high monitoring overhead, low detection accuracy against obfuscated behavior, and a lack of integrated remediation. We present CryptoGuard, a lightweight hybrid solution that combines detection and remediation strategies to counter cryptojackers. To ensure scalability, CryptoGuard uses sketch- and sliding-window-based syscall monitoring to collect behavior patterns with minimal overhead. It decomposes the classification task into a two-phase process, leveraging deep learning models to identify suspicious activity with high precision. To counter evasion techniques such as entry point poisoning and PID manipulation, CryptoGuard integrates targeted remediation mechanisms based on eBPF, a modern Linux kernel feature deployable on any compatible host. Evaluated on 123 real-world cryptojacker samples, it achieves average F1-scores of 96.12% and 92.26% across the two phases and outperforms state-of-the-art baselines in terms of true and false positive rates, while incurring only 0.06% CPU overhead per host.
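As an added illustration of what sketch- and sliding-window-based syscall monitoring looks like in practice (example code written here, not CryptoGuard's own implementation): a Count-Min sketch keeps approximate per-syscall counts for the most recent N syscalls in fixed memory, and a fixed-length vector of estimates over syscalls of interest is the kind of behavior pattern a classifier would consume. The sample trace, window size, sketch dimensions and feature list are constructed assumptions.

```python
import hashlib
from collections import deque

class WindowedCountMinSketch:
    """Count-Min sketch over the last `window` syscalls (illustrative, not CryptoGuard's code).

    `depth` hash rows of `width` counters give fixed memory no matter how many
    distinct syscalls a host emits; the deque tracks what is inside the window
    so evicted syscalls can be subtracted again.
    """
    def __init__(self, width=64, depth=4, window=32):
        self.width, self.depth, self.window = width, depth, window
        self.table = [[0] * width for _ in range(depth)]
        self.recent = deque()  # syscalls currently inside the window, oldest first

    def _slots(self, name):
        # One deterministic counter slot per row; the row index acts as the hash salt.
        for row in range(self.depth):
            digest = hashlib.blake2b(name.encode(), digest_size=8, salt=bytes([row])).digest()
            yield row, int.from_bytes(digest, "big") % self.width

    def _update(self, name, delta):
        for row, col in self._slots(name):
            self.table[row][col] += delta

    def observe(self, name):
        """Record one syscall; once the window is full, evict the oldest."""
        self.recent.append(name)
        self._update(name, +1)
        if len(self.recent) > self.window:
            self._update(self.recent.popleft(), -1)

    def estimate(self, name):
        """Count-Min estimate: the minimum over rows never undercounts, may overcount on collisions."""
        return min(self.table[row][col] for row, col in self._slots(name))

    def features(self, names):
        """Fixed-length feature vector over syscalls of interest, suitable as classifier input."""
        return [self.estimate(n) for n in names]

# Constructed sample trace: a hashing loop that mostly spins on futex/sched_yield/clock_gettime.
MINER_LIKE = ["futex", "sched_yield", "clock_gettime", "futex", "sched_yield"] * 8
FEATURE_SYSCALLS = ["futex", "sched_yield", "clock_gettime", "read", "write", "openat"]

def trace_features(trace, window=32):
    """Feed a syscall trace through the windowed sketch and return the feature vector."""
    sketch = WindowedCountMinSketch(window=window)
    for name in trace:
        sketch.observe(name)
    return sketch.features(FEATURE_SYSCALLS)
```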