Tencent Host Security (Cloud Mirror) arsenal: the BinaryAI engine, a sword for killing mining Trojans

2022-06-24 01:33:00 Tencent security

In previous issues we explained that the threat of mining Trojans is underestimated by many people and, borrowing from epidemic prevention and control measures, how to defend against mining Trojans at every layer. In this issue we describe in detail how Tencent's security technology team used artificial intelligence methods to develop the BinaryAI engine, which performs software component analysis on sample files and greatly improves the detection of unknown mining Trojans. Tencent Host Security (Cloud Mirror) is currently the first product to integrate the BinaryAI engine.

Background

Mining Trojans have been the leading threat to the network security of government and enterprise organizations in recent years. In most cases the criminal operators behind mining Trojans do not carry out extreme destructive actions the way ransomware attackers do. They prefer long-term, stable control over a large number of compromised machines ("broilers"), which they organize into botnets to mine for profit; Monero mining, which consumes CPU resources, is by far the most common.

Besides consuming large amounts of system resources and interfering with normal services, the more serious risk of a mining Trojan is that it usually remains resident in the system, leaving a serious hidden danger to the information security of government and enterprise institutions. Driven by fluctuations in the market value of Bitcoin and other cryptocurrencies, speculation in all kinds of coins continues, and rampant ransomware crime has also made cryptocurrency the medium of exchange for criminal and illegal transactions.

In 2021 the Chinese government declared Bitcoin-related production and trading illegal and, to reach its carbon-peak and carbon-neutrality goals, ordered the closure of all Bitcoin mines in the country. As part of the "dual carbon" goal, the national internet security authorities are strictly investigating illegal mining-Trojan activity nationwide: mining by intruding with Trojans, or by using the computing power of an organization's hosts, is a serious violation of the law and will be subject to legal sanctions. According to data in the Tencent Security Threat Intelligence Center's 2020 annual report, the upward trend of mining Trojans in 2020 was very clear.

According to the latest Tencent Security statistics, more than half of intrusions into public cloud hosts, 54.9%, were for mining, and the Tencent Security team captured more than 6,000 mining Trojan attacks in the past 30 days. Technical reports published by foreign security vendors likewise show that mining Trojans are the most significant network threat worldwide.

Traditional mining Trojan detection schemes cover three dimensions

1. Static detection: methods based on string constants, signature rules and file hashes.
2. Dynamic detection: methods based on network connections to mining pools.
3. Host-layer detection: methods based on abnormal consumption of virtual machine resources.

Static detection can only find known mining samples and is easily bypassed by attackers (packing, string obfuscation or simply recompiling changes both the hash and the constants). Dynamic detection raises the detection cost and cannot detect mining that connects to private pools. Host-layer detection floods the host layer with alarms, most of which are false positives, and it is hard to locate the threat directly from them.
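The three dimensions above, and the weakness of each, as an added example that is not part of the original article and not Tencent's product logic. The "signature database", miner strings, pool list, connection log lines and CPU samples are all constructed for illustration; the XOR "packer" stands in for the real packers attackers use.

```python
"""Added example (not Tencent's code): the three traditional detection
dimensions, run over constructed inputs to show what each catches and misses."""
import hashlib
import re

# --- 1. Static detection: string constants, a simple rule, and a file-hash list ---
# Constructed sample standing in for an unpacked miner binary.
KNOWN_SAMPLE = (b"\x7fELF constructed-sample xmrig stratum+tcp://pool.example-xmr.net:3333 "
                b"--donate-level=1 cryptonight")
KNOWN_BAD_SHA256 = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}   # constructed "signature database"
MINER_STRINGS = (b"stratum+tcp://", b"cryptonight", b"donate-level", b"xmrig")

def static_detect(sample: bytes) -> dict:
    digest = hashlib.sha256(sample).hexdigest()
    hits = [s.decode() for s in MINER_STRINGS if s in sample.lower()]
    known = digest in KNOWN_BAD_SHA256
    # Rule: exact hash match, or at least two miner-specific constants in the file.
    return {"hash_known": known, "string_hits": hits, "verdict": known or len(hits) >= 2}

def xor_pack(data: bytes, key: int = 0x5A) -> bytes:
    """Minimal 'packer': a single-byte XOR already defeats string and hash signatures."""
    return bytes(b ^ key for b in data)

# --- 2. Dynamic detection: outbound connections to mining pools ---
KNOWN_POOLS = {"pool.example-xmr.net", "mine.example-pool.org"}     # constructed pool list
STRATUM_PORTS = {3333, 4444, 5555, 14444}                            # ports miners commonly default to
CONN_RE = re.compile(r"exe=(?P<exe>\S+) connect (?P<host>[^:\s]+):(?P<port>\d+)")

def dynamic_detect(log_line: str) -> dict:
    m = CONN_RE.search(log_line)
    if not m:
        return {"verdict": False, "reason": "no connect event"}
    host, port = m["host"], int(m["port"])
    if host in KNOWN_POOLS:
        return {"verdict": True, "reason": f"known pool {host}"}
    if port in STRATUM_PORTS:
        return {"verdict": True, "reason": f"stratum-style port {port}"}
    # A private pool on an arbitrary port looks like any other TCP connection here.
    return {"verdict": False, "reason": f"unknown destination {host}:{port}"}

# --- 3. Host-layer detection: sustained abnormal CPU use by one process ---
def host_detect(cpu_samples: list, threshold: float = 90.0, min_run: int = 5) -> bool:
    """True when CPU% stays at or above `threshold` for `min_run` consecutive samples."""
    run = 0
    for pct in cpu_samples:
        run = run + 1 if pct >= threshold else 0
        if run >= min_run:
            return True
    return False

# Constructed connection events (one per line, as a sensor might log them) and CPU samples.
CONN_LOGS = [
    "2021-11-17T15:10:51Z pid=4211 exe=/tmp/.x/kswapd0 connect pool.example-xmr.net:3333",
    "2021-11-17T15:11:02Z pid=4211 exe=/tmp/.x/kswapd0 connect 203.0.113.7:8080",  # private pool
    "2021-11-17T15:11:09Z pid=902 exe=/usr/bin/curl connect updates.example.com:443",
]
CPU_MINER = [96, 98, 97, 99, 98, 97]   # miner pegged near 100% on one core (constructed)
CPU_BUILD = [95, 97, 94, 96, 98, 95]   # a long compile job looks identical to the miner (constructed)
CPU_IDLE = [3, 5, 12, 4, 2, 7]

if __name__ == "__main__":
    print(static_detect(KNOWN_SAMPLE))              # hash and strings both hit
    print(static_detect(xor_pack(KNOWN_SAMPLE)))    # same payload, packed: nothing hits
    for line in CONN_LOGS:
        print(dynamic_detect(line))                 # private pool on port 8080 is missed
    print(host_detect(CPU_MINER), host_detect(CPU_BUILD), host_detect(CPU_IDLE))
```

Run as a script: the packed copy of the known sample gets no static hit, the private-pool connection on port 8080 is reported as an unknown destination, and the compile job trips the host-layer rule exactly like the miner, which is the false-positive problem the text describes.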

Detecting mining Trojans with the BinaryAI engine

Mining Trojan detection based on the BinaryAI engine is a new detection solution introduced by Tencent Security Keen Security Lab and the Tencent Security capability operations team, built on artificial intelligence (AI) methods. The BinaryAI engine builds a feature library from a limited set of mining components and, together with Tencent Security's mature unpacking technology, performs static detection of mining samples by matching whether a sample contains the function semantics of mining code, giving an accurate and efficient mining Trojan detection scheme.

Component name   Computing resource   Component description
XMRig            CPU                  The most common Monero mining code on the Linux platform
cpuminer         CPU                  Multithreaded CPU miner
Ufasoft          CPU                  Bitcoin miner
FPGAminer        CPU                  Bitcoin miner
behash           CPU                  CPU or 4G graphics-card mining ("bookkeeping")
NTMiner          GPU                  One-click graphics-card mining software, mainly for GPU-mined coins such as ETH
Bminer           GPU                  Mining software deeply optimized for NVIDIA and AMD GPUs
HSPMiner         GPU                  Efficient ETH and BTM mining software
DiabloMiner      GPU                  OpenCL-based command-line miner
poclbm           GPU                  Script-based (Python OpenCL) miner
hashkill64       GPU
hashkill32       GPU
NsGpuCNMiner     GPU                  Low dev-fee GPU (CryptoNight) miner
yilu             GPU                  Commercial mining tool
python_card      CPU

Table: mainstream mining Trojan components (partial list)

Figure: mainstream mining pools used by mining Trojans

The BinaryAI engine uses a function semantic vectorization model: with deep-learning algorithms, each function is represented as a high-dimensional vector that captures its semantics. Thanks to Tencent's accumulated security data, BinaryAI has the largest and most complete training data and industry-leading function similarity retrieval results, and the research has been published at top international conferences such as AAAI and NeurIPS.

Figure: BinaryAI function semantic vectorization model

A mining Trojan has two core functional modules: cryptographic (proof-of-work hash) computation and mining-pool communication, so the mining component function library used for sample matching is built from the hash computation and pool communication modules. The library is then cleaned in two passes: first, the frequency of each library function across a non-mining sample set is used to coarsely screen out generic functions; then the remaining functions are filtered more finely on the principle of whether they are directly related to mining. With the sample processing and the component function library in place, the BinaryAI engine's detection flow only needs to semantically match the functions of an unknown sample against the library and compute the hit ratio to classify the sample, giving a more efficient and accurate detection solution.
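The library-build-and-match pipeline just described (build library from the hash and pool modules, coarse screen by benign-set frequency, fine screen by mining relevance, then match an unknown sample and decide on the hit ratio), as an added example that is not BinaryAI's code. The deep-learning vectors are replaced by a toy bag-of-instruction-bigram vector so the example runs offline; every function body, component name, benign sample and threshold is constructed, and the 0.75 match threshold, 50% frequency cut-off and 50% hit-ratio decision rule are assumptions, not the engine's parameters.

```python
"""Added example (not Tencent's code): component library cleaning and
hit-ratio matching with a toy stand-in for the function-semantic vectors."""
import math
from collections import Counter

def bigram_vector(mnemonics):
    """Toy stand-in for the semantic model: counts of adjacent mnemonic pairs."""
    return Counter(zip(mnemonics, mnemonics[1:]))

def cosine(a, b):
    dot = sum(v * b[k] for k, v in a.items() if k in b)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def best_match(vec, vecs):
    return max((cosine(vec, v) for v in vecs), default=0.0)

# Constructed library code that also ships in many benign programs.
MEMCPY = ["mov", "rep", "movsb", "ret"]
STRLEN = ["xor", "cmp", "je", "inc", "jmp", "ret"]

# Raw mining component library: name -> (mnemonic sequence, module tag). "hash" is the
# proof-of-work hashing module, "pool" the pool-communication module (all constructed).
RAW_LIBRARY = {
    "cn_hash_round":  (["mov", "xor", "aesenc", "mul", "add", "shr", "or", "and", "sub", "ret"], "hash"),
    "cn_keccak_f":    (["rol", "xor", "not", "and", "ror", "or", "shl", "lea", "cmp", "jne", "ret"], "hash"),
    "stratum_login":  (["push", "call", "test", "jz", "lea", "cmp", "jne", "mov", "pop", "ret"], "pool"),
    "stratum_submit": (["sub", "mov", "lea", "call", "cmp", "je", "add", "ret"], "pool"),
    "memcpy_impl":    (MEMCPY, "generic"),
    "strlen_impl":    (STRLEN, "generic"),
}

# Constructed non-mining sample set (each sample is a list of functions) for the coarse screen.
BENIGN_CORPUS = [
    [MEMCPY, STRLEN, ["push", "mov", "sub", "call", "add", "pop", "ret"]],
    [MEMCPY, ["cmp", "jne", "lea", "call", "ret"]],
    [MEMCPY, ["xor", "mov", "inc", "cmp", "jl", "ret"]],
    [MEMCPY, ["mov", "lea", "call", "pop", "ret"]],
]

MATCH_THRESHOLD = 0.75   # similarity needed to call two functions "the same" (assumed)
FREQ_CUTOFF = 0.5        # drop library functions seen in >= 50% of benign samples (assumed)
MINING_TAGS = {"hash", "pool"}

def build_library(raw=RAW_LIBRARY, benign=BENIGN_CORPUS):
    """Coarse screen by benign-set frequency, then fine screen by mining relevance."""
    benign_vecs = [[bigram_vector(f) for f in sample] for sample in benign]
    cleaned = {}
    for name, (mnemonics, tag) in raw.items():
        vec = bigram_vector(mnemonics)
        seen_in = sum(1 for vecs in benign_vecs if best_match(vec, vecs) >= MATCH_THRESHOLD)
        if seen_in / len(benign) >= FREQ_CUTOFF:
            continue                     # coarse screen: too common in benign software
        if tag not in MINING_TAGS:
            continue                     # fine screen: not directly related to mining
        cleaned[name] = vec
    return cleaned

def detect(sample_funcs, library, hit_ratio_threshold=0.5):
    """Match each library function against the unknown sample; decide on the hit ratio."""
    sample_vecs = [bigram_vector(f) for f in sample_funcs]
    matched = [name for name, vec in library.items()
               if best_match(vec, sample_vecs) >= MATCH_THRESHOLD]
    ratio = len(matched) / len(library) if library else 0.0
    return {"matched": matched, "hit_ratio": ratio, "verdict": ratio >= hit_ratio_threshold}

# Constructed unknown samples: a rebuilt miner (one instruction changed in two functions,
# submit routine absent) and a benign network client.
MINER_VARIANT = [
    ["mov", "xor", "aesenc", "mul", "add", "nop", "shr", "or", "and", "sub", "ret"],
    ["rol", "xor", "not", "and", "ror", "or", "shl", "lea", "cmp", "jne", "ret"],
    ["push", "call", "test", "jz", "xor", "cmp", "jne", "mov", "pop", "ret"],
    MEMCPY,
]
BENIGN_CLIENT = [MEMCPY, STRLEN, ["push", "mov", "call", "cmp", "je", "pop", "ret"]]

if __name__ == "__main__":
    lib = build_library()
    print("cleaned library:", sorted(lib))
    for label, funcs in (("miner variant", MINER_VARIANT), ("benign client", BENIGN_CLIENT)):
        print(label, detect(funcs, lib))
```

The coarse screen removes memcpy_impl because every benign sample contains it; strlen_impl survives that pass (it appears in only one benign sample) and is removed by the fine screen because it is not mining-related. The rebuilt miner still matches three of the four cleaned library functions despite the changed instructions, while the benign client matches none, which is why matching on function semantics rather than exact bytes is robust to recompiled variants.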

Figure: principle of mining Trojan detection based on BinaryAI

Detection results of the BinaryAI engine

On a test set built from massive real-world data, the BinaryAI engine reaches 96% accuracy. Compared with traditional static detection of mining Trojans it solves the problem of a high false-positive rate, and because its design principle differs from other engines it also has good unique-detection ("independent reporting") capability, catching samples that other engines miss.

Tencent Host Security (Cloud Mirror) is the first product to integrate the BinaryAI engine and can use it to detect unknown mining Trojan threats. In the future more of Tencent Security's host-side and endpoint-side security products will be connected to the BinaryAI engine, applying its algorithms to every business scenario in which mining Trojans must be detected.

About Tencent Keen Security Lab

Tencent Keen Security Lab (Keen Security Lab of Tencent), founded in January 2016, is a world-class information security team under Tencent Group with more than ten years of accumulated experience in foundational security fields such as desktop security and mobile security. In recent years Keen Lab has actively expanded into frontier directions such as connected-vehicle security, industrial internet security and AI security, and its technical strength and research results have reached an internationally leading level. The Keen Lab team has won the top international hacking competition Pwn2Own three times and made history as the first Chinese team to win DEF CON CTF; it has also won heavyweight domestic CTF championships many times. Keen Lab has published security research on well-known brands such as Tesla, BMW, Lexus and Mercedes-Benz, helping manufacturers fix security problems and build comprehensive security systems. Escorting the digital transformation of every industry and protecting the information security of users across the internet is the mission of Tencent Keen Security Lab.

Recommended

The Tencent Host Security flagship launch event will be held in early January 2022, with more application examples and technical explanations. Please follow the updates from the Tencent Security Threat Intelligence Center official account!


Copyright notice
This article was created by [Tencent security]; please include a link to the original when reposting. Thank you.
https://yzsam.com/2021/11/20211117151051096k.html