Detecting Cryptojacking Containers Using eBPF-Based Security Runtime and Machine Learning

As the use of containers has become mainstream in the cloud environment, various security threats targeting containers have also been increasing. Among them, a notable malicious activity is a cryptojacking attack that steals resources without the consent of an instance owner to mine cryptocurrency. However, detecting such anomalies in a containerized environment is more complex because containers share the host kernel, making it challenging to pinpoint resource usage and anomalies at the container granularity without introducing significant overhead. To this end, this study proposes a runtime detection framework for identifying malicious mining behaviors in the cloud-native environment. By leveraging Tetragon, a runtime security tool based on the extended Berkeley Packet Filter (eBPF), we capture system call traces and flow-level information of cryptojacking containers to extract rich feature representations for training and evaluating various machine learning models. As a result of the experiment, our framework delivers up to 99.75% classification accuracy with moderate runtime monitoring overhead.