From: Detection of illicit cryptomining using network metadata
Design choice | Efficiency | Privacy | Cost-efficiency | Ease of deployment | Robustness | Accuracy |
---|---|---|---|---|---|---|
Network- vs. endpoint-based | Does not slow down endpoints. | | Does not require endpoint agents. | Deployed and managed centrally. | Robust against endpoint evasion. | Not applicable to novel protocols§. |
NetFlow vs. DPI | Several orders of magnitude less input to process. | Traffic content is not inspected. | Network devices, e.g., switches, already support NetFlow aggregation. | No need to decrypt traffic using an HTTPS proxy. | Relatively robust against encryption. | Information loss due to aggregation§. |
One-class vs. binary classification | Amount of mining traffic used for OCC training is a small fraction of the normal enterprise traffic necessary for training binary classifiers. | No need to use sensitive enterprise traffic for training, only generic Stratum traffic. | Minimal training data maintenance: collection of generic Stratum traffic is sufficient. | The classifier, as trained by security vendors, can be shipped to customers without on-site adaptation. Minimal retraining required. | Not affected by any changes in enterprise traffic. | Information loss due to lack of access to normal traffic§. |
Specialized vs. generic NetFlow features | Computationally slightly more expensive§. | | | | Robust against encryption, proxying, and tunneling. | Tailored to Stratum protocol semantics. |
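The three rows on NetFlow aggregation, one-class classification and Stratum-tailored features combine into a single detection pipeline. The following is an added illustration, not code or the feature set from the paper: it trains a one-class detector on constructed Stratum-like NetFlow records only (no normal enterprise traffic), derives a handful of metadata-only features chosen here as assumptions (mean packet size, packet rate, server/client byte ratio, session duration), and scores unseen flows by how far they sit from the mining profile. The `Flow` fields, the sample records and the z-score threshold are all constructed for the example.

```python
"""
Added example (not from the paper): a minimal one-class detector over
NetFlow-style records. Flow fields, features and threshold are assumptions
chosen for illustration; the paper's actual feature set is not reproduced.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """Bidirectional NetFlow-style record (constructed fields; no payload)."""
    dst_port: int
    duration_s: float
    pkts_out: int    # client -> pool
    bytes_out: int
    pkts_in: int     # pool -> client
    bytes_in: int


def extract_features(f: Flow) -> tuple:
    """Metadata-only features (assumed, not the paper's). Stratum sessions are
    long-lived, low-rate, small-packet and roughly symmetric, so mean packet
    size, packet rate, pool/client byte ratio and duration separate them from
    bulk transfers and short request/response flows without inspecting payload."""
    pkts = f.pkts_out + f.pkts_in
    nbytes = f.bytes_out + f.bytes_in
    return (
        nbytes / pkts,                     # mean packet size (bytes)
        pkts / f.duration_s,               # packets per second
        f.bytes_in / max(f.bytes_out, 1),  # byte ratio pool->client / client->pool
        f.duration_s,                      # session length (s)
    )


class OneClassDetector:
    """Fits on mining (Stratum) flows only; flags a flow as mining when every
    feature lies within `threshold` standard deviations of the training mean.
    Normal enterprise traffic is never needed for training."""

    def __init__(self, threshold: float = 3.0):
        self.threshold = threshold
        self.mu = None
        self.sigma = None

    def fit(self, mining_flows):
        cols = list(zip(*(extract_features(f) for f in mining_flows)))
        self.mu = [mean(c) for c in cols]
        # floor sigma so a constant feature cannot cause division by zero
        self.sigma = [max(pstdev(c), 1e-9) for c in cols]
        return self

    def score(self, f: Flow) -> float:
        """Largest absolute z-score across features; small means Stratum-like."""
        feats = extract_features(f)
        return max(abs(x - m) / s for x, m, s in zip(feats, self.mu, self.sigma))

    def is_mining(self, f: Flow) -> bool:
        return self.score(f) <= self.threshold


# Constructed training set: Stratum-like sessions only (~1 share every ~30 s).
STRATUM_TRAINING = [
    Flow(3333, 3600.0, 130, 24_000, 120, 33_000),
    Flow(3333, 3000.0, 110, 20_500, 100, 29_000),
    Flow(4444, 4200.0, 150, 28_000, 140, 40_000),
    Flow(3333, 3300.0, 120, 21_000, 115, 31_000),
    Flow(14433, 3900.0, 140, 26_500, 130, 36_000),
]

# Constructed flows to score: a mining-shaped session on an unusual port,
# plus two benign shapes (bulk HTTPS download, single DNS lookup).
CANDIDATES = {
    "unknown-port-session": Flow(8080, 3500.0, 125, 23_000, 120, 33_500),
    "https-download": Flow(443, 5.0, 300, 20_000, 2000, 2_800_000),
    "dns-lookup": Flow(53, 0.05, 1, 70, 1, 150),
}


def run_demo(threshold: float = 3.0) -> dict:
    """Returns {name: is_mining} for the constructed candidates."""
    det = OneClassDetector(threshold).fit(STRATUM_TRAINING)
    return {name: det.is_mining(f) for name, f in CANDIDATES.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:22s} mining={verdict}")
```

The detector never looks at the destination port or at payload, which is why the mining-shaped session on port 8080 is still flagged while the download and the DNS lookup are not: that is the "robust against proxying and tunneling" property the table claims for Stratum-tailored features, obtained purely from aggregated metadata. With only five training records the per-feature standard deviations are tiny, so in practice the mining profile has to be fitted on a far larger corpus of generic Stratum traffic and the threshold tuned against the false-positive rate measured on the deployment network.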