The Internet of Things on AWS – Official Blog

Detect Cryptocurrency Mining Threats on Edge Devices using AWS IoT

Introduction

Machine learning (ML) at the edge requires powerful edge requires powerful edge devices with a unique set of requirements. The availability, safety, and security requirements for the edge differ from cloud since they are located at the customer site, outside the data center, and interface directly with operational technology (OT) and the internet. Since edge locations often lack the physical security that data centers have and lack the security controls available in the cloud, they have become attractive targets for bad actors such as cryptocurrency miners. In many cases, edge devices don’t have anti-malware defenses making it even more difficult to detect cryptocurrency mining activity.

An end-to-end security model that protects edge devices from hostile networks and protects sensitive data and ML models is paramount for a successful deployment. Customers can use AWS IoT Device Defender to help audit and monitor their edge device fleet. In this blog post, we show you the steps involved in helping to detect and mitigate cryptocurrency mining threats on edge devices using AWS IoT Device Defender custom metrics.

Cryptocurrency mining use case

Cryptocurrency, sometimes called crypto-currency or crypto, is any form of currency that exists digitally or virtually and uses cryptography to secure transactions. Cryptocurrency mining is a process of creating new digital coins and is a compute intensive activity that has been on the rise in recent years.

Cryptojacking is a type of cybercrime that involves the unauthorized use of devices (edge computers, smartphones, tablets, or even servers) to mine for cryptocurrency and illicitly create currency. As cryptocurrency prices rise and more powerful edge devices with GPU capabilities are used to run ML at the edge use cases, there is an increasing threat of cryptojackers to exploit security vulnerabilities on edge devices. When this happens, edge computing resources are used to mine crypto currency resulting in higher CPU/GPU usage and a degradation in performance of edge applications and an increase in ML at the edge inference processing times.

In this blog, we show you how to monitor CPU/GPU usage and ML at the edge inference processing time with custom metrics that can help indicate crypto currency mining activity on edge devices. AWS IoT Device Defender custom metrics are metrics you define that are unique to your devices and use case. In this cryptocurrency mining cyber security use case, you can monitor for anomalies using two custom metrics – CPU/GPU usage metric and average ML at the edge inference time metric. More information about using AWS IoT Device Defender for detecting cryptocurrency mining can be found here. Note that to investigate an anomaly, you need to correlate the alarm details with other contextual information such as device attributes, device metric historical trends, security profile metric historical trends, standard metrics, and logs to determine if a security threat is present.

Solution prerequisites

  1. AWS account
  2. A development environment/computer with docker and AWS CLI installed.
  3. AWS role or user with ability to create a new IAM user or role for AWS IoT Greengrass minimal IAM policy.
  4. A computer with the latest browser.
  5. Basic understanding of Linux such as creating directories, setting file permissions, and programming.

Solution architecture and overview

Our edge security solution for detecting cryptocurrency mining threats implements edge application management with AWS IoT Greengrass, custom metrics data collection and ingestion to the cloud with AWS IoT Greengrass custom components and AWS IoT Device Defender for security profile definition and monitoring.

The steps to implement the solution are as follows:

  • Create an AWS IoT Greengrass device
  • Create and deploy a custom AWS IoT Greengrass component for AWS IoT Device Defender
  • Define security profiles with custom metrics for GPU resources and average ML at the edge inference time in AWS IoT Device Defender
  • Simulate the GPU load and ML at the edge average inference time metric changes for a cryptocurrency mining situation
  • Check and acknowledge AWS IoT Device Defender service’s alarm status

Architecture Diagram Edge Security
Figure: Solution architecture to help monitor and detect edge devices for crypto currency mining threats

Solution walk through

1. Prepare and Publish AWS IoT Device Defender component with custom metrics

Connect to your development computer using AWS CLI or AWS Cloud9 instance. This blog post deploys the solution to the us-east-1 (N. Virginia) region by default. You’ll see instructions to change the region in case you want to deploy to another region.

First, run the following to install AWS IoT Greengrass Development Kit to test and publish custom AWS IoT Greengrass components.

python3 -m pip install -U git+https://github.com/aws-greengrass/aws-greengrass-gdk-cli.git@v1.1.0

We use a slightly modified version of a public and open source AWS IoT Device Defender component for AWS IoT Greengrass. The modifications are mainly enhanced debugging/logging for easier development workflow and custom metrics definitions for simulated GPU resource metrics and ML at the edge inference time metrics.

The public AWS IoT Device Defender component is deployed from the central AWS IoT Greengrass component repository, but the modified version will be stored in your own account.

Clone the Git repository of this blog post and run the component repository build script:

cd ~/environment
git clone https://github.com/aws-samples/aws-iot-blogs-greengrass-device-defender-custom
cd aws-iot-blogs-greengrass-device-defender-custom
chmod +x build.sh
./build.sh

Run the following to build and publish the AWS IoT Greengrass component. To change the default region us-east-1, modify region section in the com.awsiotblog.DeviceDefenderCustom/gdk-config.json file.

gdk component build
gdk component publish

Go to AWS IoT Greengrass console > Components to confirm your component is published.

Greengrass component

2. Create and deploy a containerized AWS IoT Greengrass device

In this section, we’ll use docker containers to create an AWS IoT Greengrass device to simulate and represent your edge device.

The Dockerfile in the repository will allow us to get the base AWS IoT Greengrass container image and build it with some GPU resource metric measurement files.

Run the following to build the AWS IoT Greengrass device container.

cd ~/environment/aws-iot-blogs-greengrass-device-defender-custom
docker build -t gg-awsiotblog-image .

The AWS IoT Greengrass container requires AWS credentials to provision these resources and deploy the local development tools. Create an IAM user with Minimal IAM policy for installer to provision resources or retrieve temporary AWS credentials from a role that has the same minimal IAM policy to provide it to the container. For details, see Run AWS IoT Greengrass in a Docker container with automatic resource provisioning.

Create a folder where you place your credential file.

cd ~/environment/
mkdir ./greengrass-v2-credentials

Create a configuration file named credentials in the ./greengrass-v2-credentials folder. Add your AWS credentials to the credentials file in the following format.

[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = AQoEXAMPLEH4aoAH0gNCAPy...truncated...zrkuWJOgQs8IZZaIv2BXIa2R4Olgk

Include aws_session_token for temporary credentials only.
Run the following to create, provision and initialize an AWS IoT Greengrass device. This container will represent your edge device with GPU resources.

docker run -v $(pwd)/greengrass-v2-credentials:/root/.aws/:ro \
-e GGC_ROOT_PATH=/greengrass/v2 \
-e AWS_REGION=us-east-1 \
-e PROVISION=true \
-e THING_NAME=gg-awsiotblog-01 \
-e THING_GROUP_NAME=gg-awsiotblog \
-e TES_ROLE_NAME=GGBlogTokenExchangeRole \
-e TES_ROLE_ALIAS_NAME=GGBlogTokenExchangeRoleAlias \
-e COMPONENT_DEFAULT_USER=ggc_user:ggc_group \
--name gg-awsiotblog-01 \
gg-awsiotblog-image:latest

After running the docker container, you’ll see the final log output as the following; this indicates your virtual AWS IoT Greengrass device is provisioned and started successfully.


Launching Nucleus…
Launched Nucleus successfully..

NOTE: After creating the first container, you can run the command with different THING_NAME inputs to create more virtual edge devices.

You can go to AWS IoT > Manage > Greengrass devices > Core devices to see the created AWS IoT Greengrass devices.

Greengrass core devices

3. Deploy components to the AWS IoT Greengrass simulated device fleet

Now, it’s time to deploy some components to your newly created device, including the custom/modified AWS IoT Device Defender component.

Before deploying the component, run the following command to allow the AWS IoT Greengrass device to download component artifacts from Amazon Simple Storage Service (Amazon S3).

cd ~/environment/
aws iam put-role-policy --role-name GGBlogTokenExchangeRole --policy-name GGComponentArtifactPolicy --policy-document file://component-artifact-policy.json

The deployed virtual device is added into gg-awsiot-blog thing group. So, you’ll create a deployment that targets the gg-awsiot-blog thing group.

  1. Go to AWS IoT > Manage > Greengrass devices > Deployments
  2. Choose Create, specify a deployment name
  3. Select the target name as gg-awsiotblog, choose Next
  4. On Step 2:
    1. Select com.awsiotblog.DeviceDefenderCustom under My components
    2. Select aws.greengrass.Cli and aws.greengrass.Nucleus under Public components
  5. On Step 3 – Configure components, you should see your 3 selected components.
  6. Choose “com.awsiotblog.DeviceDefenderCustom” component and select Configure component
  7. On the right pane, enter the following for Configuration to merge 
    {
"EnableGPUMetrics": true
}
  8. For the next steps, proceed by selecting Deploy.

After creating the deployment, your device will receive the deployment, apply it and report the status to the cloud. Finally; you’ll see the Core devices section in the deployment details page as your device reported as Healthy.

Greengrass core devices

Now, you have your AWS IoT Greengrass device reporting device-side metrics and custom metrics to AWS IoT Device Defender. You can check the actual payloads that the component publishes.

docker exec -it gg-awsiotblog-01 grep "stdout. Publishing metrics:" /greengrass/v2/logs/com.awsiotblog.DeviceDefenderCustom.log

Copy and paste the output JSON to your favorite JSON parser/viewer to check the metrics published from your devices.

4. Create a security profile for custom GPU resource metric and average ML at the edge average inference time metric.

Firstly, you’ll start with definition of the custom metrics in AWS IoT Device Defender:

  1. Go to AWS IoT > Manage > Security > Detect > Metrics and choose Create.
  2. Create a custom metric for GPU load.
    1. For name, specify gpu_load_per_inference
    2. For type, choose number.
  3. Create a custom metric for inference time.
    1. For name, specify avg_inference_time
    2. For type, choose number.

Now, AWS IoT Device Defender is able to monitor two defined custom metrics from the edge devices.

You can proceed to create a security profile that uses custom the GPU metric and the ML at the edge average inference time metric to evaluate the cryptocurrency threat situation.

  1. Navigate to the Security Profiles section of the AWS IoT Device Defender Console: AWS IoT > Manage > Security > Detect > Security Profiles
  2. Choose Create Security Profile and choose Create Rule-based anomaly Detect profile
  3. For Target, choose gg-awsiotblog
  4. Specify a Security Profile name
  5. Clear all Cloud-side metrics to keep the focus.
  6. Select two Device-side custom metrics that you just created; gpu_load_per_inference and avg_inference_time.
  7. Choose Next
  8. Under the Define metric behaviors section, specify the following parameters:
    1. Metric: gpu_load_per_inference
      1. Operator: “Less Than”
      2. Value: “40”
      3. Duration: “5 minutes”
    2. Metric: avg_inference_time
      1. Operator: “Less Than”
      2. Value: “100”
      3. Duration: “5 minutes”
  9. Choose Next
  10. Choose Create

AWS IoT Device Defender Security Profile

5. Run the cryptocurrency mining condition simulation

Now our simulated AWS IoT Greengrass device runs in a container and publishes device side metrics along with custom metrics to AWS IoT Device Defender service. Current values of custom metrics are within the expected behavior of the device.

In each container, there are two files that represent custom metrics as /var/gpu_load_fb and /var/gpu_inference_fb; similar to other available system metrics like CPU temperature, load … etc. The custom AWS IoT Device Defender component is configured to read metric values from those files for each metric publish operation.

Now, you’ll update the values in those files to simulate the condition of a cryptocurrency mining activity on your GPU-powered device, along with your ML model. Increase of GPU load and average ML model inference time will represent this situation as an abnormality.

docker exec -it gg-awsiotblog-01 bash -c "echo 85 > /var/gpu_load_fb; echo 180 > /var/gpu_inference_fb"

After running the update, you can check the published payloads for the device to see the increasing custom metrics in the payload, using the following command.

docker exec -it gg-awsiotblog-01 grep "stdout. Publishing metrics:" /greengrass/v2/logs/com.awsiotblog.DeviceDefenderCustom.log

Once metrics are delivered to the AWS IoT Device Defender service and evaluated by the service, you’ll see the alarm status on the Security Profile page.

AWS IoT Device Defender violations

Congrats! You made the AWS IoT Device Defender service monitor and detect an abnormal behavior by configuring your edge device to send GPU load and ML at the edge inference time custom metrics to help detect cryptocurrency mining threat at the edge.

Lastly, note that we’ve created the security profile with no automated actions. In this case, the alarm status appears only on the AWS IoT Device Defender console and you are able to start a mitigation action on the console. You can also create and set an Amazon Simple Notification Service in the security profile to notify users or other services and take customized automated actions in case of an AWS IoT Device Defender alarm. Check the documentation for the AWS IOT Device Defender Mitigation Actions for more information.

Cleanup

  • Stop and remove the docker container by running docker stop gg-awsiotblog-01 and docker rm -v gg-awsiotblog-01 commands.
  • Delete the created AWS IoT Greengrass device.
  • Delete the created custom AWS IoT Greengrass component.
  • Delete the security profiles and custom metrics in AWS IoT Device Defender.

Conclusion

It is important to quickly detect signs of cryptocurrency mining activity on your edge devices, so that you can protect your IoT/IIoT solution and maintain edge application performance. In this blog post, we demonstrated how to define custom metrics in AWS IoT Device Defender to monitor CPU/GPU usage and average ML at the edge inference time to help detect cryptocurrency mining activities by creating a rule-based security profile. Alternatively, customers could use AWS IoT Device Defender ML Detect to automatically set the security profile with custom metrics. The solution can be extended by using this example to create your own custom metrics unique to your device fleet or use case, get alerts, and take mitigation actions using AWS IoT Device Defender. You can read about other security use cases which AWS IoT Device Defender can support. In addition to using AWS IoT Device Defender to audit and monitor your fleet of IoT devices, AWS recommends following the Ten security golden rules for IIoT solutions, Implementing zero trust IoT solutions, Securing IoT with AWS whitepaper and AWS IoT Lens and being alert to the latest cryptojacking trends.

About the authors

Emir Ayar AWSEmir Ayar is a Tech Lead Solutions Architect on the AWS Prototyping team. He specializes in helping customers build IoT, ML at the Edge, and Industry 4.0 solutions and implement architectural best practices. He lives in Luxembourg and enjoys playing synthesizers.
Ryan Dsouza AWSRyan Dsouza is a Principal Solutions Architect for IoT at AWS. Based in New York City, Ryan helps customers design, develop, and operate more secure, scalable, and innovative solutions using the breadth and depth of AWS capabilities to deliver measurable business outcomes. Ryan has over 25 years of experience in digital platforms, smart manufacturing, energy management, building and industrial automation, and OT/IIoT security across a diverse range of industries. Before AWS, Ryan worked for Accenture, SIEMENS, General Electric, IBM, and AECOM, serving customers for their digital transformation initiatives.