The hosting company's operations manager received their October electricity bill on a Friday morning: €4,200 for a facility that typically ran €2,800 monthly. Something was consuming nearly 50% more power than expected across their 40-server fleet.
The obvious culprit should have been visible in standard monitoring. top showed normal process loads. htop revealed familiar application names. Resource monitoring dashboards displayed CPU utilisation within expected ranges. Yet somewhere in their infrastructure, cryptocurrency miners were silently consuming electricity worth hundreds of euros weekly.
The Investigation Begins: When Process Lists Lie
This wasn't the first time malware had disguised itself with legitimate process names. The attackers had named their mining processes kworker/0:1, systemd-resolve, and dbus-daemon - perfect mimicry of genuine system processes that most administrators would ignore in process lists.
Traditional monitoring focused on obvious metrics: process names, CPU percentages, memory usage. But cryptocurrency mining creates distinct computational patterns that remain visible even when process names lie.
Baseline CPU Instruction Analysis
The breakthrough came from examining /proc/stat over sustained periods. Legitimate system processes create varied instruction patterns as they handle different types of work. Cryptocurrency miners, however, execute the same mathematical operations continuously, creating recognisable signatures in the cumulative CPU time counters (user, system and idle time) that /proc/stat exposes.
Normal system activity shows fluctuating ratios between user time, system time, and idle periods. Mining malware maintains consistent high-intensity computation with minimal variation - exactly the pattern hidden in their /proc/stat data.
Identifying Suspicious Patterns
The investigation revealed three telltale signs in CPU instruction analysis:
Sustained computation consistency: Mining algorithms maintain steady CPU instruction rates over 10-15 minute periods, unlike legitimate applications that show natural variation in computational load.
User-space dominance: Cryptocurrency mining occurs primarily in user space, creating abnormally high user time ratios compared to system time - a pattern that process monitoring overlooks when focusing on individual process percentages.
Thermal correlation: Mining processes generate a consistent heat signature that tracks the instruction pattern, so temperature monitoring can confirm activity that CPU instruction analysis has flagged as suspicious.
Building Detection Scripts from /proc/stat
Once the pattern became clear, building automated detection required monitoring CPU instruction ratios rather than traditional process metrics.
The key insight: /proc/stat reveals system-wide computational characteristics that individual process analysis cannot detect. Mining malware might disguise process names and split workloads across multiple fake processes, but the underlying CPU instruction patterns remain consistent.
Real-Time Pattern Monitoring
Effective detection monitors CPU instruction ratios over rolling 5-minute windows. The script calculates user time, system time, and idle time percentages, then flags sustained periods where user time exceeds 85% with less than 10% variation.
Legitimate high-CPU applications create different patterns: compile jobs show bursts followed by idle periods, database queries create mixed user/system time ratios, and web applications generate variable loads based on traffic patterns.
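As an added example (not the article's or Server Scout's own code), the rolling-window check described above in Python: it parses the aggregate cpu line of /proc/stat, computes the user-time share of each sampling interval, and flags a window whose mean user share exceeds 85% with less than 10 points of spread. The 30 s sampling interval, the constructed sample series and the MiningPatternDetector name are assumptions.

```python
from collections import deque
from statistics import mean
# Added example, not Server Scout's agent; assumes one /proc/stat sample per 30 s, so 10 samples = 5 min.
FIELDS = ("user", "nice", "system", "idle", "iowait", "irq", "softirq", "steal")

def parse_cpu_line(stat_text):
    """Cumulative jiffy counters from the aggregate 'cpu' line of /proc/stat."""
    for line in stat_text.splitlines():
        parts = line.split()
        if parts and parts[0] == "cpu":
            return dict(zip(FIELDS, map(int, parts[1:1 + len(FIELDS)])))
    raise ValueError("no aggregate cpu line in /proc/stat text")

def user_share(prev, cur):
    """Percent of jiffies elapsed between two samples spent in user+nice time."""
    delta = {k: cur[k] - prev[k] for k in FIELDS}
    total = sum(delta.values()) or 1                 # guard: identical samples
    return 100.0 * (delta["user"] + delta["nice"]) / total

class MiningPatternDetector:
    """Rolling window over user-time share; flags steady user-dominant load."""
    def __init__(self, window=10, user_min=85.0, max_spread=10.0):
        self.window, self.user_min, self.max_spread = window, user_min, max_spread
        self.shares, self.prev = deque(maxlen=window), None
    def feed(self, stat_text):
        """Ingest one /proc/stat snapshot; return the verdict for the window."""
        cur = parse_cpu_line(stat_text)
        if self.prev is not None:
            self.shares.append(user_share(self.prev, cur))
        self.prev = cur
        if len(self.shares) < self.window:
            return "warming-up"
        spread = max(self.shares) - min(self.shares)  # percentage points
        if mean(self.shares) > self.user_min and spread < self.max_spread:
            return "sustained-user-dominant"           # the mining signature
        return "normal"

def make_stat(user, system, idle):
    """Constructed /proc/stat text carrying the given cumulative counters."""
    return f"cpu {user} 0 {system} {idle} 0 0 0 0\nintr 0\n"

def run_series(increments):
    """Replay constructed per-interval (user, system, idle) jiffy deltas."""
    det, user, system, idle, verdicts = MiningPatternDetector(), 0, 0, 0, []
    for du, ds, di in increments:
        user, system, idle = user + du, system + ds, idle + di
        verdicts.append(det.feed(make_stat(user, system, idle)))
    return verdicts

MINER = [(2750, 100, 150)] * 11                      # ~92% user, no variation
COMPILE = [(2700, 200, 100), (300, 100, 2600)] * 6   # bursts, then idle
```

On a live host, read /proc/stat every 30 s and pass the text to feed(); run_series(MINER) ends in a detection after ten steady intervals, while run_series(COMPILE), which alternates bursts and idle, stays normal.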
Alert Thresholds That Actually Work
The hosting company implemented three-tier detection: yellow alerts for 5-minute periods exceeding baseline instruction patterns, orange alerts for 15-minute sustained anomalies, and red alerts when temperature correlation confirms mining activity.
This approach eliminated false positives from legitimate high-CPU work while catching mining activity within minutes rather than days. The guide to understanding smart alerts explains how sustained thresholds prevent alert fatigue from brief CPU spikes.
Prevention Through Continuous Monitoring
The power bill investigation revealed that mining malware had operated undetected for six weeks. Traditional process monitoring had failed because it focused on what processes claimed to be rather than what they actually did.
Automating the Detection Pipeline
Continuous /proc/stat analysis became part of their standard monitoring stack. The CPU and memory monitoring documentation covers implementation details for teams wanting to build similar detection capabilities.
Server Scout's agent includes CPU instruction pattern analysis as standard functionality, monitoring the computational signatures that reveal mining activity regardless of process name spoofing. This monitoring approach catches threats that traditional process-based monitoring misses entirely.
The hosting company's October incident cost them €1,400 in excess electricity bills, but implementing CPU instruction pattern monitoring prevented three subsequent mining infections that would have cost significantly more. Real-time detection now catches suspicious computational patterns within minutes rather than waiting for monthly power bills to reveal the problem.
Most importantly, they learned that effective security monitoring requires understanding what systems do, not just what they claim to be doing. CPU instruction analysis provides that deeper visibility into actual system behaviour that process lists cannot reveal.
FAQ
Can cryptocurrency miners completely hide their CPU instruction patterns?
No. Mining algorithms require specific mathematical operations that create recognisable patterns in /proc/stat data, even when process names are spoofed or workloads are distributed across multiple fake processes.
How quickly can this detection method identify mining activity?
Properly configured CPU instruction pattern monitoring can detect mining activity within 5-10 minutes of execution, compared to traditional methods that might take weeks or require manual investigation.
Will this monitoring method interfere with legitimate high-CPU applications?
No. Legitimate applications like compilation, video encoding, or scientific computing create different instruction patterns than cryptocurrency mining, allowing the detection system to distinguish between normal and suspicious activity.