Viewed technically, most past mining attacks implanted a virus into the target host through various intrusion methods and then used process-hiding techniques to evade anti-virus detection, so that the virus could control the host's CPU computing resources for a long time without being discovered. Today, with the introduction of the mining-pool concept, carrying out mining tasks no longer requires such a large amount of computing resources: a miner only needs to join a pool and contribute part of its computing power to receive a share of the mining rewards. Mining attacks in recent years show that a small number of viruses have begun to dynamically adjust the amount of computing resources they devote to mining, which increases the time and complexity of training features for machine learning. This thesis assumes that, beyond heavily consuming CPU hardware resources, a mining virus exhibits new behavioural characteristics when system utilization changes. The proposed method has three parts. First, big-data analysis is used to establish the host's normal pattern of hardware resource usage and so detect abnormal CPU states. Second, the virus is run in an experimental environment to observe how it uses the CPU; thresholds for oscillation amplitude and duration are then set according to the rate of change of system utilization, and these decide whether a CPU anomaly is caused by a mining program. Finally, the few programs whose utilization fluctuates most are suspended, and the resulting changes in system utilization and per-program utilization are observed to identify the actual mining process on the host. Experiments show that the proposed detection method not only finds mining viruses that consume large amounts of CPU resources but also performs very well against viruses that dynamically adjust their resource usage.
In past mining attacks, viewed from a technical standpoint, most viruses were implanted into the target host through various intrusion methods and used process-hiding techniques to evade detection by anti-virus software, so that the virus could control the host for a long time. Nowadays, with the introduction of the mining-pool concept, executing mining tasks no longer requires such a large amount of computing resources: miners only need to join a mining pool and donate part of their computing power to obtain a share of the mining rewards. Mining attacks in recent years show that a small number of viruses have begun to dynamically adjust the computing resources they use for mining, which increases the time and complexity of training features for machine learning. This thesis assumes that, in addition to heavily invoking CPU hardware resources, a mining virus will show new behavioural characteristics when system usage changes. The method proposed in this paper is divided into three parts. First, the normal usage behaviour of the host's hardware resources is derived from analysis of a large volume of data, in order to detect abnormal CPU states. Second, we run the virus in an experimental environment to observe how it uses the CPU, then set threshold values for oscillation amplitude and duration according to the change ratio of system usage, and use these to determine whether a CPU anomaly is caused by a mining program. Finally, we identify the actual mining program on the system by suspending the few programs with the largest changes in usage and observing the resulting changes in system usage and per-program usage.
Experiments show that the detection method proposed in this paper not only finds mining viruses that use a large amount of CPU resources, but also achieves outstanding results in detecting viruses that dynamically adjust their resource usage.
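The three-part procedure above, as an added toy example that is not code from the thesis: a baseline ceiling from normal samples (part 1), a duration/amplitude rule over the abnormal run (part 2), and a simulated "suspend and observe" ranking of the most variable processes (part 3). All CPU samples, process labels and threshold values are constructed assumptions; the abstract does not give the thesis's actual thresholds.

```python
from statistics import mean, pstdev

# Constructed 1-second CPU samples (percent), assumptions rather than thesis data.
# BASELINE is the host's normal behaviour. PROCS gives per-process usage for a
# later window in which pid_303 backs off while pid_202 (a user task) is busy,
# the throttling pattern the thesis describes. System usage is the per-sample sum.
BASELINE = [12, 15, 11, 14, 13, 16, 12, 10, 14, 13, 15, 12, 11, 14, 13, 12, 15, 14, 13, 12]
PROCS = {
    "pid_101": [2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2],
    "pid_202": [8, 7, 9, 8, 7, 40, 41, 39, 40, 42, 8, 7, 9, 8, 7],
    "pid_303": [70, 73, 75, 72, 73, 5, 4, 6, 5, 4, 74, 75, 72, 75, 73],
}
SYSTEM = [sum(col) for col in zip(*PROCS.values())]

def normal_ceiling(baseline, k=3.0):
    """Part 1: highest usage still treated as normal, mean + k*stdev of the baseline."""
    return mean(baseline) + k * pstdev(baseline)

def longest_abnormal_run(samples, ceiling):
    """Longest stretch of consecutive samples above the ceiling, as (start, length)."""
    best, start = (0, 0), None
    for i, v in enumerate(samples + [-1.0]):          # sentinel closes a trailing run
        if v > ceiling and start is None:
            start = i
        elif v <= ceiling and start is not None:
            best = max(best, (start, i - start), key=lambda r: r[1])
            start = None
    return best

def classify(samples, ceiling, min_duration=10, min_swing=20):
    """Part 2: a run is a mining candidate only if it persists for min_duration
    samples; a swing of min_swing or more inside the run marks an adaptive miner.
    Both thresholds are assumed for this example, not taken from the thesis."""
    start, length = longest_abnormal_run(samples, ceiling)
    window = samples[start:start + length]
    swing = (max(window) - min(window)) if window else 0
    return {"duration": length, "amplitude": swing,
            "suspect": length >= min_duration, "adaptive": swing >= min_swing}

def locate(procs, system, ceiling, top=2):
    """Part 3: take the top-k most variable processes and simulate suspending each
    by subtracting its usage; the process whose removal leaves the fewest abnormal
    system samples is the likely miner."""
    ranked = sorted(procs, key=lambda p: pstdev(procs[p]), reverse=True)[:top]
    remaining = {p: sum(s - u > ceiling for s, u in zip(system, procs[p])) for p in ranked}
    return min(remaining, key=remaining.get), remaining
```

Suspending pid_202 still leaves the high-load samples abnormal, while suspending pid_303 leaves only the user task's burst, which is why it ranks as the culprit.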