Detection and Practice of Cryptomining Behavior Based on Deep Packet Inspection

Abstract: To weave a tighter protective net, clean out mining Trojans, and effectively govern virtual-currency mining on the campus network, this paper proposes a model for detecting and blocking malicious mining behavior on a campus network. The model uses signature-based deep packet inspection combined with dynamic threat intelligence, builds a state-machine model of mining protocols, and performs deep packet analysis to identify those protocols, realizing the detection, identification and blocking of mining traffic at the campus network egress. Practice shows that the model detects virtual-currency-related traffic in real time, dynamically intercepts the communication between victim miners and mining pools, and locates infected hosts in real time, effectively curbing malicious mining on the campus network.
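As an added illustration (not code from the paper or its authors), the following Python sketches the protocol state machine the abstract describes: it pulls JSON-RPC method names out of captured payload lines, advances a per-flow state, and cross-checks the pool address against a threat-intelligence set. The Stratum-style method names, the record format and the sample traffic are assumptions constructed for this example.

```python
import json
from collections import defaultdict

# Stratum-style JSON-RPC method names (assumption: the "mining.*" dialect plus
# the "login"/"job"/"submit" dialect used by some CPU-mined coins).
HANDSHAKE = {"mining.subscribe", "login"}
SESSION = {"mining.authorize", "mining.notify", "mining.set_difficulty", "job"}
WORK = {"mining.submit", "submit"}

def next_state(state, method):
    """Advance one flow's state on a parsed JSON-RPC method name."""
    if state == "NEW" and method in HANDSHAKE:
        return "HANDSHAKE"
    if state == "HANDSHAKE" and method in SESSION:
        return "SESSION"
    if state in ("HANDSHAKE", "SESSION") and method in WORK:
        return "MINING"          # a share was submitted: the host is mining
    return state                 # unknown or out-of-order method: no change

def extract_method(payload):
    """DPI step: return the JSON-RPC method in one payload line, or None."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    return msg.get("method") if isinstance(msg, dict) else None

def analyse(records, pool_intel):
    """records: (campus_host, remote_ip, payload) tuples in capture order,
    both directions keyed by the campus host. pool_intel: remote IPs known
    as mining pools. Returns {campus_host: verdict} for flagged hosts."""
    state = defaultdict(lambda: "NEW")
    verdicts = {}
    for host, remote, payload in records:
        method = extract_method(payload)
        if method is None:
            continue
        state[host, remote] = next_state(state[host, remote], method)
        if state[host, remote] == "MINING":
            verdicts[host] = "mining: block " + remote
        elif state[host, remote] != "NEW" and remote in pool_intel:
            verdicts.setdefault(host, "stratum handshake with known pool " + remote)
    return verdicts

SAMPLE = [  # constructed sample traffic; all addresses are placeholders
    ("10.1.2.3", "203.0.113.10", '{"id":1,"method":"mining.subscribe","params":["miner/1.0"]}'),
    ("10.1.2.3", "203.0.113.10", '{"id":2,"method":"mining.authorize","params":["w.worker","x"]}'),
    ("10.1.2.3", "203.0.113.10", '{"id":null,"method":"mining.notify","params":["job1"]}'),
    ("10.1.2.3", "203.0.113.10", '{"id":3,"method":"mining.submit","params":["w.worker","job1"]}'),
    ("10.1.2.4", "203.0.113.20", '{"id":1,"method":"login","params":{"login":"w","pass":"x"}}'),
    ("10.1.2.5", "203.0.113.30", '{"id":1,"method":"getblocktemplate"}'),  # unrelated RPC
    ("10.1.2.6", "203.0.113.40", "GET / HTTP/1.1\r\n"),                    # not JSON-RPC
]
KNOWN_POOLS = {"203.0.113.20"}  # constructed threat-intelligence entry
```

Running `analyse(SAMPLE, KNOWN_POOLS)` flags 10.1.2.3 on the submitted share and 10.1.2.4 on the handshake with a listed pool, while the unrelated RPC and the HTTP request are left alone.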
