Abstract
The USB protocol is among the most widely adopted protocols today thanks to its plug-and-play capabilities and the vast number of devices which support the protocol. However, this same adaptability leaves unwitting computing devices prone to attacks. Malicious USB devices can disguise themselves as benign devices (e.g., keyboard, mouse, etc.) to insert malicious commands on end devices. These malicious USB devices can mimic an actual device or a human typing pattern and appear as a real device to the operating system. Typically, advanced software-based detection schemes are used to identify the malicious nature of such devices. However, a powerful adversary (e.g., as rootkits or advanced persistent threats) can still subvert those software-based detection schemes. To address these concerns, in this work, we introduce a novel hardware-assisted, dynamic USB-threat detection framework called USB-Watch. Specifically, USB-Watch utilizes hardware placed between a USB device and the host machine to hook into the USB communication, collect USB data, and provides the capability to view unaltered USB protocol communications. This unfettered data is then fed into a machine learning-based classifier which dynamically determines the true nature of the USB device. Using real malicious USB devices (i.e., Rubber-Ducky) mimicking as a keyboard, we perform a thorough analysis of typing dynamic features (e.g., typing time differentials, key press durations, etc.) to effectively classify malicious USB devices from normal human typing behaviors. In this work, we show that USB-Watch provides a lightweight, OS-independent framework which effectively distinguishes differences between normal and malicious USB behaviors with a ROC curve of 0.89. To the best of our knowledge, this is the first hardware-based detection mechanism to dynamically detect threats coming from USB devices.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Cunningham, A.: How USB became the undefeated king of connectors, October 2017. https://www.wired.co.uk/article/usb-history
Nohl, K., Lell, J.: BadUSB-on accessories that turn evil, Black Hat USA (2014)
IBM bans USB drives - but will it work? May 2018. https://nakedsecurity.sophos.com/2018/05/11/ibm-bans-usb-drives-but-will-it-work/
Otachi, E.: 8 of the best antivirus with USB scanner for 2018, February 2018. https://windowsreport.com/antivirus-usb-scanner/
Neuner, S., Voyiatzis, A.G., Fotopoulos, S., Mulliner, C., Weippl, E.R.: USBlock: blocking USB-based keypress injection attacks. In: Kerschbaum, F., Paraboschi, S. (eds.) DBSec 2018. LNCS, vol. 10980, pp. 278–295. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-95729-6_18
Tian, D.J., Bates, A., Butler, K.: Defending against malicious USB firmware with goodUSB. In: Proceedings of the 31st Annual Computer Security Applications Conference, Series ACSAC 2015, New York, NY, USA, pp. 261–270. ACM (2015). https://doi.org/10.1145/2818000.2818040
Daley, B.L.: USBeSafe: applying one class SVM for effective USB event anomaly detection. Northeastern University, College of Computer and Information Systems Boston United States, Technical report (2016)
Sikka, S., Srivastva, U., Sharma, R.: A review of detection of USB malware. Int. J. Eng. Sci. 7, 14283 (2017)
Admin: Tutorial about USB hid report descriptors, January 2018. https://eleccelerator.com/tutorial-about-usb-hid-report-descriptors/
Looks like a flash drive. Types like a keyboard. https://www.hak5.org/gear/usb-rubber-ducky
Smith: Say hello to BadUSB 2.0: A USB man-in-the-middle attack proof of concept, June 2016. https://www.csoonline.com/article/3087484/security/say-hello-to-badusb-20-usb-man-in-the-middle-attack-proof-of-concept.html
RedTeam: USB drop attacks: the danger of “lost and found” thumb drives”, October 2017. https://www.redteamsecure.com/usb-drop-attacks-the-danger-of-lost-and-found-thumb-drives/
Bursztein, E.: Does dropping USB drives really work? Blackhat. Technical report (2016)
Mamiit, A.: How bad is BadUSB? security experts say there is no quick fix, vol. 18, p. 2014, November 2014
Moser, A., Kruegel, C., Kirda, E.: Limits of static analysis for malware detection. In: IEEE Twenty-Third Annual Computer Security Applications Conference ACSAC 2007, pp. 421–430 (2007)
Tian, D.J., Scaife, N., Bates, A., Butler, K., Traynor, P.: Making USB great again with USBFILTER. In: 25th USENIX Security Symposium (USENIX Security 16), pp. 415–430 (2016)
Robertson, J., Riley, M.: The big hack: How China used a tiny chip to infiltrate U.S. companies. https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies
Raval, M.S., Gandhi, R., Chaudhary, S.: Insider threat detection: machine learning way. In: Conti, M., Somani, G., Poovendran, R. (eds.) Versatile Cybersecurity. AIS, vol. 72, pp. 19–53. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-97643-3_2
Lopez, J., Babun, L., Aksu, H., Uluagac, A.S.: A survey on function and system call hooking approaches. J. Hardware Syst. Secur. 1(2), 114–136 (2017)
9.6. random - generate pseudo-random numbers. https://docs.python.org/2/library/random.html
Maxion, R.A., Roberts, R.R.: Proper use of ROC curves in Intrusion/Anomaly Detection. University of Newcastle upon Tyne, Computing Science (2004)
Acknowledgements
This work is partially supported by the US National Science Foundation (Awards: NSF-CAREER-CNS-1453647, NSF-1663051) and Florida Center for Cybersecurity’s Capacity Building Program. The views expressed are those of the authors only, not of the funding agencies.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Denney, K., Erdin, E., Babun, L., Vai, M., Uluagac, S. (2019). USB-Watch: A Dynamic Hardware-Assisted USB Threat Detection Framework. In: Chen, S., Choo, KK., Fu, X., Lou, W., Mohaisen, A. (eds) Security and Privacy in Communication Networks. SecureComm 2019. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 304. Springer, Cham. https://doi.org/10.1007/978-3-030-37228-6_7
Download citation
DOI: https://doi.org/10.1007/978-3-030-37228-6_7
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-37227-9
Online ISBN: 978-3-030-37228-6
eBook Packages: Computer ScienceComputer Science (R0)