Abstract
Today, the USB protocol is among the most widely used protocols, largely because of its plug-and-play nature and the number of devices it supports. However, the mass proliferation of USB has created a threat vector in which USB devices are assumed to be innocent, leaving computers open to attack. Malicious USB devices can disguise themselves as benign devices and inject malicious commands into the hosts they connect to. Currently, a rogue device appears as a normal USB device to the average OS, so advanced detection schemes (i.e., classification) are needed to identify malicious behavior from such devices. However, using system-level hooks, an advanced threat may subvert OS-reliant detection schemes. This paper showcases USB-Watch, a hardware-based USB threat detection framework. The use of hardware allows the framework to collect live USB traffic before advanced threats can alter the data in a corrupted OS. By analyzing the behavioral dynamics of USB devices, a decision-tree anomaly detection classifier can be placed in hardware, allowing abnormal behavior of connected USB devices to be detected. The framework tested achieves an ROC AUC of 0.99 against a testbed of live USB devices acting both normally and maliciously.
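To make the abstract's detection idea concrete, the following is an added example written for this page; it is not the USB-Watch code and does not reproduce the paper's features, tree, or dataset. It assumes that the hardware tap logs HID keystroke reports as (timestamp, key code) pairs, derives simple timing features from each window (the "behavioral dynamics"), applies a small hand-built decision tree whose thresholds are assumptions chosen for illustration, and computes the ROC AUC of the tree's scores over a handful of constructed, labelled windows using the rank identity. The sample windows are constructed, not captured traffic.

```python
from statistics import mean, pstdev

# ---- Constructed sample traffic (not captured data) -------------------------
# Each window is a list of (timestamp_seconds, HID usage code) keystroke reports,
# as a tap sitting on the USB line (before the host OS) might log them.

def make_session(gaps, start=0.0, key=0x04):
    """Build a constructed keystroke window from a list of inter-keystroke gaps."""
    events, t = [(start, key)], start
    for gap in gaps:
        t += gap
        events.append((t, key))
    return events

HUMAN_SESSION = make_session([0.182, 0.159, 0.261, 0.131, 0.218, 0.269, 0.176, 0.144, 0.239])
INJECTED_SESSION = make_session([0.012] * 9)   # scripted payload, one key every 12 ms

# (window, label): 1 = keystroke injection, 0 = a person typing
LABELLED_WINDOWS = [
    (HUMAN_SESSION, 0),
    (make_session([0.07, 0.09, 0.06, 0.11, 0.08, 0.07, 0.10, 0.06, 0.09]), 0),      # fast typist
    (make_session([0.15, 0.21, 0.015, 0.18, 0.22, 0.17, 0.19, 0.16, 0.20]), 0),     # one rollover-style short gap
    (INJECTED_SESSION, 1),
    (make_session([0.1] * 9), 1),                                                   # slowed down but machine-regular
    (make_session([0.03, 0.045, 0.025, 0.05, 0.035, 0.04, 0.03, 0.045, 0.04]), 1),  # jittered fast script
]

def features(events):
    """Timing features of one window of keystroke reports (the 'behavioral dynamics')."""
    if len(events) < 2:
        raise ValueError("need at least two keystroke reports to compute gaps")
    ts = [t for t, _ in events]
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return {
        "mean_gap": mean(gaps),                 # seconds between consecutive keys
        "std_gap": pstdev(gaps),                # people jitter, scripts do not
        "min_gap": min(gaps),
        "rate": len(gaps) / (ts[-1] - ts[0]),   # keystrokes per second
    }

# Thresholds below are assumptions chosen for this example, not values from the paper.
def decision_tree(f):
    """Hand-built decision tree over the features. Returns (label, anomaly score)."""
    if f["mean_gap"] < 0.05:        # sustained > 20 keys/s: faster than people type
        return "anomalous", 0.95
    if f["std_gap"] < 0.01:         # near-constant spacing: no human jitter at all
        return "anomalous", 0.80
    if f["min_gap"] < 0.02:         # a single very short gap: suspicious, not conclusive
        return "suspicious", 0.50
    return "normal", 0.10

def classify(events):
    return decision_tree(features(events))

def roc_auc(scores, labels):
    """ROC AUC via the rank identity: the probability that a random anomalous
    window scores higher than a random normal one (ties count as one half)."""
    pos = [s for s, l in zip(scores, labels) if l == 1]
    neg = [s for s, l in zip(scores, labels) if l == 0]
    wins = 0.0
    for p in pos:
        for n in neg:
            wins += 1.0 if p > n else 0.5 if p == n else 0.0
    return wins / (len(pos) * len(neg))

def evaluate(windows=LABELLED_WINDOWS):
    """Score every labelled window and return the AUC of the tree's scores."""
    scores = [classify(events)[1] for events, _ in windows]
    labels = [label for _, label in windows]
    return roc_auc(scores, labels)

if __name__ == "__main__":
    for name, events in (("human", HUMAN_SESSION), ("injected", INJECTED_SESSION)):
        print(name, classify(events), {k: round(v, 4) for k, v in features(events).items()})
    print("ROC AUC over constructed windows:", evaluate())
```

The point of placing the feature extraction and tree on the USB line rather than in the OS is visible in the data flow: the timestamps come from the tap, so a host-side hook that rewrites or drops events cannot change what the classifier sees. The rollover-style window shows why a single short gap is only "suspicious"; a tree deployed for real would be trained on measured traffic rather than the hand-picked thresholds used here.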
Funding
This work is partially supported by the US National Science Foundation (Awards: NSF-CAREER-CNS-1453647, NSF-1663051) and Florida Center for Cybersecurity’s Capacity Building Program. The views expressed are those of the authors only, not of the funding agencies.
Cite this article
Denney, K., Babun, L. & Uluagac, A.S. USB-Watch: a Generalized Hardware-Assisted Insider Threat Detection Framework. J Hardw Syst Secur 4, 136–149 (2020). https://doi.org/10.1007/s41635-020-00092-z