
USB-Watch: a Generalized Hardware-Assisted Insider Threat Detection Framework

Journal of Hardware and Systems Security

Abstract

Today, the USB protocol is among the most widely used protocols—mostly due to its plug-and-play nature and the number of devices it supports. However, the mass proliferation of USB has led to a threat vector wherein USB devices are assumed innocent, leaving computers open to attack. Malicious USB devices are able to disguise themselves as benign devices in order to inject malicious commands into connected end devices. Currently, a rogue device appears as a normal USB device to the average OS, so advanced detection schemes (i.e., classification) are required to identify malicious behavior from such devices. However, using system-level hooks, an advanced threat may subvert OS-reliant detection schemes. This paper showcases USB-Watch, a hardware-based USB threat detection framework. The use of hardware allows the framework to collect live USB traffic before advanced threats can alter the data in a corrupted OS. By analyzing the behavioral dynamics of USB devices, a decision tree anomaly detection classifier can be placed into hardware—allowing the detection of abnormal behavior from connected USB devices. The framework as tested achieves an ROC AUC of 0.99 against a testbed of live USB devices acting both normally and maliciously.
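The abstract describes the detection idea only at a high level: summarize the behavior of USB traffic, train a decision tree on it, and report an ROC AUC. The following is an added illustration of that pipeline and is not the paper's own code, feature set, classifier or data. It assumes three constructed shapes of HID report timing (jittery human typing, a held key auto-repeating, and a tight scripted keystroke burst), three per-window timing features, and a depth-2 CART-style tree, all in the Python standard library, and it computes a rank-based ROC AUC on a held-out capture so the evaluation metric the abstract quotes is concrete. The auto-repeat case is included because it is benign traffic that looks machine-like on interval spread alone, which is the kind of edge case a single-feature threshold would misclassify.

```python
"""Added example: decision-tree anomaly detection over constructed USB HID
timing windows, scored with a rank-based ROC AUC (standard library only).
The traffic shapes, features and tree depth are assumptions for illustration."""
import random
import statistics


def window_features(intervals):
    """Summarize one window of inter-report gaps (ms): mean, spread, tightest gap."""
    return (statistics.mean(intervals),
            statistics.pstdev(intervals),
            min(intervals))


def make_dataset(seed, windows=40, size=16):
    """Constructed windows of HID report timing (label 1 = injected, 0 = human).

    human  : jittery gaps around 180 ms, as a person types
    repeat : near-constant ~33 ms gaps, a held key auto-repeating (benign)
    inject : tight ~8 ms gaps, a scripted keystroke burst
    """
    rng = random.Random(seed)
    X, y = [], []
    for _ in range(windows):
        human = [max(20.0, rng.gauss(180, 60)) for _ in range(size)]
        repeat = [max(1.0, rng.gauss(33, 1)) for _ in range(size)]
        inject = [max(1.0, rng.gauss(8, 2)) for _ in range(size)]
        for sample, label in ((human, 0), (repeat, 0), (inject, 1)):
            X.append(window_features(sample))
            y.append(label)
    return X, y


def gini(labels):
    """Gini impurity of a label list (0.0 when pure or empty)."""
    if not labels:
        return 0.0
    p = sum(labels) / len(labels)
    return 1.0 - p * p - (1.0 - p) * (1.0 - p)


def best_split(X, y):
    """Exhaustive search for the (feature, threshold) with lowest weighted Gini."""
    best = None
    for f in range(len(X[0])):
        values = sorted({x[f] for x in X})
        for lo, hi in zip(values, values[1:]):
            t = (lo + hi) / 2.0
            left = [yi for xi, yi in zip(X, y) if xi[f] <= t]
            right = [yi for xi, yi in zip(X, y) if xi[f] > t]
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(y)
            if best is None or score < best[0]:
                best = (score, f, t)
    return best


def build_tree(X, y, depth=0, max_depth=2):
    """Recursive CART-style tree; each leaf stores the fraction of injected windows."""
    pos = sum(y) / len(y)
    if depth == max_depth or pos in (0.0, 1.0) or len(y) < 4:
        return {"score": pos}
    split = best_split(X, y)
    if split is None or split[0] >= gini(y):
        return {"score": pos}
    _, f, t = split
    left = [(xi, yi) for xi, yi in zip(X, y) if xi[f] <= t]
    right = [(xi, yi) for xi, yi in zip(X, y) if xi[f] > t]
    return {"feature": f, "threshold": t,
            "left": build_tree([a for a, _ in left], [b for _, b in left], depth + 1, max_depth),
            "right": build_tree([a for a, _ in right], [b for _, b in right], depth + 1, max_depth)}


def predict_score(tree, x):
    """Walk the tree; a higher score means the window looks more like injection."""
    while "feature" in tree:
        tree = tree["left"] if x[tree["feature"]] <= tree["threshold"] else tree["right"]
    return tree["score"]


def roc_auc(scores, labels):
    """Rank-based AUC: P(score of a random positive > score of a random negative)."""
    pos = [s for s, l in zip(scores, labels) if l == 1]
    neg = [s for s, l in zip(scores, labels) if l == 0]
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))


def evaluate():
    """Train on one constructed capture, score a second one, return (tree, AUC)."""
    X_train, y_train = make_dataset(seed=1)
    X_test, y_test = make_dataset(seed=2)
    tree = build_tree(X_train, y_train)
    scores = [predict_score(tree, x) for x in X_test]
    return tree, roc_auc(scores, y_test)


if __name__ == "__main__":
    fitted, auc = evaluate()
    print("tree:", fitted)
    print("ROC AUC on held-out windows:", round(auc, 3))
```

Because the tree's leaves hold a class fraction rather than a hard label, the detector emits a score that can be thresholded at different operating points, which is what an ROC curve (and its AUC) summarizes. The same structure of comparisons against fixed thresholds is what makes a shallow tree attractive for a hardware implementation, as the abstract notes; a real deployment would draw its features from captured USB traffic rather than from the constructed generator used here.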



Funding

This work is partially supported by the US National Science Foundation (Awards: NSF-CAREER-CNS-1453647, NSF-1663051) and Florida Center for Cybersecurity’s Capacity Building Program. The views expressed are those of the authors only, not of the funding agencies.

Author information

Correspondence to Kyle Denney.


Cite this article

Denney, K., Babun, L. & Uluagac, A.S. USB-Watch: a Generalized Hardware-Assisted Insider Threat Detection Framework. J Hardw Syst Secur 4, 136–149 (2020). https://doi.org/10.1007/s41635-020-00092-z
