USB-Watch: a Generalized Hardware-Assisted Insider Threat Detection Framework

Today, USB is among the most widely used protocols, largely because of its plug-and-play nature and the number of devices it supports. However, the mass proliferation of USB has created a threat vector in which USB devices are assumed to be innocent, leaving computers open to attack. A malicious USB device can disguise itself as a benign one and inject malicious commands into the end device it is connected to. Currently, a rogue device appears as a normal USB device to the average OS, so advanced detection schemes (i.e., classification) are required to identify malicious behavior from such devices. However, an advanced threat can use system-level hooks to subvert OS-reliant detection schemes. This paper presents USB-Watch, a hardware-based USB threat detection framework. Using hardware allows the framework to collect live USB traffic before an advanced threat can alter the data on a corrupted OS. By analyzing the behavioral dynamics of USB devices, a decision-tree anomaly detection classifier can be placed in hardware, allowing abnormal behavior from connected USB devices to be detected. The framework tested achieves an ROC AUC of 0.99 against a testbed of live USB devices acting both normally and maliciously.
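The behavioral-dynamics idea above, as an added example that is not the USB-Watch authors' code: a small CART-style decision tree trained on constructed key-report timing traces. It assumes the hardware tap delivers per-device report timestamps (seconds) and that scripted keystroke injection arrives faster and more regularly than human typing; the traces, feature choice and learned threshold are illustrative, not the paper's.

```python
import statistics

# Constructed traces (seconds): human typing is irregular with ~150 ms gaps,
# scripted injection from a rogue device is machine-regular with ~5 ms gaps.
HUMAN = [[0.00, 0.18, 0.31, 0.52, 0.60], [0.00, 0.12, 0.40, 0.55, 0.81],
         [0.00, 0.25, 0.33, 0.61, 0.70]]
INJECTED = [[0.000, 0.005, 0.010, 0.015, 0.020], [0.000, 0.004, 0.008, 0.012, 0.016],
            [0.000, 0.006, 0.012, 0.018, 0.024]]

def features(timestamps):
    """Per-device features from >= 2 key-report timestamps: mean inter-arrival
    gap and its coefficient of variation (a regularity measure)."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.fmean(gaps)
    return mean, (statistics.pstdev(gaps) / mean if mean else 0.0)

def gini(labels):
    p = sum(labels) / len(labels)
    return 1.0 - p * p - (1.0 - p) * (1.0 - p)

def best_split(X, y):
    best = (gini(y), None, None)  # (weighted impurity, feature, threshold)
    for f in range(len(X[0])):
        for t in sorted({row[f] for row in X}):
            left = [y[i] for i, row in enumerate(X) if row[f] <= t]
            right = [y[i] for i, row in enumerate(X) if row[f] > t]
            if left and right:
                g = (len(left) * gini(left) + len(right) * gini(right)) / len(y)
                if g < best[0]:
                    best = (g, f, t)
    return best

def train(X, y, depth=2):
    """Greedy depth-limited tree; a leaf holds the majority label (1 = anomalous)."""
    _, f, t = best_split(X, y) if depth and len(set(y)) > 1 else (None, None, None)
    if f is None:
        return ("leaf", int(sum(y) * 2 >= len(y)))
    li = [i for i, row in enumerate(X) if row[f] <= t]
    ri = [i for i, row in enumerate(X) if row[f] > t]
    return ("node", f, t, train([X[i] for i in li], [y[i] for i in li], depth - 1),
            train([X[i] for i in ri], [y[i] for i in ri], depth - 1))

def predict(tree, x):
    while tree[0] == "node":
        _, f, t, left, right = tree
        tree = left if x[f] <= t else right
    return tree[1]

def build_model():
    X = [list(features(t)) for t in HUMAN + INJECTED]
    return train(X, [0] * len(HUMAN) + [1] * len(INJECTED))

def is_anomalous(model, timestamps):
    """True when a device's report timing looks like injection, not a human."""
    return predict(model, list(features(timestamps))) == 1
```

The learned tree is a handful of threshold comparisons, which is what makes this kind of classifier cheap enough to evaluate on the hardware tap itself rather than in the OS it is protecting.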
