USB-Watch: A Dynamic Hardware-Assisted USB Threat Detection Framework

The USB protocol is among the most widely adopted protocols today thanks to its plug-and-play capabilities and the vast number of devices which support the protocol. However, this same adaptability leaves unwitting computing devices prone to attacks. Malicious USB devices can disguise themselves as benign devices (e.g., keyboard, mouse, etc.) to insert malicious commands on end devices. These malicious USB devices can mimic an actual device or a human typing pattern and appear as a real device to the operating system. Typically, advanced software-based detection schemes are used to identify the malicious nature of such devices. However, a powerful adversary (e.g., as rootkits or advanced persistent threats) can still subvert those software-based detection schemes. To address these concerns, in this work, we introduce a novel hardware-assisted, dynamic USB-threat detection framework called USB-Watch. Specifically, USB-Watch utilizes hardware placed between a USB device and the host machine to hook into the USB communication, collect USB data, and provides the capability to view unaltered USB protocol communications. This unfettered data is then fed into a machine learning-based classifier which dynamically determines the true nature of the USB device. Using real malicious USB devices (i.e., Rubber-Ducky) mimicking as a keyboard, we perform a thorough analysis of typing dynamic features (e.g., typing time differentials, key press durations, etc.) to effectively classify malicious USB devices from normal human typing behaviors. In this work, we show that USB-Watch provides a lightweight, OS-independent framework which effectively distinguishes differences between normal and malicious USB behaviors with a ROC curve of 0.89. To the best of our knowledge, this is the first hardware-based detection mechanism to dynamically detect threats coming from USB devices.