USB-Watch: a Generalized Hardware-Assisted Insider Threat Detection Framework

2020 
Today, the USB protocol is among the most widely used protocols, mostly because of its plug-and-play nature and the number of devices it supports. However, the mass proliferation of USB has created a threat vector in which USB devices are assumed to be innocent, leaving computers open to attack. Malicious USB devices are able to disguise themselves as benign devices and inject malicious commands into the end devices they connect to. Currently, a rogue device appears to the average OS as a normal USB device, so advanced detection schemes (i.e., classification) are required to identify malicious behaviors from such devices. However, using system-level hooks, an advanced threat may subvert OS-reliant detection schemes. This paper showcases USB-Watch, a hardware-based USB threat detection framework. The use of hardware allows the framework to collect live USB traffic before advanced threats can alter the data in a compromised OS. By analyzing the behavioral dynamics of USB devices, a decision tree anomaly detection classifier can be placed in hardware, allowing abnormal behavior from connected USB devices to be detected. The framework tested achieves an ROC AUC of 0.99 against a testbed of live USB devices acting both normally and maliciously.
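To make the abstract's idea concrete, the following is an added toy example (not the paper's code or its learned tree) of classifying a USB HID device from the timing of the events it emits, the kind of behavioral dynamics a hardware tap can observe before the OS touches the data. The features, thresholds and sample timestamp sequences are all assumptions constructed for illustration.

```python
"""Toy USB-Watch-style classifier: decide from event timing whether a USB
HID device behaves like a human-driven keyboard or like a scripted injector.
Features, thresholds and samples are assumed for illustration only."""
from statistics import mean, pstdev

MIN_EVENTS = 4  # too few events to judge behaviour


def features(timestamps_ms):
    """Behavioural features from a list of event timestamps in milliseconds."""
    gaps = [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]
    m = mean(gaps)
    cv = pstdev(gaps) / m if m else 0.0              # jitter relative to mean gap
    span_s = (timestamps_ms[-1] - timestamps_ms[0]) / 1000.0
    rate = len(gaps) / span_s if span_s else float("inf")  # events per second
    return {"mean_gap": m, "cv": cv, "rate": rate}


def classify(timestamps_ms):
    """Hand-coded decision tree over the features (assumed split thresholds)."""
    if len(timestamps_ms) < MIN_EVENTS:
        return "insufficient"
    f = features(timestamps_ms)
    if f["rate"] > 20.0:      # human typing rarely sustains >20 events/s
        return "anomalous"
    if f["cv"] < 0.1:         # near-constant spacing looks like scripted replay
        return "anomalous"
    return "normal"


# Constructed samples: irregular human-like typing, a fast injector, and a
# slow injector that stays under the rate limit but has no timing jitter.
HUMAN = [0, 140, 310, 420, 690, 780, 1010, 1190, 1350, 1520]
FAST_INJECT = [0, 3, 6, 9, 12, 15, 18, 21, 24, 27]
SLOW_INJECT = [0, 60, 120, 180, 240, 300, 360, 420]

if __name__ == "__main__":
    for name, sample in [("human", HUMAN), ("fast", FAST_INJECT), ("slow", SLOW_INJECT)]:
        print(name, classify(sample))
```

The second split matters in practice: a rate threshold alone is easy to stay under, so the tree also looks at jitter, which scripted devices tend to lack.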