1.
Kyle Denney, Enes Erdin, Leonardo Babun, Michael Vai, Selcuk Uluagac
USB-Watch: A Dynamic Hardware-Assisted USB Threat Detection Framework (Conference Paper)
In the Proceedings of the Security and Privacy in Communication Networks, 2020.
Tags: Hardware Security
@conference{Denney2019USB-Watchb,
title = {USB-Watch: A Dynamic Hardware-Assisted USB Threat Detection Framework},
author = {Kyle Denney and Enes Erdin and Leonardo Babun and Michael Vai and Selcuk Uluagac},
url = {https://link.springer.com/chapter/10.1007/978-3-030-37228-6_7},
year = {2020},
date = {2020-02-15},
urldate = {2020-02-15},
booktitle = {In the Proceedings of the Security and Privacy in Communication Networks},
abstract = {The USB protocol is among the most widely adopted protocols today thanks to its plug-and-play capabilities and the vast number of devices which support the protocol. However, this same adaptability leaves unwitting computing devices prone to attacks. Malicious USB devices can disguise themselves as benign devices (e.g., keyboard, mouse, etc.) to insert malicious commands on end devices. These malicious USB devices can mimic an actual device or a human typing pattern and appear as a real device to the operating system. Typically, advanced software-based detection schemes are used to identify the malicious nature of such devices. However, a powerful adversary (e.g., rootkits or advanced persistent threats) can still subvert those software-based detection schemes. To address these concerns, in this work, we introduce a novel hardware-assisted, dynamic USB-threat detection framework called USB-Watch. Specifically, USB-Watch utilizes hardware placed between a USB device and the host machine to hook into the USB communication, collect USB data, and provide the capability to view unaltered USB protocol communications. This unfettered data is then fed into a machine learning-based classifier which dynamically determines the true nature of the USB device. Using real malicious USB devices (i.e., Rubber-Ducky) posing as a keyboard, we perform a thorough analysis of typing dynamic features (e.g., typing time differentials, key press durations, etc.) to effectively classify malicious USB devices from normal human typing behaviors. In this work, we show that USB-Watch provides a lightweight, OS-independent framework which effectively distinguishes between normal and malicious USB behaviors with a ROC curve of 0.89. To the best of our knowledge, this is the first hardware-based detection mechanism to dynamically detect threats coming from USB devices.},
howpublished = {In the proceedings of the Security and Privacy in Communication Networks (SecureComm)},
keywords = {Hardware Security},
pubstate = {published},
tppubtype = {conference}
}
2.
Enes Erdin, Hidayet Aksu, Selcuk Uluagac, Michael Vai, Kemal Akkaya
OS Independent and Hardware-Assisted Insider Threat Detection and Prevention Framework (Conference Paper)
In the Proceedings of the IEEE Military Communications Conference (MILCOM), 2018.
Tags: Hardware Security, Malware
@conference{8599719b,
title = {OS Independent and Hardware-Assisted Insider Threat Detection and Prevention Framework},
author = {Enes Erdin and Hidayet Aksu and Selcuk Uluagac and Michael Vai and Kemal Akkaya},
url = {https://ieeexplore.ieee.org/abstract/document/8599719},
year = {2018},
date = {2018-01-01},
urldate = {2018-01-01},
publisher = {In the Proceedings of the IEEE Military Communications Conference (MILCOM)},
abstract = {Governmental and military institutions harbor critical infrastructure and highly confidential information. Although institutions invest heavily in protecting their data and assets from possible outsider attacks, insiders remain an untrusted source of information leakage. Malicious software injection is one among many attacks, but turning innocent employees into malicious attackers through social attacks is the most impactful one. Malicious insiders or uneducated employees are dangerous for organizations because they are already behind the perimeter protections that guard the digital assets; in effect, they are trojans on their own. For an insider, the easiest possible way of creating a hole in security is using the popular and ubiquitous Universal Serial Bus (USB) devices due to their versatile and easy-to-use plug-and-play nature. USB storage devices are the biggest threats for contaminating mission-critical infrastructure with viruses, malware, and trojans. USB human interface devices are also dangerous as they may connect to a host with destructive hidden functionalities. In this paper, we propose a novel hardware-assisted insider threat detection and prevention framework for the USB case. Our novel framework is also OS independent. We implemented a proof-of-concept design on an FPGA board which is widely used in military settings supporting critical missions, and demonstrated the results considering different experiments. Based on the results of these experiments, we show that our framework can identify rapid-keyboard key-stroke attacks and can easily detect the functionality of the USB device plugged in. We present the resource consumption of our framework on the FPGA for its utilization on a host controller device. We show that our hard-to-tamper framework introduces no overhead in USB communication in terms of user experience.},
keywords = {Hardware Security, Malware},
pubstate = {published},
tppubtype = {conference}
}
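Both abstracts above rest on the same idea: a hardware tap sees raw HID make/break reports, and timing features of those reports (inter-key time differentials, key press durations in the USB-Watch entry; rapid key-stroke rate in the MILCOM entry) separate a scripted injector from a human typist. The Python below is an added illustration, not the papers' code, model or data: the two event traces are constructed and the threshold rule and its numbers are assumptions.

```python
"""Keystroke-dynamics features named in the USB-Watch abstract (inter-key time
differentials, key press durations) extracted from HID make/break events and
scored by a simple rule. Illustrative: traces and thresholds are constructed."""
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class KeyEvent:
    t_ms: float    # capture time of the HID report, milliseconds
    key: str       # HID usage name, e.g. "KEY_A"
    pressed: bool  # True = make (press) report, False = break (release)

def build_trace(keys, gaps_ms, holds_ms):
    """Constructed trace: key i is pressed gaps_ms[i] after the previous press
    (gaps_ms[0] is the start offset) and released holds_ms[i] later."""
    events, t = [], 0.0
    for key, gap, hold in zip(keys, gaps_ms, holds_ms):
        t += gap
        events.append(KeyEvent(t, key, True))
        events.append(KeyEvent(t + hold, key, False))
    return events

def extract_features(events):
    """Mean/stdev of press-to-press intervals and of key hold durations."""
    events = sorted(events, key=lambda e: e.t_ms)
    presses = [e for e in events if e.pressed]
    if len(presses) < 2:
        raise ValueError("need at least two key presses")
    open_press, holds = {}, []
    for e in events:
        if e.pressed:
            open_press[e.key] = e.t_ms
        elif e.key in open_press:  # a release without a press is ignored
            holds.append(e.t_ms - open_press.pop(e.key))
    intervals = [b.t_ms - a.t_ms for a, b in zip(presses, presses[1:])]
    return {"interval_mean": mean(intervals), "interval_std": pstdev(intervals),
            "hold_mean": mean(holds) if holds else 0.0,
            "hold_std": pstdev(holds) if holds else 0.0}

def classify(features, min_interval_ms=40.0, min_jitter_ms=8.0):
    """Assumed rule: human typing shows gaps of tens of ms with visible jitter;
    a scripted injector is faster and near-constant. Thresholds are made up."""
    fast = features["interval_mean"] < min_interval_ms
    uniform = features["interval_std"] < min_jitter_ms
    return "scripted" if fast or uniform else "human"

KEYS = ["KEY_L", "KEY_S", "KEY_SPACE", "KEY_MINUS", "KEY_A"]
HUMAN = build_trace(KEYS, [0, 180, 95, 240, 130], [70, 90, 60, 110, 80])
SCRIPTED = build_trace(KEYS, [0, 10, 10, 10, 10], [5, 5, 5, 5, 5])
```

Calling `classify(extract_features(HUMAN))` returns "human" and the same call on `SCRIPTED` returns "scripted"; a real classifier would learn the thresholds from labelled captures rather than fix them by hand.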