USBeSafe: Applying One Class SVM for Effective USB Event Anomaly Detection
Abstract
Increased use of transient devices such as wireless keyboards, webcams, and flash storage in the last ten years has drastically increased the surface area on which attackers can target vulnerable systems. USB devices, a subclass of transient devices (TDs), have become a common transport mechanism for malware making its way into a target machine or network. The rogue-TD attack class, demonstrated by BadUSB, relies on updating the device firmware to perform malicious actions and can be undetectable at the end-user level if written effectively, as the attack hides in plain sight. In this thesis, we present USBeSafe as a first-of-its-kind machine learning-based anomaly detection framework for detecting a specific subclass of rogue-TD attack in which a covert keyboard interface is defined on a seemingly benign device. We apply machine learning techniques, specifically one-class support vector machines, to create an offline USB event anomaly detection system that serves as the basis for a live detection system. The USBeSafe system provides an extensible framework for efficient USB traffic feature extraction, model selection and training, and classification.
Document Details
- Document Type: Technical Report
- Publication Date: Apr 25, 2016
- Accession Number: AD1033665
Entities
People
- Brandon L Daley
Organizations
- Northeastern University