Forensic Log Based Detection For Keystroke Injection "BadUsb" Attacks
George Karantzas

TL;DR
This paper presents a behavioral detection method for BadUSB keystroke injection attacks by analyzing speed and process activity correlations to identify malicious hardware-based exploits.
Contribution
It introduces a novel detection approach that correlates keystroke injection behaviors with system events to identify BadUSB attacks.
Findings
Behavioral indicators can effectively detect keystroke injection attacks.
Correlating process and device events improves detection accuracy.
The method enables basic cognitive detection for users without advanced technical skills.
Abstract
This document describes an experiment whose main purpose is to detect BadUSB attacks that use external Human Interface Device (HID) hardware gadgets to inject keystrokes and acquire remote code execution. One of the main goals is to detect such activity based on behavioral factors and to allow anyone with a basic set of cognitive capabilities, regardless of whether the user is a human or a computer, to identify anomalous speed-related indicators, and also to correlate such speed changes with other elements: commonly malicious processes such as powershell processes being started in close proximity timing-wise, and PnP device events occurring in correlation with driver images being loaded.
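The abstract describes three signals: inter-keystroke timing too fast for a human, a PnP (device arrival) event shortly before the burst, and a commonly abused process such as powershell started shortly after it. The following Python is an added illustration of how those signals can be correlated; it is not code from the paper. The log format, the thresholds (30 ms maximum human interval, 8-key minimum burst, 2 s correlation window) and the event timestamps are all constructed assumptions for the example.

```python
"""Correlate keystroke-speed anomalies with process and PnP device events.

Added example, not the paper's own code. Event records, thresholds and the
sample timeline below are constructed assumptions; in practice the events
would come from keyboard-hook or ETW logs, process-creation auditing and
PnP device-arrival logs.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class KeyEvent:
    t_ms: float   # timestamp in milliseconds
    key: str


@dataclass
class ProcEvent:
    t_ms: float
    image: str    # image name of the created process


@dataclass
class PnpEvent:
    t_ms: float
    description: str


# Process images the abstract singles out as commonly malicious when started
# right after an injected keystroke burst (assumed list for the example).
SUSPICIOUS_IMAGES = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def fast_bursts(keys: List[KeyEvent], max_interval_ms: float = 30.0,
                min_len: int = 8) -> List[Tuple[float, float, int]]:
    """Return (start_ms, end_ms, n_keys) for every run of keystrokes whose
    inter-key gap never exceeds max_interval_ms. Human typing usually sits
    well above 30 ms between keys; injection hardware types much faster."""
    bursts = []
    run_start = 0
    for i in range(1, len(keys) + 1):
        # A run ends at the last key or when the gap to the next key is too large.
        if i == len(keys) or keys[i].t_ms - keys[i - 1].t_ms > max_interval_ms:
            n = i - run_start
            if n >= min_len:
                bursts.append((keys[run_start].t_ms, keys[i - 1].t_ms, n))
            run_start = i
    return bursts


def correlate(bursts, procs: List[ProcEvent], pnp: List[PnpEvent],
              window_ms: float = 2000.0) -> List[Dict]:
    """Score each burst: 1 for the speed anomaly itself, +1 if a suspicious
    process started within window_ms of the burst, +1 if a PnP device
    arrived within window_ms before the burst began."""
    alerts = []
    for start, end, n in bursts:
        procs_near = [p.image for p in procs
                      if start - window_ms <= p.t_ms <= end + window_ms
                      and p.image.lower() in SUSPICIOUS_IMAGES]
        pnp_near = [d.description for d in pnp
                    if start - window_ms <= d.t_ms <= start]
        score = 1 + (1 if procs_near else 0) + (1 if pnp_near else 0)
        alerts.append({"start_ms": start, "end_ms": end, "keys": n,
                       "processes": procs_near, "devices": pnp_near,
                       "score": score})
    return alerts


def sample_timeline():
    """Constructed timeline: ten human-paced keys, then a HID device arrives,
    then forty keys at 10 ms spacing, then powershell.exe starts."""
    keys = [KeyEvent(150.0 * i, "a") for i in range(10)]
    keys += [KeyEvent(10500.0 + 10.0 * i, "x") for i in range(40)]
    procs = [ProcEvent(3000.0, "cmd.exe"),          # unrelated, too early
             ProcEvent(5000.0, "explorer.exe"),
             ProcEvent(11200.0, "powershell.exe")]  # 310 ms after the burst
    pnp = [PnpEvent(10000.0, "HID Keyboard Device")]  # 500 ms before the burst
    return keys, procs, pnp


def analyze_sample() -> List[Dict]:
    keys, procs, pnp = sample_timeline()
    return correlate(fast_bursts(keys), procs, pnp)


if __name__ == "__main__":
    for alert in analyze_sample():
        print(alert)
```

A score of 3 means all three indicators from the abstract line up on the same burst; a lone fast burst (score 1) is worth logging but, on its own, can also be produced by paste operations or macro software, which is why the correlation step matters.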
Taxonomy
Topics: User Authentication and Security Systems · Digital and Cyber Forensics · Advanced Malware Detection Techniques
