USBIPS Framework: Protecting Hosts from Malicious USB Peripherals

USB-based attacks have increased in complexity in recent years. Modern attacks incorporate a wide range of attack vectors, from social engineering to signal injection. The security community is addressing these challenges using a growing set of fragmented defenses. Regardless of the vector of a USB-based attack, the most important risks concerning most people and enterprises are service crashes and data loss. The host OS manages USB peripherals, and malicious USB peripherals, such as those infected with BadUSB, can crash a service or steal data from the OS. Although USB firewalls have been proposed to thwart malicious USB peripherals, such as USBFilter and USBGuard, they cannot prevent real-world intrusions. This paper focuses on building a security framework called USBIPS within OSs to defend against malicious USB peripherals. This includes major efforts to explore the nature of malicious behavior and build persistent protection from USB-based intrusions. We first present a behavior-based detection mechanism focusing on attacks integrated into USB peripherals. We then introduce the novel idea of an allowlisting-based method for USB access control. We finally develop endpoint detection and response system to build the first generic security framework that thwarts USB-based intrusion. Within a centralized threat analysis framework, it provides persistent protection and may detect unknown malicious behavior. By addressing key security and performance challenges, these efforts help modern OSs against attacks from untrusted USB peripherals.
Comment: Under review by Computer Standards & Interfaces