USB-Watch: a Generalized Hardware-Assisted Insider Threat Detection Framework

Denney, Kyle; Babun, Leonardo; Uluagac, A. Selcuk

doi:10.1007/s41635-020-00092-z

Cited by 12 publications

(5 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Additionally, the framework employs a decision tree anomaly detection classifier, which is implemented in the hardware itself. This classifier analyses the behavioral patterns of connected USB devices, allowing for the detection of anomalous behavior [19]. However, this method is not effective with insider threats which do not need USB connections.…”

Section: Literature Review and Related Workmentioning

confidence: 99%

Real-Time Intrusion Detection of Insider Threats in Industrial Control System Workstations Through File Integrity Monitoring

Al-Muntaser,

Mohamed,

Tuama

2023

IJACSA

View full text Add to dashboard Cite

Industrial control systems (ICS) play a crucial role in various industries and ensuring their security is paramount for maintaining process continuity and reliability. In ICS, the most damaging cyber-attacks often come from trusted insiders rather than external threats or malware. Insiders have the advantage of bypassing security measures and staying undetected. This research focuses on developing a real-time intrusion detection system for ICS workstations that effectively detects insider threats while prioritizing user privacy. The approach employs file integrity monitoring to identify suspicious activities, particularly file violations such as data tampering and destruction. The model presented in this research demonstrates low system resource consumption by utilizing an event-triggered approach instead of continuous polling of file data. The model leverages built-in operating system functions, eliminating the need for third-party software installation. To minimize disruptions to the ICS network, the model operates at the supervisory level within the ICS architecture. Through extensive testing, the model achieves a high level of accuracy, detecting insider intrusions with a high true positive rate. This reliable detection capability contributes to enhancing the security of ICS and mitigating the risks associated with insider threats. By implementing this real-time intrusion detection system, organizations can effectively protect their control systems while preserving user privacy.

show abstract

Section: Literature Review and Related Workmentioning

confidence: 99%

Real-Time Intrusion Detection of Insider Threats in Industrial Control System Workstations Through File Integrity Monitoring

Al-Muntaser,

Mohamed,

Tuama

2023

IJACSA

View full text Add to dashboard Cite

show abstract

“…An internet server can easily deduce the hopcount information from the IP Header's Time-to-Live (TTL) field. Using the IP to hop-count mapping, the server can distinguish between legitimate and spoofed IP packets [9,10], review [11] on Route Optimization in MIPv6 Experimental Test Bed for Network Mobility": "Trade off Analysis and Evaluation While in [12] demonstrates Zero Day Attack Prediction with Parameter Setting Using Bi Direction Recurrent Neural Network in Cyber Security. This work will improve upon a filtering technique known as Dynamic Path Update Based Hop Count Filtering, which has been used to detect and discard spoofed IP packets".…”

Section: Immune-inspiredmentioning

confidence: 99%

Mitigating Insider Threat’s IP Spoofing through Enhanced Dynamic Cluster Algorithm (EDPU Based HCF)

Akano,

Olayinka,

Adeniji

et al. 2024

AIR

View full text Add to dashboard Cite

Insider Threat has always been a major problem to computer security due to unauthorized system misuse by users in an organization. Understanding the concept and the inherent adverse consequences of the insider threat can assist in postulating mitigating approaches and techniques to the menace. Insider intrusion, from researches, experiences and literature have proved to be more expensive and destructive more than external attacks due the comprehensive understanding of the internal operations of the organization by the perpetrator. Many researchers have explored into the unhealthy nature of insider activity with the aim of eliminating the threat, thereby identifying the various categories as theft of intellectual property, fraud, sabotage, espionage. This work tends to address the menace by studying models for detecting, reducing and eliminating the threat through IP Spoofing in order to propose a better model for the intrusion. Certain experimental research through analysis of network data measurement has shown that HCF (Hop Count Filtering) can discover and discard almost 90% of spoofed IP packets but an improvement on this experiment called DPU (Dynamic Path Update) Based Hop Count Filtering has proved to identify and discard more than 90%. This was carried out in Linux Kernel environment to substantiate the effectiveness of its measurements. However, enhancing enhancing the performance of the DPU-based HCF by reducing the packet size of packets at the point of entry in order to decrease the network traffic, and to permanently discard 100% spoofed packets is the research direction of this work

show abstract

“…USB packet scanners and filters are tools that monitor the USB packets exchanged between the host and the device. USB-Watch is a framework that aims to identify rogue anomalous USB device behavior by analyzing the traffic exchanged with the host [30]. It is custom hardware that uses a Decision Tree anomaly detection classifier.…”

Section: Usb Defensesmentioning

confidence: 99%

“…Existing packet scanning tools like USB-Watch [30], GoodUSB [31] and USBFilter [32] are designed to monitor and control the packet exchanges between the host and the device, aiming to mitigate USB security threats. However, these tools might not be completely effective in preventing intrusions due to the inherent complexities of security-critical systems.…”

Section: Usb Defensesmentioning

confidence: 99%

To (US)Be or Not to (US)Be: Discovering Malicious USB Peripherals through Neural Network-Driven Power Analysis

Koffi,

Smiliotopoulos,

Kolias

et al. 2024

Electronics

View full text Add to dashboard Cite

Nowadays, The Universal Serial Bus (USB) is one of the most adopted communication standards. However, the ubiquity of this technology has attracted the interest of attackers. This situation is alarming, considering that the USB protocol has penetrated even into critical infrastructures. Unfortunately, the majority of the contemporary security detection and prevention mechanisms against USB-specific attacks work at the application layer of the USB protocol stack and, therefore, can only provide partial protection, assuming that the host is not itself compromised. Toward this end, we propose a USB authentication system designed to identify (and possibly block) heterogeneous USB-based attacks directly from the physical layer. Empirical observations demonstrate that any extraneous/malicious activity initiated by malicious/compromised USB peripherals tends to consume additional electrical power. Driven by this observation, our proposed solution is based on the analysis of the USB power consumption patterns. Valuable power readings can easily be obtained directly by the power lines of the USB connector with low-cost, off-the-shelf equipment. Our experiments demonstrate the ability to effectively distinguish benign from malicious USB devices, as well as USB peripherals from each other, relying on the power side channel. At the core of our analysis lies an Autoencoder model that handles the feature extraction process; this process is paired with a long short-term memory (LSTM) and a convolutional neural network (CNN) model for detecting malicious peripherals. We meticulously evaluated the effectiveness of our approach and compared its effectiveness against various other shallow machine learning (ML) methods. The results indicate that the proposed scheme can identify USB devices as benign or malicious/counterfeit with a perfect F1-score.

show abstract

USB-Watch: a Generalized Hardware-Assisted Insider Threat Detection Framework

Cited by 12 publications

References 12 publications

Real-Time Intrusion Detection of Insider Threats in Industrial Control System Workstations Through File Integrity Monitoring

Real-Time Intrusion Detection of Insider Threats in Industrial Control System Workstations Through File Integrity Monitoring

Mitigating Insider Threat’s IP Spoofing through Enhanced Dynamic Cluster Algorithm (EDPU Based HCF)

To (US)Be or Not to (US)Be: Discovering Malicious USB Peripherals through Neural Network-Driven Power Analysis

Contact Info

Product

Resources

About