Accession Number : AD1033665

Title : USBeSafe: Applying One Class SVM for Effective USB Event Anomaly Detection

Descriptive Note : Technical Report

Corporate Author : Northeastern University, College of Computer and Information Systems Boston United States

Personal Author(s) : Daley,Brandon L

Report Date : 25 Apr 2016

Pagination or Media Count : 95

Abstract : Increased use of transient devices such as wireless keyboards, webcams, and flash storage in the last ten years has drastically increased the surface area on which attackers can target vulnerable systems. USB devices, a subclass of transient devices (TDs), have become a common transport mechanism for malware making its way into a target machine or network. The rogue-TD attack class, demonstrated by BadUSB, relies on updating the device firmware to perform malicious actions and can be undetectable at the end-user level if written effectively, as the attack hides in plain sight. In this thesis, we present USBeSafe as a first-of-its-kind machine learning-based anomaly detection framework for detecting a specific subclass of rogue-TD attack in which a covert keyboard interface is defined on a seemingly benign device. We apply machine learning techniques, specifically one-class support vector machines, to create an offline USB event anomaly detection system that serves as the basis for a live detection system. The USBeSafe system provides an extensible framework for efficient USB traffic feature extraction, model selection and training, and classification.

Descriptors : computer network security, supervised machine learning, kernel functions, feature extraction, artificial neural networks, change detection, information systems, pattern recognition, classification, dimensionality reduction

Subject Categories : Cybernetics; Computer Systems Management and Standards

Distribution Statement : APPROVED FOR PUBLIC RELEASE