USBeSafe: Applying One Class SVM for Effective USB Event Anomaly Detection

Descriptive Note:

Technical Report

Corporate Author:

Northeastern University, College of Computer and Information Systems Boston United States

Increased use of transient devices such as wireless keyboards, webcams, and flash storage in the last ten years has drastically increased the surface area through which attackers can target vulnerable systems. USB devices, a subclass of transient devices (TDs), have become a common transport mechanism for malware making its way into a target machine or network. The rogue-TD attack class, demonstrated by BadUSB, relies on updating the device firmware to perform malicious actions and can be undetectable at the end-user level if written effectively, as the attack hides in plain sight. In this thesis, we present USBeSafe as a first-of-its-kind machine learning-based anomaly detection framework for detecting a specific subclass of rogue-TD attack in which a covert keyboard interface is defined on a seemingly benign device. We apply machine learning techniques, specifically one-class support vector machines, to create an offline USB event anomaly detection system that serves as the basis for a live detection system. The USBeSafe system provides an extensible framework for efficient USB traffic feature extraction, model selection and training, and classification.

Subject Categories:

  • Cybernetics
  • Computer Systems Management and Standards
