Abstract

The Universal Serial Bus (USB) provides an easy and convenient architecture for attaching external devices to a computer, which has made USB devices one of the media through which malware spreads. Furthermore, attackers might exploit the weakness of USB devices and reprogram them as Human Interface Devices (HIDs) to conduct spoofing attacks. In this paper, an HID identification system, HIDTracker, is proposed to recognize suspicious HID attacks by analyzing native host event logs. The HID event graph is constructed by finding the time at which an HID is inserted and the events generated during a time period after insertion. In order to identify the suspiciousness of the events, the correlations between the process events and the objects within the event graph are analyzed with a guilt-by-association method, and an HID event scoring module is implemented to identify suspicious HID event graphs. We conduct three experiments to evaluate the effectiveness of HIDTracker. Experimental results show that with guilt-by-association analysis, our approach achieves a precision rate of 90%, and the false positive rate decreases to 2.33%.
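As an added illustration (not the paper's HIDTracker implementation), the following Python sketch builds one event graph per HID insertion from a constructed host event log and scores it with a simple guilt-by-association propagation; the window length, decay factor, seed list, threshold and log format are all assumptions.

```python
from collections import defaultdict

WINDOW = 30.0  # seconds after HID insertion in which events are collected (assumed)

# Constructed sample host event log; not taken from the paper.
LOG = [
    {"t": 100.0, "type": "hid_insert", "dev": "usb-keyboard-0"},
    {"t": 101.2, "type": "proc", "pid": 41, "obj": "powershell.exe", "kind": "exec"},
    {"t": 101.9, "type": "proc", "pid": 41, "obj": "C:/Users/alice/Documents", "kind": "read"},
    {"t": 102.5, "type": "proc", "pid": 41, "obj": "198.51.100.7:443", "kind": "net"},
    {"t": 400.0, "type": "hid_insert", "dev": "usb-keyboard-1"},
    {"t": 402.0, "type": "proc", "pid": 57, "obj": "notepad.exe", "kind": "exec"},
    {"t": 405.0, "type": "proc", "pid": 57, "obj": "C:/Users/alice/notes.txt", "kind": "write"},
]

# Seed suspicion for objects a defender already considers risky (constructed values).
SEEDS = {"198.51.100.7:443": 1.0, "powershell.exe": 0.6}

def build_event_graphs(log, window=WINDOW):
    """Return (device, graph) per HID insertion; graph maps pid -> set of touched objects."""
    graphs = []
    for ev in log:
        if ev["type"] != "hid_insert":
            continue
        g = defaultdict(set)
        for e in log:
            if e["type"] == "proc" and ev["t"] <= e["t"] <= ev["t"] + window:
                g[e["pid"]].add(e["obj"])
        graphs.append((ev["dev"], dict(g)))
    return graphs

def guilt_by_association(graph, seeds, rounds=3, decay=0.5):
    """Propagate suspicion from seed objects to processes and back along graph edges."""
    score = defaultdict(float, seeds)
    for _ in range(rounds):
        new = dict(score)
        for pid, objs in graph.items():
            # a process inherits (decayed) the strongest suspicion among objects it touched
            new[pid] = max(new.get(pid, 0.0), decay * max(score[o] for o in objs))
            for o in objs:  # and objects inherit (decayed) suspicion from the process
                new[o] = max(new.get(o, 0.0), decay * score[pid])
        score = defaultdict(float, new)
    return score

def score_graph(graph, seeds=SEEDS):
    """Suspiciousness of an HID event graph: the highest process score inside it."""
    s = guilt_by_association(graph, seeds)
    return max((s[pid] for pid in graph), default=0.0)

def flag_suspicious(log, threshold=0.5):
    """Devices whose post-insertion event graph scores at or above the threshold."""
    return [dev for dev, g in build_event_graphs(log) if score_graph(g) >= threshold]
```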
