USBESAFE: An End-Point Solution to Protect Against USB-Based Attacks


Amin Kharraz, University of Illinois at Urbana Champaign; Brandon L. Daley and Graham Z. Baker, MIT Lincoln Laboratory; William Robertson and Engin Kirda, Northeastern University


Targeted attacks via transient devices are not new. However, the introduction of BadUSB attacks has shifted the attack paradigm tremendously. Such attacks embed malicious code in device firmware and exploit the lack of access control in the USB protocol. In this paper, we propose USBESAFE as a mediator of the USB communication mechanism. By leveraging the insights from millions of USB packets, we propose techniques to generate a protection model that can identify covert USB attacks by distinguishing BadUSB devices as a set of novel observations. Our results show that USBESAFE works well in practice by achieving a true positive [TP] rate of 95.7% with 0.21% false positives [FP] with latency as low as three malicious USB packets on USB traffic. We tested USBESAFE by deploying the model at several end-points for 20 days and running multiple types of BadUSB-style attacks with different levels of sophistication. Our analysis shows that USBESAFE can detect a large number of mimicry attacks without introducing any significant changes to the standard USB protocol or the underlying systems. The performance evaluation also shows that USBESAFE is transparent to the operating system, and imposes no discernible performance overhead during the enumeration phase or USB communication compared to the unmodified Linux USB subsystem.

@inproceedings {242022,
author = {Amin Kharraz and Brandon L. Daley and Graham Z. Baker and William Robertson and Engin Kirda},
title = {{USBESAFE}: An {End-Point} Solution to Protect Against {USB-Based} Attacks},
booktitle = {22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2019)},
year = {2019},
isbn = {978-1-939133-07-6},
address = {Chaoyang District, Beijing},
pages = {89--103},
url = {},
publisher = {USENIX Association},
month = sep
}