| 引用本文: |
-
李海洋,吕志强,郭峰,胡俊杰,韩迎龙,高子博.HIDTraInsp: 一种基于URB异常识别的HID攻击检测方法[J].信息安全学报,已采用 [点击复制]
- lihaiyang,LV Zhiqiang,GUO Feng,HU Junjie,HAN Yinglong,GAO Zibo.HIDTraInsp: A HID attack detection method based on URB anomaly recognition[J].Journal of Cyber Security,Accept [点击复制]
|
|
| 摘要: |
| HID设备(Human Interface Device)是应用十分广泛的一个USB(Universal Serial Bus)设备类,但如今一些HID设备已经沦为攻击者实施恶意指令执行、敏感数据窃取等攻击活动的工具,尤其是Teensy、BadUSB和USB Rubber Ducky以及它们的众多变种。这类攻击被称为HID攻击,它利用USB协议漏洞和操作系统漏洞能够实现多种恶意攻击活动,具有隐蔽性强、攻击速度快、威胁范围广和检测难度大等特点,现有的研究成果难以应对其复杂多变的攻击形式。本文中,我们首次从HID设备流量的角度来分析HID攻击技术,构建HID攻击模型:HID模拟按键注入攻击流量模型、利用自定义HID接口注入或泄漏数据的RawHID攻击流量模型和通过控制设备LED闪烁泄漏数据的FlickerHID攻击流量模型。我们首先从USB设备的URB(USB Request Block)队列中提取HID设备的数据帧流量,经过对比分析攻击流量和用户流量,得到攻击流量的异常特征。然后,提出基于异常规则匹配和基于异常流量识别的攻击检测方法,并称为HIDTraInsp,该方法通过识别异常设备、异常接口、异常行为,并利用HID报告信息熵、报告频谱、报告相似度和报告流量模式这四种异常特征识别异常流量模式,成功实现HID攻击的检测。本文从底层流量视角,全面刻画了HID攻击的全貌,检测方法覆盖目前已知的所有HID攻击,尤其是较好地解决了利用HID接口后门泄漏数据的RawHID攻击方式检测难的问题。经过攻击对抗实验和用户测试验证,准确率达到98%。 |
| 关键词: USB安全 HID攻击 URB队列 HID报告 流量异常识别 HID攻击检测 |
| DOI: |
| 投稿时间:2025-01-14修订日期:2025-02-27 |
| 基金项目: |
|
| HIDTraInsp: A HID attack detection method based on URB anomaly recognition |
|
lihaiyang1, LV Zhiqiang2, GUO Feng2, HU Junjie2, HAN Yinglong2, GAO Zibo2
|
| (1.Institute of information engineering,CAS;2.Institute of Information Engineering, Chinese Academy of Sciences) |
| Abstract: |
| HID devices (Human Interface Device) are a widely used USB (Universal Serial Bus) device class. However, some HID devices have become tools for attackers to execute malicious commands and steal sensitive data, especially Teensy, BadUSB, USB Rubber Ducky, and their many variants. This type of attack is called HID attack, which can achieve a va-riety of malicious attack activities by exploiting USB protocol vulnerabilities and operating system vulnerabilities. It has the characteristics of strong concealment, fast attack speed, wide threat range, and high detection difficulty. Existing research results are difficult to cope with its complex and changeable attack forms. In this paper, we analyze HID attack technology from the perspective of HID device traffic for the first time and construct HID attack models: HID simulated key injection attack traffic model, RawHID attack traffic model that uses custom HID interface to inject or leak data, and FlickerHID attack traffic model that leaks data by controlling the device LED flashing. We first extract the data frame traffic of the HID device from the URB (USB Request Block) queue of the USB device, and obtain the abnormal charac-teristics of the attack traffic by comparing and analyzing the attack traffic and user traffic. Then, we propose an attack detection method based on abnormal rule matching and abnormal traffic identification, and call it HIDTraInsp. This method successfully detects HID attacks by identifying abnormal devices, abnormal interfaces, abnormal behaviors, and using four abnormal characteristics: HID report information entropy, report spectrum, report similarity, and report traffic pattern. This method identifies abnormal traffic patterns and successfully implements the detection of HID attacks. This article comprehensively depicts the overall picture of HID attacks from the perspective of underlying traffic. The detec-tion method covers all currently known HID attacks, especially better solving the problem of difficulty in detecting RawHID attacks that use the HID interface backdoor to leak data. After attack confrontation experiments and user testing verification, the accuracy reached 98%. |
| Key words: USB security HID attack URB queue HID report Traffic anomaly identification HID attack detection |
