The focus of this dissertation is to build, within computer operating systems, a security framework called USBIPS to defend against malicious USB peripherals. It comprises three major studies whose aim is to explore the nature of malicious behaviors and to establish persistent protection against USB-based intrusion techniques. First, we propose a behavior-based detection mechanism that focuses on detecting attacks carried out through USB or in combination with USB. Second, we propose a novel whitelisting-based approach to USB access control. Finally, we develop and implement an endpoint detection and response (EDR) system and build the first generic security framework centered on USB intrusion protection. Through a centralized threat analysis framework, this system can provide persistent protection and can detect unknown malicious behaviors. By addressing key security and performance challenges, the research results in this dissertation not only make today's commonly used operating systems capable of resisting attacks from untrusted USB peripherals, but also open a broad avenue for follow-up research.

USB-based attacks have increased in complexity in recent years. Modern attacks now incorporate a wide range of attack vectors, from social engineering to signal injection. To address these challenges, the security community has responded with a growing set of fragmented defenses. No matter which vector a USB-based attack uses, the risks that most people and enterprises care about most are service crashes and data loss. The host operating system is responsible for managing USB peripherals; however, malicious peripherals, as in BadUSB attacks, can crash a service or steal data from the OS. Although some methods that work as a USB firewall, such as USBFILTER and USBGuard, have been proposed to defend against malicious USB peripherals, they still cannot stop the intrusions seen in the real world.
The focus of this dissertation is on building a security framework called USBIPS within operating systems to defend against malicious USB peripherals. It includes three major efforts to explore the nature of malicious behaviors and to build persistent protection against USB-based intrusions. We first present a behavior-based detection mechanism focusing on attacks that involve USB peripherals. We then introduce a novel whitelisting-based method for USB access control. We finally develop an Endpoint Detection and Response (EDR) system to build the first generic security framework for USB-based intrusion protection. Within the centralized threat analysis framework, the protection works persistently and has the potential to detect unknown malicious behaviors. By addressing key security and performance challenges, these works pave the way for hardening modern operating systems against attacks from untrusted USB peripherals.
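To illustrate the whitelisting-based USB access control idea described above, here is an added example that is not code from the dissertation or the USBIPS framework. It assumes a hypothetical policy in which a device is identified by its vendor ID, product ID and serial number, and is additionally allowed to expose only the interface classes recorded for it; a whitelisted flash drive that suddenly also presents a keyboard (HID) interface, as a BadUSB-style device would, is therefore blocked rather than trusted on identity alone.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# USB interface class codes from the USB specification.
HID_CLASS = 0x03
MASS_STORAGE_CLASS = 0x08


@dataclass(frozen=True)
class UsbDevice:
    """Identity and interface classes read from a device's descriptors."""
    vendor_id: int
    product_id: int
    serial: str
    interface_classes: FrozenSet[int]


@dataclass(frozen=True)
class WhitelistEntry:
    """An approved device and the exact interface classes it may expose."""
    vendor_id: int
    product_id: int
    serial: str
    interface_classes: FrozenSet[int]


def evaluate(device: UsbDevice, whitelist: List[WhitelistEntry]) -> Tuple[str, str]:
    """Return ("allow" | "block", reason). Default is deny: unknown devices are blocked."""
    for entry in whitelist:
        same_identity = (entry.vendor_id, entry.product_id, entry.serial) == (
            device.vendor_id, device.product_id, device.serial)
        if not same_identity:
            continue
        unexpected = device.interface_classes - entry.interface_classes
        if unexpected:
            # Identity matches, but the device presents more than it was approved for.
            return "block", "unexpected interface classes: " + ", ".join(
                f"0x{c:02x}" for c in sorted(unexpected))
        return "allow", "matches whitelist entry"
    return "block", "device not in whitelist"


# Constructed sample data (vendor/product IDs and serial are placeholders, not real devices).
SAMPLE_WHITELIST = [WhitelistEntry(0x1234, 0x5678, "SN-0001", frozenset({MASS_STORAGE_CLASS}))]
TRUSTED_DRIVE = UsbDevice(0x1234, 0x5678, "SN-0001", frozenset({MASS_STORAGE_CLASS}))
BADUSB_STYLE = UsbDevice(0x1234, 0x5678, "SN-0001", frozenset({MASS_STORAGE_CLASS, HID_CLASS}))
UNKNOWN_DEVICE = UsbDevice(0x1234, 0x5678, "SN-9999", frozenset({MASS_STORAGE_CLASS}))


def run_demo() -> dict:
    """Evaluate the three constructed devices against the sample whitelist."""
    return {name: evaluate(dev, SAMPLE_WHITELIST)[0] for name, dev in
            [("trusted", TRUSTED_DRIVE), ("badusb", BADUSB_STYLE), ("unknown", UNKNOWN_DEVICE)]}
```

Run `run_demo()` to see the three decisions; in a real deployment the whitelist would be populated from enrolled device descriptors and the decision applied before the OS binds a driver.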