New computer attack mimics user's keystroke characteristics, evading detection

Published 6 June 2019

Researchers have developed a new attack called “Malboard,” which evades several detection products that are intended to continuously verify the user’s identity based on personalized keystroke characteristics. 

A paper published in the journal Computers & Security reveals a sophisticated attack in which a compromised USB keyboard automatically generates and sends malicious keystrokes that mimic the attacked user’s behavioral characteristics.

Keystrokes generated maliciously do not typically match human typing and can easily be detected. Using artificial intelligence, however, this Malboard attack autonomously generates commands in the user’s style, injects the keystrokes as malicious software into the keyboard and evades detection. The keyboards used in the research were products by Microsoft, Lenovo and Dell.
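A simplified timing check of the kind the paragraph above alludes to, as an added example: it is not from the paper and is not the algorithm of KeyTrac, TypingDNA or DuckHunt. The function names, thresholds and sample timings are constructed assumptions.

```python
from itertools import accumulate
from math import sqrt
from statistics import mean, pstdev

def gaps(stamps):
    """Inter-key intervals (ms) from key-down timestamps (ms)."""
    return [b - a for a, b in zip(stamps, stamps[1:])]

def enroll(sessions):
    """Profile the user's known-good typing: mean and spread of gaps."""
    g = [x for s in sessions for x in gaps(s)]
    return {"mean": mean(g), "std": pstdev(g)}

def classify(stamps, profile, min_gap=20.0, min_cv=0.10, max_z=3.0):
    """Label one session. Thresholds are illustrative assumptions."""
    g = gaps(stamps)
    if len(g) < 5:
        return "insufficient-data"
    m, s = mean(g), pstdev(g)
    if m < min_gap:                     # faster than a person can type
        return "injected-too-fast"
    if s / m < min_cv:                  # machine-regular rhythm
        return "injected-too-regular"
    # Distance of the session mean from the enrolled mean, in standard errors.
    z = abs(m - profile["mean"]) / (profile["std"] / sqrt(len(g)))
    if z > max_z:                       # human-like, but not this user
        return "profile-mismatch"
    return "consistent"

def stamps_from(gap_list):
    """Constructed helper: turn a list of gaps into timestamps from t=0."""
    return list(accumulate([0] + gap_list))

# Constructed sample data (not measurements from the study).
ENROLLED = [stamps_from([120, 95, 180, 140, 110, 160, 90, 130]),
            stamps_from([135, 100, 170, 125, 150, 105, 145, 115])]
SAMPLES = {
    "same user":      stamps_from([125, 98, 165, 138, 112, 150, 102, 128]),
    "scripted burst": stamps_from([2] * 8),
    "fixed delay":    stamps_from([100] * 8),
    "other typist":   stamps_from([260, 210, 330, 240, 300, 220, 280, 250]),
}

if __name__ == "__main__":
    profile = enroll(ENROLLED)
    for name, s in SAMPLES.items():
        print(f"{name:15s} {classify(s, profile)}")
```

A check this simple only covers keystrokes that do not resemble the enrolled user's typing, which is the case the article says Malboard is built to avoid and the reason the researchers turn to side-channel measurements.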

“In the study, 30 people performed three different keystroke tests against the tested evasion against three existing detection mechanisms including KeyTrac, TypingDNA and DuckHunt. Our attack evaded detection in 83 percent-100 percent of the cases,” says Dr. Nir Nissim, head of the David and Janet Polak Family Malware Lab at Cyber@BGU, and a member of the BGU Department of Industrial Engineering and Management. “Malboard was effective in two scenarios: by a remote attacker using wireless communication to communicate, and by an inside attacker, such as an employee, that physically operates and uses Malboard.”

New detection modules proposed
BGU notes that both the attack and detection mechanisms were developed as part of the master’s thesis of Nitzan Farhi, a BGU student and member of the USBEAT project at the BGU Malware Lab.

“Our proposed detection modules are trusted and secured, based on information that can be measured from side-channel resources, in addition to data transmission,” Farhi says. “These include (1) the keyboard’s power consumption; (2) the keystrokes’ sound; and (3) the user’s behavior associated with his or her ability to respond to typographical errors.” 

“Each of the proposed detection modules is capable of detecting the Malboard attack in 100 percent of the cases, with no false positives,” Dr. Nissim adds. “Using them together as an ensemble detection framework will ensure that an organization is immune to the Malboard attack as well as other keystroke attacks.”

The researchers propose using this detection framework for every keyboard when purchased and daily at the outset, since sophisticated malicious keyboards can delay their malicious activity for a later time period. Many new attacks can detect the presence of security mechanisms and thus manage to evade or disable them. 

The BGU researchers plan to expand work on other popular USB devices, including computer mouse user movements, clicks, and duration of use. They also plan to enhance the typo insertion detection module and combine it with other existing keystroke dynamic mechanisms for user authentication since this behavior is difficult to replicate.

— Read more in Nitzan Farhi et al., “Malboard: A novel user keystroke impersonation attack and trusted detection framework based on side-channel analysis,” Computers & Security 85 (August 2019) (DOI: 10.1016/j.cose.2019.05.008)