D3-IDA

Detect
Input Device Analysis

Definition

Operating system level mechanisms to prevent abusive input device exploitation.

How it works

Input Device Hardening techniques filter certain commands, or disable related operating system functionality.

Analytics

All of these values can be analyzed and compared to a baseline:

Amount of input

Duration of a single input

Durations between inputs

Value of input

Context can also include:

User which is logged in, to include attributes such as physical location of the user

Date and time

System which is processing the input

Source device of input, to include its properties (eg. manufacturer), configuration (eg. keyboard layout) and behavioral attributes of this device (eg. first use)

Source system of input (local or remote system)

Other hardware devices attached to the system

Actions

Actions can include:

Disabling the source device

Sending an alert

Locking the current session (eg. system screen lock, or returning to an authentication screen in a web app) and requiring one or more methods of authentication to continue

Administratively disabling credentials for the account or the entire account -- the technique *Account Locking*

Examples

A malicious input device sends many keystrokes with approximately the same delay between each. This does not match the normal cadence of input, and the device is disabled.

Input to type the session user's name takes abnormally longer for each keystroke. The system is locked to the password prompt screen.

A system receives key press events from two different devices -- one device sends keystrokes after the other has been idle for a long time.

A system receives physical input in a user session, while that user has sent input from a device located out of the country in the past hour.

Network traffic is suddenly routed through a new external device, and nearly the same volume of network traffic is subsequently sent out the previously existing interface. The new external device is disabled, and an alert is raised to investigate the network configuration for a potential compromise.

Considerations

Given some example of legitimate behavioral input patterns, attackers could mimic those input patterns, a technique which has been used in popular culture in the creation of Deepfake videos and This Person Does Not Exist.

Artifact Relationships

This defensive technique relates to specific digital artifacts.

analyzes
Input Device Analysis
Input Device

References

Reference - Continuous authentication by analysis of keyboard typing characteristics - Bradford Univ., UK Reference - http://www.biometric-solutions.com/keystroke-dynamics.html - biometric-solutions.com