- The paper introduces a privacy-preserving detection framework using keystroke timing features, achieving ROC-AUC above 0.9 against most attack types.
- It employs lightweight models, such as Random Forests and LSTMs, optimized for real-time performance with minimal keystroke windows.
- The study reveals that robust detection relies on diverse adversarial models rather than increased classifier complexity.
Keystroke Dynamics for HID Injection Detection: Systematic Characterization and Evaluation
Introduction
The paper "QUACK! Making the (Rubber) Ducky Talk: A Systematic Study of Keystroke Dynamics for HID Injection Detection" (2604.15845) presents a comprehensive analysis of keystroke dynamics as a behavioral mechanism for detecting USB Human Interface Device (HID) injection attacks. These attacks—epitomized by devices such as the USB Rubber Ducky—exploit the implicit trust of conventional operating systems in peripheral input streams, allowing adversaries to inject synthetic keystrokes that trigger illegitimate actions without triggering classical endpoint detection countermeasures. The authors argue that previous work predominantly targets user authentication and device fingerprinting, which neither generalizes to human-vs-automation discrimination nor preserves user privacy. This study advances the state of the art by reframing the detection of malicious keystroke injections into a privacy-preserving, lightweight learning task independent of user identity.
System and Threat Model
The research posits a threat scenario wherein adversaries with physical access insert a malicious HID peripheral (e.g., a USB Rubber Ducky) to deliver payloads as plausible keystroke sequences. This attack vector is highly relevant for both opportunistic intrusions and supply-chain threats. As illustrated in (Figure 1), genuine user-generated keystroke sequences are interleaved with machine-generated inputs. The detection framework, deployed at the OS input pipeline, extracts only timing-based features—hold time (HT) and flight time (FT)—from streaming keystrokes, never accessing semantic key content. This design enforces user privacy while limiting attack surfaces to behavioral signatures.
Figure 1: System and threat model depicting attacker injection via USB Rubber Ducky and real-time extraction of timing-based features for HID input discrimination.
The attacker models are classified into three escalating classes:
- Naive: Minimal-effort randomization (e.g., uniform or PRNG-based timing generators).
- Statistical: Higher-order context-based statistical generators preserving inter-key dependencies.
- Adaptive: Generative adversarial networks (GAN)-based synthesizers trained to emulate the temporal structure of human typists.
The evaluation investigates both single-generator exposures and mixed-generator generalization, enabling systematic stress-testing under recursively stronger adversarial assumptions.
Methodology
The pipeline (Figure 2) encompasses synthetic dataset construction, training/evaluation of binary discriminators, and extensive intra- and cross-distribution generalization studies. All models are lightweight, including Random Forests (RF), Support Vector Machines (SVM), CNNs, and (bi-)LSTMs, reflecting real-world deployment constraints. The analysis eschews feature sets incorporating input semantics, enforcing strict privacy and user-agnosticism.
Figure 2: Methodology pipeline encompassing dataset synthesis, model training, and cross/evaluation across adversarial input classes.
Synthetic keystroke sessions are generated by replacing HT and FT with artificial values according to each attacker model, maintaining the alignment of Virtual Key (VK) code sequences purely to isolate behavioral features. Generator diversity within dataset families ensures realistic adversarial variability, with GANs specifically trained to maximize deception against timing-based discriminators.
Experimental Results
Single-Generator Evaluation
RF models exhibit ROC-AUC above 0.9 for almost all adversarial generators at a window size of 70 keystrokes (Figures 3–5), indicating a favorable accuracy-latency trade-off for early attack interception.
Figure 3: ROC-AUC training curve on the Naive Dataset displays performance saturation for weakly structured attacks.
Figure 4: ROC-AUC curve on Statistical Dataset shows high detectability for context-aware adversaries.
Figure 5: ROC-AUC on Adaptive Dataset; sophisticated GAN-based attacks offer slight decreases in separability but are consistently detected above threshold for practical sequence lengths.
There is clear evidence that model dependence is less critical than coverage of distinct generator classes. Bidirectional LSTMs yield no empirical advantages over RFs given minimal sequential structure in naive generators.
Generalization and Mixed-Generator Training
Single-generator-trained models generalize robustly only within structurally similar adversarial classes (Figure 6). Balanced (BC) and unbalanced (UC) mixed training configurations are benchmarked to assess operational robustness in more heterogeneous adversarial landscapes (Figure 7).





Figure 6: Example of intra- and cross-family transferability (Naive dataset) among generators; notable clustering effect by generator statistical structure.
Figure 7: Balanced mixed-generator configuration; robust intra-family performance but diminished cross-family generalization unless coverage is optimized.
Introducing structured diversity in training (by upweighting generators with wide cross-family reach) allows detectors to obtain uniformly high ROC-AUC across all adversaries except the most deceptive empirical/conditional models.
Performance as a function of keystroke observation window is shown in Figures 8 and 9. ROC-AUC increases rapidly with window size up to 70–100 keystrokes, at which point performance saturates.
Figure 8: ROC-AUC versus keystroke window size in balanced configurations, demonstrating rapid convergence to maximum performance by 70 keystrokes.
Figure 9: ROC-AUC versus keystroke window size in unbalanced configurations; robust detection across variable generator prevalence.
Inference cost, reported in Figure 10, is consistently low for the RF model, with inference time remaining stable even as the feature dimension increases, validating suitability for real-time deployment.

Figure 10: Single-sample inference time for the RF detector is low and scales gently with sequence length, supporting continuous background processing.
Discussion
The results substantiate several critical claims:
- Detection is feasible under stringent privacy and resource constraints: By restricting features to timing only (HT, FT) and adopting lightweight classifiers, continuous human-vs-machine discrimination is practical, with ROC-AUC typically exceeding 0.9 for well-chosen generator mixtures.
- Generative diversity, not model complexity, is the dominant adversary variable: Exposure to structurally distinct generator classes, rather than arbitrarily increased adversarial complexity (e.g., sophisticated GANs), is necessary and sufficient for robust detection. Overparameterized detectors confer marginal benefit.
- Early detection is achievable with limited context: The accuracy-latency Pareto frontier stabilizes at approximately 70–100 keystrokes, balancing attack interruption with operational usability constraints.
- Most sophisticated attacks are not always the hardest to detect: GAN-based adversaries are not strictly more evasive than simpler conditional empirical generators, which occasionally produce more ambiguous signatures.
- No monotonic evasion improvement from attack sophistication: Increasing the attacker's statistical modeling capacity does not produce inevitable evasion enhancements; structurally diverse attacks can be more problematic than merely "smarter" ones.
Implications and Future Developments
Practically, these results lay a foundation for deployable, privacy-preserving HID injection defense in commodity OSes without need for semantic instrumentation or long-term user profiling. Theoretically, the findings challenge the assumption that adversarial generative power necessarily induces more effective attacks, emphasizing instead the role of model class coverage and training regime composition. Future work may extend to detecting context-conditioned GANs in few-shot scenarios or integrating multimodal behavioral streams (e.g., mouse or touchscreen data), but must maintain vigilance against privacy regression.
Applying these principles to broader AI security contexts, robust anomaly detection will increasingly turn on adversarial diversity rather than pure complexity, streamlining system design and reducing computational burden.
Conclusion
This work demonstrates that reliable, early detection of USB HID injection attacks is achievable using modest classifiers operating strictly on keystroke timing features. Robustness depends primarily on representative coverage of structurally distinct attacker models, not detector complexity or inclusion of semantic information. These insights yield deployable, privacy-compliant solutions for modern computing environments. Future developments may focus on refining generator class hierarchies and integrating these detectors with holistic system-level defense frameworks.