Modern computing systems inherently trust human input devices, creating an exploitable attack surface for adversarial automation. USB Human Interface Device (HID) emulation attacks, such as those enabled by the USB Rubber Ducky, exploit this assumption to inject arbitrary keystroke sequences while bypassing traditional defenses. Existing countermeasures rely on simple heuristics based on typing speed or timing regularity, which can be easily evaded through basic randomization. Keystroke dynamics analysis offers a more robust alternative by modeling temporal typing behavior. However, prior work frames this problem as behavioral authentication, verifying whether input originates from a specific user rather than detecting automated injection. An alternative approach is continuous monitoring via keylogging integrated with intrusion detection systems, but this requires access to input content, raising significant privacy concerns. In this paper, we provide the first systematic characterization of keystroke dynamics for human-vs-machine discrimination, independent of user identity. Guided by five research questions, we show that robust, privacy-preserving detection is achievable using lightweight models operating solely on timing features, eliminating the need for content access or user profiling. Our analysis reveals that attacker sophistication does not monotonically translate into improved evasion. Instead, robustness depends on exposure to structurally diverse generation strategies rather than increased model complexity. Finally, we quantify the trade-off between detection timeliness and reliability across varying keystroke sequence lengths, identifying practical operating points for early and effective attack interception.
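An added example, not code from the paper: a timing-only feature extractor of the kind the abstract describes, next to the speed/regularity heuristic it calls easy to evade. The feature names, the thresholds and the three traces are constructed assumptions; no key content is ever recorded.

```python
import statistics

def trace(intervals_ms, holds_ms):
    """Build (press_ms, release_ms) pairs; key codes are never recorded."""
    events, t = [], 0.0
    for i, hold in enumerate(holds_ms):
        events.append((t, t + hold))
        if i < len(intervals_ms):
            t += intervals_ms[i]
    return events

def _cv(xs):
    """Coefficient of variation: spread relative to the mean."""
    m = statistics.mean(xs)
    return statistics.pstdev(xs) / m if m else 0.0

def timing_features(events, first_n=None):
    """Timing-only features over the first `first_n` keystrokes (all if None)."""
    ev = events[:first_n] if first_n else events
    if len(ev) < 2:
        raise ValueError("need at least two keystrokes")
    intervals = [b[0] - a[0] for a, b in zip(ev, ev[1:])]  # press-to-press
    holds = [release - press for press, release in ev]
    return {
        "mean_interval_ms": statistics.mean(intervals),
        "interval_cv": _cv(intervals),
        "mean_hold_ms": statistics.mean(holds),
        "hold_cv": _cv(holds),
    }

def naive_heuristic(feat, min_interval_ms=30.0, min_cv=0.05):
    """Flag input that is too fast or too regular (thresholds are assumptions)."""
    return feat["mean_interval_ms"] < min_interval_ms or feat["interval_cv"] < min_cv

# Constructed traces (not measured data).
FIXED_RATE = trace([10.0] * 9, [2.0] * 10)
HUMAN_LIKE = trace([142, 109, 209, 88, 183, 168, 111, 233, 117],
                   [95, 80, 110, 72, 101, 88, 120, 76, 99, 84])
RANDOMIZED = trace([73, 51, 118, 44, 96, 62, 109, 85, 57], [2.0] * 10)

if __name__ == "__main__":
    for name, ev in [("fixed", FIXED_RATE), ("human-like", HUMAN_LIKE),
                     ("randomized", RANDOMIZED)]:
        f = timing_features(ev)
        print(name, naive_heuristic(f), {k: round(v, 2) for k, v in f.items()})
```

The heuristic flags only the fixed-rate trace; the full feature vector, computed over a chosen prefix length via `first_n`, is what a timing-based model would consume instead.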