Abstract: A hardware-based security system and method for protecting a host device against threats from Human Interface Devices (HIDs) comprises a USB host interface, a USB passthrough interface, a microcontroller, and a memory. The microcontroller intercepts and analyzes HID inputs independently of host software in real time. A threat detection module performs behavioral analysis on HID inputs, while a firmware validation module compares digital hashes of HID firmware identities with a trusted repository. The system detects threats based on behavioral analysis and firmware identity comparison, forwarding verified inputs to the host device. An indicator alerts users to detected threats or anomalies. This system provides robust, pre-OS protection against malware, ransomware, and keystroke injection attacks, offering an efficient and specialized cybersecurity solution.
Description:
FIELD OF INVENTION
[0001] The present disclosure relates generally to cybersecurity technology, and more particularly to a hardware-based intermediary device for real-time inspection and filtering of Universal Serial Bus (USB) input to protect against malicious attacks.
BACKGROUND
[0002] In modern cybersecurity practices, a significant vulnerability exists due to the lack of hardware-level protection against malicious input through USB-connected devices, particularly keyboards. Current security systems heavily rely on host-based software such as antivirus programs, endpoint detection and response (EDR) tools, and intrusion detection systems. These solutions operate at the operating system (OS) level, which inherently limits their effectiveness when the OS itself is compromised or bypassed. This vulnerability creates a gap that can be exploited by advanced persistent threats (APTs), ransomware, and key injection attacks, which use USB Human Interface Devices (HIDs) to deliver malicious payloads often undetected by software defenses.
[0003] The reliance on software-based security measures poses several challenges in protecting systems from USB-based threats. Antivirus programs and intrusion detection systems, while effective against known malware signatures, struggle to detect novel or sophisticated attacks that exploit zero-day vulnerabilities. Additionally, these software solutions are reactive in nature, often requiring frequent updates to maintain their effectiveness against evolving threats. Moreover, they are dependent on the integrity of the operating system, which can be compromised by rootkits or firmware-level malware.
[0004] USB ports, being ubiquitous and essential for connecting peripherals, present a significant attack surface for cybercriminals. Malicious actors can exploit these ports to introduce malware, exfiltrate data, or gain unauthorized access to systems. The ease of use and widespread adoption of USB devices make them an attractive vector for various types of attacks, including BadUSB attacks, where seemingly harmless peripherals are reprogrammed to act as malicious HIDs. These attacks can bypass traditional security measures by mimicking legitimate keyboard input, making them particularly challenging to detect and prevent.
[0005] The economic impact of USB-based security threats is substantial. According to recent cybersecurity reports, the average cost of a data breach has reached $4.35 million in 2022, with many of these breaches originating from compromised endpoints, including those exploited through USB vulnerabilities. This underscores the critical need for robust, hardware-based security solutions to protect against such threats.
[0006] Existing solutions like software-based antivirus or USB port control tools attempt to mitigate such risks, but they have significant limitations. These tools are often reactive and dependent on the system's integrity. Once malware gains control of the host or embeds itself at the firmware level, these software-based defenses become ineffective.
[0007] The increasing sophistication of cyber threats necessitates a more robust approach to USB security. Traditional methods of securing USB ports, such as software-based port control, are often impractical in modern work environments where USB connectivity is essential for productivity. Additionally, these methods do not address the core issue of distinguishing between legitimate and malicious USB input at the hardware level. The lack of a comprehensive, hardware-based solution that can provide real-time threat detection and prevention for USB HIDs leaves a significant gap in cybersecurity defenses.
[0008] Therefore, there is a need to overcome the problems discussed above. A solution is required that can provide hardware-level protection against malicious USB input, particularly from keyboards and other HIDs. This solution should be capable of performing real-time, inline behavioral and signature-based threat analysis on USB input data, independent of the host operating system's integrity. It should act as a secure gatekeeper between USB devices and the host system, enabling proactive inspection, validation, and filtering of USB input at the physical layer. Such a solution would provide a tamper-resistant, OS-independent security barrier against sophisticated keyboard-based attacks, addressing the critical vulnerability in current cybersecurity practices.
OBJECTS OF THE INVENTION
[0009] The primary objective of the present disclosure is to provide a hardware-based security mechanism that operates inline between a USB input and the host device.
[0010] Yet another objective of the present disclosure is to intercept and analyze all USB input at the physical layer, independently of any software running on the host.
[0011] Yet another objective of the present disclosure is to provide a dual-layer detection security mechanism, i.e., signature-based analysis and behavioral profiling.
[0012] One more objective is to provide real-time threat detection and a real-time multi-modal alert system.
[0013] A further objective is to provide autonomous learning of user-specific behavior and a tamper-resistant, OS-independent security barrier against sophisticated keyboard-based attacks.
SUMMARY OF THE INVENTION
[0014] According to one aspect of the present disclosure, a hardware-based security system for protecting a host device against threats from Human Interface Devices (HIDs) is provided. The system comprises at least one USB host interface configured to connect with the HIDs, at least one USB passthrough interface configured to forward verified inputs to the host device, a microcontroller operatively connected to the USB host interface and the USB passthrough interface, and a memory for securely storing a trusted repository. The microcontroller comprises a threat detection module and a firmware validation module and is configured to intercept and analyze the HIDs inputs independently of software running on the host system in real time. The threat detection module is configured to perform behavioral analysis on the HIDs inputs to detect threats. The firmware validation module is configured to perform signature-based analysis by comparing a digital hash of the HIDs firmware identity with the trusted repository stored in the secure memory to provide hardware-level tamper-resistance.
[0015] The hardware-based security system includes at least one alert indicator configured to inform a user when a threat or anomaly is detected. The indicator can be an audible alarm, an alert blink light, or a display, providing visual or auditory feedback to the user about potential security risks.
[0016] The behavioral analysis of user profiles in the hardware-based security system includes one or more of key transition timings, hold durations, keystroke injection speeds, high speed injections, machine learning models trained on normal user behavior, anomaly detection algorithms, heuristic rule-based analysis or repeated exploit key sequences to detect human-mimicking malware. This comprehensive analysis enables the system to identify a wide range of potential threats.
[0017] The microcontroller in the hardware-based security system is configured to autonomously learn user-specific behavior for enhancing its adaptability over time and enabling real-time interception and inspection of the HIDs input before it reaches the host device. This autonomous learning process comprises collecting user input data over time, analyzing the collected data to identify patterns, updating a user behavior model based on the identified patterns, and adjusting threat detection parameters based on the updated model.
[0018] The microcontroller in the hardware-based security system is configured to implement a whitelist or blacklist of approved or blocked HIDs based on their unique identifiers. Additionally, it periodically updates the trusted repository in the memory with new firmware hashes from authenticated sources or newly verified HIDs, ensuring the system remains up-to-date with the latest security information.
[0019] The microcontroller in the hardware-based security system is configured to perform real-time analysis of USB protocol compliance. Upon detecting a threat or protocol violation, it can perform one or more actions such as blocking data transmissions to the host system, securely logging events, disconnecting the suspicious HID, quarantining the HID's data, sending an alert to a remote security monitoring system, or initiating the host system lockdown. These measures provide a robust response to potential security threats.
[0020] According to another aspect of the present disclosure, a method for protecting a host device against threats from Human Interface Devices (HIDs) is provided. The method comprises intercepting, by a microcontroller, inputs from HIDs connected to a USB host interface; performing, by a threat detection module of the microcontroller, behavioral analysis of the intercepted inputs in real time, independently of software running on the host device; performing, by a firmware validation module of the microcontroller, signature-based analysis by comparing a digital hash of the HIDs firmware identity with a trusted repository stored in a memory; detecting, by the microcontroller, threats based on the behavioral analysis and firmware identity comparison; forwarding, by the microcontroller, verified inputs to the host device through a USB passthrough interface; and alerting, by at least one indicator, a user when a threat or anomaly is detected.
[0021] In the method for protecting a host device, performing behavioral analysis includes analyzing one or more of key transition timings, holding durations, keystroke injection speeds, high speed injections, statistical analysis of keystroke patterns, machine learning models trained on normal user behavior, anomaly detection algorithms, heuristic rule-based analysis or repeated exploit key sequences to detect human-mimicking malware. This comprehensive analysis allows for the detection of a wide range of potential threats.
[0022] The method for protecting a host device further includes the microcontroller autonomously learning user-specific behavior. This is accomplished by collecting user input data over time, analyzing the collected data to identify patterns, updating user behavior based on the identified patterns, and adjusting threat detection parameters based on the updated details. This adaptive learning process enhances the system's ability to detect anomalies specific to each user.
[0023] The method for protecting a host device also includes performing real-time analysis of USB protocol compliance. Upon detecting a threat or protocol violation, the method involves performing one or more actions such as disconnecting the suspicious HID, quarantining the HID's data, sending an alert to a remote security monitoring system, or initiating the host system lockdown. These measures provide a comprehensive response to potential security threats.
[0024] The present disclosure offers several advantages including proactive protection against malware, ransomware, and keystroke injection attacks at the hardware level, independent of the host system's software. It provides real-time threat detection through both signature-based and behavioral analysis, enhancing security beyond traditional software-based solutions. The system's ability to autonomously learn user behavior and adapt over time improves its effectiveness in identifying potential threats.
[0025] The foregoing paragraphs have been provided by way of general introduction and are not intended to limit the scope of the following claims. The described embodiments, together with further advantages, will be best understood by reference to the following detailed description taken in conjunction with the accompanying drawings.
BRIEF DESCRIPTION OF DRAWINGS
FIG. 1 illustrates a block diagram of a hardware-based security system for protecting a host device against threats from HIDs in accordance with the present disclosure.
FIG. 2 illustrates an exemplary view of microcontroller components in accordance with FIG. 1.
FIG. 3 illustrates an exemplary flowchart of the working of the system in accordance with the present disclosure.
FIG. 4 illustrates a flowchart of a method in accordance with the present disclosure.
DETAILED DESCRIPTION OF THE INVENTION
[0026] Aspects of the present disclosure are best understood by reference to the description set forth herein. All the aspects described herein will be better appreciated and understood when considered in conjunction with the following descriptions. It should be understood, however, that the following descriptions, while indicating preferred aspects and numerous specific details thereof, are given by way of illustration only and should not be treated as limitations. Changes and modifications may be made within the scope herein without departing from the spirit and scope thereof, and the present disclosure herein includes all such modifications.
[0027] Referring now to the drawings, and more particularly to FIGS. 1 and 2, where similar reference characters denote corresponding features consistently throughout the figures, there are shown preferred embodiments. These figures encompass components and their interconnections to provide an understanding of the system's functionality.
[0028] A hardware-based security system (100) for protection against threats from Human Interface Devices (HIDs) (300) is shown in FIG. 1. The system (100) comprises at least one USB host interface (110) configured to connect with the HIDs (300), at least one USB passthrough interface (120) configured to forward verified inputs to the host device (200), a microcontroller (130) operatively connected to the USB host interface (110) and the USB passthrough interface (120), and a memory (140) for securely storing a trusted repository. The microcontroller (130) comprises a threat detection module (132) and a firmware validation module (134) and is configured to intercept and analyze the HIDs (300) inputs independently of software running on the host device (200) in real time.
[0029] The USB host interface (110) serves as the connection point for HIDs (300) such as keyboards, mice, and other input devices. Some key characteristics include hot-swappable connections, power delivery to connected devices, and data transfer speeds up to 480 Mbps for USB 2.0 or 5 Gbps for USB 3.0. The USB host interface (110) provides a standardized way to connect and communicate with a wide range of HIDs (300). The USB passthrough interface (120) acts as a bridge between the security system (100) and the host device (200). The verified and safe inputs pass through the USB passthrough interface (120) to the host device (200).
[0030] The microcontroller (130) serves as the central processing unit of the security system (100), coordinating all security functions. The microcontroller (130) runs specialized firmware to intercept, analyze, and filter HID inputs in real-time before they reach the host. It includes high-speed data processing, low latency, and the ability to run complex security algorithms. The microcontroller (130) interfaces with both the USB host interface (110) and passthrough interface (120) to monitor all traffic. It can be programmed with custom threat detection rules and firmware validation checks. The microcontroller (130) provides the processing power and flexibility needed to implement robust HID security measures.
[0031] The memory (140) stores the trusted repository containing known-good firmware signatures and other security data. It uses encryption and tamper-resistance measures to protect this sensitive information. The memory (140) can be periodically updated with new threat signatures. The trusted repository and security parameters are stored in encrypted, write-protected memory that is difficult for attackers to access or modify. The inline hardware implementation means that HIDs (300) cannot communicate directly with the host, forcing all traffic through the security system (100). This hardware-enforced isolation is more robust than software-based protections that can potentially be circumvented. The system (100) may incorporate physical unclonable functions (PUFs) for device authentication and key generation. It can implement secure key management using a hardware security module (HSM) for cryptographic operations. The system (100) may feature a secure element for storing sensitive data and performing security-critical operations in an isolated environment. The trusted repository includes digital hashes of verified HID firmware, which are periodically updated to reflect new entries from authenticated sources. The memory (140) may be implemented using technologies such as secure flash memory, EEPROM, or other non-volatile storage solutions.
[0032] As shown in FIG. 2, the microcontroller (130) comprises a threat detection module (132) and a firmware validation module (134). The threat detection module (132) analyzes HID inputs for suspicious patterns or behaviors indicative of attacks. The threat detection module (132) can detect anomalies like abnormally fast typing speeds, repeated function key presses, or known malicious key sequences. The module may employ techniques such as statistical analysis, machine learning models, and heuristic rule sets. It can be updated with new threat signatures and detection algorithms. It includes real-time analysis, low false positive rates, and the ability to detect novel attack patterns. The threat detection module (132) performs behavioral analysis on HID inputs to identify potential attacks or malware. Behavioral analysis of user profiles includes one or more of key transition timings, hold durations, keystroke injection speeds, high speed injections, machine learning models trained on normal user behavior, anomaly detection algorithms, heuristic rule-based analysis or repeated exploit key sequences to detect human-mimicking malware.
[0033] In simple words, it performs pattern recognition, timing analysis, and heuristic evaluation to identify malicious keystroke sequences or abnormal input behavior. These actions such as keystroke timing, input speeds, and repeated patterns may indicate automated or malicious activity. The module can be trained on normal user behavior to detect anomalies. It may use machine learning models, statistical analysis, or rule-based heuristics to classify inputs as benign or suspicious. Unusually consistent timings may indicate a software-generated keystroke injection attack. This module can also analyze key hold durations, looking for unnaturally brief or lengthy presses. Extremely rapid keystroke injection speeds, far beyond human typing abilities, are another red flag. The detection algorithms may incorporate machine learning models trained on typical human input patterns to spot anomalies. The behavioral analysis provides protection against sophisticated attacks that mimic human input patterns to evade simpler detection methods.
[0034] The module may implement keystroke dynamics biometrics to create unique typing profiles for individual users. It can utilize time series analysis techniques to detect temporal anomalies in input patterns. The module may incorporate contextual analysis to consider factors like application focus and system state when evaluating input behavior.
[0035] The firmware validation module (134) verifies the integrity and authenticity of connected HID firmware. It calculates cryptographic hashes of device firmware and compares them against known-good values in the trusted repository. The module can detect unauthorized firmware modifications or counterfeit devices. It supports common cryptographic algorithms like SHA-256 for hashing. It includes the ability to validate firmware during device enumeration and periodic re-checks during operation. The firmware validation module (134) prevents attacks leveraging compromised or malicious HID firmware.
[0036] The firmware validation module (134) conducts signature-based analysis by comparing cryptographic hashes of HID firmware against a trusted repository. This allows it to detect unauthorized firmware modifications or counterfeit devices. The module calculates a hash (e.g. SHA-256) of the firmware image on a connected HID and checks if it matches a known good value. The trusted repository of valid firmware hashes can be periodically updated. This signature-based approach provides a way to verify the integrity and authenticity of HID firmware.
[0037] The microcontroller (130) can perform real-time analysis of USB protocol compliance, watching for violations that may indicate malicious activity. Upon detecting a threat or protocol violation, the system can take various protective actions. These may include immediately blocking all data transmissions to the host device (200) to prevent potential malware infection. The system (100) can log detailed information about the event for later forensic analysis. In severe cases, it may electrically disconnect the suspicious HID to fully isolate it. The system (100) could send an alert to a centralized security monitoring platform. For critical systems, it may have the capability to trigger a host device (200) lockdown.
[0038] In some embodiments, the microcontroller (130) may include higher processing power for faster threat detection, integration of artificial intelligence algorithms for improved anomaly detection, or support for additional security protocols such as encryption of HID data during processing. The microcontroller (130) may include additional features such as data encryption, compliance monitoring, or support for USB-C protocols.
[0039] In some embodiments, the system (100) may include visual indicators like LEDs to alert users of detected threats or anomalies. The LEDs could use different colors or blinking patterns to indicate various security states or threat levels. A small LCD display could provide more detailed status information or instructions to the user. Audible alarms or buzzers offer another option for notifications. The alert indicators provide a way to immediately inform users of potential security issues, even if the host device (200) is compromised. The system (100) may implement a multi-modal alert system combining visual, auditory, and haptic feedback for comprehensive user notification. It can feature customizable alert thresholds and notification preferences to suit different user needs and environments. The system may include a secure display with a trusted execution environment to show sensitive security information without risk of tampering or interception.
[0040] In some embodiments, the security system (100) can maintain whitelists of approved HIDs based on their unique identifiers like Vendor ID, Product ID, and serial number. Similarly, it may use blacklists to block known malicious or suspicious devices. These lists can be periodically updated from trusted sources to add newly verified devices or block emerging threats. The trusted repository in secure memory can be expanded to include cryptographic signatures for validated HID firmware versions. Regular updates ensure the system (100) can authenticate new legitimate devices while blocking the latest threats.
[0041] In some embodiments, the system (100) can autonomously learn and adapt to individual users' typing and input behaviors over time. It may start with a baseline model of typical human input and then gradually tune its detection parameters based on observed patterns for each user. This could involve collecting timing data on keystroke intervals, common key sequences, average typing speeds, and other metrics specific to the user. The behavioral model is periodically updated to account for gradual changes in the user's habits. This adaptive learning allows the system (100) to maintain high detection accuracy while minimizing false positives as it becomes attuned to each user's unique input characteristics. The system (100) may utilize unsupervised learning algorithms to identify clusters of similar input behaviors and detect outliers. It can implement incremental learning techniques to continuously refine its behavioral models without requiring complete retraining. The adaptive system (100) may incorporate feedback mechanisms to allow users to manually flag false positives or negatives, further improving detection accuracy.
[0042] FIG. 3 illustrates the flowchart of the inline threat detection module implemented by the hardware-based security system (100). The flowchart depicts the sequential steps and decision-making process involved in analyzing and securing USB input data from Human Interface Devices (HIDs) (300). The process begins with the reception of keyboard data via the USB host interface (110). This initial step represents the interception of all input data from connected HIDs (300) before it reaches the host device (200).
[0043] In the next step, a parse and verify process is applied: the system (100) converts and verifies the data. Following data reception, the system (100) validates the data format and origin. The data is then checked to see whether it follows the predefined pattern. In these steps, behavioral analysis and firmware validation processes are applied.
[0044] These steps represent the behavioral analysis conducted on the input data, including checks for injection speed, pattern recognition, and other indicators of potentially malicious activity, and the check of the firmware hash against the trusted store. The latter is the firmware validation process, where the system (100) verifies the integrity of the connected HID's (300) firmware to detect any unauthorized modifications.
[0045] The next step indicates the flagging of anomalies and logging of suspicious activities. This step is crucial for maintaining a record of potential security events and enabling later forensic analysis.
[0046] FIG. 3 shows a decision point where the system (100) determines whether a threat has been detected based on the preceding analyses. This decision leads to two possible outcomes: either a threat is detected, in which case it will block the transmission to the host and trigger an LED/BLE alert, or no threat is detected, allowing the data to pass through. These actions represent the system (100)'s immediate response to prevent potential harm and notify the user or security personnel of the detected threat.
[0047] If no threat is detected, the flowchart proceeds to the final step of forwarding the data to the host. This represents the system (100) allowing verified and safe inputs to pass through to the host device (200).
[0048] With reference to FIGS. 1-3, FIG. 4 is a flow chart illustrating a method for protecting a host device (200) against threats from Human Interface Devices (HIDs) (300).
[0049] At step 402, the method includes the USB host interface (110) receiving data packets from the connected HID (300). The microcontroller (130) continuously polls the USB host interface (110) for incoming data. Once data is received, the microcontroller (130) buffers it for further analysis.
[0050] At step 404, the method includes a threat detection module (132) of the microcontroller (130) performing behavioral analysis of the intercepted inputs in real-time, independently of software running on the host device (200). Concurrently, at step 406, the method includes a firmware validation module (134) of the microcontroller (130) performing signature-based analysis by comparing a digital hash of the HIDs (300) firmware identity with a trusted repository stored in memory (140).
[0051] At step 408, the system detects threats or any suspicious activity. The behavioral analysis performed by the threat detection module (132) examines various aspects of HID (300) input patterns. This includes analyzing the timing between key presses to detect unnaturally consistent intervals that may indicate automated input. The module also looks at key hold durations, flagging suspiciously brief or lengthy presses. It can identify extremely rapid keystroke injection speeds that exceed human capabilities. Statistical analysis may be applied to overall keystroke patterns to spot anomalies. The module may employ techniques such as statistical analysis, machine learning models, and heuristic rule sets. The system (100) may incorporate machine learning models trained on typical user behavior to better distinguish between human and automated inputs.
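The timing checks described in [0032]-[0033] and in step 408 reduce to a few statistics over a window of key events; the following C code is an added example, not code from the disclosure. The `key_event_t` layout, the thresholds and the three sample windows are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One key press as timestamped by the inline device's free-running
 * microsecond timer (hypothetical structure, not from the disclosure). */
typedef struct { uint32_t down_us, up_us; } key_event_t;

enum {
    FLAG_TOO_FAST   = 1u << 0,  /* median gap shorter than any human burst */
    FLAG_TOO_STEADY = 1u << 1,  /* gaps nearly identical: machine pacing   */
    FLAG_SHORT_HOLD = 1u << 2   /* keys released almost instantly          */
};

/* Assumed thresholds; a real device would tune these from measurements. */
#define WINDOW         16       /* events examined per decision            */
#define MIN_EVENTS      8       /* below this there is too little evidence */
#define MIN_GAP_US  20000u      /* 20 ms median gap = 50 keys per second   */
#define MIN_HOLD_US 15000u      /* 15 ms median hold                       */
#define STEADY_DIV     20u      /* mean deviation under 1/20 of the median */

/* Insertion sort in place, then return the middle element. */
static uint32_t median_u32(uint32_t *v, size_t n)
{
    for (size_t i = 1; i < n; i++) {
        uint32_t x = v[i];
        size_t j = i;
        while (j > 0 && v[j - 1] > x) { v[j] = v[j - 1]; j--; }
        v[j] = x;
    }
    return v[n / 2];
}

/* Returns a bitmask of FLAG_* values for the newest WINDOW events. */
unsigned analyze_window(const key_event_t *ev, size_t n)
{
    uint32_t gap[WINDOW], hold[WINDOW];
    unsigned flags = 0;

    if (n < MIN_EVENTS) return 0;
    if (n > WINDOW) { ev += n - WINDOW; n = WINDOW; }

    /* Unsigned subtraction stays correct when the 32-bit timer wraps. */
    for (size_t i = 0; i < n; i++) hold[i] = ev[i].up_us - ev[i].down_us;
    for (size_t i = 1; i < n; i++) gap[i - 1] = ev[i].down_us - ev[i - 1].down_us;

    uint32_t med_gap = median_u32(gap, n - 1);
    uint32_t med_hold = median_u32(hold, n);

    /* Mean absolute deviation of the gaps from their median. */
    uint64_t dev_sum = 0;
    for (size_t i = 0; i < n - 1; i++)
        dev_sum += gap[i] > med_gap ? gap[i] - med_gap : med_gap - gap[i];
    uint32_t mean_dev = (uint32_t)(dev_sum / (n - 1));

    if (med_gap < MIN_GAP_US) flags |= FLAG_TOO_FAST;
    if ((uint64_t)mean_dev * STEADY_DIV < med_gap) flags |= FLAG_TOO_STEADY;
    if (med_hold < MIN_HOLD_US) flags |= FLAG_SHORT_HOLD;
    return flags;
}

/* Constructed sample windows (not captured data). */
static const key_event_t SAMPLE_HUMAN[10] = {      /* irregular gaps and holds */
    {0, 80000}, {180000, 275000}, {275000, 345000}, {515000, 625000},
    {645000, 730000}, {955000, 1075000}, {1065000, 1140000},
    {1225000, 1315000}, {1430000, 1530000}, {1520000, 1608000} };
static const key_event_t SAMPLE_INJECTED[10] = {   /* 2 ms gaps, 1 ms holds */
    {0, 1000}, {2000, 3000}, {4000, 5000}, {6000, 7000}, {8000, 9000},
    {10000, 11000}, {12000, 13000}, {14000, 15000}, {16000, 17000},
    {18000, 19000} };
static const key_event_t SAMPLE_PACED[10] = {      /* exact 120 ms gaps; timer wraps */
    {4294900000u, 4294960000u}, {52704, 112704}, {172704, 232704},
    {292704, 352704}, {412704, 472704}, {532704, 592704}, {652704, 712704},
    {772704, 832704}, {892704, 952704}, {1012704, 1072704} };

int main(void)
{
    printf("human    flags=%u\n", analyze_window(SAMPLE_HUMAN, 10));
    printf("injected flags=%u\n", analyze_window(SAMPLE_INJECTED, 10));
    printf("paced    flags=%u\n", analyze_window(SAMPLE_PACED, 10));
    return 0;
}
```

The paced window shows why the consistency check is separate from the speed check: its rate is well within human range, and only the lack of variation gives it away.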
[0052] Further in step 408, to validate the device and check for a suspicious device or threat, the firmware validation module (134) verifies the integrity and authenticity of connected HID (300) firmware. It calculates cryptographic hashes of device firmware and compares them against known-good values in the trusted repository. The module can detect unauthorized firmware modifications or counterfeit devices. It supports common cryptographic algorithms like SHA-256 for hashing. It includes the ability to validate firmware during device enumeration and periodic re-checks during operation. The firmware validation module (134) prevents attacks leveraging compromised or malicious HID (300) firmware. It may implement a secure boot process to verify the integrity of the security system's own firmware before execution. The module can utilize digital signatures and public key infrastructure (PKI) for firmware authentication. It may support firmware version control to ensure only approved versions are allowed to operate.
[0053] At step 410, if no threats are identified after all the analysis steps, the microcontroller (130) allows the input data to pass through. It forwards the verified and safe inputs to the host device (200) via the USB passthrough interface (120), ensuring normal operation for legitimate user inputs.
[0054] At step 412, if any suspicious activities or deviations from expected behavior are detected in the previous steps, the system flags them. It then securely logs detailed information about the event, including timestamps, device identifiers, and the nature of the detected anomaly. In this step, the microcontroller (130) determines whether a threat has been detected. This decision considers the outcomes of the signature-based scanning, behavioral analysis, and firmware validation processes. In this step, if a threat is identified, the microcontroller (130) immediately prevents the suspicious data from being forwarded to the host device (200) through the USB passthrough interface (120). This action stops potential malware or malicious commands from reaching and affecting the host device (200) and triggers an LED/BLE alert. The system (100) activates the alert indicator (150), which could be an audio signal, an LED light, or a display. This provides immediate visual or audio notification to the user about the detected threat.
[0055] To handle false positives and minimize user disruption, the system implements a multi-tiered approach. For low-confidence threats, it may temporarily quarantine the input and prompt the user for verification. For medium-confidence threats, it may block the input but allow the user to override the decision with additional authentication. High-confidence threats are blocked without user intervention. The system also learns from user feedback to improve its accuracy over time.
[0056] In some embodiments, the method includes the microcontroller (130) autonomously learning user-specific behavior that enhances its adaptability and accuracy over time. It collects detailed input data including keystroke timings, common key sequences, and typical usage patterns for each user. This data is analyzed to identify distinct behavioral characteristics. The system (100) then updates its internal user behavior model, gradually refining its understanding of what constitutes normal input for that specific user. Detection parameters are dynamically adjusted based on the evolving model. This allows the system (100) to maintain high threat detection sensitivity while reducing false positives as it becomes attuned to each user's unique input style.
[0057] In some embodiments, the method involves analyzing one or more of key transition timings, holding durations, keystroke injection speeds, high speed injections, statistical analysis of keystroke patterns, machine learning models trained on normal user behavior, anomaly detection algorithms, heuristic rule-based analysis or repeated exploit key sequences to detect human-mimicking malware.
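As an added illustration (not code from the patent or its applicants), the sketch below scores an HID event stream on three of the timing features listed in [0057] (key transition timings, hold durations and timing regularity) and maps the result to the response tiers of [0055]. The thresholds, function names, action labels and sample streams are assumptions made for this example.

```python
from statistics import mean, median, pstdev

# Assumed thresholds for illustration; the patent gives no numeric values.
MIN_HUMAN_GAP_MS = 30.0   # median key-to-key transition below this is suspect
MIN_HUMAN_HOLD_MS = 20.0  # median hold duration below this is suspect
MIN_JITTER_CV = 0.15      # stddev/mean of gaps below this is machine-regular

# Response tiers from paragraph [0055], keyed by confidence level.
ACTIONS = {"none": "forward", "low": "quarantine_and_prompt",
           "medium": "block_allow_authenticated_override", "high": "block"}

def timing_features(events):
    """events: (timestamp_ms, key, 'down'|'up') tuples in arrival order."""
    downs, holds, pressed = [], [], {}
    for ts, key, kind in events:
        if kind == "down":
            downs.append(ts)
            pressed[key] = ts
        elif key in pressed:  # ignore an 'up' with no matching 'down'
            holds.append(ts - pressed.pop(key))
    gaps = [b - a for a, b in zip(downs, downs[1:])]
    return gaps, holds

def classify(events, min_keys=8):
    """Return (confidence, action); each failed heuristic raises confidence."""
    gaps, holds = timing_features(events)
    if len(gaps) + 1 < min_keys:
        return "none", ACTIONS["none"]  # too few keystrokes to judge timing
    avg = mean(gaps)
    hits = 0
    if median(gaps) < MIN_HUMAN_GAP_MS:
        hits += 1
    if holds and median(holds) < MIN_HUMAN_HOLD_MS:
        hits += 1
    if avg == 0 or pstdev(gaps) / avg < MIN_JITTER_CV:
        hits += 1
    level = ("none", "low", "medium", "high")[hits]
    return level, ACTIONS[level]

def make_events(gaps_ms, hold_ms):
    """Build a constructed event stream from key-to-key gaps and one hold time."""
    events, ts = [], 0
    for i, gap in enumerate([0] + list(gaps_ms)):
        ts += gap
        events += [(ts, f"k{i}", "down"), (ts + hold_ms, f"k{i}", "up")]
    return sorted(events)
```

A stream with human-scale gaps but perfectly uniform spacing trips only the jitter heuristic and lands in the low tier, which is the case the quarantine-and-prompt response in [0055] is meant for.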
[0058] In some embodiments, the method involves performing real-time analysis of USB protocol compliance to identify potential violations or suspicious behavior. If a threat or protocol violation is detected, the system (100) can take immediate protective action. This may include disconnecting the suspicious HID (300) to isolate it from the host device (200). The system (100) can quarantine any potentially malicious data received from the device. It may send alerts to a remote security monitoring system to notify administrators of the threat. In critical scenarios, the method allows for initiating a full host device (200) lockdown to prevent any further potential compromise.
[0059] In some embodiments, the hardware-based security system (100) can be extended to protect against a wide range of HID-based threats beyond just keyboards and mice. It can secure other USB input devices like game controllers, drawing tablets, and biometric scanners. The system (100) may incorporate specialized detection algorithms for each device type. For example, it could analyze stylus movement patterns on drawing tablets or look for anomalies in biometric data streams. The firmware validation can be expanded to cover a broader range of HID types. This comprehensive approach provides protection across the full spectrum of potential HID attack vectors.
[0060] In some embodiments, the security system (100) can be designed with modularity and extensibility in mind. This allows for easy updates and expansion of capabilities over time. The microcontroller (130) firmware can be field-upgradable to add new threat detection algorithms or support for new HID types. The secure memory (140) could be expandable to accommodate larger trusted repositories as more devices are added. Additional hardware modules could be incorporated to extend functionality, such as adding network connectivity for centralized management. This flexible architecture ensures the system (100) can evolve to address emerging threats and changing security needs.
[0061] In some embodiments, the system (100) may utilize field-programmable gate arrays (FPGAs) for hardware-accelerated processing of security algorithms. It can implement a secure communication channel with the host device (200) for transmitting security alerts and receiving policy updates. The system (100) may feature redundant components and fail-safe mechanisms to ensure continued protection even if individual components fail.
[0062] Future enhancements to the system may include integration with artificial intelligence-driven threat intelligence platforms, enabling real-time updates of threat signatures and behavioral models. Additionally, the system could be adapted to support emerging USB standards and new types of HIDs, ensuring its relevance in evolving technological landscapes.
[0063] It should be understood that the present disclosure is not limited to the precise configurations described above. Various changes, modifications, and variations may be made in the arrangement, operation, and details of the methods and systems of the present disclosure without departing from the scope of the invention.
Claims:
1. A hardware-based security system (100) for protecting a host device (200) against threats from Human Interface Devices (HIDs) (300), comprising:
at least one USB host interface (110) configured to connect with the HIDs (300);
at least one USB passthrough interface (120) configured to forward verified inputs to the host device (200);
a microcontroller (130) operatively connected to the USB host interface (110) and the USB passthrough interface (120); and
a memory (140) for securely storing a trusted repository;
wherein the microcontroller (130) comprises a threat detection module (132) and a firmware validation module (134) and is configured to intercept and analyze the HIDs inputs independently of software running on the host device (200) in real time;
wherein the threat detection module (132) is configured to perform behavioral analysis on the HIDs inputs to detect threats; and
wherein the firmware validation module (134) is configured to perform signature-based analysis by comparing a digital hash of the HIDs firmware identity with the trusted repository stored in the secure memory (140) to provide hardware-level tamper-resistance.
2. The hardware-based security system (100) as claimed in claim 1, comprising at least one alert indicator (150) configured to inform a user when a threat or anomaly is detected, wherein the indicator (150) is an audible alarm, an alert blink light or a display.
3. The hardware-based security system (100) as claimed in claim 1, wherein the behavioral analysis of user profiles includes one or more of key transition timings, hold durations, keystroke injection speeds, high speed injections, machine learning models trained on normal user behavior, anomaly detection algorithms, heuristic rule-based analysis or repeated exploit key sequences to detect human-mimicking malware.
4. The hardware-based security system (100) as claimed in claim 1, wherein the microcontroller (130) is configured to autonomously learn user-specific behavior for enhancing its adaptability over time and enabling real-time interception and inspection of the HIDs input before it reaches the host device (200), wherein autonomously learning user-specific behavior comprises collecting user input data over time, analyzing the collected data to identify patterns, updating a user behavior model based on the identified patterns, and adjusting threat detection parameters based on the updated model.
5. The hardware-based security system (100) as claimed in claim 1, wherein the microcontroller (130) is configured to implement a whitelist or blacklist of approved or blocked HIDs based on their unique identifiers and to periodically update the trusted repository in the memory (140) with new firmware hashes from authenticated sources or newly verified HIDs.
6. The hardware-based security system (100) as claimed in claim 1, wherein the microcontroller (130) is configured to perform real-time analysis of USB protocol compliance and, upon detecting a threat or protocol violation, perform one or more of blocking data transmissions to the host device, securely logging events, disconnecting the suspicious HID, quarantining the HID's data, sending an alert to a remote security monitoring system, or initiating the host device lockdown.
7. A method for protecting a host device (200) against threats from Human Interface Devices (HIDs) (300), comprising:
intercepting, by a microcontroller (130), inputs from HIDs (300) connected to a USB host interface (110);
performing, by a threat detection module (132) of the microcontroller (130), behavioral analysis of the intercepted inputs in real time, independently of software running on the host device (200);
performing, by a firmware validation module (134) of the microcontroller (130), signature-based analysis by comparing a digital hash of the HIDs firmware identity with a trusted repository stored in a memory (140);
detecting, by the microcontroller (130), threats based on the behavioral analysis and firmware identity comparison;
forwarding, by the microcontroller (130), verified inputs to the host device (200) through a USB passthrough interface (120); and
alerting, by at least one indicator (150), a user when a threat or anomaly is detected.
8. The method as claimed in claim 7, wherein performing behavioral analysis includes analyzing one or more of key transition timings, holding durations, keystroke injection speeds, high speed injections, statistical analysis of keystroke patterns, machine learning models trained on normal user behavior, anomaly detection algorithms, heuristic rule-based analysis or repeated exploit key sequences to detect human-mimicking malware.
9. The method as claimed in claim 7, wherein the microcontroller autonomously learns user-specific behavior by collecting user input data over time, analyzing the collected data to identify patterns, updating user behavior based on the identified patterns, and adjusting threat detection parameters based on the updated details.
10. The method as claimed in claim 7, further comprising performing real-time analysis of USB protocol compliance and upon detecting a threat or protocol violation, performing one or more of disconnecting the suspicious HID, quarantining the HID's data, sending an alert to a remote security monitoring system, or initiating the host device lockdown.
| # | Name | Date |
|---|---|---|
| 1 | 202511070534-STATEMENT OF UNDERTAKING (FORM 3) [24-07-2025(online)].pdf | 2025-07-24 |
| 2 | 202511070534-REQUEST FOR EXAMINATION (FORM-18) [24-07-2025(online)].pdf | 2025-07-24 |
| 3 | 202511070534-REQUEST FOR EARLY PUBLICATION(FORM-9) [24-07-2025(online)].pdf | 2025-07-24 |
| 4 | 202511070534-PROOF OF RIGHT [24-07-2025(online)].pdf | 2025-07-24 |
| 5 | 202511070534-POWER OF AUTHORITY [24-07-2025(online)].pdf | 2025-07-24 |
| 6 | 202511070534-FORM-9 [24-07-2025(online)].pdf | 2025-07-24 |
| 7 | 202511070534-FORM FOR SMALL ENTITY(FORM-28) [24-07-2025(online)].pdf | 2025-07-24 |
| 8 | 202511070534-FORM 18 [24-07-2025(online)].pdf | 2025-07-24 |
| 9 | 202511070534-FORM 1 [24-07-2025(online)].pdf | 2025-07-24 |
| 10 | 202511070534-EVIDENCE FOR REGISTRATION UNDER SSI(FORM-28) [24-07-2025(online)].pdf | 2025-07-24 |
| 11 | 202511070534-EVIDENCE FOR REGISTRATION UNDER SSI [24-07-2025(online)].pdf | 2025-07-24 |
| 12 | 202511070534-EDUCATIONAL INSTITUTION(S) [24-07-2025(online)].pdf | 2025-07-24 |
| 13 | 202511070534-DRAWINGS [24-07-2025(online)].pdf | 2025-07-24 |
| 14 | 202511070534-DECLARATION OF INVENTORSHIP (FORM 5) [24-07-2025(online)].pdf | 2025-07-24 |
| 15 | 202511070534-COMPLETE SPECIFICATION [24-07-2025(online)].pdf | 2025-07-24 |