USB Keystroke Injection Detection for Laptops

By /

USB Keystroke Injection Detection for Laptops

ISEF Category: Systems Software

Ready to Turn This Idea Into a Real Project?

This guide was put together with the help of AI research tools to give you a solid starting point. But a competitive science fair project lives in the details: refining your research question, fine-tuning your variables, analyzing your data, and presenting your findings like a seasoned scientist.

For next steps tailored to your interests, skill level, and timeline, work one-on-one with a MehtA+ mentor. Learn more about MehtA+ Science & Engineering Research Mentorship →

Subcategory: Cybersecurity  ·  Difficulty: Advanced  ·  Setup: University Lab  ·  Time: Full Year

The Hook

A fake keyboard can type faster than a person ever could. That makes a USB Rubber Ducky a sneaky way to launch commands on a laptop in seconds. Your project asks a simple question, can software spot that pattern before damage starts? You can turn typing rhythm into a security signal.

What Is It?

This project looks at a type of attack called HID injection. HID means human interface device, like a keyboard or mouse. A malicious USB device pretends to be a keyboard and sends keystrokes much faster, and more consistently, than a person usually can.

Think of normal typing like a jazz drummer. The timing has small pauses, bursts, and mistakes. A scripted attack sounds more like a machine metronome. Your detector watches those timing patterns and tries to tell human typing from automated injection.

A CRNN is a small neural network that mixes convolution, which finds short local patterns, with recurrent layers, which track order over time. In this project, you would use it in user space, meaning regular software rather than a kernel driver. That makes the idea easier to test on ChromeOS or Linux without changing the whole operating system.

Why This Is a Good Topic

This is a strong science fair topic because you can measure clear signals, compare real classes of input, and test false positives. It connects to a real security problem that affects schools, offices, and public kiosks. You can learn about event timing, feature extraction, classification, and evaluation metrics like precision and recall. You can also improve the project by testing different typing patterns, different models, or different device behaviors.

Research Questions

  • How does the choice of timing window change the detector's ability to separate human typing from HID injection?
  • What is the effect of using inter-keystroke intervals versus key-hold durations on classification accuracy?
  • Does a tiny CRNN outperform simpler models like logistic regression or random forest on the same timing features?
  • To what extent do different public payload styles change the detector's false negative rate?
  • Which timing features are most useful for distinguishing scripted keystrokes from real typing?
  • How does adding human typing variability from different users affect the detector's precision?

Basic Materials

  • Linux laptop or ChromeOS laptop with developer access.
  • Sandbox virtual machine for safe payload replay.
  • USB keyboard for collecting human typing data.
  • USB storage device for transferring harmless test scripts.
  • Python installed with data analysis libraries.
  • Keyboard event logger or key timing capture tool.
  • Spreadsheet software for organizing trials.
  • External mouse and monitor for easier lab workflow.

Advanced Materials

  • Linux workstation with root or developer access for timing capture experiments.
  • Virtual machine software such as VirtualBox or QEMU for isolated payload replay.
  • USB event sniffing setup for comparing user-space and device-level timing.
  • TensorFlow or PyTorch for building the CRNN.
  • Python packages for signal processing and model evaluation.
  • Secure test USB devices for controlled HID injection trials.
  • Version-controlled dataset storage for raw event logs.
  • Optional logic analyzer for validating device timing at the hardware level.

Software & Tools

  • Python: Cleans timing logs, builds features, and runs model comparisons.
  • Pandas: Organizes keystroke event tables and session metadata.
  • NumPy: Handles timing arrays and basic numerical transforms.
  • scikit-learn: Trains baseline classifiers and scores precision, recall, and ROC curves.
  • TensorFlow or PyTorch: Builds and tests the tiny CRNN model.

Experiment Steps

  1. Define the attack pattern you want to detect, then separate it from normal typing behavior.
  2. Choose the timing signals you will record, such as gaps between keys or press and release timing.
  3. Build a safe data collection plan that includes human typing samples and controlled replay samples.
  4. Design baseline models first, then compare them with the tiny CRNN on the same features.
  5. Plan your validation split so sessions, users, and payload types do not leak across train and test sets.
  6. Decide which error matters most, then tune the threshold for false alarms versus missed attacks.

Common Pitfalls

  • Mixing data from the same typing session into both training and testing, which inflates accuracy.
  • Recording human typing with a different keyboard than the one used for attack replay, which creates device bias.
  • Using only one person's typing style, which makes the detector overfit to that user.
  • Ignoring session timing and screen state, which lets background activity contaminate event logs.
  • Testing only on a single payload style, which hides how fragile the detector is against varied injection scripts.

What Makes This Competitive

A competitive version of this project would not stop at a single classifier score. You would compare several models, test on multiple users, and report error rates under different payload styles. Strong projects also explain why the timing features work, not just whether they work. If you can show a detector that stays useful across devices, users, and attack scripts, your project becomes much stronger.

Project Variations

  • Test whether the detector works better on text-entry payloads than on shortcut-heavy payloads.
  • Compare ChromeOS and Linux event logs to see whether one system exposes cleaner timing features.
  • Add a user-behavior layer, such as typing speed history, to see whether personalization lowers false alarms.

Learn More

  • PubMed: Search for review articles on keyboard timing biometrics, human input dynamics, and anomaly detection methods.
  • NIH National Library of Medicine: Use PubMed and related tools to find peer-reviewed papers on behavioral biometrics and device authentication.
  • MIT OpenCourseWare: Search for computer security and machine learning courses that explain detection, features, and evaluation.
  • NIST Computer Security Resource Center: Look for guidance on authentication, endpoint security, and attack models.
  • arXiv: Search for recent preprints on keystroke dynamics, HID injection detection, and lightweight neural networks.
Shopping Cart