USBIPS Framework: Protecting Hosts from Malicious USB Peripherals

📅 2024-09-19
🏛️ arXiv.org
🤖 AI Summary
Malicious USB peripherals (e.g., BadUSB) pose severe risks of service crashes and data exfiltration, yet existing USB firewalls (e.g., USBGuard) offer limited protection. This paper proposes USBIPS—the first native, Windows-oriented USB intrusion prevention framework. Our approach addresses the problem through three core contributions: (1) a lightweight, runtime behavior–based mechanism for detecting malicious USB activities; (2) an OS-native, whitelist-driven access control model tightly integrated with the Windows kernel; and (3) a persistent endpoint detection and response (EDR) architecture, incorporating real-time telemetry and centralized threat analytics. Evaluated on a Linux kernel prototype—serving as a proof-of-concept—USBIPS achieves sub-3% CPU overhead and zero false positives while delivering real-time protection. It effectively blocks both known and zero-day USB attacks, reducing service crash rates and data theft success rates by orders of magnitude.

📝 Abstract
USB-based attacks have increased in complexity in recent years. Modern attacks incorporate a wide range of attack vectors, from social engineering to signal injection. The security community is addressing these challenges using a growing set of fragmented defenses. Regardless of the vector of a USB-based attack, the most important risks concerning most people and enterprises are service crashes and data loss. The host OS manages USB peripherals, and malicious USB peripherals, such as those infected with BadUSB, can crash a service or steal data from the OS. Although USB firewalls such as USBFilter and USBGuard have been proposed to thwart malicious USB peripherals, they cannot prevent real-world intrusions. This paper focuses on building a security framework called USBIPS within OSs to defend against malicious USB peripherals. This includes major efforts to explore the nature of malicious behavior and build persistent protection from USB-based intrusions. We first present a behavior-based detection mechanism focusing on attacks integrated into USB peripherals. We then introduce the novel idea of an allowlisting-based method for USB access control. We finally develop an endpoint detection and response system to build the first generic security framework that thwarts USB-based intrusions. Within a centralized threat analysis framework, it provides persistent protection and may detect unknown malicious behavior. By addressing key security and performance challenges, these efforts help modern OSs defend against attacks from untrusted USB peripherals.
Problem

Research questions and friction points this paper is trying to address.

Defending against malicious USB peripherals in Windows OS
Preventing service crashes and data loss from USB attacks
Detecting unknown malicious behavior in USB devices
Innovation

Methods, ideas, or system contributions that make the work stand out.

Allowlisting-based USB access control method
Behavior-based detection for USB peripheral attacks
Cross-layer generic security framework for USB