Existing detection methods for USB HID injection attacks, such as those employing Rubber Ducky devices, rely on content analysis or simplistic timing rules, rendering them susceptible to evasion and raising privacy concerns. This work proposes a lightweight human–machine discrimination approach that leverages only keystroke timing features, eliminating the need for user-specific behavioral modeling or access to input content. It pioneers the application of keystroke dynamics to user-agnostic attack detection, revealing a non-monotonic relationship between attack complexity and evasiveness, and quantifying the trade-off between detection timeliness and reliability. A machine learning model based solely on timing features achieves efficient and accurate detection across diverse attack scenarios, identifying practical operating points suitable for early-stage interception.

Modern computing systems inherently trust human input devices, creating an exploitable attack surface for adversarial automation. USB Human Interface Device (HID) emulation attacks, such as those enabled by the USB Rubber Ducky, exploit this assumption to inject arbitrary keystroke sequences while bypassing traditional defenses. Existing countermeasures rely on simple heuristics based on typing speed or timing regularity, which can be easily evaded through basic randomization. Keystroke dynamics analysis offers a more robust alternative by modeling temporal typing behavior. However, prior work frames this problem as behavioral authentication, verifying whether input originates from a specific user rather than detecting automated injection. An alternative approach is continuous monitoring via keylogging integrated with intrusion detection systems, but this requires access to input content, raising significant privacy concerns. In this paper, we provide the first systematic characterization of keystroke dynamics for human-vs-machine discrimination, independent of user identity. Guided by five research questions, we show that robust, privacy-preserving detection is achievable using lightweight models operating solely on timing features, eliminating the need for content access or user profiling. Our analysis reveals that attacker sophistication does not monotonically translate into improved evasion. Instead, robustness depends on exposure to structurally diverse generation strategies rather than increased model complexity. Finally, we quantify the trade-off between detection timeliness and reliability across varying keystroke sequence lengths, identifying practical operating points for early and effective attack interception.