22nd AIAI 2026, 16 - 19 July 2026, Chania, Crete, Greece

AI-Based Detection of Malicious HID Attacks Using Behavioral and Payload Analysis

Fakih Nour, Bakri Hussein, Trad Fouad, Chehab Ali

Abstract:

  Operating systems implicitly trust Universal Serial Bus (USB) Human Interface Devices (HIDs), allowing any device that enumerates as a keyboard to inject input without authentication. While this design enables plug-and-play usability, it creates a significant security risk, as malicious peripherals can execute unauthorized commands through automated keystroke injection. This paper presents HID-APP, a fully local, privacy-preserving endpoint defense that uses artificial intelligence to detect and mitigate malicious HID activity in real time on commodity systems. Upon device attachment, the system monitors per-device keystroke events and applies a two-phase detection pipeline combining behavioral analysis and semantic intent classification. The first phase performs low-latency screening using timing-based features and a lightweight recurrent model to distinguish automated injection from human typing. When suspicious behavior is detected, the system isolates the device and reconstructs recent input into command sequences. The second phase analyzes these sequences using compact transformer-based models to classify the intent as benign or malicious. Experimental evaluation with traces from multiple programmable HID attack platforms and a large human typing baseline demonstrates clear behavioral separation and high detection performance, with strong sensitivity to malicious payloads while maintaining low false alarms. The proposed approach operates entirely on-device, requires no specialized hardware or external services, and supports automated response actions such as logging, blocking, mitigation, and safe device removal. These results indicate that AI-driven behavioral and semantic analysis can provide an effective and deployable defense against malicious HID injection attacks.  
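
The hand-off between the two phases described in the abstract can be sketched as follows. This is an added example, not the authors' code or HID-APP itself: a fixed timing heuristic stands in for the paper's recurrent model, and the function names, thresholds and sample traces are all assumptions constructed for illustration.

```python
from statistics import mean, pstdev

# Constructed sample traces of (timestamp in ms, key) for one device each;
# these are illustrative values, not data from the paper.
HUMAN_TS = [0, 142, 391, 520, 745, 1010, 1130, 1420, 1555]
HUMAN = list(zip(HUMAN_TS, "ls -la /\n"))
INJECTED = [(i * 5, ch) for i, ch in enumerate("echo constructed-sample\n")]

def timing_features(events):
    """Summarise inter-key intervals as mean (ms) and coefficient of variation."""
    gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
    if not gaps:
        return {"mean_ms": 0.0, "cv": 0.0}
    m = mean(gaps)
    return {"mean_ms": m, "cv": pstdev(gaps) / m if m else 0.0}

def looks_automated(events, max_mean_ms=30.0, max_cv=0.2, min_keys=8):
    """Phase-1 stand-in: flag typing that is both very fast and very regular.
    Thresholds are assumptions, not values taken from the paper."""
    if len(events) < min_keys:
        return False  # too little evidence to judge this device yet
    f = timing_features(events)
    return f["mean_ms"] < max_mean_ms and f["cv"] < max_cv

def reconstruct_commands(events):
    """Rebuild buffered keystrokes into command lines for phase-2 analysis."""
    buf, out = [], []
    for _, key in events:
        if key == "\n":          # Enter closes the current command
            if buf:
                out.append("".join(buf))
            buf = []
        elif key == "\b":        # Backspace removes the last character
            if buf:
                buf.pop()
        else:
            buf.append(key)
    if buf:
        out.append("".join(buf))  # keep a trailing unterminated command
    return out

def screen_device(device_id, events):
    """Allow the device, or isolate it and hand its commands to phase 2."""
    if not looks_automated(events):
        return {"device": device_id, "action": "allow", "commands": []}
    return {"device": device_id, "action": "isolate",
            "commands": reconstruct_commands(events)}
```

The `commands` list returned for an isolated device is the input an intent classifier would receive in the second phase.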

*** Title, author list and abstract as submitted during Camera-Ready version delivery. Small changes that may have occurred during processing by Springer may not appear in this window.