Google company
The utility runs as a systemd service and can operate in either monitoring or attack prevention mode. In monitoring mode, possible attacks are identified and attempts to misuse USB devices for input substitution are recorded in the log. In protection mode, when a potentially malicious device is detected, it is disconnected from the system at the driver level.
Malicious activity is identified by heuristic analysis of the nature of the input and the delays between keystrokes. The attack is usually carried out in the presence of the user, and in order for it to go undetected the simulated keystrokes are sent with minimal delays that are atypical of normal keyboard input. Two settings are provided to change the attack detection logic: KEYSTROKE_WINDOW and ABNORMAL_TYPING (the first determines the number of keystrokes analyzed, and the second the threshold interval between keystrokes).
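The timing heuristic described above can be sketched as a per-device sliding window. This is an added example, not code from the utility itself. It assumes that a device is flagged when every gap in a full window is shorter than the threshold, that the threshold is given in seconds, and that the values shown are reasonable; `KeystrokeTimingMonitor` and `first_alert` are hypothetical names.

```python
from collections import deque

# Names taken from the settings described above; the values are assumptions.
KEYSTROKE_WINDOW = 5      # number of keystrokes examined together
ABNORMAL_TYPING = 0.030   # seconds; gaps shorter than this count as abnormal


class KeystrokeTimingMonitor:
    """Tracks key-press timestamps per device and flags machine-speed bursts."""

    def __init__(self, window=KEYSTROKE_WINDOW, threshold=ABNORMAL_TYPING):
        if window < 2:
            raise ValueError("window must hold at least two keystrokes")
        self.window = window
        self.threshold = threshold
        self._recent = {}  # device id -> deque of latest timestamps

    def observe(self, device, timestamp):
        """Record one key press; return True when the window looks injected."""
        stamps = self._recent.setdefault(device, deque(maxlen=self.window))
        if stamps and timestamp < stamps[-1]:
            stamps.clear()  # clock went backwards: restart the window
        stamps.append(timestamp)
        if len(stamps) < self.window:
            return False  # not enough evidence yet
        ordered = list(stamps)
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        return all(gap < self.threshold for gap in gaps)


def first_alert(events, **kwargs):
    """Return (index, device) of the first flagged event, or None."""
    monitor = KeystrokeTimingMonitor(**kwargs)
    for index, (device, timestamp) in enumerate(events):
        if monitor.observe(device, timestamp):
            return index, device
    return None


# Constructed sample input: (device id, key-press time in seconds).
HUMAN = [("usb-1", t) for t in (0.00, 0.18, 0.31, 0.52, 0.66, 0.93, 1.05)]
INJECTED = [("usb-2", 2.0 + i * 0.004) for i in range(8)]
# A fast human burst shorter than the window must not trigger.
BURST = [("usb-1", t) for t in (0.00, 0.02, 0.04, 0.30, 0.32, 0.34, 0.60)]

if __name__ == "__main__":
    for name, sample in (("human", HUMAN), ("injected", INJECTED), ("burst", BURST)):
        print(name, first_alert(sample))
```

Shrinking the window makes the check react sooner but also flags short human bursts, which is the trade-off the two settings expose.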
The attack can be carried out using an unsuspicious device with modified firmware, for example, you can simulate a keyboard in
Source: opennet.ru