Abstract: Disclosed are systems and methods for generating rules for detecting modified or corrupted external devices connected to a computer system. An exemplary method includes analyzing data associated with the external device connected to the computer system based on stored data associated with one or more other devices; identifying at least one anomaly associated with the analyzed data that indicates the detected external device is modified or corrupted; generating at least one rule in response to the identified anomaly, wherein the at least one rule is based on the external device; and storing the at least one rule in a database accessible to the computer system.
Type: Grant
Filed: May 26, 2016
Date of Patent: January 22, 2019
Assignee: AO Kaspersky Lab
Inventors: Oleg V. Zaitsev, Olga E. Domke, Konstantin Y. Manurin, Mikhail A. Levinsky