A method may include running virtual sessions on a virtualization server corresponding to a published application for client devices associated with respective users. The client devices may have user input devices associated therewith, and the virtual sessions may be responsive to user input device traffic from different virtual drivers at the client devices over respective virtual channels. The method may further include collecting USB traffic relating to file copying based upon the traffic from the virtual drivers during the virtual sessions, determining baseline user input traffic patterns for the collected USB traffic and a normal usage pattern for the published application, monitoring traffic over the virtual channels at the virtualization server during a new virtual session for a given client device and detecting an anomaly therein relative to the baseline user input traffic patterns and the normal usage pattern, and generating an anomaly alert.