Content Threat Removal

Content Threat Removal (CTR) is a cybersecurity technology intended to defeat the threat posed by handling digital content in cyberspace.[1] Unlike other defences, including antivirus software and sandboxed execution, CTR does not rely on being able to detect threats. Like Content Disarm and Reconstruction, CTR is designed to remove any threat without first establishing whether the data contains one, and so it acts without knowing whether there was anything to remove.

Detection strategies work by detecting unsafe content, and then blocking or removing that content. Content that is deemed safe is delivered to its destination. In contrast, Content Threat Removal assumes all data is hostile and delivers none of it to the destination, regardless of whether it is actually hostile. Although no data is delivered, the business information carried by the data is delivered using new data created for the purpose.

Threat

Advanced attacks continually defeat defences that are based on detection. These are often referred to as zero-day attacks: once one is discovered, detection mechanisms must be updated to identify and neutralise it, and until they are, all systems remain unprotected. Such attacks succeed because attackers are skilled at finding new ways of evading detection. Polymorphic code can be used to evade the detection of known unsafe data, and sandbox detection allows attacks to evade dynamic analysis.[2]

Method

A Content Threat Removal defence works by intercepting data on its way to its destination. The business information carried by the data is extracted and the data is discarded. Then entirely new, clean and safe data is built to carry the information to its destination.

The effect of building new data to carry the business information is that any unsafe elements of the original data are left behind and discarded. This includes executable data, macros, scripts and malformed data that trigger vulnerabilities in applications.

While CTR is a form of content transformation, not all transformations provide a complete defence against the content threat.[3]

Applicability

CTR is applicable to user-to-user traffic, such as email and chat, and machine-to-machine traffic, such as web services. Data transfers can be intercepted by in-line application layer proxies, and these can transform the way information content is delivered to remove any threat.[4]

CTR works by extracting business information from data, and no such information can be extracted from executable code. This means CTR is not directly applicable to web browsing, since most web pages are code. It can, however, be applied to content that is downloaded from, and uploaded to, websites.

Although most web pages cannot be transformed to render them safe, web browsing can be isolated and the remote access protocols used to reach the isolated environment can be subjected to CTR.

CTR provides a solution to the problem of Stegware.[5] It naturally removes detectable steganography and eliminates symbiotic and permutation steganography through normalisation.[6]
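The following example illustrates the extract-discard-rebuild method described under Method, and the normalisation that removes hidden data mentioned above. It is an added example written for this article, not code from any CTR product or from the cited papers. It assumes a deliberately simple carrier, the ASCII PPM (P3) image format; the name ctr_transform and the policy limit MAX_DIM are assumptions of the example. No byte of the original file reaches the output: only the parsed dimensions and pixel values do, re-serialised into fresh, canonical bytes, so comments, irregular whitespace and data appended after the image are left behind, and a header claiming dimensions outside policy or a truncated pixel block is rejected rather than forwarded.

```python
"""Toy Content Threat Removal transform for ASCII PPM (P3) images (added example).

Business information = width, height, maxval and the pixel samples.
Everything else (comments, whitespace layout, trailing bytes) is never copied.
"""
import re

MAX_DIM = 4096  # assumed policy limit on width and height (example value)


class ContentRejected(ValueError):
    """The input cannot be understood as a P3 image, so nothing is delivered."""


def _ints(tokens, what):
    # Accept only short runs of ASCII digits; anything else is malformed data.
    if not all(re.fullmatch(r"\d{1,10}", t) for t in tokens):
        raise ContentRejected(f"non-numeric {what}")
    return [int(t) for t in tokens]


def extract(data: bytes) -> tuple[int, int, int, list[int]]:
    """Return (width, height, maxval, samples) parsed from P3 bytes."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ContentRejected("non-ASCII byte in P3 data") from exc
    # A '#' starts a comment that runs to end of line. Comments carry no
    # image information (but can carry hidden data), so they are dropped.
    text = re.sub(r"#[^\n]*", " ", text)
    tokens = text.split()  # any whitespace layout is flattened here
    if len(tokens) < 4 or tokens[0] != "P3":
        raise ContentRejected("missing P3 header")
    width, height, maxval = _ints(tokens[1:4], "header field")
    if not (0 < width <= MAX_DIM and 0 < height <= MAX_DIM):
        raise ContentRejected("image dimensions outside policy")
    if not (0 < maxval <= 65535):
        raise ContentRejected("maxval out of range")
    needed = width * height * 3
    body = tokens[4:4 + needed]
    if len(body) < needed:
        raise ContentRejected("truncated pixel data")
    samples = _ints(body, "sample")
    if any(s > maxval for s in samples):
        raise ContentRejected("sample exceeds maxval")
    # Tokens beyond `needed` are trailing data: not part of the image, discarded.
    return width, height, maxval, samples


def rebuild(width: int, height: int, maxval: int, samples: list[int]) -> bytes:
    """Serialise the extracted information into fresh, canonical P3 bytes."""
    lines = ["P3", f"{width} {height}", str(maxval)]
    per_row = width * 3
    for row in range(height):
        chunk = samples[row * per_row:(row + 1) * per_row]
        lines.append(" ".join(str(s) for s in chunk))
    return ("\n".join(lines) + "\n").encode("ascii")


def ctr_transform(data: bytes) -> bytes:
    """Content Threat Removal: extract the information, discard the data, rebuild."""
    return rebuild(*extract(data))


# Constructed input (not a real sample): a comment smuggling text, irregular
# whitespace (a classic covert channel) and bytes appended after the image.
SAMPLE = (
    b"P3\n# secret: meet at dawn\n2   1\r\n255\n"
    b"255 0 0\t\t0 255\n\n0\n"
    b"TRAILING-PAYLOAD-NOT-PART-OF-IMAGE\n"
)

if __name__ == "__main__":
    print(ctr_transform(SAMPLE).decode())
```

Running the block on SAMPLE yields a three-line header followed by a single pixel row; the comment, the tab and carriage-return layout and the trailing payload are absent from the output because no code path copies them. The two rejection cases show the other half of the design: a claim of 99999-pixel width or a pixel block shorter than the header promises is malformed data of the kind that triggers vulnerabilities in consumers, and a CTR proxy declines to deliver anything rather than forward it.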


References

  1. Wiseman, Simon (September 2017). "Content security through transformation". Computer Fraud and Security. Elsevier. 2017 (9): 5–10. doi:10.1016/S1361-3723(17)30097-0.
  2. Keragala, Dilshan (January 2016). "Detecting Malware and Sandbox Evasion Techniques". SANS Institute.
  3. Wiseman, Simon (May 2017). "Content Security through Transformation – Problem Statement". doi:10.13140/RG.2.2.13179.92969.
  4. European patent application EP 1721234, Wyatt, Graham Richard & Dean, Timothy Barry, "Threat mitigation in computer networks", published 2006-11-15, assigned to QinetiQ Ltd., since refused.
  5. Wiseman, Simon (December 2017). "Stegware – Using Steganography for Malicious Purposes". doi:10.13140/RG.2.2.15283.53289.
  6. Wiseman, Simon (September 2017). "Defenders Guide to Steganography". doi:10.13140/RG.2.2.21608.98561.