Protection Without Detection: A Threat Mitigation Technique

Document Type





intrusion detection, thread avoidance, host security




Electrical and Computer Engineering | Information Security


Networking systems and individual applications have traditionally been defended using signature-based tools that protect the perimeter, many times to the detriment of service, performance, and information flow. These tools require knowledge of both the system on which they run and the attack they are preventing. As such, by their very definition, they only account for what is known to be malicious and ignore the unknown. The unknown, or zero day threat, can occur when defenses have yet to be immunized via a signature or other identifier of the threat. In environments where execution of the mission is paramount, the networks and applications must perform their function of information delivery without endangering the enterprise or losing the salient information, even when facing zero day threats. In this paper we, describe a new defensive strategy that provides a means to more deliberately balance the oft mutually exclusive aspects of protection and availability. We call this new strategy Protection without Detection, since it focuses on network protection without sacrificing information availability. The current instantiation analyzes the data stream in real time as it passes through an in-line device. Critical files are recognized, and mission-specific trusted templates are applied as they are forwarded to their destination. The end result is a system which eliminates the opportunity for propagation of malicious or unnecessary payloads via the various containers that are inherent in the definition of standard file types. In some cases, this method sacrifices features or functionality that is typically inherent in these files. However, with the flexibility of the template approach, inclusion or exclusion of these features becomes a deliberate choice of the mission owners, based on their needs and amount of acceptable risk. The paper concludes with a discussion of future extensions and applications.