HUMAN Blog

HUMAN’s Threat Mitigation Language: What It Is, What It Isn’t, and How It's Changing the Game

The malvertising ecosystem is vast and volatile, with malicious actors constantly evolving their tactics in order to evade detection.

This constant game of cat and mouse has long highlighted the need for a truly proactive approach to malvertising that can predict new attack types before they’re able to execute and wreak havoc on your website and user experience.

HUMAN Malvertising Defense uses a proprietary Threat Mitigation Language (TML) to define behaviors and apply custom, context-aware logic for gathering telemetry and executing advanced threat neutralization techniques. TML facilitates quick categorization of potentially harmful threats, including key indicators, behavioral traits, and other identifying metadata, for pairing with appropriate mitigation strategies.

TML not only allows us to dynamically identify and block new attack variants; unlike protection approaches that rely on blocklisting, it also means that a threat does not need to be known to be stopped.

What is TML?

TML is HUMAN’s unique threat mitigation language. It consists of a set of instructions executed by the Malvertising Defense script running in-browser, and it is used to govern our protection methodology and define:

  • What a threat is and how it is relevant to our customers
  • How to classify and categorize those threats
  • How to mitigate those threats

Under this framework, each unique malvertising attack is identified and classified in three ways: by threat class, attack variant, and origin. 

[Figure: Threat classification in cleanAD TML]

This provides the HUMAN team and our customers a more complete understanding of how bad actors target their victims and what defines an ad as harmful, allowing for greater potential for research into new preventative measures, as well as greater collaboration with the platforms and publishers we protect.

Reliable and Adaptable Security

Because our Malvertising Defense script can behaviorally detect novel attacks happening in real time (even threats originating outside of advertising, e.g. malicious Chrome extensions), when a new threat enters the ecosystem we can quickly identify, classify, and mitigate it based on the telemetry gathered by the script.

Once the threat is classified, the TML index allows us to build resilient protections to stop future variants before they execute, based on the progression of similar attack types in the past.

TML also provides for redundancy (or being able to detect bad ads based on more than one malicious behavior) in order to identify shifting attack patterns. 

For example, if malicious activity A and malicious activity B are detected in a harmful ad, and later malicious activity A is no longer detected, this means the ad has updated its attack vector. 

Further mitigations can then quickly be configured to harden protection and restore redundancy.

This kind of dynamic protection allows us to identify malicious ads in real time, trigger alerts, deploy telemetry gathering, and execute swift protection updates, while also informing our team and customers about the evolution of attacks after they have been detected.

Using all these techniques in unison has allowed us to create a security solution that is rigid enough to ensure safe, stable environments, and yet flexible enough to allow for swift, custom responses to new attacks.

An Anti-malvertising Tool Reimagined

HUMAN’s behavioral approach to malvertising detection, coupled with our threat mitigation language, renders many of the traditional evasion techniques ineffective by detecting malicious JavaScript, stopping the sources of attacks, and constructing hardened protections that provide comprehensive coverage, even when attackers rotate domains, delivery mechanisms, obfuscation methods, and cloaking approaches.

This innovative approach reduces the need for blocklists and frees up time and resources spent playing whack-a-mole with attackers that are constantly changing their techniques and points of attack.

Along with this, Malvertising Defense blocks malicious activity at runtime, while allowing the ad creative to render.

This removes the need for re-auctioning ad space and means you still get paid for the ads, creating a financial disincentive for malvertisers to continue attacking your site.

An Effective Threat Model

While it is designed to tackle the problem of malvertising, HUMAN is capable of monitoring any third-party code running on the page, and it accomplishes this in a way that is powerful but also highly efficient.

Key to HUMAN's effectiveness is its ability to distinguish between poor-quality ads and ads that are actually breaking rules and harming your web page and users.

In general, our approach to this has been to define our threat model for ads as those with behaviors seeking to intentionally circumvent normal processes and protocols in an effort to impact and harm the end-user experience.

Using this definition, we use TML to set parameters on specific sets of behaviors and malicious actions that identify an ad as harmful, while maintaining the speed, functionality, and overall revenue of your site.

Looking Forward

While traditional anti-malvertising tools are limited to only analyzing code within specific creatives, Malvertising Defense analyzes trillions of lines of code and browser interactions across the entirety of web pages every month. All of this data means we are continually adapting and enhancing our ability to identify and block harmful ads.