What is HIPS?

Discussion in 'other anti-malware software' started by Rmus, Aug 24, 2005.

  1. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    HIPS, as stated previously, means Host-Based Intrusion Prevention System.

    The term developed from Intrusion Detection Systems, which detected intrusions into a computer but did not stop the intrusion prior to it occurring, i.e. IDSs were reactive.

    The security techies wanted to prevent intrusions before they happened, and that's where IPSs were born. Host-based IPSs (HIPS) are one extension of that.

    But what sort of programs they allude to exactly... I suppose that's open for debate.

    There are a number of white papers etc. on the internet on IPSs (at enterprise level), but I only read enough to get the general gist of them.
     
  2. Trekk

    Trekk Registered Member

    Joined:
    Aug 16, 2005
    Posts:
    90
    Location:
    Ohio
    They actually study the behavior of most known applications in a lab. After compiling data on how the applications behave in a given environment, they write code defining those characteristics and develop software that prevents any behavior outside that which is deemed normal. The brand we use, ISS Proventia, actually sits just inside the firewall and scans all inbound and outbound traffic for potentially harmful data. From the inside, IPSs scan applications and ensure they are not infected with anything that would make them perform uncharacteristically.

    Having said this, most IPS applications are two-part. The first portion is responsible for handling inbound/outbound traffic; the second handles applications and the way they interact with the network/desktop.

    "HIPS technology is extremely accurate. It works by enforcing a set of basic software conventions that never changes called the Application Binary Interface (ABI). The ABI sits one step beyond the application program interface (API) and defines the API plus the machine language for a particular CPU family. Because these conventions are universal among compiled applications, it is nearly impossible to hijack an application without violating the ABI."

    Trekk
     
  3. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    This post has been interesting reading. I have a question. I have PG and Online Armor. Would Anti-Executable add any protection?
     
  4. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    As far as I can tell, it doesn't add any protection, especially if you put PG in "Blocked new and changed applications" mode. In this mode, both products will block all new applications. What you can do to add additional protection, if you so desire, is to add, for example, registry protection (e.g. RegDefend, Safe N' Sec) or file system protection (Prevx Home). Both of these products add more behavioral protection to what you already have - sort of like an additional interior line of defense.

    Rich
     
  5. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    Thank you Rich for the reply. Online Armor is supposed to add registry protection.
     
  6. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    You're welcome, WilliamP. Yes, Mike has indicated that he is planning to add registry protection in future versions.

    Cya,
    Rich
     
  7. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Or you could try products like ShadowUser or Deep Freeze, which reset your computer to the exact bit & byte where SU/DF was installed (or last activated)... but these sorts of products aren't for everyone :)
     
  8. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    What is a HIPS?

    The answer needs simple words, and mostly needs to take into consideration the origin of this terminology: from IDS to HIPS.

    ***From IDS to IPS:

    At the beginning there were IDS solutions, which were designed to protect a network environment from attacks and intrusions.
    Unfortunately, IDSs have too many disadvantages and weaknesses: general signatures, false positives, not easy to manage and configure, consume too much time and resources, and have been ridiculed by some worms (Slammer, Nimda) etc...
    Then from this need came IPS: generally, an IPS combines firewall features (packet filtering) with IDS features (packet data analysis).
    If we use an analogy, we can compare an IDS to a basic alarm (warns of any intrusion) and an IPS to a sophisticated alarm with video (can allow what is safe and block what is suspect).
    IPSs are easier to manage and can block attacks automatically (not the case with IDS).

    ***From IPS to HIPS:

    The market distinguishes two kinds of IPS: Network IPS and Host IPS.
    The difference between them concerns their implementation and their target.

    *NIPS are designed to:
    -be implemented on a specific network perimeter,
    -protect this perimeter by preventing network attacks (DoS etc.) and threats (worms) with traffic monitoring and deep data inspection and analysis.

    *HIPS are designed to:
    -be implemented on a specific host (machine, OS, server),
    -protect this host from threats and attacks (buffer overflow etc.) by monitoring the host's behavioral activities.

    A NIPS can protect a private network where each machine is already protected by a HIPS.

    ***How does a HIPS work?

    Generally, once installed, the HIPS uses a learning-mode phase for the configuration: it creates a fingerprint database of the normal system and user behavior.
    This method or approach is called "anomaly detection" (white/safe list): each behavior which violates the policy is automatically blocked.
    The other approach is called "misuse detection": it's a black list of known attacks.

    HIPS can use many methods like activity monitoring (processes, services etc.), file monitoring (changes, size etc.), integrity checking etc.
    A good Windows HIPS is implemented at the kernel level of the OS and consequently has the ability to catch suspect behaviours from ring 3/user land to ring 0/kernel land.

    The next link summarizes how they work and provides a list of well-known HIPS (Prevx, Blink or ThreatSentry can also be included in this list):
    http://www.vigilar.com/sol_intrusion_detection_host_ips.html

    Generally, it's really not recommended (for a home user) to try these HIPS, because they implement specific device drivers and change TCP/IP parameters.
    Even when they have the ability to run on Windows home user systems, they often need specific libraries; ThreatSentry is an example: http://www.privacyware.com/intrusion_prevention.html

    ***ProcessGuard, SSM, Viguard, OA, Prevx, SnS: are they HIPS?

    If we take into consideration how corporate HIPS work, PG and its friends are HIPS.
    But they're designed to run in a single home user's environment: that's why the "personal HIPS" or "desktop IPS" terminologies are certainly more appropriate.
    If we have a look at their web sites: SafenSec is called a HIPS (seems to have been renamed recently), Prevx a HIPD/IPS, AntiHook a desktop intrusion and prevention system.
    The position of these products on the market place is CLEAR.
    It's not the same for ProcessGuard (what's that? a kernel sandbox? an anti-rootkit?), Viguard (considered an AV in France and an IDS in the USA (download.com site)); Anti-Executable is called "proactive protection", but any security software which does not use a signature database is proactive protection; SSM an "application firewall", but that's just one of its features, etc...

    The consumer needs a terminology for each product, and publishers should certainly clarify the position of their products in the security business (.......)

    Just a final word about firewalls which integrate IDS features.
    The advantage of IDS features in personal firewalls (Kerio, McAfee, BlackICE etc.) for the user is really limited.
    Look'n'Stop, Jetico or Outpost don't have (or don't communicate) IDS features and they're excellent firewalls (but publishers try to differentiate their products from others).
    Generally, specific device drivers and libraries (WinPcap for Windows systems, for instance; http://www.winpcap.org/ ) are required.
    There are open source IDSs, but they're unfortunately not easy to install and configure (Snort, Samhain).
    EasyGuard is very easy to use (WinPcap is necessary); it just installs a driver which is not recognized by Windows: http://www.easy-guard.com/
    On a single home user system, an IDS is absolutely not needed.


    Regards
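To make the mechanisms discussed in this thread concrete (richrf's "Blocked new and changed applications" mode in post 4, and the learning mode, anomaly/white-list detection, misuse/black-list detection and integrity checking kareldjag describes in the post above), here is a small Python model of a personal HIPS. It is an added example for this page, not code from ProcessGuard, Prevx, Safe'n'Sec, ISS Proventia or any other product named in the thread; the event model (process, action, target), the two misuse rules, and all paths, process names and image bytes are constructed assumptions.

```python
"""Toy model of a personal HIPS (added illustration, not any product's code).

It shows three mechanisms described in the thread:
  1. integrity checking of executables ("block new and changed applications"),
  2. a learning phase that builds a white list of normal behaviour; afterwards
     anything outside the baseline is an anomaly and is blocked,
  3. a small black list of known-bad actions (misuse detection), enforced even
     while learning so that the baseline cannot be poisoned.
Process names, paths, image bytes and events are constructed sample data."""
import hashlib
from collections import defaultdict


def target_class(target: str) -> str:
    """Generalise a path or registry key to its parent container, so one learned
    observation covers sibling objects
    (C:\\Users\\bob\\Documents\\a.doc -> c:\\users\\bob\\documents)."""
    t = target.lower().replace("/", "\\")
    return t.rsplit("\\", 1)[0] if "\\" in t else t


# Hypothetical misuse rules: (action, predicate on target, description).
# Chosen because neither is ever part of normal desktop-application behaviour.
MISUSE_RULES = [
    ("inject", lambda tgt: True, "code injection into another process"),
    ("write_file", lambda tgt: target_class(tgt).endswith(r"\system32\drivers"),
     "driver dropped into System32\\drivers"),
]


class PersonalHIPS:
    def __init__(self, exec_baseline):
        # path -> SHA-256 of the executable image taken at install/learning time
        self.exec_baseline = dict(exec_baseline)
        # process -> set of (action, target_class) observed during learning
        self.normal = defaultdict(set)
        self.learning = True

    # --- 1. integrity checking / anti-executable -------------------------------
    def check_exec(self, path, image):
        digest = hashlib.sha256(image).hexdigest()
        known = self.exec_baseline.get(path)
        if known is None:
            return ("BLOCK", "new application")
        if known != digest:
            return ("BLOCK", "changed application")
        return ("ALLOW", "known application")

    # --- 2 + 3. behaviour monitoring: black list first, then white list -------
    def handle(self, process, action, target):
        for act, matches, why in MISUSE_RULES:
            if act == action and matches(target):
                return ("BLOCK", "misuse: " + why)
        key = (action, target_class(target))
        if self.learning:
            self.normal[process].add(key)          # fingerprint of normal activity
            return ("LEARN", "recorded as normal")
        if key in self.normal[process]:
            return ("ALLOW", "matches learned baseline")
        return ("BLOCK", f"anomaly: {process} never did {action} under {key[1]}")


def demo():
    """Run constructed events through the model and return every verdict."""
    word = r"C:\Program Files\Word\winword.exe"
    hips = PersonalHIPS({word: hashlib.sha256(b"constructed winword image").hexdigest()})
    learned = [hips.handle(*ev) for ev in [
        ("winword.exe", "write_file", r"C:\Users\bob\Documents\report.doc"),
        ("winword.exe", "set_registry", r"HKCU\Software\Word\Recent\File1"),
        ("winword.exe", "inject", "explorer.exe"),   # black-listed even while learning
    ]]
    hips.learning = False                            # switch to enforcement
    return {
        "learn_inject": learned[2],
        "normal_write": hips.handle("winword.exe", "write_file", r"C:\Users\bob\Documents\other.doc"),
        "run_key":      hips.handle("winword.exe", "set_registry",
                                    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
        "inject":       hips.handle("winword.exe", "inject", "explorer.exe"),
        "driver_drop":  hips.handle("setup.exe", "write_file", r"C:\Windows\System32\drivers\x.sys"),
        "exec_known":   hips.check_exec(word, b"constructed winword image"),
        "exec_changed": hips.check_exec(word, b"constructed winword image, patched"),
        "exec_new":     hips.check_exec(r"C:\Users\bob\Downloads\setup.exe", b"anything"),
    }


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(f"{name:13} {verdict:5} {reason}")
```

Run it directly to print the verdicts. Note what the anomaly layer buys you: the Run-key write is blocked not because the model knows that key is dangerous but because winword.exe never touched that part of the registry during learning, which is the white-list logic described above; the injection and the driver drop are blocked by the black list even when they occur during learning, so they never become "normal". A real kernel-mode HIPS intercepts far more actions than these four and usually prompts the user rather than silently blocking.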
     
  9. ghost16825

    ghost16825 Registered Member

    Joined:
    Feb 1, 2005
    Posts:
    84
    Here's my interpretation:

    When you see the phrase IDS (by itself), it used to mean basically a network-traffic-only, completely passive, signature-based IDS. Now when you see the term IDS, because of Gartner it usually means an active, network-only, signature-based IDS. It should be noted that not all behaviour related to an IDS signature can be actively 'blocked'; quite often the result from both a passive and an active IDS seeing traffic is the same. When you see the phrase IPS (by itself), it usually means an active, network, signature-based IDS, but with a massively reduced signature base.

    This bit about false positives is totally misleading and has been bounced around by various IPS vendors to sell their products.
    (See http://www.ranum.com/security/computer_security/editorials/deepinspect/ )

    As stated, when you see the word HIPS it usually means nothing to do with network traffic and is more to do with some kind of automated or user-controlled software sandboxing. And as stated, some use broad hard-coded blacklisting of attack vectors more than a user's configuration to stop attacks, which makes such software hardly proactive and more AV-like.

    Totally true. Your firewall, if configured even somewhat decently, will drop most if not all of these types of incoming attacks. The outbound signatures will usually only match when you have something well-known and/or archaic, e.g. Netbus connection attempt, Slammer propagation attempt outbound, etc.
     