This is from the Gartner HIPS model "Understanding Strengths and Weaknesses of Host-Based Intrusion Prevention Styles" (revised November 2005). In this model, HIPS is interpreted in the broad sense, taking the term "Host Intrusion Prevention System" literally and referring to pretty much any kind of security measure that runs on the host machine (as opposed to at the gateway). This means antivirus (cell 5) and firewalls (cell 1) are HIPS as well. All HIPS hence fall into 9 possible styles in a 3x3 matrix. The terms are quite intimidating (and may not be that descriptive anyway), but it is fairly easy to understand the styles without remembering the names (which were mostly made up by them on the spur of the moment, and some were changed later anyway).

The rows refer to when the HIPS works. "Network-level HIPS examine the incoming (and, ideally, outgoing) network traffic stream to provide protection against malicious code with the goal of detecting, blocking and removing the malicious code before it ever gets onto the machine." "Application-level HIPS examine the characteristics of an application's code on the machine with the goal of detecting, blocking and removing malicious code before it is executed." Execution-level HIPS "examine the characteristics of executing code with the goal of detecting, blocking and removing the ability of executing malicious code to damage to the system. This level represents the last line of defense, because the malicious code has entered the system and is now executing."

The columns are pretty self-explanatory, involving whitelisting, blacklisting, and the last is probably the most complicated and interesting method, which involves the system somehow understanding that the unknown code is bad and blocking it (heuristics, emulation, etc.). For example, sandboxing would be passive behavioral containment (cell 9), which allows code to run but protects system integrity.
It is considered passive as little or no attempt is made at behavioral profiling. More active containment might or might not involve sandboxing or virtualization, but the key point is that they try to profile or watch the code over time and determine if it is bad. "Some HIPS providers (such as Sana Security) monitor the application over time and look for changes in activities and divergence from normal patterns of memory access, systems access and so on, and typically they require a learning period to baseline normal behavior. Other behavioral containment providers (such as WholeSecurity) heuristically inspect executing applications against a large set of good and bad application behaviors to determine and stop malicious intent without requiring a learning period."

From the Wilders point of view, I suppose this is what some people here call behavior blockers (as opposed to classic HIPS). Also, the guy who posted recently about the fact that only Micropoint Proactive Defense Software or Panda TruPrevent-style HIPS is the real HIPS would actually be talking about style 9 HIPS (active containment). Here at the Wilders Security forum, it is generally believed that the term HIPS should only be used for execution-level HIPS.
(And maybe some might argue that only column 3 is what counts as real HIPS, depending on how one interprets detecting unknown code.) So, for example, some AVs use emulation or advanced heuristics for scanning files (cell 6): "Here, the solution must inspect the application's code, look at the types of system calls and application programming interfaces (APIs) that are used, contextually understand the activities that the application would perform if it was executed and block potentially malicious code." "This can be achieved by exercising the application's code paths using a simulated environment (for example, Internet Security Systems [ISS] Proventia Desktop) or by using reverse-engineering techniques to inspect code to determine malicious characteristics before the application is allowed to be saved or executed on the machine." But we do not consider them HIPS, not to mention even more conventional signature-based methods (cell 5).

In particular, I believe that people here tend to like SSM/PG-style HIPS, which probably best fits into cell 7 (application control, which appears to be a term used here a lot) and sometimes cell 8 (resource shielding). Resource shielding, according to Gartner, refers to both AV memory scanning and signatures of known bad behavior (buffer overflow techniques can be caught this way); also think of how Prevx has certain behaviors set only to "Prevent" even in Expert mode (though this might be a limitation of the technique of only preventing).

It's a pity the actual documents can't be posted (googling will get you some PowerPoints), and I quoted as much as I dared (probably too much; moderators, please check). It's very interesting reading, though, from a different point of view, an enterprise resource viewpoint (the notes list examples of each style of HIPS, but most are only for corporate/enterprise use).
This model is fairly well known, with Prevx and Panda both writing about how their solutions stand in relation to this model. Any thoughts? Do you agree or disagree? How useful do you think the model is?

Sources:
"Understanding the Nine Protection Styles of Host-Based Intrusion Prevention", MacDonald, Gartner, 27 May 2005
"Best Practices for Implementing Host-Based Intrusion Prevention Systems", MacDonald, Gartner, 20 November 2006
"Host-Based Intrusion Prevention: Myths and Realities", MacDonald, Gartner, 27 November 2006
"Understanding Strengths and Weaknesses of Host-Based Intrusion Prevention Styles", MacDonald, Gartner, 30 January 2006
"How TruPrevent Works", Panda Research, 24 May 2007
"An Analysis of Approaches to Host Intrusion Prevention", Prevx, 16 December 2005