HIPS model

Discussion in 'other anti-malware software' started by LUSHER, Aug 3, 2007.

Thread Status:
Not open for further replies.
  1. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    hips.PNG

    This is from the Gartner HIPS model "Understanding Strengths and Weaknesses of Host-Based Intrusion Prevention Styles" (revised November 2005)

    In this model, HIPS is interpreted in the broad sense taking the term "Host Intrusion Prevention System" literally, refering to pretty much any kind of security measure that runs on the hosts machine (as opposed to at the Gateway). This means Antivirus (cell 5), Firewalls (cell 1) are HIPS as well.

    All HIPS hence falls into 9 possible styles in a 3x3 matrix. The terms are quite intimidating (and may not be that descriptive anyway) but it is fairly easy to understand the styles without remembering the names (which are mostly made up by them on the spur of the moment and some was changed later anyway).

    The rows refer to when the HIPS works.

    "Network-level HIPS examine the incoming (and, ideally, outgoing) network traffic stream to provide protection against malicious code with the goal of detecting, blocking and removing the malicious code before it ever gets onto the machine"

    "Application-level HIPS examine the characteristics of an application's code on the machine with the goal of detecting, blocking and removing malicious code before it is executed."

    Execution level HIPS "examine the characteristics of executing code with the goal of detecting, blocking and removing the ability of executing malicious code to damage to the system. This level represents the last line of defense, because the malicious code has entered the system and is now executing."

    The columns are pretty self-explainatory, involving whitelisting, blacklisting, and the last is probably the most complicated and interesting method which involves the system somehow understanding that the unknown code is bad and blocking it (heuristic ,emulation, etc).

    For example, Sandboxing would be passive behaviorial containment (cell 9) which allows code to run, but protects system intergrity. It is considered passive as little or no attempt is made at behaviorial profiling

    More active containment might or might not involve sandboxing or virtualization, but the key point is they try to profile or watch the code over time and determine if it is bad.

    "Some HIPS providers (such as Sana Security) monitor the application over time and look for changes in activities and divergence from normal patterns of memory access, systems access and so on, and typically they require a learning period to baseline normal behavior. Other behavioral containment providers (such as WholeSecurity) heuristically inspect executing applications
    against a large set of good and bad application behaviors to determine and stop malicious intent without requiring a learning period."

    From the Wilder's point of view I suppose this is what some people here called Behavior blockers (as opposed to classic hips). Also the guy who posted recently about the fact that only Micropoint Proactive Defense Software or Panda TruPrevent Style HIPS is the real HIPS would actually be talking about Style 9 HIPS (active containment).

    Here at Wilders Security forum, it is generally believed that the term HIPS should only be used for execution level HIPS. (And maybe some might argue that only column 3 is what counts as real HIPS, depending on how one interprets detecting unknown code)

    So for example even though some AVs use emulation or advanced heuristics for scanning files (cell 6)

    "Here, the solution must inspect the application's code, look at the types of system calls and application programming interfaces (APIs) that are used, contextually understand the activities that the application would perform if it was executed and block potentially malicious code"

    "This can be achieved by exercising the application's code paths using a simulated environment (for example, Internet Security Systems [ISS] Proventia Desktop) or by using reverse-engineering techniques to inspect code to determine malicious characteristics before the application is allowed to be saved or executed on the machine."

    But we do not consider them as HIPS, not to mention even more conventional signature based methods (cell 5).

    In particular, I believe that people here tend to like SSM/PG style HIPS which probably best fits into cell 7 (application control, which appears to be a term used here a lot) and sometimes cell 8 (resource shielding).

    Resource shielding according to Gartner refers to both AV memory scanning,
    as well as signatures of known bad behavior (buffer overflows techniques can be caught this way), also think how Prevx has certain behavior set only to "Prevent" even in Expert mode (though this might be a limitation of the technique of only preventing).

    It's a pity the actual documents can't be posted (googling will get you some powerpoints), and I quoted as much as I dared (probably too much, moderators please check) it's very interesting reading though from a different point of view from an enterprise resource viewpoint (The notes list examples of each style of HIPS but most are only for corporate/enterprise use).

    This model is fairly well known, with Prevx and Panda both writing about how their solutions stands in relationship to this model.

    Any thoughts? Do you agree or disagree? How useful do you think the model is?


    Sources

    "Understanding the Nine Protection Styles of Host-Based Intrusion Prevention" MacDonald. Gartner. 27 May 2005

    "Best Practices for Implementing Host-Based Intrusion Prevention Systems" MacDonald. Gartner. ,20 November 2006

    "Host-Based Intrusion Prevention: Myths and Realities", MacDonald. Gartner. 27 November 2006

    "Understanding Strengths and Weaknesses of Host-Based Intrusion Prevention Styles", MacDonald. Gartner. 30 January 2006

    "How TruPrevent Works" PandaResearch ,24 May 2007

    An Analysis of Approaches to Host Intrusion Prevention Prevx, 16 December 2005.
     
    Last edited: Aug 3, 2007
  2. wat0114

    wat0114 Guest

    It's Friday night, I'm kind of drunk now so it may be difficult for me to properly articulate my thoughts on this. However, I will make a valiant attempt.

    I do tend to agree with the quote. I have never thought of antivirus or network control (firewalls, packet filtering) components as forming part of the "HIPS structure". Rather, I view them as support components in the completion of an individually tailored, layered security package, with the column 3 HIPS as being the only model that I can presently accept as a true HIPS. Of course there are HIPS utilities that include either or both of the antivirus and network control functions; SSM (very basicnetwork control), ProSecurity (network control) and OnlineArmor (firewall in all versions and av if the + version is purchased), and likely some others I am unaware of.

    I can think of better dedicated firewalls than any of the firewall/network control components offered in the above mentioned HIPS, though I am fond of the antivirus (KAV) OA offers in its + version. So I would rather use the classic, execution control HIPS (column 3) and compliment it with other, individual firewall (Outpost Pro) and antivirus (NOD32) utilities.

    From what I have seen so far in the HIPS utilities I have used (the above three) it is clear that most of the development effort is focused on the execution control/application behavior aspects of the product.
     
  3. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    In my view,

    The problem with the columns of "White list" , "black list" and "unknown" is that the 3th column (unknown) could be folded into the white list + black list as well. After all what is heuristics but a very complicated blacklist of rules?

    I disagree. The only reason why people have this idea of HIPS because it is marketed as something extra or new, so the concept was understood has excluding what already existed (AV+firewall), despite the fact that the term was descriptively netural and that it actually came to describe an umbrella of different technologies and approaches.

    Even if you hold to the narrow view of HIPS, as more and more security products particularly AVs start to include different facets of HIPS , it gets somewhat unproductive to ask "do you have HIPS?", when the answer will definitely be yes. And yet saying yes to that question tells you nothing since even under the narrow definition of HIPS there are at least 3 different approaches (more even).

    I believe it's more productive to start talking about what general approach is taken as opposed to a wide label like HIPS, and that is where this model comes in handy .

    This whole question of what counts as HIPs is a waste of time really, since the term is too vague to be meaningful.
     
  4. wat0114

    wat0114 Guest

    It's all a moot point anyways. Whether we want to call a combination of a HIPS + av + firewall a HIPS, or we call an all-in-one product (Online Armor+) a HIPS, or we stick to the more customary convention of viewing them all as separate products is really not important, at least the way I see it.

    What is important is that the individual chooses exactly what they want to suit their comfort level, tweakage level and - especially in the case of the majority of Wilders members - their level of paranoia :)

    The model does, however, serve a decent purpose as a general guide for those looking to assemble a security package for their system(s).
     
  5. NoHolyGrail

    NoHolyGrail Registered Member

    Joined:
    Nov 14, 2005
    Posts:
    46
    I think most HIPS designers and users would object to Execution-level being referred to as the last line of defense.

    "Last line of defense" implies increased vulnerability and that defenses have already failed to some extent. Which depends on the user's strategy.

    If those "earlier" lines of defense aren't as reliable or as appropriate to the user's environment, then why not make your stand with HIPS on the "last line"?

    I'm probably taking the tactical analogy too far, but if AV was like putting your troops in a vulnerable position where they only have 50% odds of success, and HIPS is like putting your troops in a position closer to home but with 90% odds of success...you wouldn't consider that the last line of defense, you'd consider it the best/sturdiest line of defense. Even if you layer your defenses and use both, you might trust the HIPS more than the AV...in which case, again, you won't be calling the HIPS a last line of defense if it's the main one you're relying on.
     
  6. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Of course it is "last", it occurs after all the rest.

    So?

    Are they really? Do you really believe that? The point is as we keep saying your need layers, each as it own strengths and weaknesses, some might not be as reliable but filter out most of the attacks at little cost, while others might be more accurate,reliable but would be more costly to do. That is why we combine approaches.


    I really think you are mis-interpreting this word "last". It is indeed last, because if it does not work, you are finished. That is undeniable.

    And if you want the tactical analogy, if you were defending a city, you would prefer if the attack was stopped at the outskirts of the city, then at the heart because of the changes of collateral damage.

    And HIPS styles, include not just AVs, but also network defenses!!!!
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi Lusher,

    It has been over 3,5 years now since I left the IT industry.The last company I worked for however (they launched Forrester Research in the Netherland), had an adapted diagram for security analyses.

    Problem with the Gartner model is that it is kind of theoretical and hard to checklist when you are settting up a security architecture.

    That is way they changed the 3x3 model in a 4x4 model.

    The one added in the horizontal line was hardening (or reducing the domain of which can be attacked). The one added to vertical dimension was policy management (see pic). Later on this model evolved to a 4x5 model, by splitting the network level in (network) access and EXTRUSION defense (so the flow of events of an attack could be better followed in this diagram, and extrusion prevention of customer data and other company sensitive files et cetera was often overlooked in security setups). The application layer was extended to triggers, because access to critical system files (registry / ini files / dynamic load libraries) should also be taken into account.

    This also made it easier to classify security applications. For instance the classical HIPS registry and startup files protection as the advanced parent - child execution control is in fact the prevention when it is triggered. Also AntiVirus solutions have heuristics, and tries to prevent at several levels. Avast free for instance has modules for P2P, Internet, Network et cetera which checks data when it enteres via such a threat gate (so offers also blacklist protection on the trigger layer), while Antivir free only checks at reads and writes, so it only offers protection at the execution layer (the file is already stored on your computer). Most security application offerprotection on several cells on this grid. The last layer of defense is EXTRUSION prevention and not execution prevention.
     

    Attached Files:

    Last edited: Aug 19, 2007
  8. Gen

    Gen Registered Member

    Joined:
    Jan 9, 2007
    Posts:
    73
    While this holds true and I agree with it, it is partially wrong as well. Imagine that you are executing a trojan or a keylogger, extrusion prevention is your last layer yes. But if you execute a deadly virus who would just kill your hard-disk, there is not much outbound network prevention to be done here and wether you have the best one or not, it won't do you good since your computer will be fried.

    But then again most attacks these days use outbound communication after infecting the system so yes, for most cases extrusion prevention is the last layer of defense.

    Regarding the HIPS description and such as LUSHER said, it is because its a new term and exploited by many new companies or new products that people might think that the word HIPS refer to new products and exclude firewalls, heuristics engines in AV and so on. But then again everything could be classified as a HIPS, since its a "Host-Intrusion" so as long as nothing comes into your system or is executedm you could say: oh this program is good it should be a HIPS.

    I think that what really matters, is understanding where exactly is this HIPS protecting me, at the execution level? application level? network level? outbound/extrusion level?
    As soon as this will be clear, it will be a lot easier to choose the right set of programs to try to maximise protection.

    My 2 cents..
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Gen,

    You are right when you think of kill disk for instance. But this is used for safety analyses of buisness looking at the whole flow of events.

    Regards K
     
  10. Gen

    Gen Registered Member

    Joined:
    Jan 9, 2007
    Posts:
    73
    Fair enough !
     
  11. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    No offense but I still prefer the original 3x3 model.
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    No problem,

    Just in practise it was very confusing talking about the last line of defense as Execution control, when in fact that was the outbound protection of your firewall and possibly the file protection you can setup with some software firewalls/HIPS like SensitiveGuard or CoreForce.

    Same happened to policy and rights management based Sandboxes. The 3x3 model gave endless discussion (policy management based Sandboxes also provide resource shielding and application inspection. Shielding in the sence of unabling an application to alter HKLM registry keys to prevent (other) applications from installing. Application inspection in the sense of denying the right off an application to INSTALL a driver, or denying all programs from a floppy drive to install or execute or trigger other programs. For IT-managers access/identification and authorization are always a basic element of the security and their ICT archirecture. For them it was weird not to see this in the model. These were reasons enough to add policy rights management as an extra level (customer regcognistion, interpretation confusion).
     
    Last edited: Aug 20, 2007
  13. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Kees. I'm not a IT manager, so everything you said sounds like "blah blah blah" to me....
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Lusher, no problem

    Difficult to apply the matrix

    Example 1:

    Just in practise it was very confusing talking about the last line of defense as Execution control, when in fact that was the outbound protection of your firewall and possibly the file protection (e.g. SensitiveGuard or CoreForce) or later called extrusion protection. Therefore extrusion protection was explicitely named.

    Example 2:

    Same happened to policy and rights management based Sandboxes. The 3x3 model gave endless discussion (policy management based Sandboxes also provide resource shielding and application inspection. Shielding in the sence of unabling an application to alter HKLM registry keys to prevent (other) applications from installing. Application inspection in the sense of denying the right off an application to INSTALL a driver, or denying all programs from a floppy drive to install or execute or trigger other programs. This was also reasons enough to add policy rights management as an extra level (customer regcognistion, interpretation confusion).


    Without bla bla, just arguments, be a sport try to : put Sandboxes in the correct cell or give outbound / extrusion prevention a logical place.

    Have fun
     
    Last edited: Aug 21, 2007
  15. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Not trying to be difficult Kees.

    Sometimes my brain just shuts down. And I do a lot of blah blah too myself.
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Lusher,

    BZZZZZZ all systems down here too ;)
     
Loading...
Thread Status:
Not open for further replies.