HIPS Pro's & Con's

Discussion in 'other anti-malware software' started by Vikorr, Aug 26, 2005.

Thread Status:
Not open for further replies.
  1. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Just thought, seeing as there's a lot of debate about <edit : > Home PC User - Host Intrusion Prevention Systems (HIPS) at the moment, that I'd write up a list of what I think are pros and cons of HIPS and see what you can add to the lists. I'll edit these lists as people add to them (and put the person's name beside the item they suggested). Might be a simple way for people to see both sides of the story in relation to HIPS.

    PRO's
    1. Signatureless (don't require constant updates)
    2. A relatively new industry (ie much more development to come)
    3. Able to prevent bad events before they happen
    4. Flexible approach (Can do numerous things not limited to AV style activities)
    5. Helps a user learn more about their computer
    6. Gives a user more control of their computer
    7. Offers another layer of protection (After AV & Firewall)
    8. A number of HIPS are working to overcome most of the CON's listed below
    -----------------------------------added---------------------------------
    9. HIPS adds the 'what,when,where,how' to the AV's 'who' <Richrf>
    -ie behavioural approach vs signature ref : Con 7
    10. Malware authors have to find a way round both AV AND HIPS <Richrf> ref : Con 8

    CON's
    1. Signatureless <usually> (ie most can't make decisions for you)
    - aren't intelligent <usually>
    2. A relatively new industry (ie much more research required)
    3. Able to also prevent good events before they happen. Leads to :
    - Numerous 'false positive' Popups
    - Popups often of a technical nature
    - User can get popup fatigue
    4. Flexibility usually = too complicated for most home users to want to try
    5. Takes time to learn how most HIPS products/computers internals work
    6. Installations are often a weak point of HIPS
    ------------------------------------added---------------------------------
    7. No integrated rule breaking analysis (ie program x breaks rules b,g,p&r, therefore is likely to be malware) <whereisthebeef> ref : Pro 9
    8. Malware authors will find a way around HIPS <whereisthebeef> ref : Pro 10

    Just a couple of comments on the above :

    A number of the Pro's can also be considered Con's.

    CON 1 - A 'signature' in relation to true behaviour based HIPS can as easily be "BehaviourX=Signature for Malware type X" as much as a script signature

    CON 3 - a configurable HIPS, properly configured, should rarely throw up any unexpected alerts.
     
    Last edited: Aug 27, 2005
  2. Trekk

    Trekk Registered Member

    Joined:
    Aug 16, 2005
    Posts:
    90
    Location:
    Ohio



    1. Signatureless (don't require constant updates) Yes they do, it is done behind the scenes though. As malware changes, the signature files change. Ours is updated frequently. You also have to remember the people who create these solutions are constantly trying to find vulns in M$ systems so they can prevent them on HIPS.

    6. Installations are often a weak point of HIPS - If by installations you mean configuration, then I agree. The actual installs are easy, it's the setting up of acceptable applications, port blocking / allowing etc. that can do you in.

    Trekk
     
  3. I'm looking at this conversation and I suspect there is a fundamental disconnect in terms of the nature of HIPS that the typical Wilders users like Vikorr are familiar with and the enterprise level IDP/HIPS that Trekk is talking about.

    Despite the name, I think we are talking about fairly different beasts here.
     
  4. Trekk

    Trekk Registered Member

    Joined:
    Aug 16, 2005
    Posts:
    90
    Location:
    Ohio
    That is entirely possible.
     
  5. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Vikorr,

    The way I look at it, any security approach can use the same technologies (e.g. whitelisting/blacklisting, signatures, heuristics, etc.). The primary advantage of the new behaviorally-based applications is that they actually take behavior into account. Therefore they are very much complementary to traditional approaches which are primarily signature-based, including heuristic-based signatures.

    To me, it is almost completely redundant to use 1,2 ... 10 signature-based security applications, especially if the primary one (e.g. KAV) has almost all the signatures that one needs. It would be somewhat complementary to add heuristic signatures to the mix, or different signature based scanning techniques. But ultimately, all signature-based systems are based upon "known signatures" of one type or another. If the signature (similar to a photo ID) is not known, then the signature-based system cannot possibly identify it.

    With the new behaviorally-based systems, it is possible to add completely non-redundant security that is complementary to existing technologies. So instead of just trying to ID some malware based upon "how it looks", it is also possible to ID based upon "what it is doing", and "when, where, how, it is doing it". So, in a sense, we are adding the "when, where, and how", to the "who". I believe that this is a much more comprehensive way of approaching security.

    Regards,
    Rich
     
    Last edited: Aug 26, 2005
  6. Yes, that is why behavioral blockers used to be my preferred term, rather than HIPS which is more ambiguous.

    I would say that even attempts to monitor behavior are considered a kind of signature. Enterprise HIPS/IDS do exactly this. They have specific signatures targeting specific vulnerabilities. On the flip side they have specific parameters for what is considered normal behavior and flag what isn't.

    They don't necessarily care about the ID of the malware itself, but what it does. This is just an extension of network IDS.

    The problem is "HIPS" products targeted at the home user are extremely noisy, particularly because they are not focused. A weak analogy would be like someone coming up with a registry monitor but not providing any default rulesets.

    Similarly, we have products monitoring all sorts of behaviors, but without attempting to really weed out what is likely to be malicious.

    This problem is compounded by the fact that the home user doesn't have the support of an IT staff to handle technical problems immediately.

    Another problem I think is that many products available to the user work piecemeal, monitoring only one behavior at a time. Regdefend monitors only the registry, but sometimes you need to look at the whole context: process x is trying to change registry y, is that good or bad? Adding the information that it had tried to communicate on port 135, plus the fact that it is attempting to change the hosts file, will add more certainty that it is malicious.

    So you could have signatures in HIPS, as long as they are signatures based on behavior. In fact, I think without using such an approach, home based HIPS are doomed to failure.

    Of course, you will soon get the same cat and mouse game of people trying to work around behavioral signatures, but on a different level from traditional attempts to evade antivirus signatures via packing/encryption/polymorphism etc.
     
  7. Trekk

    Trekk Registered Member

    Joined:
    Aug 16, 2005
    Posts:
    90
    Location:
    Ohio
    Yep, I was actually referring to Enterprise IPS solutions. I had not considered they may be referring to home users. My experience with this solution has only been in an enterprise solution.

    Trekk
     
  8. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    It is true, that ultimately, there is some program code of some sort that acts as a "signature" for what is being looked for.

    Yes, this is what I think is the key difference. The "signature" (i.e., the piece of program code) is looking at "what the program is doing" as opposed to "what it looks like".


    Certainly, the method of presenting alerts to users will change over time, so that the alerts may occur with less frequency (via heuristics and "hard coded" signatures), and are more meaningful. With that said, even now, I very rarely receive alerts from ProcessGuard, RegDefend, and WormGuard. Mostly, when I am installing/updating an application. There is some need for some "initiation" into the process, but I find this no different from learning how to handle false positives from current security systems. Once I understood what was going on, I am able to handle the few alerts that I do get, with great ease.

    Yes, this gets into the pros and cons of generalized products vs. point-specific. I would say that users have different tastes in this respect.

    Yes, and in many respects the current "whitelists" and hash signatures that are embedded in some of these behaviorally-based products are these types of signatures. In the future, I am sure they will continue to get "smarter".

    Almost certainly will be true, once behaviorally-based products become more popular. The "bad guys" will have to try to fool the system into thinking that they are practicing "good behavior". Should be interesting.

    Regards,
    Rich
     
    Last edited: Aug 26, 2005
  9. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,304
    Location:
    Kent. UK by the sea
    Hi, whereisthebeef

    A much too easy and simple way to explain something.

    As you say it is Ambiguous, and very confusing, also it sounds to me like something for a baby's cough.

    Take Care,
    TheQuest :cool:
     
  10. When people talk about suites, my impression is that most of these components are normally independent pieces of technology (perhaps obtained by slotting in technology bought from another company), unified by the same GUI. No informational sharing occurs. When the antispyware component of a firewall detects a spyware component, it doesn't tell the firewall to automatically block that component, does it?

    The only advantage of security suites currently is that you are certain no conflicts will occur, but other than that they aren't superior.

    A unified behavior detection system will be different and superior. Trying to decide whether a singular behavior is suspicious is often a futile task.

    Right now, it makes no difference whether you get registry monitoring from a specialised piece or from an all-in-one package, because most all-in-one HIPS don't really make use of the advantages a unified system does (except maybe Prev1 and Safe n sec I think), but if you want really intelligent decision making, you really have to go towards such systems.

    Whitelists based on hashes of known legit apps go some way towards reducing false positives, but I think more specific targeted behavior rules are still the way to go to really reduce popup fatigue.

    That will sadly always be the case. HIPS technology can be beaten, and is no better than other forms of technology, just different. Vendors will still have to spend resources updating them much like antiviruses, or at least keeping up with security announcements. The better ones will have access to unpublicised exploits....

    Unless you make no attempt to discriminate and monitor everything willy-nilly (the current situation) and leave the user to handle them :)
     
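The "whole context" argument in post 6 (registry change + port 135 connection + hosts file write is more telling than any one of them alone) and the unified-detection and hash-whitelist points in post 10 are illustrated by the following added example; it is not code from any product named in the thread. It correlates all behaviours observed per process before deciding, whitelists a known-good image hash, and uses constructed sample events with placeholder hashes, with weights and threshold chosen for the illustration only.

```python
"""Context-correlating behaviour scorer (added example, not from the thread)."""
from collections import defaultdict

# Assumed weights per observed behaviour: each alone is ambiguous (an installer
# also writes Run keys), so the verdict is based on the combination per process.
WEIGHTS = {
    "registry_run_key": 2,   # autorun persistence
    "hosts_file_write": 3,   # tampering with name resolution
    "net_connect_135": 2,    # RPC endpoint mapper, the port named in the thread
    "create_process": 1,
}
ALERT_THRESHOLD = 5  # assumed: alert only when combined score reaches this

# Whitelist of known-good image hashes (constructed placeholder values).
KNOWN_GOOD = {"installer.exe": "sha256:PLACEHOLDER_KNOWN_GOOD"}

# Constructed sample events: (process, image_hash, behaviour)
EVENTS = [
    ("installer.exe", "sha256:PLACEHOLDER_KNOWN_GOOD", "registry_run_key"),
    ("installer.exe", "sha256:PLACEHOLDER_KNOWN_GOOD", "create_process"),
    ("x.exe", "sha256:PLACEHOLDER_UNKNOWN", "registry_run_key"),
    ("x.exe", "sha256:PLACEHOLDER_UNKNOWN", "net_connect_135"),
    ("x.exe", "sha256:PLACEHOLDER_UNKNOWN", "hosts_file_write"),
    ("notepad.exe", "sha256:PLACEHOLDER_UNKNOWN", "registry_run_key"),
]


def score_events(events, weights=WEIGHTS, known_good=KNOWN_GOOD):
    """Return {process: (score, behaviours, verdict)}, correlating every
    behaviour seen per process instead of alerting on each one in isolation."""
    seen = defaultdict(set)
    hashes = {}
    for proc, image_hash, behaviour in events:
        seen[proc].add(behaviour)
        hashes[proc] = image_hash
    report = {}
    for proc, behaviours in seen.items():
        # Hash whitelist: known-good image, suppress the popup entirely.
        if known_good.get(proc) == hashes[proc]:
            report[proc] = (0, sorted(behaviours), "whitelisted")
            continue
        score = sum(weights.get(b, 0) for b in behaviours)
        verdict = "alert" if score >= ALERT_THRESHOLD else "log-only"
        report[proc] = (score, sorted(behaviours), verdict)
    return report


if __name__ == "__main__":
    for proc, (score, behaviours, verdict) in score_events(EVENTS).items():
        print(f"{proc:14} score={score} {verdict:11} {', '.join(behaviours)}")
```

A single Run-key write (notepad.exe) is only logged, while the same write combined with the port 135 connection and hosts file change (x.exe) crosses the threshold.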
  11. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    The issue arises - and I think this is where some people may have problems with products that watch multiple behaviors - when two resident products have overlapping functions. Whether or not they are considered "suites", their functionality may conflict, at the most inopportune time, i.e., when some malicious malware has been detected. In this regard, some users may prefer, what they consider, best-of-breed, point-specific products as opposed to multi-functional products. Both approaches have their pros and cons.


    Yes, this is certainly one of the advantages of multi-functional products, i.e. that each function can pass on information to other functions, creating a more intelligent system. Problems will arise when an individual function is "weak" or weaker than what can be purchased separately in another product. This issue already exists, as users survey current offerings (e.g. ProcessGuard, Online Armor, Safe N'Sec, Prevx, AntiHook, RegDefend, etc.)


    Being different is a very important aspect of security technology. It puts added "pressure" on the bad guys to "break through". Similar strategies are used in all kinds of security deployment. The primary goal of vendors and users is not to make something "impenetrable" (this is probably an impossible goal), but rather to make it "too expensive" (time, money, resources, etc.) to make it worthwhile.
     
  12. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Have to go off to work (shiftwork - just woke up), so I'll have a look and add anything I need to after work.

    And heya Trekk...I was indeed referring only to HIPS for home users. I realise the enterprise level stuff is quite different (with a rather different price tag too, heheh) :)
     
  13. Trekk

    Trekk Registered Member

    Joined:
    Aug 16, 2005
    Posts:
    90
    Location:
    Ohio

    (hehe) Yep...sorry bud, I was stuck in Enterprise mode and didn't consider the application to home users.

    Trekk
     