What is HIPS?

Discussion in 'other anti-malware software' started by Rmus, Aug 24, 2005.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    There is not always agreement as to what (H)IPS means:

    ---------------------------------------------
    Intrusion prevention: IDS' 800-pound gorilla
    http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci892744,00.html

    While the phrase "intrusion-prevention system" has entered the security lexicon, it's still too early to say exactly what an intrusion-prevention system is because companies use the term a half-dozen different ways. Some use the term to describe next-generation IDS systems that can block certain kinds of attacks. Others use the term more broadly and include firewalls, for instance, in the intrusion-prevention category, since firewalls can block certain attacks.
    --------------------------------------------

    What is host-based intrusion prevention?
    http://www.secureworks.com/techResourceCenter/hackers-sidestep-front-door.html

    A host-based intrusion prevention system (HIPS) is a layer of security that augments, but does not replace, firewalls, anti-virus software,...
    ------------------------------------------

    There is a lot of marketing hype...

    If by intrusion prevention is meant the former, then Online Armor qualifies (firewall to come).

    If the latter, then those programs which don't have a firewall are also HIPS. In the end, they all attempt to prevent intrusion.

    Lots of marketing hype...

    It starts with what your definition of "prevention" is. Kerio offers 3 types of prevention in its Firewall version 4:

    -----------------------------------
    http://www.kerio.com/kpf_ids.html

    "Introduced in July 2005, Kerio Personal Firewall becomes the first consumer-class product to offer three levels of intrusion prevention system (IPS) - Network Intrusion Prevention System (NIPS), Host-based Intrusion Prevention System (HIPS), and Behavior Blocking."

    "The idea behind Intrusion Prevention Systems (IPS) is to detect and prevent unauthorized access to the computer."

    "NIPS: Kerio's Network Intrusion Prevention System scans the packet headers and embedded data of traffic flowing through the firewall for signatures of known attacks."

    "HIPS: Modern-day worms, that hackers create to hijack computers, try to mask themselves as part of a legitimate application... However, as soon as the worm-injected code performs the first OS call monitored by Kerio Personal Firewall, its host-based intrusion prevention system will stop it and prevent it from executing and compromising the computer."

    "Behavior Blocking: Behavior Blocking sets the rules of behavior for each application such as Microsoft Outlook."
    -----------------------------------------------

    So, what kind of "prevention" programs are out there? One example:

    Those preventing access to the HD, such as:

    -->ISP programs on the server that filter out viruses/trojans from email before the user downloads it

    -->a program that prevents the downloading of an executable without permission.

    At least four anti-execution programs are in use today:

    1) ProcessGuard
    2) Anti-Executable
    3) Online Armor
    4) Abtrusion Protector

    It would be interesting to know if these programs alert at an attempt to download an executable. I'm familiar with 2), which does alert. If those who use any of the others could check: if there is an alert, then that program is true IPS by Kerio’s definition - "preventing unauthorized access to the computer."

    On the other hand: some malware has gotten onto the system (Host) but is prevented from installing/loading drivers, etc. Tests such as firewall leaktests demonstrate this: you permit the test.exe file to download, run it, and see what your program does.

    Even here, there are different types of prevention. Using the leaktest, firehole.exe as an example:

    ProcessGuard: when you execute firehole.exe, it unpacks firedll.dll, which attempts to create a global hook, which PG blocks.

    Anti-Executable: when you execute firehole.exe, it blocks firedll.dll from unpacking.

    Two different solutions to the problem. PG's marketing stresses the blocking of creating hooks as a big selling point. AE doesn't let the .dll unpack to even attempt to create a hook. Is one solution better? Moot point, perhaps, but clever marketing often creates the perception that one solution is better than another.


    Behavior Blocking

    "Basically, Kerio Personal Firewall monitors three things:
    --> Is a particular application allowed to run?
    --> Is a particular application allowed to be modified?
    --> Is a particular application allowed to launch other applications?"

    Are you less protected without behavior blocking? Are you confident enough with your installed applications to let them run w/o some type of behavior monitoring? Have you really considered the probability that some "thing" may somehow interfere with the running of one of your applications?

    Does a HIPS program have to include behavior blocking? Then, programs that only provide anti-execution protection are not HIPS.

    Each company’s marketing strategy will attempt to create a user base that is attracted to what it perceives is necessary protection.

    Is ProcessGuard HIPS? I'm not sure when Process Guard began to be referred to on this forum as an HIPS product -- that term is not used on their web site, AFAIK.

    What about lock-down programs: ShadowUser, Deep Freeze? They certainly prevent unauthorized access to the computer - well, on re-boot anyway. Would that be IPS?

    As the perception of "what is necessary to protect against" grows, companies will attempt to shape the definition of HIPS, and we can expect a lot of skilled marketing in the near future.

    The only protection you have from this marketing onslaught is to

    1) Define what types of protection you really need. Don't let some company's marketing define it for you.

    2) Familiarize yourself with the various products, then do your own testing!

    Happy Computing!

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  2. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I agree that the term itself (IPS) is a bit overused (which is why I stick to "generic protection" or "behavior blocker"), but wouldn't really over-analyze it too much. I would say all of them do qualify as IPS, along with Prevx (all versions) and Safe'n'Sec... basically anything that stops malware from infecting the system in the first place. That can be anything from a firewall (that goes beyond the classic definition and into the system) to the programs described above. Bottom line is that they can all prevent infection if used properly; you just have to find the one that you understand most and are most comfortable with. Execution protection may be the best way to go for some, but others may just end up allowing everything, so the additional prompts may be better.

    Online Armor will, assuming the download appears to be automatic, and not user initiated.

    Good post, seems like a good starting point for those that are curious about the subject :)
     
  3. It's a mess really. People calling it IPS/HIPS/whatever. Even the stateful inspection debate was less messy.

    On this forum I gather it usually means "Not based on AV/AT signature technology". Possibly because of marketing reasons, all new products have to claim they are not AVs, they are BETTER. Proactive, block all possible attacks etc.

    Defining a new class of security products as a must have over firewalls and AVs is a very important marketing task.


    Wouldn't your definition include antiviruses? Most people wouldn't include that.

    I would say that if you go by HIPS - "Host based", your definition would be correct. We are talking about preventing infection at the host (individual workstation) level rather than the gateway, which is generally routers + enterprise AVs.

    But at the home user level, HIPS makes little sense, since every software you run is host based.

    As mentioned before, most people here I gather understand HIPS negatively, that is, it is not based on AV technology, or it doesn't use signatures. Even though AV technology is not really understood anyway.

    But using this definition, the whole thing becomes very murky, because it comes down to semantics over what signatures are. It is very similar when someone mentions heuristics.


    I have another question. The term PROACTIVE has been thrown around.

    What does it actually mean?

    As I originally understood it, it meant as a contrast to REACTIVE, as in that the security vendor had to respond to new threats by doing something (generally analysing the threat and providing new signatures) to safeguard the system.

    But in the hands of some here, Proactive seems to be interpreted as to catch malware 'as early as possible in the execution stream'.

    This seems to have come about because of Diamond CS's harping on the difference between polling and hooking. Mainly to differentiate themselves from freeware products.

    In my view this isn't really the correct use of the term. Hooking isn't really new; AVs have been using them for a while.
     
  4. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
     
  5. Trekk

    Trekk Registered Member

    Joined:
    Aug 16, 2005
    Posts:
    90
    Location:
    Ohio
    HIPS systems block malware etc. by monitoring processes' and applications' behavior patterns. They assume on any given day an application will only do a limited number of things. The system looks for "rogue" applications or services that attempt to do things uncharacteristic of the known application or process. It's all about behavior.

    Trekk
     
  6. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    yep...that's my thought too..it's a hype .. and just like Notok said: we used to call it behaviour blockers (remember Pelican or the Russian developer who finally created a kernel-driven program, but the connection was slow to enter his site...forgot the name though...)

    Integrity checkers would be nice (something like Finjan software, based on checksums and stuff) .. that's old and it could be improved and whatever, but let's see what Wayne (DCS) comes up with when upgrading PG ...

    I am positive the ones that purchase the newest hips now...will be having two hips (and a headache) .. but at least they have the popups :D

    grtz.
     
  7. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907

    Fair enough.

    Rich
     
    What a noob, you obviously mean SSM. If you want to act the Grand Old Man around here it pays to have a better memory. :)

    And before that there was tiny trojan trap and Abtrusion protector and ....

    But i agree, we used to call them behavior blockers.

    The point is HIP/IDS/behavior blockers whatever come into vogue every couple of years and the rallying cry as always is "Antivirus signatures suck".

    Many of the newcomers think it's a new idea (A thread dated July 26 2005 is fingered as setting the tone as to what HIPS means? o_O). But it isn't really. There are very good reasons why it hasn't caught on much.
     
  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,772
    Location:
    Texas
    No personal attacks please. Topic is "What is HIPS?"
     
  10. Popups give you a warm and fuzzy feeling that they are doing work. And by answering prompts you are doing positive work to keep your system clean.

    I see answering such popups as a devotion/prayer to the malwareGods to ask for protection. :)
     
  11. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    LMAO that's the name yes system safety monitor ... great app, enjoyed a lot and learned a lot from it...

    and I certainly don't want to act as great old monk or whatever :D

    try monkey :p
     
  12. Trekk

    Trekk Registered Member

    Joined:
    Aug 16, 2005
    Posts:
    90
    Location:
    Ohio



    Keeping this non-personal... There are very good reasons why it hasn't caught on much? LOL! I have worked for several of the largest corporations in the US and believe me buddy, it has caught on. It's just not as publicized as AV software etc. The difference is this.... AV software scans and prevents attacks when they hit the mail server, or eventually the desktop. If no new def is available you had to trust that whatever AV software you were using was covering your back. HIPS takes it to the next level: it operates independent of the AV software and simply verifies that applications requesting access are exactly what they say they are.


    Example.... Let's say you have an app that does an SQL query to the same DB every time it runs, and somehow you become infected with a form of a virus, malware etc. Without the AV companies having knowledge, issuing a *.dat and/or an engine upgrade, you would perform as if nothing was happening WHILE the virus did its thing. HIPS would, in theory, prevent a file from an infected system from gaining access to areas it TYPICALLY would not be using. Kind of like saying when you open Calc.exe your system all of a sudden opens port 135 (w32.blaster.worm) and starts throwing packets. This would not be typical of the application, and would be intercepted by the HIPS.

    The only companies who DON'T use HIPS are the ones who blindly assume AV companies are 100 percent perfect, 100 percent of the time :) I, on the other hand, would rather do anything I can to make sure that everything I can possibly do has been done to save my company millions of dollars in downtime.

    PS. Infinity doesn't act the "Grand old man"; this forum is to help each other, not to flame, belittle and boast of one's skills. And from what I have seen thus far, he's doing just that.

    Trekk!
     
  13. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    LMAO that's the name yes system safety monitor ... great app, enjoyed a lot and learned a lot from it...

    and I certainly don't want to act as great old monk or whatever

    try monkey


    Hey - nothing wrong with Old Monks :mad: :mad: :mad:

    Only kidding Infinity :D :D :D
     
    I'm well aware that some companies have started utilising software restrictions, Net-based IDS etc.

    My statement was in the context of home users, which this forum is about.

    It's far easier to make users bow to restrictions, to do a whitelisting of allowed applications etc. to securely lock down workstations. They don't really have much say; after all, they should be doing their jobs, not running some unauthorised app.

    To make a home user submit to such inconvenience is not workable. And of course the best IDS-based system requires a qualified analyst to be watching the alerts. In your example of calc.exe, how many common users would be able to figure that out?

    In large corporates there are IT help desks to apply for help, whenever some cryptic message comes up, who do the home users have to turn to?

    That was a joke, and infinity took it as one.
     
  15. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    I saw your post 30 mins ago and something remained in my crazy head...

    have a great eve Old Monk
     
  16. Trekk

    Trekk Registered Member

    Joined:
    Aug 16, 2005
    Posts:
    90
    Location:
    Ohio

    I dont think Ron took it as one :) lol

    And no, home users will never have the level of protection the Enterprise does. All we can do is hope the ISPs do more content filtering etc. on packets before they reach our desktops. That would really be the way to stop attacks. And yes, I know you're going to say too much "real" information would be removed prior to arrival :)


    In your example of calc.exe, how many common users would be able to figure that out?

    Answer - Very Few :) Maybe education is the key to this.

    Trekk
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    A type of Whitelist application has its uses in some home situations:

    1) Several users on one computer - one person is the "administrator"

    2) Single user who has carefully set up a security plan and trusts the already-installed applications.

    For 1) - several incidents I'm aware of. Most recently, a home where mom and dad and three kids use one computer. Dad is the "administrator" and the kids let him download programs, etc. One day, one kid opened an email attachment supposedly with a picture file. It had the old double extension trick, and as an executable, was blocked from running because it was not on the whitelist. A similar incident in another home, where the Osama bin Laden trojan (pics.scr) was blocked from running in an email attachment.

    While the parents know to use good judgment, the whitelist program protects against certain types of accidents.

    As far as alerts - PG would not be a useful product in this situation because the only alert Dad wants them to see is "This is blocked from running" - there is no other choice - they call Dad.

    For 2) - the several single users I know who use a whitelist program follow the same principle: your installed applications are trusted, and they don't want to be bothered by an alert such as posted yesterday about Opera wanting to make a mouse hook. All they want from a whitelist program is protection for the inadvertent accident, where an unauthorized executable is prevented from downloading/running.

    This may or may not be workable in a home environment, but is just one consideration out of many solutions.

    A product is only as useful as it fits in with a well-thought-out security plan. In the two families above, the kids for the most part know good surfing habits, understand (most of the time!) about email, etc. In both cases, the parents have carefully taught their children good computing habits. That's really more important than, or at least complements, a security product, HIPS or whatever!

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
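The whitelist (anti-execution) approach Rmus describes in the post above, as an added example that is not code from Anti-Executable or any other product named in the thread: executables run only if their hash is already trusted, and the double-extension attachment case gets called out in the one "blocked from running" message. File names, file contents and hashes are constructed stand-ins.

```python
"""Execution allow-listing in the style Rmus describes: only executables the
'administrator' has already trusted may run, and anything else, such as a
mail attachment using the double-extension trick, gets one fixed message.
Added example; not code from Anti-Executable or any product in the thread.
File names, contents and hashes are constructed stand-ins."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Extensions Windows will execute directly (assumed representative subset).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Harmless-looking extensions commonly placed in front of the real one.
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf"}

@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def extensions(name: str) -> list[str]:
    """All extensions of a name, left to right: 'pics.jpg.exe' -> ['.jpg', '.exe']."""
    return ["." + p for p in name.lower().split(".")[1:]]

def has_double_extension_trick(name: str) -> bool:
    """True for names like holiday.jpg.exe: a decoy extension hiding an executable one."""
    exts = extensions(name)
    return len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DECOY_EXTS

def check_execution(name: str, content: bytes, allowlist: set[str]) -> Verdict:
    """Decide whether a file may run. Non-executables are outside the policy;
    executables run only if their hash is on the allowlist (so a renamed or
    patched copy of a trusted program does not inherit its trust)."""
    exts = extensions(name)
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return Verdict(True, "not an executable; outside the anti-execution policy")
    if sha256(content) in allowlist:
        return Verdict(True, "hash is on the whitelist")
    reason = "This is blocked from running"   # the one message the kids ever see
    if has_double_extension_trick(name):
        reason += " (double extension: an executable posing as a picture)"
    return Verdict(False, reason)

def demo() -> dict[str, Verdict]:
    """Constructed scenario: one trusted program, two attachment executables, one real picture."""
    trusted = b"MZ constructed stand-in for the bytes of an installed, trusted program"
    allowlist = {sha256(trusted)}
    samples = {
        "wordpad.exe": trusted,
        "wordpad_patched.exe": trusted + b" plus a modification",  # same name, different bytes
        "holiday.jpg.exe": b"MZ constructed attachment body",
        "pics.scr": b"MZ constructed attachment body two",
        "holiday.jpg": b"\xff\xd8\xff constructed image bytes",
    }
    return {name: check_execution(name, data, allowlist) for name, data in samples.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{'ALLOW' if verdict.allowed else 'BLOCK':5} {name}: {verdict.reason}")
```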
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi Rich,

    thanks for that link. I had forgotten about kareldjag's many interesting posts on this subject!

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  19. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    nope .. I will not feel bad cause of forgetting a name
     
  20. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I'm just a simple user..., how about this:

    These things that we simply call firewalls are actually application communications firewalls; common usage has shortened it to firewall. Software falling under HIPS/IPS/etc. is really just application activity firewalls. Virtually everything is isomorphic between the two domains, but instead of rules governing the communications allowed, there will be rules to govern the activities allowed for applications.

    I realize that communications is a subset of activity, and maybe that's why you hear these folks are contemplating incorporation of firewalls as we typically view them into these products. Just a thought.

    Anyway, that's how a simple guy like me looks at it.

    Blue
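An added illustration of the "application activity firewall" view Blue sketches above, serving also Kerio's three behaviour-blocking questions quoted in the first post and the calc.exe/port 135 case in Trekk's post: activity rules evaluated first-match, the way a firewall rule table is. This is not Kerio's or any product's code; the policy, image names and event trace are constructed.

```python
"""Application activity rules as a first-match table, the way a firewall rule
set works: Kerio's three behaviour-blocking questions (may it run, may it be
modified, may it launch others) plus network activity for Trekk's calc.exe
case. Added illustration, not code from Kerio or any product in the thread;
policy, image names and event trace are constructed. 'launch' covers both
'may X run' (rule app '*') and 'may X start Y' (specific parent)."""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase

ALLOW, BLOCK, PROMPT = "ALLOW", "BLOCK", "PROMPT"

@dataclass(frozen=True)
class Rule:
    app: str      # image name of the acting process (glob)
    action: str   # launch | modify | listen | connect
    target: str   # child image, file path or proto/port (glob)
    verdict: str

@dataclass(frozen=True)
class Event:
    app: str
    action: str
    target: str

def decide(rules: list[Rule], event: Event, default: str = PROMPT) -> str:
    """First matching rule wins; an activity no rule covers falls back to the
    default, here the user prompt the thread keeps joking about."""
    for r in rules:
        if (r.action == event.action
                and fnmatchcase(event.app.lower(), r.app.lower())
                and fnmatchcase(event.target.lower(), r.target.lower())):
            return r.verdict
    return default

POLICY = [
    # 1. Is a particular application allowed to run? (any parent)
    Rule("*", "launch", "outlook.exe", ALLOW),
    Rule("*", "launch", "winword.exe", ALLOW),
    Rule("*", "launch", "calc.exe", ALLOW),
    # 2. Is it allowed to be modified? Only by its own updater.
    Rule("officeupdate.exe", "modify", "*outlook.exe", ALLOW),
    Rule("*", "modify", "*outlook.exe", BLOCK),
    # 3. Is it allowed to launch other applications? Mail may open Word only,
    #    so an attachment executable started from mail is stopped right here.
    Rule("outlook.exe", "launch", "winword.exe", ALLOW),
    Rule("outlook.exe", "launch", "*", BLOCK),
    # Network, the "application activity firewall" view: mail speaks SMTP and
    # POP3; a calculator has no business on port 135 or anywhere else.
    Rule("outlook.exe", "connect", "tcp/25", ALLOW),
    Rule("outlook.exe", "connect", "tcp/110", ALLOW),
    Rule("calc.exe", "listen", "*", BLOCK),
    Rule("calc.exe", "connect", "*", BLOCK),
]

TRACE = [  # constructed, in the order a monitor would see the activity
    Event("explorer.exe", "launch", "outlook.exe"),
    Event("outlook.exe", "launch", "winword.exe"),
    Event("outlook.exe", "launch", "pics.scr"),
    Event("officeupdate.exe", "modify", r"c:\office\outlook.exe"),
    Event("pics.scr", "modify", r"c:\office\outlook.exe"),
    Event("calc.exe", "listen", "tcp/135"),
    Event("outlook.exe", "connect", "tcp/25"),
    Event("winword.exe", "connect", "tcp/80"),
]

def audit(rules: list[Rule], trace: list[Event]) -> list[str]:
    """Verdict for each event in the trace, in order."""
    return [decide(rules, e) for e in trace]
```

Calling `audit(POLICY, TRACE)` gives one verdict per event; the last event, Word reaching for port 80, has no rule and so produces the prompt rather than a silent allow or block.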
     
  21. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    HIPS means Host-based Intrusion Prevention System, which therefore should cover any program running on a PC whose aim is to prevent compromise - this includes signature scanners (AV/AT software), integrity checkers, firewalls and process/registry control utilities. HIPS is intended to distinguish such measures from more general IDS/IPS which have been focused on monitoring network traffic for suspicious patterns.

    It is therefore, IMHO, not an appropriate term to use for specific, non-signature based PC security software since it is more general. "Behaviour blocker" is another problem term - does it apply to blocking software (e.g. installing drivers/services) or people? (e.g. double-clicking on anonymous love letters).

    "Process Control" or "Process Firewall" seems a better term for programs like Process Guard, System Safety Monitor and Tiny Firewall which offer control over what processes can do.
    Are you talking about Ghost Security's RegDefend here, rather than any DCS products?
     
  22. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Hehe, the term was used well before then, too.. I had tried to start a thread in August of last year, cracks me up because the term wasn't really known at that time.. I think Prevx helped to build it up, though. :)
     
  23. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Similar to when Steve Gibson ? used the word Stealthed in regards to Firewall ports being closed....HIPS and Stealth sound marketable :eek:
     
  24. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Exactly. Like stated in posts earlier in this thread, it makes sense in a corporate network environment, by applying the term to home software, you get to give those people a sense of having the same security as the real pros. Throw the word "Technology" in there and you can just sit back and listen to the "Oooh"'s and "Ahhh"'s. :D

    "Our specialized Bleeding Edge Host Based Intrusion Prevention Technology has been employed by some of the largest Fortune 1000 companies and Government Agencies in the field to secure the most critical of environments. Now you too can have this Highly Advanced Technology at home. Our Intelligent Design leverages the power of the Kernel to ensure your desktop is as safe as the mission critical systems of such agencies as the XYZ and companies like ACME, even against SuperWorms that YOUR antivirus WILL miss! Here's a bunch of complex but meaningless diagrams to prove our point, and show you just what this Exciting Intrusion Prevention Technology can do for YOU, just like it did for them! We are also excited to unveil our super secret Stealth Technology Features that are unique to our program. Don't know what it is? Neither do we, but look, it's shiny!"

    (hehe, ok, I don't have that much against it, but had to put that out there anyway :D)
     
    Last edited: Aug 24, 2005
  25. toadbee

    toadbee Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    123
    My two cents:

    We live in a cheesy time where Acronyms have been Beaten Silly (BS). Parentheses indicate a new acronym and now I have just BS'd my intro :D

    It seems we have two things H.I Prevention and H.I. Detection. Who wants to be known as "detection" when you could be known as "Prevention".

    Really the only prevention I see is a firewall that literally prevents nasties from intruding. Whereas with most of the other stuff out there, the guests have already intruded but you're not asking them to stay for dinner.
     