Intrusion Prevention Systems on the Security Software Map


Olga Gorshkova, PR Director, S.N. Safe&Software Ltd

Viruses, Trojans, worms, hacker attacks, spyware, adware and the like are the most widespread threats to PC security and data integrity today. IT security software developers actively offer new solutions and technologies which in most cases are much more effective than traditional antivirus and firewall protection.

Security software classes
Today, IT security solutions for home PCs can be divided into the following classes.

Antiviruses: malicious code detection using signature databases or a heuristic analyzer (the decision about whether a program is malicious is based on code analysis against several predefined indicators).

Personal firewalls: analyze the PC's traffic at the perimeter of the operating system.

Sandboxes/virtualization systems: protect the PC by running software inside a simulated system, the sandbox. Every harmful action the malware may perform takes place in the simulated system and does not affect the files of the real host system.

Up-to-date Host Intrusion Prevention software (HIPS): monitors the activity of programs and of the operating system. If a program attempts a potentially harmful action, HIPS stops the program before it affects the system and asks the user whether to continue execution or block it.

All of these solutions protect the user's PC from certain threats, and together they can form a good combination for comprehensive protection against a variety of malware. The main advantage of HIPS software is its ability to detect and block new malware types and modifications which are not yet detected by signature-based antivirus technology, or which are missed by a firewall (when the malware disguises itself as a useful utility). Intrusion prevention software is therefore an essential element of comprehensive PC protection.

Intrusion Prevention Technology
Intrusion prevention solutions usually operate in more or less the same way. Let us review basic HIPS technology using the Safe'n'Sec® intrusion prevention system as an example. HIPS technology is based on intercepting system calls and intelligently analyzing them at the operating system level. (See pict. 1)

By intercepting system calls and analyzing the activity of applications, HIPS decides whether an application's actions are malicious and blocks the attack at its initial stage. Spyware is blocked before any damage to the system or data is done.

During OS startup the System Interceptor is among the first processes to load, and it inserts itself into the chain of system calls. This module intercepts the system calls of all applications and passes complete information about each call, and about the application that generated it, to the iTrust Engine module. The latter identifies the application by its unique properties and passes this data to the Rules Engine module. This module analyzes the information according to predefined rules and produces a report. The report is passed to the Intelligent Decision Maker module, which analyzes all the data about the application's actions. As a result, the System Interceptor either blocks denied calls or allows execution of "non-dangerous" calls at the system level.

HIPS solutions have a number of advantages that address the shortcomings of traditional security software.

HIPS vs. antivirus
An antivirus, whether signature- or heuristic-based, effectively protects your PC from well-known viruses, or from those which have already damaged users' computers. Signature updates are released with some delay, and testing an update takes time. Intrusion prevention solutions proactively protect the PC from unknown malware by detecting and blocking all malicious actions before any damage to the computer system is done. Heuristic-based antivirus solutions are usually developed for a specific operating system and system configuration; HIPS is universal software in this sense. These systems provide efficient protection against viruses, computer worms, Trojans, spyware, hacker and phishing attacks, unskilled actions of novice users, etc.
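The four-stage flow described above (interceptor, application identification, rule engine, decision maker) and the signature-versus-behavior contrast in this section can be made concrete with a small model. The following Python is an added example written for this page; it is not Safe'n'Sec code, and the syscall names, rule list, scores, thresholds, hash-based "unique property" and the sample trace are all constructed assumptions. It feeds a short constructed sequence of intercepted calls through the pipeline and also shows what a plain hash-signature check alone would conclude about the same image.

```python
"""Minimal HIPS-style decision pipeline (added illustration, not vendor code)."""
from __future__ import annotations

import hashlib
from collections import defaultdict
from dataclasses import dataclass

# Stage 2 analogue (application identification): the "unique property" here is
# the SHA-256 of the executable image bytes. Sample image bytes are constructed.
TRUSTED_IMAGES = {
    hashlib.sha256(b"GOOD-EDITOR-IMAGE-v1").hexdigest(): "editor.exe",
}

# What a signature-only scanner knows: deliberately only the *first* build of the
# sample dropper, so a recompiled build does not match by hash.
KNOWN_BAD_IMAGES = {hashlib.sha256(b"DROPPER-IMAGE-build1").hexdigest()}


@dataclass
class SysCall:
    """One intercepted call, as the interceptor would hand it on (constructed)."""
    pid: int
    image: bytes        # executable bytes; stands in for the file on disk
    name: str           # e.g. "CreateFile", "RegSetValue", "WriteProcessMemory"
    target: str = ""    # path, registry key, or remote process name


@dataclass
class Report:
    pid: int
    app: str
    rule: str
    score: int


# Stage 3 analogue: predefined behavior rules as (call name, target prefix,
# score, label). Scores and the rules themselves are assumptions.
RULES = [
    ("RegSetValue", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", 4, "autorun persistence"),
    ("WriteProcessMemory", "", 5, "writes into another process"),
    ("CreateFile", r"C:\Windows\System32", 3, "writes to system directory"),
    ("SetWindowsHookEx", "", 3, "installs global hook"),
]
BLOCK_THRESHOLD = 6  # assumption: cumulative score at which a process is blocked
ASK_THRESHOLD = 3    # assumption: below this the call is simply allowed


def identify(call: SysCall) -> tuple[str, bool]:
    """Return (application label, trusted?) from the image fingerprint."""
    digest = hashlib.sha256(call.image).hexdigest()
    if digest in TRUSTED_IMAGES:
        return TRUSTED_IMAGES[digest], True
    return f"unknown-{digest[:8]}", False


def signature_verdict(call: SysCall) -> str:
    """What a hash-signature check alone would say about this image."""
    digest = hashlib.sha256(call.image).hexdigest()
    return "malicious" if digest in KNOWN_BAD_IMAGES else "clean"


def apply_rules(call: SysCall, app: str) -> list[Report]:
    """Match one call against every rule; each hit becomes a report."""
    return [
        Report(call.pid, app, label, score)
        for name, prefix, score, label in RULES
        if call.name == name and call.target.startswith(prefix)
    ]


class DecisionMaker:
    """Stage 4 analogue: accumulate reports per process and decide per call."""

    def __init__(self) -> None:
        self.scores: dict[int, int] = defaultdict(int)
        self.reasons: dict[int, list[str]] = defaultdict(list)

    def decide(self, call: SysCall) -> str:
        app, trusted = identify(call)
        if trusted:
            return "ALLOW"  # trusted image: rules are not consulted
        for report in apply_rules(call, app):
            self.scores[call.pid] += report.score
            self.reasons[call.pid].append(report.rule)
        total = self.scores[call.pid]
        if total >= BLOCK_THRESHOLD:
            return "BLOCK"
        if total >= ASK_THRESHOLD:
            return "ASK"
        return "ALLOW"


def run(calls: list[SysCall]) -> list[str]:
    """Run a whole trace through one decision maker; one verdict per call."""
    dm = DecisionMaker()
    return [dm.decide(c) for c in calls]


# Constructed sample trace: the trusted editor writes a document, then a
# recompiled dropper (build2, hash unknown to KNOWN_BAD_IMAGES) drops a file,
# registers an autorun entry and writes into another process.
SAMPLE_TRACE = [
    SysCall(100, b"GOOD-EDITOR-IMAGE-v1", "CreateFile", r"C:\Users\me\notes.txt"),
    SysCall(200, b"DROPPER-IMAGE-build2", "CreateFile", r"C:\Users\me\AppData\x.tmp"),
    SysCall(200, b"DROPPER-IMAGE-build2", "RegSetValue", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\x"),
    SysCall(200, b"DROPPER-IMAGE-build2", "WriteProcessMemory", "explorer.exe"),
]

if __name__ == "__main__":
    print("behavior verdicts:", run(SAMPLE_TRACE))          # ['ALLOW', 'ALLOW', 'ASK', 'BLOCK']
    print("signature verdict:", signature_verdict(SAMPLE_TRACE[1]))  # clean
```

The trace illustrates the section's argument: the signature check reports the recompiled dropper as "clean" because its hash is not in the database, while the behavior rules escalate the same process from ALLOW to ASK after the autorun write and to BLOCK after the cross-process write, without any knowledge of the binary. The trusted-image shortcut also shows where false alarms are traded off: a trusted application is never questioned, so the trust list must be maintained carefully.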

HIPS vs. firewall
A firewall controls and analyzes traffic at the entry point of the computer system, not activity inside the PC environment. Meanwhile malicious applications, spyware for example, often use standard channels such as e-mail or the web to get into the computer. Such malware can be embedded in a useful utility and as such freely enters the PC via e-mail or the Internet; the firewall fails to detect and block it. Malicious software can also be loaded onto your PC when you install software from free CDs (magazine cover mounts). Intrusion prevention software offers preventive protection that separates malicious actions from normal ones. No matter where the malware comes from, outside or inside your PC, HIPS blocks any dangerous activity and allows all legitimate actions.

HIPS vs. sandbox
Sandbox software does not detect whether an application is malicious or not. Some sandboxes may ask the user whether an unknown program should be run in the isolated environment or added to the trusted applications list. In most cases, after running in a sandbox the program is allowed into the real OS. HIPS precisely detects whether the program's activity is malicious or not and advises the user what to do with such a program (deny or allow).

Summary
A combination of traditional antivirus or firewall solutions and new proactive protection technologies provides comprehensive protection and thus the most effective level of computer security. The combination of behavioral and signature technologies makes it possible to control a broad range of events related to the detection and prevention of various computer threats (see the table below).

Intrusion Prevention Systems on Security Software Map

| | (LAN) Firewall | Personal Firewall | Anti-Spyware, Anti-Adware, etc. | Antivirus | Host Intrusion Prevention Software |
|---|---|---|---|---|---|
| Installs on | Server | Client | Server and/or Client | Server and/or Client | Client |
| Effective against | Network attacks | Host attacks, spyware | Specific malware | Known viruses | Any potential damage |
| Protective action | Stop traffic | Stop traffic / terminate application | Wipe malicious files / applications | Cure / quarantine / wipe infected files | Block particular action attempted by application or block malicious application completely |
| Protective action is applied when | Traffic is abnormal | Traffic is abnormal | Malware is detected | File is damaged | Risk of damage exists |
| Monitors | Network traffic | Network traffic | Application code / Traffic | Application code | Application behavior |
| Check method | Traffic analysis | Traffic analysis | Signature match / Traffic analysis | Signature match | Behavior analysis |
| Checks running applications | No | On alarm | At launch | At launch | Constantly |
| Checks e-mail, downloads, web pages | No | No | Yes | Yes | No |
| Checks static files on HDD | No | No | Yes | Yes | No |
| System load | Negligible | Moderate to negligible | Heavy to moderate | Heavy to moderate | Negligible |
| Requires frequent updates | No | No | Yes | Yes | No |
| Requires user attendance | Seldom / Not at all | Seldom / Not at all | Often | Seldom | Seldom |
| Risks, limitations and drawbacks | Host-based attacks | Leaks, custom attacks | New malware | Zero-day viruses | False alarms |
| Layer of security | Outermost | Outer | Inner | Inner | Innermost |
| Required for multi-layer security | Absolutely | Recommended | Recommended | Absolutely | Highly recommended |
| Examples | IPX LAN Firewall, SonicWALL | Norton Personal Firewall, Zone-Alarm Pro, Agnitum Outpost | Microsoft Antispyware, CA eTrust PestPatrol, Lavasoft Ad-Aware | Symantec Norton AV, McAfee VirusScan, Kaspersky AVP | S.N. Safe&Software Safe'n'Sec, Panda TruPrevent, Pro PrevX |

    Copyright © 2006 Peter Yexley. All rights reserved.