Intrusion Prevention Systems from Olga Gorshkova, PR Director, S.N. Safe&Software Ltd.
Viruses, Trojans, worms, hacker attacks, spyware, adware and the like are the most widespread threats to PC security and data integrity today. IT security software developers actively offer new solutions and technologies which, in most cases, are much more efficient than traditional antivirus and firewall protection.
Security software classes
Today's IT security solutions for home PCs can be divided into the following classes:
- Antiviruses: detection of malicious code using signature databases or a heuristic analyzer (the decision that a program is malicious is based on code analysis against a number of preset indicators).
- Personal firewalls: analysis of PC traffic at the OS perimeter.
- Sandboxes/virtualization systems: protect the PC by running software in a simulated system, a sandbox. Any harmful action the malware performs takes place in the simulated system and does not affect the real host system's files.
- Host Intrusion Prevention Software (HIPS): monitors the activity of programs and the operating system. If a program attempts a potentially harmful action, HIPS stops the program before it affects the system and asks the user whether to continue execution or block it.
All these solutions protect the user's PC from certain threats, and together they form a good combination for comprehensive protection against a variety of malware. The main advantage of HIPS software is its ability to detect and block new malware types and modifications which signature-based antivirus does not yet detect, or which a firewall misses (when the malware is disguised as a useful utility). Thus intrusion prevention software is an essential element of comprehensive PC protection.
Intrusion Prevention Technology
Intrusion prevention solutions usually operate in more or less the same way. Let us review basic HIPS technology using the Safe'n'Sec® intrusion prevention system as an example. HIPS technology is based on intercepting system calls and analysing them intelligently at the operating system level. (See picture 1.)
By intercepting system calls and analysing the activity of system applications, HIPS decides whether an application's actions are malicious and blocks the attack at its initial stage. Spyware is blocked before any damage to the system or data is done.
During OS startup the System Interceptor is among the first processes to load, and it inserts itself into the chain of system calls. This module intercepts the system calls of all applications and passes full information about each call, and about the application that issued it, to the iTrust Engine module. The latter identifies the application by its unique properties and passes this data to the Rules Engine module.
This module analyses the information against the predefined rules and produces a report. The report is passed to the Intelligent Decision Maker module, which analyses all the data about the application's actions. As a result, the System Interceptor either blocks denied calls or allows "non-dangerous" calls to execute at the system level. HIPS solutions have a number of advantages that address the shortcomings of traditional security software.
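To make the four-stage chain concrete, here is an added example in Python that is not part of the article and not Safe'n'Sec's own code. It models a System Interceptor feeding each call to an identification step (a stand-in for the iTrust Engine, which identifies the caller by the hash of its image), a Rules Engine that matches the call against predefined rules, and a Decision Maker that weighs the caller's trust, the rule report and the caller's history before answering allow, ask, block, or terminate the application. The event shapes, hashes, rule set, severities and thresholds are all constructed assumptions for illustration.

```python
# Added example, not part of the article or Safe'n'Sec's own code: a toy host
# intrusion prevention pipeline mirroring the four stages described above
# (interceptor -> identification -> rules engine -> decision maker).
# Every event, hash, rule and threshold here is constructed for illustration.
from dataclasses import dataclass, field
from enum import Enum
import hashlib

class Verdict(Enum):
    ALLOW = "allow"
    ASK = "ask"              # defer to the user, as the article describes
    BLOCK = "block"          # deny this particular call
    TERMINATE = "terminate"  # block the application completely

@dataclass(frozen=True)
class SysCall:
    """What the interceptor hands on: the call plus who issued it."""
    pid: int
    image: str          # path of the executable that made the call
    image_bytes: bytes  # stand-in for the executable's contents (constructed)
    op: str             # file_write | reg_set | proc_inject
    target: str

@dataclass(frozen=True)
class AppIdentity:
    image: str
    sha256: str
    trusted: bool

# Hypothetical allow-list of known-good executable hashes (constructed).
TRUSTED_HASHES = {hashlib.sha256(b"notepad-build-1").hexdigest()}

def identify(call: SysCall) -> AppIdentity:
    """iTrust Engine stand-in: identify the caller by the hash of its image,
    not by its file name, which malware can spoof."""
    digest = hashlib.sha256(call.image_bytes).hexdigest()
    return AppIdentity(call.image, digest, digest in TRUSTED_HASHES)

# Rules Engine: (rule name, operation, target predicate, severity 1..3).
RULES = [
    ("autorun_persistence", "reg_set",
     lambda t: t.lower().startswith(r"hklm\software\microsoft\windows\currentversion\run"), 3),
    ("process_injection", "proc_inject", lambda t: True, 3),
    ("system_dir_write", "file_write", lambda t: t.lower().startswith(r"c:\windows\system32"), 2),
]

@dataclass
class Report:
    matched: list = field(default_factory=list)  # (rule name, severity) pairs

    @property
    def severity(self) -> int:
        return max((sev for _, sev in self.matched), default=0)

def evaluate(call: SysCall) -> Report:
    """Rules Engine stand-in: match one call against the predefined rules."""
    report = Report()
    for name, op, pred, sev in RULES:
        if call.op == op and pred(call.target):
            report.matched.append((name, sev))
    return report

class DecisionMaker:
    """Intelligent Decision Maker stand-in: weighs identity, the rule report and
    the caller's history; repeated dangerous behaviour escalates to TERMINATE."""

    def __init__(self, terminate_score: int = 6):
        self.scores = {}  # pid -> accumulated severity of risky calls
        self.terminate_score = terminate_score

    def decide(self, identity: AppIdentity, report: Report, pid: int) -> Verdict:
        sev = report.severity
        if sev == 0:
            return Verdict.ALLOW
        if identity.trusted and sev < 3:  # trusted apps may do routine config work
            return Verdict.ALLOW
        self.scores[pid] = self.scores.get(pid, 0) + sev
        if self.scores[pid] >= self.terminate_score:
            return Verdict.TERMINATE
        return Verdict.BLOCK if sev >= 3 else Verdict.ASK

def interceptor(calls, dm: DecisionMaker) -> list:
    """System Interceptor stand-in: run each intercepted call through the chain."""
    return [(c.pid, c.op, dm.decide(identify(c), evaluate(c), c.pid)) for c in calls]

# Constructed sample: a trusted editor (pid 100) and an unknown download (pid 200).
EDITOR, UNKNOWN = r"c:\windows\notepad.exe", r"c:\users\alice\downloads\codec.exe"
SAMPLE_CALLS = [
    SysCall(100, EDITOR, b"notepad-build-1", "file_write", r"c:\users\alice\notes.txt"),
    SysCall(100, EDITOR, b"notepad-build-1", "file_write", r"c:\windows\system32\app.ini"),
    SysCall(200, UNKNOWN, b"unknown-build", "file_write", r"c:\windows\system32\x.dll"),
    SysCall(200, UNKNOWN, b"unknown-build", "reg_set",
            r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\codec"),
    SysCall(200, UNKNOWN, b"unknown-build", "proc_inject", "explorer.exe"),
]

def run_sample() -> list:
    """Returns (pid, op, verdict) for each sample call, in order."""
    return interceptor(SAMPLE_CALLS, DecisionMaker())

if __name__ == "__main__":
    for pid, op, verdict in run_sample():
        print(f"pid {pid} {op:<12} -> {verdict.value}")
```

Run as a script, the sample shows the same call (a write into the system directory) being allowed for the trusted editor but referred to the user for the unknown binary, and the unknown binary's later autorun and injection attempts being blocked and then the process terminated once its accumulated score crosses the threshold. The per-process score is what lets the decision maker act on "all data about application actions" rather than on each call in isolation, which is also why a HIPS can report false alarms on legitimate but unusual software, the drawback the table at the end of the article notes.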
HIPS vs. antivirus
Antivirus, whether signature- or heuristic-based, effectively protects your PC from well-known viruses, or from those which have already damaged users' computers. Signature updates are released with some delay, and testing an update takes time. Intrusion prevention solutions proactively protect the PC from unknown malware, detecting and blocking all malicious actions before any damage to the computer system is done.
Heuristic-based antivirus solutions are usually developed for a specific operating system and system configuration; HIPS is universal in this sense. These systems provide efficient protection against viruses, computer worms, trojans, spyware, hacker and phishing attacks, unskilled actions of novice users, etc.
HIPS vs. firewall
A firewall controls and analyses traffic at the computer system's entry point, but not activity inside the PC environment. Meanwhile malicious applications, spyware for example, often use standard ports, such as those for e-mail or the Internet, to get into the computer environment. Such malware can be embedded in a useful utility and, as such, freely enters the PC via e-mail or the Internet. The firewall fails to detect and block it.
Malicious software can also end up on your PC when you install software from free CDs (magazine cover mounts). Intrusion prevention software offers preventive protection that separates malicious actions from normal ones. No matter where the malware comes from, outside or inside your PC, HIPS blocks any dangerous activity and allows all benign actions.
HIPS vs. sandbox
Sandbox software does not detect whether an application is malicious or not. Some sandboxes ask the user whether an unknown program should be run in the isolated environment or added to the trusted applications list. In most cases, after running in a sandbox the program is then allowed into the real OS. HIPS precisely detects whether the program's activity is malicious and advises the user what to do with the program (deny or allow).
Summary
Combining traditional antivirus or firewall solutions with the new proactive protection technologies provides comprehensive protection and thus the most effective level of computer security. The combination of behavioral and signature technologies makes it possible to control a broad range of events related to the detection and prevention of various computer threats (see the table below).
Intrusion Prevention Systems on Security Software Map
| | (LAN) Firewall | Personal Firewall | Anti-Spyware, Anti-Adware, etc. | AntiVirus | Host Intrusion Prevention Software |
|---|---|---|---|---|---|
| Installs On | Server | Client | Server and/or Client | Server and/or Client | Client |
| Effective Against | Network Attacks | Host Attacks, Spyware | Specific Malware | Known Viruses | Any Potential Damage |
| Protective Action | Stop Traffic | Stop Traffic / Terminate Application | Wipe Malicious Files / Applications | Cure / Quarantine / Wipe Infected Files | Block Particular Action Attempted By Application Or Block Malicious Application Completely |
| Protective Action Is Applied When | Traffic Is Abnormal | Traffic Is Abnormal | Malware Is Detected | File Is Damaged | Risk Of Damage Exists |
| Monitors | Network Traffic | Network Traffic | Application Code / Traffic | Application Code | Application Behavior |
| Check Method | Traffic Analysis | Traffic Analysis | Signature Match / Traffic Analysis | Signature Match | Behavior Analysis |
| Checks Running Applications | No | On Alarm | At Launch | At Launch | Constantly |
| Checks E-mail, Downloads, Webpages | No | No | Yes | Yes | No |
| Checks Static Files On HDD | No | No | Yes | Yes | No |
| System Load | Negligible | Moderate To Negligible | Heavy To Moderate | Heavy To Moderate | Negligible |
| Requires Frequent Updates | No | No | Yes | Yes | No |
| Requires User Attendance | Seldom / Not At All | Seldom / Not At All | Often | Seldom | Seldom |
| Risks, Limitations and Drawbacks | Host-Based Attacks | Leaks, Custom Attacks | New Malware | Zero-Day Viruses | False Alarms |
| Layer Of Security | Outermost | Outer | Inner | Inner | Innermost |
| Required For Multi-Layer Security | Absolutely | Recommended | Recommended | Absolutely | Highly Recommended |
| Examples | IPX, Lan, Firewall, SonicWALL | Norton Personal Firewall, ZoneAlarm Pro, Agnitum Outpost | Microsoft AntiSpyware, CA eTrust PestPatrol, Ad-Aware | Symantec Norton AV, McAfee VirusScan, Kaspersky AVP | S.N. Safe&Software Safe'n'Sec, Panda TruPrevent Pro, Prevx |
S.N. Safe&Software Ltd is exhibiting at Infosecurity Europe 2007, Europe's number one dedicated information security event. Now in its 12th year, the show continues to provide an unrivalled education programme, new products and services, over 300 exhibitors and 11,600 visitors from every segment of the industry.
Held on 24th - 26th April 2007 in the Grand Hall, Olympia, this is a must-attend event for all professionals involved in information security. www.infosec.co.uk