HIPS - host-based intrusion prevention
Traditional Anti-Virus software was pattern based: it looked for specific
sequences of executable code to identify virus threats. The virus writers
got smarter, and introduced viruses that scrambled their code as
they propagated, defeating the AV efforts. See Virus Research and Defense Bok Review for a detailed
look at this whole area.
HIPS instead tries to look at what the program does, either by
intercepting system calls or watching packets or other
system activity. These may be rule based
or may assign scores for certain activity. The problem, of course,
is that a program you need to run may generate activity that a HIPS
program finds suspicious. This gotcha has so far kept HIPS at the
high end of the food chain; home users and small businesss don't
usually have the resources to deal with something this complex. A
buffer overflow probably indicates malicious code, but it may also
just be bad programming. A hardware inventory tool would probably
make any HIPS call foul, and so on.
Anything HIPS does is really something that should be in the OS
itself, and probably will be in future years. Today, kernels are
too much obedient servants, blindly doing the bidding of any program
that asks. We have only the very beginning of security in the kernel;
most of what we do today is added on. This will change - it has to.
Hardware will also play its part in the security picture, but
less trusting kernels are necessary.
Got something to add? Send me email.
Increase ad revenue 50-250% with Ezoic
More Articles by Tony Lawrence
Find me on Google+
© 2012-07-13 Tony Lawrence