Lusher/hipsmodel

From CastleCopsWiki


Image:Hips.PNG

This is from the Gartner HIPS model "Understanding Strengths and Weaknesses of Host-Based Intrusion Prevention Styles" (revised November 2005)

In this model, HIPS is interpreted in the broad sense, taking the term "Host Intrusion Prevention System" literally: it refers to pretty much any kind of security measure that runs on the host machine (as opposed to at the gateway). This means that antivirus (cell 5) and firewalls (cell 1) are HIPS as well.

All HIPS hence fall into 9 possible styles in a 3x3 matrix. The terms are quite intimidating (and may not be that descriptive anyway), but it is fairly easy to understand the styles without remembering the names (which were mostly made up by Gartner on the spur of the moment, and some were changed later anyway).

The rows refer to when the HIPS works, i.e. at which stage of the code's lifecycle it intervenes.

"Network-level HIPS examine the incoming (and, ideally, outgoing) network traffic stream to provide protection against malicious code with the goal of detecting, blocking and removing the malicious code before it ever gets onto the machine"

"Application-level HIPS examine the characteristics of an application's code on the machine with the goal of detecting, blocking and removing malicious code before it is executed."

Execution-level HIPS "examine the characteristics of executing code with the goal of detecting, blocking and removing the ability of executing malicious code to damage the system. This level represents the last line of defense, because the malicious code has entered the system and is now executing."

The columns are pretty self-explanatory: whitelisting, blacklisting, and the last (and probably the most complicated and interesting) method, in which the system somehow understands that unknown code is bad and blocks it (heuristics, emulation, etc.).

For example, sandboxing would be passive behavioral containment (cell 9), which allows code to run but protects system integrity. It is considered passive because little or no attempt is made at behavioral profiling.

More active containment might or might not involve sandboxing or virtualization, but the key point is that it tries to profile or watch the code over time and determine whether it is bad.

"Some HIPS providers (such as Sana Security) monitor the application over time and look for changes in activities and divergence from normal patterns of memory access, systems access and so on, and typically they require a learning period to baseline normal behavior. Other behavioral containment providers (such as WholeSecurity) heuristically inspect executing applications against a large set of good and bad application behaviors to determine and stop malicious intent without requiring a learning period."

From the conventional point of view I suppose this is what many people call behavior blockers (as opposed to classic HIPS). Micropoint Proactive Defense Software, ThreatFire and Panda TruPrevent-style HIPS are style 9 HIPS (active containment).
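The two behavioral containment approaches quoted above (a Sana-style learning period that baselines normal activity and then flags divergence, versus a WholeSecurity-style heuristic rule set that needs no learning period) can be shown side by side on the same event stream. The following is an added example, not code from CastleCops, Gartner or any of the vendors named on this page; the sensor events, process names and rule names are constructed for illustration, and a real product would watch far richer telemetry (memory access patterns, system call arguments, and so on).

```python
from collections import Counter, defaultdict

# Constructed sample events: (process name, activity category) as a hypothetical
# execution-level sensor might report them. Not real telemetry.
LEARNING_PERIOD = [
    ("editor.exe", "file_read:documents"),
    ("editor.exe", "file_write:documents"),
    ("editor.exe", "file_read:documents"),
    ("editor.exe", "registry_read:hkcu_software"),
    ("browser.exe", "net_connect:tcp443"),
    ("browser.exe", "file_write:cache"),
    ("browser.exe", "net_connect:tcp443"),
]

LATER_ACTIVITY = [
    ("editor.exe", "file_read:documents"),
    ("editor.exe", "registry_write:hkcu_run"),  # never seen during learning
    ("editor.exe", "net_connect:tcp443"),       # never seen during learning
    ("browser.exe", "net_connect:tcp443"),
    ("browser.exe", "file_write:cache"),
]


def learn_baseline(events):
    """Learning-period approach: record which activity categories each
    process exhibits, and how often, while the host is assumed clean."""
    baseline = defaultdict(Counter)
    for proc, category in events:
        baseline[proc][category] += 1
    return baseline


def baseline_divergence(baseline, events):
    """Return {process: sorted novel categories} for each process whose later
    activity includes a category absent from its baseline. A process with no
    baseline at all diverges on everything, which is exactly why this style
    needs a learning period before it can be trusted to make decisions."""
    novel = defaultdict(set)
    for proc, category in events:
        if category not in baseline.get(proc, {}):
            novel[proc].add(category)
    return {proc: sorted(cats) for proc, cats in novel.items()}


# Constructed heuristic rule set: a rule fires when one process shows every
# category in its set. No learning period is required, only the rule list.
HEURISTIC_RULES = {
    "autorun_persistence_with_network": {"registry_write:hkcu_run", "net_connect:tcp443"},
    "writes_executable_to_system_dir": {"file_write:system32"},
}


def heuristic_verdict(events, rules=HEURISTIC_RULES):
    """Heuristic approach: inspect each process's observed behaviour against
    the rule set and return {process: sorted names of matching rules}."""
    per_proc = defaultdict(set)
    for proc, category in events:
        per_proc[proc].add(category)
    verdict = {}
    for proc, cats in per_proc.items():
        hits = sorted(name for name, needed in rules.items() if needed <= cats)
        if hits:
            verdict[proc] = hits
    return verdict


if __name__ == "__main__":
    baseline = learn_baseline(LEARNING_PERIOD)
    print("baseline divergence:", baseline_divergence(baseline, LATER_ACTIVITY))
    print("heuristic verdict:  ", heuristic_verdict(LATER_ACTIVITY))
```

Both detectors single out editor.exe on the later activity, but for different reasons: the baseline monitor only knows that the process is doing something it never did before, while the heuristic matcher names the specific bad pattern. The trade-off the Gartner text describes follows directly: the baseline approach flags any new behaviour, including legitimate changes, and is blind until learning completes; the heuristic approach is immediate but only catches what its rule set already describes.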

However, it is generally believed that the term HIPS should only be used for execution-level HIPS. (Some might even argue that only column 3 counts as real HIPS, depending on how one interprets "detecting unknown code".)

So, for example, even though some AVs use emulation or advanced heuristics for scanning files (cell 6):

"Here, the solution must inspect the application's code, look at the types of system calls and application programming interfaces (APIs) that are used, contextually understand the activities that the application would perform if it was executed and block potentially malicious code"

"This can be achieved by exercising the application's code paths using a simulated environment (for example, Internet Security Systems [ISS] Proventia Desktop) or by using reverse-engineering techniques to inspect code to determine malicious characteristics before the application is allowed to be saved or executed on the machine."

we still do not consider them HIPS, let alone the even more conventional signature-based methods (cell 5).

In particular, many people tend to like SSM/PG-style HIPS, which probably fits best into cell 7 (application control) and sometimes cell 8 (resource shielding).

Resource shielding, according to Gartner, covers both AV memory scanning and signatures of known bad behavior (buffer overflow techniques can be caught this way). Compare how Prevx has certain behaviors set only to "Prevent" even in Expert mode (though this might be a limitation of a technique that can only prevent, not profile).

This model is fairly well known, with both Prevx and Panda having written about how their solutions stand in relation to it.


Sources

"Understanding the Nine Protection Styles of Host-Based Intrusion Prevention", MacDonald. Gartner. 27 May 2005

"Best Practices for Implementing Host-Based Intrusion Prevention Systems", MacDonald. Gartner. 20 November 2006

"Host-Based Intrusion Prevention: Myths and Realities", MacDonald. Gartner. 27 November 2006

"Understanding Strengths and Weaknesses of Host-Based Intrusion Prevention Styles", MacDonald. Gartner. 30 January 2006

"How TruPrevent Works", PandaResearch. 24 May 2007

"An Analysis of Approaches to Host Intrusion Prevention", Prevx. 16 December 2005
