Test2
From CastleCopsWiki
| Level | Explanation | Example | Blacklist (block known bad guys) | Behavior (block bad behavior) | Whitelist (allow only the known good guys) | Community based (shared knowledge) |
|---|---|---|---|---|---|---|
| Network level | Inbound protection, outbound protection | Firewall | (1) | (2) | (3) | (4) |
| Threat gate entry | Data intrusion (P2P, Internet, DVD/CD, USB, floppy, etc.) | Sandbox | (5) | (6) | (7) | (8) |
| Threat gate entry | OS intrusion (registry, ini files, XP vulnerable areas) | Antispyware program | (9) | (10) | (11) | (12) |
| Application level | Startup monitor, process modification, process termination, data injection, global hook, memory access | Classic HIPS | (13) | (14) | (15) | (16) |
| Data level | Access level | Data firewall | (17) | (18) | (19) | (20) |
| Data level | Content level | Antivirus | (21) | (22) | (23) | (24) |
Notes
This security model classifies security software along two dimensions.
Firstly, the horizontal rows (Network level, Threat gate entry, Application level, Data level) take into account the stage at which the protection applies. For example, the first layer of protection occurs at the network level. The next layer of protection concerns itself with the different threat gates (through the Internet, through CD/DVD, floppy, etc.); for example, you could sandbox the browser to prevent anything malicious from getting through. Assuming that the malware gets past these two layers, it might then be caught by the application layer, which watches process behavior. Lastly, at the data level, access controls or content controls might work to prevent theft or modification.
Secondly, the vertical columns (Blacklist, Behavior, Whitelist, Community based) classify the protection layer according to how it is implemented. Blacklists only catch known bad guys, with near zero false positives. Behavior-based protection tries to detect only certain behaviors using heuristics, with a much higher false positive rate. Whitelists only allow the known good and are hence the most troublesome to use. In general the level of protection increases when moving from blacklists to behavior to whitelists, but with increased intrusiveness. Community-based methods leverage community sharing to help make decisions; depending on the quality of this information, it can help increase both protection and usability.
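As an added illustration of the tradeoff described above (example code written for this page, not part of the original wiki), the script below scores four toy blocking policies, one per column of the table, against constructed program-launch events; all program names, behaviour flags and reputation scores are assumptions.

```python
# Added example: toy scoring of blacklist / behaviour / whitelist / community
# policies over constructed launch events. Names and flags are hypothetical.
from dataclasses import dataclass, field

@dataclass
class Event:
    name: str
    is_malware: bool                       # ground truth, used only for scoring
    behaviours: set = field(default_factory=set)

KNOWN_BAD = {"dropper.exe"}                             # blacklist signatures
KNOWN_GOOD = {"notepad.exe", "backup.exe"}              # whitelist entries
SUSPICIOUS = {"writes_run_key", "injects_process"}      # behaviour heuristics
REPUTATION = {"installer.exe": 0.8, "newbot.exe": 0.1}  # community trust, 0..1

# Constructed sample: what each launched program was observed doing.
EVENTS = [
    Event("notepad.exe", False),
    Event("backup.exe", False, {"writes_run_key"}),     # legit autostart tool
    Event("dropper.exe", True, {"writes_run_key", "injects_process"}),
    Event("newbot.exe", True, {"injects_process"}),     # not yet in any blacklist
    Event("installer.exe", False, {"writes_run_key"}),  # unknown but benign
]

def blacklist(e: Event) -> bool:
    """Block only known bad guys."""
    return e.name in KNOWN_BAD

def behaviour(e: Event) -> bool:
    """Block anything showing a suspicious behaviour, known or not."""
    return bool(e.behaviours & SUSPICIOUS)

def whitelist(e: Event) -> bool:
    """Block everything that is not a known good guy."""
    return e.name not in KNOWN_GOOD

def community(e: Event) -> bool:
    """Whitelist, but let shared reputation admit programs the local list lacks."""
    return e.name not in KNOWN_GOOD and REPUTATION.get(e.name, 0.0) < 0.5

def score(policy) -> tuple[int, int]:
    """Return (malware blocked, benign programs wrongly blocked) over EVENTS."""
    blocked = [e for e in EVENTS if policy(e)]
    caught = sum(e.is_malware for e in blocked)
    return caught, len(blocked) - caught

if __name__ == "__main__":
    for policy in (blacklist, behaviour, whitelist, community):
        caught, fps = score(policy)
        print(f"{policy.__name__:10} caught={caught} false_positives={fps}")
```

Moving across the columns, blocked malware rises from 1 to 2 while false positives go 0, 2, 1 and then back to 0 once community reputation admits the unknown but benign installer.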
Network level
First layer of protection. Almost all products here are firewalls. Some HIPS provide only outbound protection (e.g. DSA), while hardware firewalls provide only inbound protection.
(1) Blink? / Sygate IDS
(2)
(3) Comodo Firewall, Kerio Firewall, CHX-I, ZoneAlarm, etc.
(4) Blink?
Threat gate entry
(5)
(6)
(7) Sandboxie, GeSWall, CoreForce
(8)
(9)
(10)
(11) Many resident shields of antispyware programs such as Windows Defender, Spyware Terminator and WinPatrol, plus many HIPS with registry control or monitoring of sensitive areas
(12)
Application level
(13)
(14) Cyberhawk
(15) Most classic HIPS, including ProcessGuard, SSM, Neoava Guard, EQSecure
(16) Prevx1, Cyberhawk
Data level
(17)
(18) SensiveGuard
(19) Data Sentry; HIPS such as Neoava Guard, ProSecurity, esecure
(20)
(21) AntiVir, Avast, AV
(22)
(23)
(24)
