Host Intrusion Prevention: Behavioral Analysis

Host Intrusion Prevention technologies, better known as HIPS, have been on the market for some time. HIPS technologies work on the premise of providing endpoint intrusion prevention against anomalous system behavior.

Over the years HIPS has been developed for the anti-malware space in order to complement existing technologies (signatures and heuristics) and to improve detection capabilities. This was all part of a strategy to thwart 0-day malware by using a proactive, rather than a reactive, approach to virus identification; therefore this technology is not new to the market.

But the way in which a vendor goes about fulfilling this model varies depending on the architecture involved. Interestingly enough, there have been many misconceptions regarding the quality and effectiveness of the HIPS technologies on the market today. In fact, the only architectural standard I have seen has been defined by Gartner analyst Neil MacDonald.

For example, rule-based technologies work to a certain degree in terms of proactively defending against 0-day malware; however, they often require initial training and tuning before they can block an unknown threat with confidence, and this results in high operating costs over time. This is especially true given the existing complexity of diversified networks.

Most vendors on the market today have included HIPS in their technology portfolios; however, what is missing from many offerings is behavioral analysis (which is very different from behavioral blocking or from policy enforcement and control).

What is Behavioral Analysis and why is it important?

Behavioral analysis works on the premise of intelligently inspecting a running process and terminating it depending on its behavior (the closest thing in the computing world would be a neural network). In other words, it looks at a process and its behavior in context and decides whether it should terminate or block that process. This is obviously not a static, linear process but a dynamic, evolving one. Behavioral blocking, by contrast, focuses on denying specific actions coming from a process that relate to illegal behavior.
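To make the distinction concrete, here is an added example (my own illustration, not code from the post or from any vendor's product) that runs the same constructed process event trace through both approaches. The behavioral blocker judges each event on its own against a deny rule for autorun registry writes; the behavioral analyzer keeps per-process state, so the same action scores differently depending on what that process has already done, and the process is terminated once its cumulative score crosses a threshold. The event actions, score weights, threshold and the two sample processes are all assumptions chosen for the illustration.

```python
"""Added example: behavioral blocking versus behavioral analysis over a
constructed process event trace. Not Panda's or any vendor's engine."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    pid: int
    action: str   # assumed vocabulary: file_write | process_create | registry_set | net_connect
    target: str


# --- Behavioral blocking: deny a specific action, each event judged alone ---
AUTORUN_KEY = "hkcu\\software\\microsoft\\windows\\currentversion\\run"


def is_blocked(event: Event) -> bool:
    """Block any write under the Run key, whatever the process did before."""
    return event.action == "registry_set" and event.target.lower().startswith(AUTORUN_KEY)


# --- Behavioral analysis: per-process state; one action scores differently in context ---
TERMINATE_AT = 10   # assumed threshold


@dataclass
class ProcessState:
    dropped: set = field(default_factory=set)   # executables this process has written
    score: int = 0
    verdict: str = "allow"


class BehavioralAnalyzer:
    def __init__(self, threshold: int = TERMINATE_AT):
        self.threshold = threshold
        self.states = defaultdict(ProcessState)

    def observe(self, event: Event) -> str:
        st = self.states[event.pid]
        if st.verdict == "terminate":
            return st.verdict            # already killed; later events change nothing
        target = event.target.lower()
        if event.action == "file_write" and target.endswith((".exe", ".dll")):
            st.dropped.add(target)
            st.score += 2
        elif event.action == "process_create":
            # launching a file the process itself just wrote is the dropper pattern
            st.score += 5 if target in st.dropped else 1
        elif event.action == "registry_set" and target.startswith(AUTORUN_KEY):
            # persistence after a drop-and-run chain weighs more than a lone
            # autorun write, which legitimate installers also perform
            st.score += 6 if st.dropped else 3
        elif event.action == "net_connect":
            st.score += 3 if st.dropped else 1
        if st.score >= self.threshold:
            st.verdict = "terminate"
        return st.verdict


def run_trace(events):
    """Return what each approach decided for every pid in the trace."""
    blocked = defaultdict(list)
    analyzer = BehavioralAnalyzer()
    for ev in events:
        if is_blocked(ev):
            blocked[ev.pid].append(ev.action)
        analyzer.observe(ev)
    pids = {e.pid for e in events}
    return {
        "blocking": {pid: blocked[pid] for pid in pids},
        "analysis": {pid: analyzer.states[pid].verdict for pid in pids},
        "scores": {pid: analyzer.states[pid].score for pid in pids},
    }


# Constructed trace: pid 100 is a benign installer, pid 200 a dropper.
TRACE = [
    Event(100, "registry_set", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MyApp"),
    Event(100, "process_create", "C:\\Program Files\\MyApp\\myapp.exe"),
    Event(200, "file_write", "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe"),
    Event(200, "process_create", "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe"),
    Event(200, "net_connect", "203.0.113.5:443"),
    Event(200, "registry_set", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"),
]

if __name__ == "__main__":
    for name, result in run_trace(TRACE).items():
        print(name, result)
```

Running it shows the two failure modes the text alludes to: the blocker denies the installer's autorun write (a false positive) and denies the dropper's autorun write only after the dropped binary is already running and talking to the network, whereas the analyzer lets the installer proceed (score 4) and terminates the dropper at the third event (score 10) because the drop, the launch of the dropped file and the connection are weighed together.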

Similarly, behavioral analysis technologies are included in Panda TruPrevent Technologies.
