Host Intrusion Prevention System – HIPS

21 Oct, 2022 1923 Views
1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)

A Host Intrusion Prevention System (HIPS) is an advanced security technique designed to proactively identify and prevent malicious network intrusions. Host intrusion systems are intended to monitor a network’s entire traffic and dynamically prevent threats which can often be missed by more traditional antivirus and firewall solutions. As such, most modern networks will deploy one or more of these systems as part of a layered defense strategy.



Host Intrusion Prevention System Basic

HIPS represents a preemptive approach to network security and utilizes advanced techniques to detect and block attempts to breach a computers system. It utilizes several advanced techniques to scan network traffic and look for patterns in the data. If a possible breach is discovered, HIPS can take several different defensive actions depending on the type and severity of the detected activity. Defensive actions can include alerting the user and/or administrator and automatically dropping suspicious data streams. Through the next couple of sections we’ll explore the different methods that HIPS uses to examine network traffic.

Xcitium AEP provides several types of Host Intrusion Prevention, incorporating signature, baseline and stateful inspection. The Host Intrusion Prevention System (HIPS) layer looks for deviations from normal or baseline states in bandwidth, protocol usage and ports. Stateful inspection allows Xcitium AEP to look at the actual protocols contained in the data packets traversing the network. If an abnormal state is detected, HIPS can implement a predetermined set of actions to prevent the endpoint from being compromised and can alert the user or administrator as required. HIPS is just one layer of defense that makes up Xcitium’s Advanced Endpoint Protection solution.

host intrusion prevention system

Signature Method

With signature based methods, HIPS looks at the real-time data flow patterns and compares those patterns with known attack patterns that have already been detected in the wild. Xcitium Host Intrusion Prevention System (HIPS) performs full packet capture in real-time, meaning each packet is scanned bit-for-bit for known malicious patterns that could mean an impending attack. Examples could be as simple as multiple login request failures, system port scans or emails matching known malicious sources.

Profile/Baseline Method

The profile method involves HIPS collecting a data stream from a system in a controlled network environment. This controlled pattern of data flow is then used as a baseline which is compared against the traffic patterns of other machines. If the real-time data pattern is found to be suspiciously different from the baseline then preventative actions are taken. For example, if HIPS detected activity across a port that was not accessed in the control system, Host Intrusion Prevention System would take that as a malicious activity, generate an alert and take preventive action. Protection levels are further enhanced by employing artificial intelligence, allowing for fewer false alarms and detection of advanced persistent threats.

Stateful Protocol Method

Each data packet travelling over a network is wrapped with the header of the protocol being used to handle the packet, and each networking model adds its own type of header data. These protocols must follow the standards put forth in the Requests for Comments (RFC) document that describes in detail how a protocol should be implemented. The stateful protocol method examines each header and looks for inconsistencies between how the header is assembled vs. what the RFC defines it should be. The HIPS also has data on how protocols are implemented in normal operations, making sure that “normal” implementations are not being flagged as malicious activities. If HIPS detects a true deviation from the baseline and RFC profiles, HIPS can take preventative action as well as alerting users and administrators. For example, a TCP header that included the seldom used URG (urgent) mechanism may well be labeled as suspicious and alerts to administrators generated.

Xcitium AEP HIPS layers all three methods together in one high performance engine that maximizes detection while limiting the number of generated alerts. The Xcitium AEP HIPS provides a key security layer in the layered protection approach that combines multiple security technologies (Secure Auto-Containment™, device control, antivirus protection, machine learning, etc) to provide optimal endpoint protection.


Related Sources:

Endpoint Detection
Endpoint Detection and Response

Hidden Keylogger