Anti-Virus Programs
◦ Need to be updated constantly
  – Might be too late
◦ React rather than protect

Firewalls
◦ Can block traffic but needs to allow some through
◦ Attacks can still get in

Intrusion Detection Systems
◦ Scans the network for signs of intrusion
◦ Merely reports
  – Requires user action to stop attacks
◦ IDS evasion techniques are becoming common
Software based heuristic approach
◦ Similar to IDS but has added functionality to block

Sandbox
◦ Runs mobile code in an isolated environment and looks at the result

Hybrid
◦ Uses multiple detection methods and blocks imminent attacks

Kernel Based Protection
◦ Agent installed between user application and kernel
◦ Malicious system calls are blocked.
Network based
◦ Inline hardware systems
◦ Uses signature, anomaly, and proprietary detection methods
◦ Traffic normalization
  – removes protocol ambiguities to ensure the NIPS sees the same thing as the end host

Cons?
◦ High rate of false positives
◦ What if NIPS goes down?
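The traffic normalization bullet is the one most often misunderstood, so here is an added example (not from the slides and not any vendor's code) of what an inline normalizer does for one protocol ambiguity: overlapping TCP segments. The segment data, the two reassembly policies and the function names are all constructed for this example; real TCP stacks do differ in how they resolve overlaps, and that difference is exactly what lets a sensor and the end host see different bytes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int      # offset of the first byte, relative to the start of the stream
    data: bytes


# Constructed sample: the third segment re-sends offsets 5..13 with different
# content, so the stream a host sees depends on its reassembly policy.
CONSTRUCTED_SEGMENTS = [
    Segment(0, b"GET /"),
    Segment(5, b"index.php"),
    Segment(5, b"admin.php"),
]


def reassemble(segments, policy="favor_old"):
    """Rebuild the byte stream the way an end host might.

    'favor_old' keeps the byte that arrived first for an offset;
    'favor_new' lets a later segment overwrite it.  Real TCP stacks differ
    in exactly this kind of choice, which is the ambiguity the slide means.
    """
    stream = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if policy == "favor_old" and off in stream:
                continue
            stream[off] = byte
    if not stream:
        return b""
    end = max(stream) + 1
    if len(stream) != end:
        raise ValueError("stream has holes; cannot deliver in order")
    return bytes(stream[i] for i in range(end))


def normalize(segments):
    """Inline normalizer: forward every stream offset at most once.

    Bytes for offsets already forwarded are trimmed from later segments, so
    the host can only ever see the copy the sensor inspected, whatever its
    reassembly policy.  Repeated offsets whose content differs are counted
    as conflicts, which a NIPS would log as a likely evasion attempt.
    Returns (forwarded_segments, conflict_count).
    """
    seen = {}
    forwarded = []
    conflicts = 0
    for seg in segments:
        current = None                      # (seq, bytearray) run of new bytes
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if off in seen:
                if seen[off] != byte:
                    conflicts += 1
                if current is not None:     # close the run before the overlap
                    forwarded.append(Segment(current[0], bytes(current[1])))
                    current = None
                continue
            seen[off] = byte
            if current is None:
                current = (off, bytearray())
            current[1].append(byte)
        if current is not None:
            forwarded.append(Segment(current[0], bytes(current[1])))
    return forwarded, conflicts


if __name__ == "__main__":
    raw = CONSTRUCTED_SEGMENTS
    print("favor_old host sees:", reassemble(raw, "favor_old"))
    print("favor_new host sees:", reassemble(raw, "favor_new"))
    clean, n = normalize(raw)
    print("after normalization, both policies see:", reassemble(clean, "favor_new"),
          "| conflicting bytes dropped:", n)
```

Without the normalizer, the same three segments reassemble to two different requests depending on the host's policy, so a sensor inspecting one of them could miss what the other delivers. After `normalize()` each offset is forwarded once, both policies agree, and the five conflicting bytes become a countable event. Because this sits inline, the "What if NIPS goes down?" question on the slide applies directly: the device has to be deliberately configured to fail open (traffic passes uninspected) or fail closed (traffic stops), and either answer is a risk decision.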
Host based
◦ Installed on host computer
◦ Hooks into the kernel and looks at all system calls
◦ If a system call isn’t normal, it is blocked.
◦ Use of “interceptors” (e.g. StormWatch):
  – File system
  – Network
  – Configuration
  – Execution space

Cons?
◦ Resource intensive – checking all calls, sandboxing
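To make the four interceptors and the "not normal, so blocked" rule concrete, here is an added simulation (not code from the slides or from any product such as StormWatch) of a host-based interceptor deciding on each system call. The profile of normal behaviour, the path prefixes, the trace of calls and the web-server application it describes are all constructed assumptions; a real product would hook the kernel and learn or ship its own profile.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Syscall:
    name: str        # "open", "bind", "connect" or "execve"
    arg: str         # a path, a port, or "host:port"
    mode: str = ""   # "r" or "w" for open()


# Constructed profile of what is "normal" for a hypothetical web server,
# one entry per interceptor the slide lists.  A real HIPS would learn or
# ship such a profile; this one is hand-written for the example.
PROFILE = {
    "file_system": {
        "allow_read": ("/var/www/", "/etc/ssl/certs/"),
        "allow_write": ("/var/log/httpd/",),
    },
    "network": {"listen_ports": {80, 443}, "outbound": False},
    "configuration": {"allow_write": ()},       # never rewrites its own config
    "execution": {"allow_exec": ("/usr/lib/cgi-bin/",)},
}

CONFIG_DIRS = ("/etc/",)   # paths owned by the configuration interceptor (constructed)

# Constructed trace of system calls, as the kernel hook would deliver them.
CONSTRUCTED_TRACE = [
    Syscall("bind", "443"),
    Syscall("open", "/var/www/html/index.html", "r"),
    Syscall("open", "/var/log/httpd/access.log", "w"),
    Syscall("open", "/etc/hostname", "r"),            # legitimate, but not in the profile
    Syscall("execve", "/bin/sh"),
    Syscall("connect", "203.0.113.7:4444"),
    Syscall("open", "/etc/httpd/conf/httpd.conf", "w"),
    Syscall("execve", "/usr/lib/cgi-bin/stats.cgi"),
]


def _under(path, prefixes):
    return any(path.startswith(p) for p in prefixes)


def decide(call, profile=PROFILE):
    """Route one call to its interceptor; return (interceptor, allowed)."""
    if call.name == "open":
        if call.mode == "w" and _under(call.arg, CONFIG_DIRS):
            return "configuration", _under(call.arg, profile["configuration"]["allow_write"])
        key = "allow_read" if call.mode == "r" else "allow_write"
        return "file_system", _under(call.arg, profile["file_system"][key])
    if call.name == "bind":
        return "network", int(call.arg) in profile["network"]["listen_ports"]
    if call.name == "connect":
        return "network", profile["network"]["outbound"]
    if call.name == "execve":
        return "execution", _under(call.arg, profile["execution"]["allow_exec"])
    return "unknown", False      # a call the profile never saw is not normal


def enforce(trace, profile=PROFILE):
    """Check every call in order, as the kernel hook would, and return
    (records, summary) where each record is (call, interceptor, verdict)."""
    records = []
    for call in trace:
        interceptor, allowed = decide(call, profile)
        records.append((call, interceptor, "allow" if allowed else "block"))
    blocked = sum(1 for _, _, verdict in records if verdict == "block")
    return records, {"allowed": len(records) - blocked, "blocked": blocked}


if __name__ == "__main__":
    records, summary = enforce(CONSTRUCTED_TRACE)
    for call, interceptor, verdict in records:
        print(f"{verdict:5} [{interceptor:13}] {call.name} {call.arg} {call.mode}")
    print(summary)
```

Running the trace shows both sides of the slide. The shell execution, the outbound connection and the configuration rewrite are blocked by the execution, network and configuration interceptors because the profile never allowed them. The read of `/etc/hostname` is also blocked, although it is harmless: that is the false positive cost, and the only remedy is tuning the profile. Every call passes through `decide()` before the kernel acts on it, which is the "resource intensive" point in a single function.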