HIPS Host-Based Intrusion Prevention System By Ali Adlavaran & Mahdi Mohamad Pour (M.A. Team) Life’s Live in Code Life.

Contents
What does "HIPS" mean anyway?
Introduction to Intrusions
Types of Intruders
Consequences of Intrusion
Detection Approaches
Statistical Anomaly Detection
Introduction to HIPS in Kaspersky Anti-Virus
HIPS Components
Packages in HIPS source code

What is an intrusion?
Any set of actions that attempt to compromise the confidentiality, integrity or availability of a computer resource.

Types of Intruders
There are three classes of intruders:
Masquerader: an individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account.
Misfeasor: a legitimate user who accesses data, programs or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.
Clandestine user: an individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit actions.

Consequences of Intrusion
An intruder may attempt the following:
Read privileged data
Perform unauthorized modification of data
Disrupt the system settings

Detection Approaches: Signature-based
Signature-based detection compares observed network or system activity against a database of known attack and malware signatures. It is the technique most often used in Intrusion Detection Systems (IDS) and in many anti-malware products such as anti-virus and anti-spyware. If a match is found, an alert is raised for further action.

Detection Approaches: Statistical anomaly detection
Involves collecting data on the behavior of legitimate users over a period of time. Statistical tests are then applied to observed behavior to determine, with a high level of confidence, whether it is not legitimate user behavior.

Statistical Anomaly Detection Categories
Threshold Detection: involves counting the number of occurrences of a specified event type over an interval of time; if the count exceeds the threshold set for that interval, an intrusion is assumed.

Statistical Anomaly Detection Categories (Continued)
Profile-Based Anomaly Detection: focuses on characterizing the past behavior of individual users or related groups of users and then detecting significant deviations from it.
Examples of profile parameters: counter, interval timer.
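Both categories above in working form, as an added example that is not part of the presentation: threshold detection counts one event type per user in fixed time windows, and profile-based detection compares the current interval's counter with a per-user mean and standard deviation built from earlier sessions. The audit events, users and history values are constructed for the example.

```python
from collections import Counter
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed audit events (not from the presentation): (seconds since start, user, event type)
EVENTS: List[Tuple[int, str, str]] = [
    (5, "bob", "login_failure"), (12, "bob", "login_failure"), (20, "bob", "login_failure"),
    (31, "bob", "login_failure"), (45, "bob", "login_failure"), (50, "alice", "login_failure"),
    (70, "alice", "file_open"), (95, "bob", "login_failure"),
]

# Constructed history: per-user login-failure counters from earlier one-hour intervals
HISTORY: Dict[str, List[int]] = {
    "alice": [1, 2, 1, 0, 2, 1, 1, 2],
    "carol": [0, 0, 0, 0],   # a user whose counter never varied in the past
}


def threshold_detect(events, event_type: str, window: int, limit: int):
    """Threshold detection: count one event type per (user, fixed time window) and
    flag every window whose count exceeds the limit."""
    counts: Counter = Counter()
    for ts, user, etype in events:
        if etype == event_type:
            counts[(user, ts // window)] += 1
    return sorted((user, win, n) for (user, win), n in counts.items() if n > limit)


def build_profile(history: Dict[str, List[int]]) -> Dict[str, Tuple[float, float]]:
    """Profile-based detection, step 1: summarize each user's past counter values
    as (mean, population standard deviation)."""
    return {user: (mean(counts), pstdev(counts)) for user, counts in history.items()}


def profile_detect(profile, user: str, observed: int, z_limit: float = 3.0) -> Tuple[bool, float]:
    """Step 2: compare the current interval's counter with the profile.
    Returns (is_anomalous, z_score). A zero-variance profile would divide by zero,
    so for such a user any change from the historical value counts as anomalous."""
    mu, sd = profile[user]
    if sd == 0.0:
        return (observed != mu), (float("inf") if observed != mu else 0.0)
    z = (observed - mu) / sd
    return abs(z) > z_limit, z


if __name__ == "__main__":
    print(threshold_detect(EVENTS, "login_failure", 60, 3))   # [('bob', 0, 5)]
    print(profile_detect(build_profile(HISTORY), "alice", 6))  # flagged: roughly 7 std devs above the mean
```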

HIPS in Kaspersky

HIPS Explained
What does "HIPS" mean anyway? It stands for Host Intrusion Prevention System. In essence, it is a program that alerts the user when a malware program, such as a virus, may be trying to run on the user's computer, or when an unauthorized user, such as a hacker, may have gained access to it.

HIPS Explained (continued)
HIPS controls specific system events:
File creation or deletion
System registry manipulation
Network traffic

HIPS Components: Group Policy Manager and Application Rules Manager
Applications are placed in one of four trust groups:
Trusted
Low restricted
High restricted
Untrusted
According to the source code: CHipsRuleManager

HIPS Components (continued)
Adequate permissions and restrictions are preset for each group:
Trusted applications are not restricted in their rights and abilities.
Low restricted applications are denied actions which can be dangerous for the system.
High restricted applications are only allowed to perform actions which cannot cause any harm.
Untrusted applications can perform practically no system actions.

HIPS Components

Basics of rules in HIPS
Subject: the application or group which triggers the given event.
Object: the resource to which the application or group is trying to get access.
Action: allow, deny or prompt for action.
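The trust groups and the subject/object/action rule model from the preceding slides, as an added example that is not Kaspersky's code: a rule manager that resolves an application's request against a per-application rule first and its group preset second, and fails closed when neither exists. The group presets, application names and controlled objects are constructed to illustrate the slides' descriptions.

```python
from enum import Enum
from typing import Dict, List, Tuple


class Group(Enum):
    TRUSTED = "trusted"
    LOW_RESTRICTED = "low_restricted"
    HIGH_RESTRICTED = "high_restricted"
    UNTRUSTED = "untrusted"


class Action(Enum):
    ALLOW = "allow"
    DENY = "deny"
    PROMPT = "prompt"


OBJECTS = ("file_create", "file_delete", "registry_write", "network")  # events HIPS controls

# A rule maps (subject, object) -> action; the subject is an application name or a group name.
# Constructed presets illustrating the slides' group descriptions, not Kaspersky's real tables.
GROUP_PRESETS: Dict[Tuple[str, str], Action] = {
    **{(Group.TRUSTED.value, o): Action.ALLOW for o in OBJECTS},      # no restrictions
    (Group.LOW_RESTRICTED.value, "file_create"): Action.ALLOW,
    (Group.LOW_RESTRICTED.value, "file_delete"): Action.PROMPT,
    (Group.LOW_RESTRICTED.value, "registry_write"): Action.DENY,      # dangerous action denied
    (Group.LOW_RESTRICTED.value, "network"): Action.ALLOW,
    (Group.HIGH_RESTRICTED.value, "file_create"): Action.PROMPT,      # everything else -> DENY
    **{(Group.UNTRUSTED.value, o): Action.DENY for o in OBJECTS},     # practically nothing allowed
}


class RuleManager:
    """Resolves (subject, object) to allow/deny/prompt. A per-application rule overrides the
    group preset, an unknown application is treated as Untrusted, a missing rule fails closed."""

    def __init__(self, app_groups: Dict[str, Group], rules: Dict[Tuple[str, str], Action]):
        self.app_groups = dict(app_groups)
        self.rules = dict(rules)
        self.log: List[Tuple[str, str, str, str]] = []   # every decision, for later review

    def decide(self, app: str, obj: str) -> Action:
        group = self.app_groups.get(app, Group.UNTRUSTED)
        action = self.rules.get((app, obj))                           # 1. per-application rule
        if action is None:
            action = self.rules.get((group.value, obj), Action.DENY)  # 2. group preset, else deny
        self.log.append((app, group.value, obj, action.value))
        return action


def demo() -> RuleManager:
    apps = {"explorer.exe": Group.TRUSTED, "browser.exe": Group.LOW_RESTRICTED,
            "updater.exe": Group.HIGH_RESTRICTED}                      # constructed assignments
    rules = {**GROUP_PRESETS, ("updater.exe", "network"): Action.ALLOW}  # per-app exception
    return RuleManager(apps, rules)
```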

HIPS Components: Firewall and Network Rules
Block traffic
Allow traffic
Prompt for action
According to the source code: CHipsRuleManager, CAlock, CNetRMSettings, CNetRulesTaskState

HIPS Components: System Watcher
The System Watcher component in Kaspersky Anti-Virus collects data about the actions performed by applications on your computer and passes this information to other components for improved protection.
According to the source code: cEHSysWatch, cSystemWatcherData, cSysWatchEventHandler
System Watcher functionalities:
Exploit prevention
Heuristic analysis
Rolling back malware actions
Application control

System Watcher Functionalities: Exploit prevention
This functionality protects the computer from malicious programs that use vulnerabilities in the most common applications. It:
Controls executable files started from vulnerable applications and web browsers.
Controls suspicious actions of vulnerable applications.
Monitors previous program launches.
Tracks the source of malicious code.
Prevents the use of application vulnerabilities.

System Watcher Functionalities: Heuristic analysis
System Watcher uses heuristic analysis to detect actions which partially match patterns of dangerous activity. If such actions are detected, the application asks the user to select an action to be performed on the suspicious program.
Depending on the selected protection mode, the following actions are available:
Select action automatically (if automatic protection mode is enabled). System Watcher automatically applies the action recommended by Kaspersky Lab specialists.
Prompt for action (if interactive protection mode is enabled). System Watcher informs you of the detected suspicious activity and prompts you to allow or block it.
Select action: Delete; Terminate the malware (all malware processes are terminated); Ignore (no action is applied to the malware).

System Watcher Functionalities: Rolling back malware actions
Information about suspicious actions in the system is collected not only for the current session, but also for previous sessions. This makes it possible to roll back all actions performed by an application if the application is subsequently recognized as malicious.
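The rollback idea above as an added example, not Kaspersky's implementation: a journal that records, per application and across sessions, what is needed to undo each file action, so that every action of an application can be reverted once it is judged malicious. The in-memory file system, application names and file contents are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

# Journal entry: (session number, action kind, path, content before the action or None if absent)
Entry = Tuple[int, str, str, Optional[str]]


class ActionJournal:
    """Records every reversible file action an application performs, keyed by application and
    kept across sessions, so all of its actions can be undone if it is later judged malicious.
    The file system is a plain dict here (constructed stand-in)."""

    def __init__(self, store: Optional[Dict[str, List[Entry]]] = None):
        self.store = store if store is not None else {}   # stands in for the on-disk journal
        self.session = 0

    def new_session(self) -> int:
        self.session += 1
        return self.session

    def apply(self, app: str, kind: str, path: str, content: Optional[str], fs: Dict[str, str]) -> None:
        """Perform an application's action on `fs` and journal what is needed to undo it."""
        if kind not in ("write", "delete"):
            raise ValueError(f"unsupported action kind: {kind}")
        self.store.setdefault(app, []).append((self.session, kind, path, fs.get(path)))
        if kind == "write":
            fs[path] = content if content is not None else ""
        else:
            fs.pop(path, None)

    def rollback(self, app: str, fs: Dict[str, str]) -> int:
        """Undo every journaled action of `app` from all sessions, newest first, and return
        how many were undone. Unknown applications undo nothing."""
        entries = self.store.pop(app, [])
        for _session, _kind, path, previous in reversed(entries):
            if previous is None:
                fs.pop(path, None)      # the file did not exist before: remove it
            else:
                fs[path] = previous     # restore the earlier content
        return len(entries)


def demo() -> Tuple[int, Dict[str, str]]:
    """Constructed scenario: a dropper edits and deletes files over two sessions, a benign
    editor writes a note, then the dropper is classified as malicious and rolled back."""
    fs = {"hosts": "127.0.0.1 localhost", "report.txt": "quarterly figures"}
    journal = ActionJournal()
    journal.new_session()
    journal.apply("dropper.exe", "write", "hosts", "tampered entry", fs)
    journal.apply("dropper.exe", "write", "run.bat", "start payload", fs)
    journal.new_session()
    journal.apply("dropper.exe", "delete", "report.txt", None, fs)
    journal.apply("editor.exe", "write", "notes.txt", "meeting at 10", fs)
    return journal.rollback("dropper.exe", fs), fs
```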

System Watcher Functionalities: Application Control
An Applications Activity module with which you can view information about installed and running applications, such as an application's status and the level of trust attributed to it.

Packages in HIPS source code

Classes inside the HIPS in Kaspersky

Class                    Source file
CHipsRuleManager         \Hips\Task\hipsrulemanager.h
CPrague                  \Hips\hips_base_serializer\CPrague.h
CNetRMSettings           \Hips\Task\NetRMSettings.h
CAlock                   \Hips\Task\NetRulesManager.h
CNetRulesTaskState       \Hips\Task\NetRulesManager.h
cAutoLockerCS            \Hips\swdrv\swdrv.cpp
cSystemWatcherData       \Hips\gui\SwCsWrap\SwCsWrap.cpp
cCS                      \Hips\swdrv\swdrv.cpp
cSysWatchEventHandler    \Hips\SystemWatcher\syswatch_eventhandler.h
cEHSysWatch              \Hips\EventHandler\eh_syswatch.h
SharpStr2WcharStr        \Hips\gui\SwCsWrap\SwCsWrap.cpp
CHipsDataSerializer      \Hips\hips_base_serializer\HipsDataSerializer.h
WcharStr2SharpStr        \Hips\gui\SwCsWrap\SwCsWrap.cpp
CHipsLocalCash           \Hips\Task\hipsmanager.h
CHipsManager             \Hips\Task\hipsmanager.h

Thank you for your attention. Any Questions? Life’s Live in Code Life