
HIPS Host-Based Intrusion Prevention System By Ali Adlavaran & Mahdi Mohamad Pour (M.A. Team) Life’s Live in Code Life.

2 Contents
- What does "HIPS" mean anyway?
- Introduction to intrusions
- Types of intruders
- Consequences of intrusion
- Detection approaches
- Statistical anomaly detection
- Introduction to HIPS in Kaspersky Anti-Virus
- HIPS components
- Packages in the HIPS source code

3 What is an intrusion?
Any set of actions that attempts to compromise the confidentiality, integrity or availability of a computer resource.

4 Types of Intruders
There are three classes of intruders:
- Masquerader: an individual who is not authorized to use the computer and who penetrates the system's access controls to exploit a legitimate user's account.
- Misfeasor: a legitimate user who accesses data, programs or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.
- Clandestine user: an individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit actions.

5 Consequences of Intrusion
An intruder may attempt to:
- read privileged data
- perform unauthorized modifications to data
- disrupt the system or alter its settings

6 Detection Approaches
Signature-based
Network or host activity is compared against a database of known attack or malware signatures. If a match is found, an alert is raised for further action. This technique is widely used in Intrusion Detection Systems (IDS) and in anti-malware products such as anti-virus and anti-spyware. It can only detect attacks whose signatures are already known.

7 Detection Approaches
Statistical anomaly detection
Involves collecting data on the behavior of legitimate users over a period of time. Statistical tests are then applied to observed behavior to determine with a high level of confidence whether it deviates from legitimate user behavior. Unlike signature matching this can flag previously unseen attacks, at the cost of false positives when legitimate behavior changes.

8 Statistical Anomaly Detection Categories
Threshold detection
Involves counting the number of occurrences of a specified event type over an interval of time; an alarm is raised when the count exceeds a threshold.

9 Statistical Anomaly Detection Categories (continued)
Profile-based anomaly detection
Focuses on characterizing the past behavior of individual users or related groups of users and then detecting significant deviations from that profile.
Examples of profile parameters:
- Counter (e.g. number of logins or files accessed in a session)
- Interval timer (time elapsed between two related events)
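As an added illustration (not part of the original slides), the following Python code implements both categories over a constructed audit log: threshold detection counts failed logins per user per 60-second interval and flags intervals above a limit, while profile-based detection builds a per-user mean and standard deviation for two parameters (a counter of files read, and the interval between logins) and flags observations more than k standard deviations from the mean. The event data, parameter names, users and threshold values are all constructed for the example.

```python
"""Threshold and profile-based statistical anomaly detection (added example)."""
from collections import Counter
from statistics import mean, pstdev

# Constructed audit log: (timestamp in seconds, user, event type).
# mallory produces 8 failed logins inside the first 60-second interval.
SAMPLE_EVENTS = (
    [(t, "alice", "login_fail") for t in (3, 9, 15)]
    + [(20, "alice", "login_ok")]
    + [(t, "mallory", "login_fail") for t in range(10, 18)]
    + [(t, "mallory", "login_fail") for t in (61, 70)]
)

# Constructed per-session history used to build user profiles. "files_read" is a
# counter parameter; "login_gap_s" is an interval-timer parameter (seconds
# between successive logins).
SESSION_HISTORY = {
    "alice": {
        "files_read": [40, 45, 38, 42, 50, 44, 41],
        "login_gap_s": [3600, 4000, 3800, 3500, 4100, 3900, 3700],
    },
    "bob": {"files_read": [10, 12, 11, 9, 13, 10, 11]},
}


def threshold_detect(events, event_type, interval, limit):
    """Threshold detection: count event_type per (user, interval bucket) and
    return the buckets whose count exceeds limit, as (user, bucket, count)."""
    counts = Counter()
    for ts, user, etype in events:
        if etype == event_type:
            counts[(user, ts // interval)] += 1
    return sorted((user, bucket, n)
                  for (user, bucket), n in counts.items() if n > limit)


def build_profile(history):
    """Profile-based detection, step 1: summarize each user's past behaviour
    as (mean, population std-dev) per parameter."""
    return {
        user: {param: (mean(values), pstdev(values))
               for param, values in params.items()}
        for user, params in history.items()
    }


def profile_deviation(profile, user, observed, k=3.0):
    """Profile-based detection, step 2: return the parameters whose observed
    value lies more than k standard deviations from the user's mean. A
    parameter with zero historical variance deviates on any change at all."""
    deviating = []
    for param, value in observed.items():
        mu, sigma = profile[user][param]
        if sigma == 0:
            if value != mu:
                deviating.append(param)
        elif abs(value - mu) / sigma > k:
            deviating.append(param)
    return sorted(deviating)


if __name__ == "__main__":
    print("threshold:", threshold_detect(SAMPLE_EVENTS, "login_fail", interval=60, limit=5))
    prof = build_profile(SESSION_HISTORY)
    print("alice, 400 files read:",
          profile_deviation(prof, "alice", {"files_read": 400, "login_gap_s": 3800}))
    print("alice, login 60 s after the last:",
          profile_deviation(prof, "alice", {"files_read": 46, "login_gap_s": 60}))
```

The two detectors answer different questions: the threshold detector needs no history and catches bursts, while the profile detector needs a training period per user and is the one that would notice a legitimate account suddenly reading ten times its usual number of files.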

10 HIPS in Kaspersky

11 HIPS Explained
What does "HIPS" mean anyway? It stands for Host Intrusion Prevention System. In essence it is a program that alerts the user when a malicious program such as a virus tries to run on the user's computer, or when an unauthorized user such as a hacker may have gained access to it, and that can block the offending action rather than only report it.

12 HIPS Explained
HIPS controls specific system events:
- File creation or deletion
- System registry manipulation
- Network traffic

13 HIPS Components
Group Policy Manager and Application Rules Manager
Applications are assigned to one of four trust groups:
- Trusted
- Low restricted
- High restricted
- Untrusted
According to the source code: CHipsRuleManager

14 HIPS Components
Adequate permissions and restrictions are preset for each group:
- Trusted applications are not restricted in their rights and abilities.
- Low restricted applications are denied actions that can be dangerous for the system.
- High restricted applications are only allowed actions that cannot cause any harm.
- Untrusted applications can perform practically no system actions.

15 HIPS Components

16 Basics of rules in HIPS
- Subject: the application or group that triggers the event
- Object: the resource the application or group is trying to access
- Action: allow, deny or prompt for action
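As an added example (not code from the slides or from Kaspersky's source), the following Python module evaluates subject / object / action rules the way an application rules manager would, combined with the trust groups of slides 13 and 14: explicit rules are checked first, in order, with glob patterns over the application path (subject) and over the object class or object path (object); if no rule matches, the subject's trust group supplies the default verdict. A prompt verdict is resolved by a user callback in interactive mode and, by assumption in this example, denied in automatic mode. The trust-group permission matrix, object class names, application paths and rules are all constructed for the example.

```python
"""Subject / object / action rule evaluation with trust groups (added example)."""
from dataclasses import dataclass
from enum import Enum
from fnmatch import fnmatchcase


class Action(Enum):
    ALLOW = "allow"
    DENY = "deny"
    PROMPT = "prompt"


class TrustGroup(Enum):
    TRUSTED = "trusted"
    LOW_RESTRICTED = "low restricted"
    HIGH_RESTRICTED = "high restricted"
    UNTRUSTED = "untrusted"


# Default verdict per trust group and object class. Constructed for this
# example; it is NOT Kaspersky's actual permission matrix. "*" is the fallback.
GROUP_DEFAULTS = {
    TrustGroup.TRUSTED: {"*": Action.ALLOW},
    TrustGroup.LOW_RESTRICTED: {
        "file:user": Action.ALLOW, "network:outbound": Action.ALLOW,
        "file:system": Action.PROMPT, "registry:autorun": Action.PROMPT,
    },
    TrustGroup.HIGH_RESTRICTED: {
        "file:user": Action.PROMPT, "network:outbound": Action.PROMPT,
        "file:system": Action.DENY, "registry:autorun": Action.DENY,
    },
    TrustGroup.UNTRUSTED: {"*": Action.DENY},
}


@dataclass(frozen=True)
class Rule:
    subject: str   # glob over the application path; "*" means any application
    obj: str       # an object class name, or a glob over the object path
    action: Action


@dataclass(frozen=True)
class Event:
    app: str            # subject: full path of the application
    group: TrustGroup   # trust group the application was assigned to
    obj_class: str      # object class, e.g. "file:system"
    obj_path: str       # object: concrete resource being accessed


class RuleManager:
    def __init__(self, rules, interactive=False, prompt=None):
        self.rules = list(rules)
        self.interactive = interactive
        self.prompt = prompt  # callback Event -> Action, used in interactive mode

    def decide(self, ev):
        """Return (final Action, reason). Explicit rules beat group defaults;
        the first matching rule wins, so list rules from most to least specific."""
        for rule in self.rules:
            if fnmatchcase(ev.app, rule.subject) and (
                    rule.obj == ev.obj_class or fnmatchcase(ev.obj_path, rule.obj)):
                return self._resolve(rule.action, ev, f"rule {rule.subject!r} -> {rule.obj!r}")
        defaults = GROUP_DEFAULTS[ev.group]
        verdict = defaults.get(ev.obj_class, defaults.get("*", Action.DENY))
        return self._resolve(verdict, ev, f"group default for {ev.group.value}")

    def _resolve(self, action, ev, reason):
        if action is not Action.PROMPT:
            return action, reason
        if self.interactive and self.prompt is not None:
            answer = self.prompt(ev)
            return (Action.ALLOW if answer is Action.ALLOW else Action.DENY), reason + " (user prompt)"
        # Automatic mode with nobody to ask: fail closed (an assumption of this example).
        return Action.DENY, reason + " (prompt, auto-denied)"


# Constructed rules: a driver-directory deny listed before the more general
# backup-tool allow, so the backup tool may write system files but not drivers.
EXAMPLE_RULES = [
    Rule("*", "C:\\Windows\\System32\\drivers\\*", Action.DENY),
    Rule("C:\\Program Files\\Backup\\*.exe", "file:system", Action.ALLOW),
]

if __name__ == "__main__":
    mgr = RuleManager(EXAMPLE_RULES)
    backup = "C:\\Program Files\\Backup\\backup.exe"
    for ev in (
        Event(backup, TrustGroup.LOW_RESTRICTED, "file:system", "C:\\Windows\\System32\\config\\SAM"),
        Event(backup, TrustGroup.LOW_RESTRICTED, "file:system", "C:\\Windows\\System32\\drivers\\x.sys"),
        Event("C:\\Users\\bob\\Downloads\\unknown.exe", TrustGroup.UNTRUSTED, "network:outbound", "203.0.113.5:443"),
    ):
        print(ev.app, ev.obj_path, "->", mgr.decide(ev))
```

Rule order matters: with the two rules swapped, the backup tool's allow rule would match a write into the drivers directory first and the deny would never be consulted. That is the same ordering hazard a practitioner has to watch for in any first-match policy engine.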

17 HIPS Components
Firewall and Network Rules
- Block traffic
- Allow traffic
- Prompt for action
According to the source code: CHipsRuleManager, CAlock, CNetRMSettings, CNetRulesTaskState

18 HIPS Components
System Watcher
The System Watcher component in Kaspersky Anti-Virus collects data about the actions performed by applications on your computer and passes this information to other components for improved protection.
According to the source code: cEHSysWatch, cSystemWatcherData, cSysWatchEventHandler
System Watcher functionalities:
- Exploit prevention
- Heuristic analysis
- Rolling back malware actions
- Application control

19 System Watcher Functionalities
Exploit prevention
This functionality protects the computer from malicious programs that use vulnerabilities in the most common applications. It:
- Controls executable files started from vulnerable applications and web browsers.
- Controls suspicious actions of vulnerable applications.
- Monitors the previously launched program.
- Tracks the source of malicious code.
- Prevents exploitation of application vulnerabilities.

20 System Watcher Functionalities
Heuristic analysis
System Watcher uses heuristic analysis to detect actions which partially match patterns of dangerous activity. If such actions are detected, the application asks the user to select an action to be performed on the suspicious program.
Depending on the selected protection mode, the following actions are available:
- Select action automatically (if automatic protection mode is enabled). System Watcher automatically applies the action recommended by Kaspersky Lab specialists.
- Prompt for action (if interactive protection mode is enabled). System Watcher informs you of the detected suspicious activity and prompts you to allow or block it.
- Select action: Delete; Terminate the malware (all malware processes are terminated); Ignore (no action is applied to the malware).

21 System Watcher Functionalities Rolling back malware actions Information about suspicious actions in the system is collected not only for the current session, but also for previous sessions. This makes it possible to roll back all actions performed by the application if the application is subsequently recognized as malicious.
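As an added illustration, not System Watcher's own implementation, the following Python code shows the mechanism behind such a rollback: every file action of a monitored process is journaled before it happens, together with a copy of the affected file where one is needed to undo it, and the journal is persisted to disk so that a later session can undo the actions in reverse order once the process is judged malicious. The run_demo function simulates a process (pid 4242) that drops a payload, overwrites a document and deletes an old backup, then rolls it back from a fresh journal instance while leaving a benign process's file alone; all paths, pids and contents are constructed in a temporary directory.

```python
"""Journaling and rollback of a process's file actions (added example)."""
import json
import shutil
import tempfile
import uuid
from pathlib import Path


class ActionJournal:
    """Records file actions of monitored processes and undoes them on demand.

    The journal is written to disk after every change, so an ActionJournal
    opened on the same files in a later session still knows about actions
    recorded in earlier sessions."""

    def __init__(self, journal_path, backup_dir):
        self.journal_path = Path(journal_path)
        self.backup_dir = Path(backup_dir)
        self.backup_dir.mkdir(parents=True, exist_ok=True)
        self.entries = (json.loads(self.journal_path.read_text())
                        if self.journal_path.exists() else [])

    def _save(self):
        self.journal_path.write_text(json.dumps(self.entries))

    def _backup(self, path):
        # Keep a copy of the file's pre-action content under a unique name.
        dst = self.backup_dir / f"{uuid.uuid4().hex}.bak"
        shutil.copy2(path, dst)
        return str(dst)

    def record(self, pid, op, path):
        """Journal an action BEFORE the process performs it.
        op is one of "create", "modify", "delete"."""
        entry = {"pid": pid, "op": op, "path": str(path)}
        if op in ("modify", "delete"):
            entry["backup"] = self._backup(path)  # content needed to undo
        elif op != "create":
            raise ValueError(f"unknown op {op!r}")
        self.entries.append(entry)
        self._save()

    def rollback(self, pid):
        """Undo every journaled action of pid, newest first, leaving other
        processes' entries untouched. Returns the number of actions undone."""
        undone = 0
        for entry in reversed([e for e in self.entries if e["pid"] == pid]):
            path = Path(entry["path"])
            if entry["op"] == "create":
                if path.exists():
                    path.unlink()
            else:  # modify or delete: put the saved copy back
                shutil.copy2(entry["backup"], path)
            undone += 1
        self.entries = [e for e in self.entries if e["pid"] != pid]
        self._save()
        return undone


def run_demo():
    """Simulate a malicious process across two sessions and roll it back."""
    root = Path(tempfile.mkdtemp())
    doc = root / "report.docx"
    doc.write_text("quarterly numbers")
    old_backup = root / "report.bak"
    old_backup.write_text("quarterly numbers (old)")
    payload = root / "payload.exe"
    note = root / "note.txt"
    journal_file, backups = root / "journal.json", root / "backups"

    # Session 1: pid 4242 acts, each action journaled first; pid 7 is benign.
    session1 = ActionJournal(journal_file, backups)
    session1.record(4242, "create", payload)
    payload.write_bytes(b"MZ\x90\x00")
    session1.record(4242, "modify", doc)
    doc.write_text("ENCRYPTED")
    session1.record(4242, "delete", old_backup)
    old_backup.unlink()
    session1.record(7, "create", note)
    note.write_text("keep me")

    # Session 2: pid 4242 is now judged malicious. A fresh journal instance
    # reads the persisted entries and undoes them in reverse order.
    session2 = ActionJournal(journal_file, backups)
    result = {
        "undone": session2.rollback(4242),
        "payload_exists": payload.exists(),
        "doc": doc.read_text(),
        "old_backup": old_backup.read_text(),
        "note_exists": note.exists(),
        "remaining_entries": len(session2.entries),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(run_demo())
```

The copy taken at record time is what makes the modify and delete cases reversible; without it the journal could only report what happened, not undo it. Registry changes would be journaled the same way, with the previous value stored in place of the file copy.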

22 System Watcher Functionalities
Application Control
The Applications Activity module lets you view information about installed and running applications, such as an application's status and the level of trust attributed to it.

23 Packages in HIPS source code

24 Classes inside the HIPS in Kaspersky
- CHipsRuleManager: \Hips\Task\hipsrulemanager.h
- CPrague: \Hips\hips_base_serializer\CPrague.h
- CNetRMSettings: \Hips\Task\NetRMSettings.h
- CAlock: \Hips\Task\NetRulesManager.h
- CNetRulesTaskState: \Hips\Task\NetRulesManager.h
- cAutoLockerCS: \Hips\swdrv\swdrv.cpp
- cSystemWatcherData: \Hips\gui\SwCsWrap\SwCsWrap.cpp
- cCS: \Hips\swdrv\swdrv.cpp
- cSysWatchEventHandler: \Hips\SystemWatcher\syswatch_eventhandler.h
- cEHSysWatch: \Hips\EventHandler\eh_syswatch.h
- SharpStr2WcharStr: \Hips\gui\SwCsWrap\SwCsWrap.cpp
- CHipsDataSerializer: \Hips\hips_base_serializer\HipsDataSerializer.h
- WcharStr2SharpStr: \Hips\gui\SwCsWrap\SwCsWrap.cpp
- CHipsLocalCash: \Hips\Task\hipsmanager.h
- CHipsManager: \Hips\Task\hipsmanager.h

25 Thank you for your attention. Any Questions? Life’s Live in Code Life

