Network Computing is part of the Informa Tech Division of Informa PLC


How To Protect Your Network's PCs: Page 8 of 13

Five vendors with HIPS products are battling for market domination: McAfee, Cisco Systems, Sana Security, WholeSecurity, and eEye Digital Security.

The dominant technology in HIPS products is behavioral analysis, which uses various methods to examine the kinds of actions a program or application takes. Actions that appear malicious, such as attempting a buffer overflow or opening a network connection, trigger the HIPS agent. Because behavioral analysis catches malicious programs without needing signatures, it is well suited to zero-day attack detection.

Behavioral analysis agents sit between the applications and the OS kernel, where they monitor system and API calls to file, network, and registry resources. They correlate system-call behavior against a set of rules that define inappropriate behavior and can make real-time decisions on whether to allow or deny an operation. Entercept, Cisco, and Sana sell behavioral analysis HIPS software.

WholeSecurity and eEye take a different approach to HIPS technology. Rather than intercept system calls, WholeSecurity's Confidence Online uses Windows APIs to learn how processes should behave. It then uses dozens of detection modules to examine active processes on an endpoint for behaviors that might indicate a malicious program. For instance, modules will check if the program attempts to log keystrokes, perform screen captures, or open a communications channel.

With Confidence Online, each potentially malicious behavior is assigned a score. Once these are tallied, the total score can trigger a response mechanism. Responses include alert-only, which sends a report to the management console; disable, which prevents the process from running unless the machine is rebooted or the user manually restarts the process; and permanently quarantine, which prevents the process from running ever again. Only administrators can unquarantine a program.
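The scoring and response scheme described above, as an added illustration that is not Confidence Online's code: three detection modules (keystroke logging, screen capture, communications channel) each contribute an assumed weight, the tally selects alert-only, disable, or quarantine, a user restart clears only a disable, and only an administrator can unquarantine. The weights and thresholds are illustrative, not the product's real values.

```python
from dataclasses import dataclass
from enum import Enum

class Response(Enum):
    ALLOW = "allow"
    ALERT = "alert-only"       # report sent to the management console
    DISABLE = "disable"        # blocked until reboot or manual user restart
    QUARANTINE = "quarantine"  # blocked until an administrator releases it

@dataclass
class ProcessObservation:
    # What the detection modules observed about one process (constructed input)
    name: str
    hooks_keyboard: bool = False          # keystroke-logging module
    captures_screen: bool = False         # screen-capture module
    opens_network_channel: bool = False   # communications-channel module

# Each module is (label, predicate, score). Weights/thresholds are assumed values.
MODULES = [
    ("keystroke logging", lambda p: p.hooks_keyboard, 40),
    ("screen capture", lambda p: p.captures_screen, 30),
    ("communications channel", lambda p: p.opens_network_channel, 10),
]
ALERT_AT, DISABLE_AT, QUARANTINE_AT = 20, 50, 80

def score_process(p: ProcessObservation):
    # Run every module over the process and tally the hits
    hits = [(label, w) for label, check, w in MODULES if check(p)]
    return sum(w for _, w in hits), [label for label, _ in hits]

def choose_response(score: int) -> Response:
    if score >= QUARANTINE_AT: return Response.QUARANTINE
    if score >= DISABLE_AT: return Response.DISABLE
    if score >= ALERT_AT: return Response.ALERT
    return Response.ALLOW

class Hips:
    def __init__(self):
        self.disabled, self.quarantined = set(), set()
    def evaluate(self, p: ProcessObservation):
        score, reasons = score_process(p)
        resp = choose_response(score)
        if resp is Response.DISABLE: self.disabled.add(p.name)
        if resp is Response.QUARANTINE: self.quarantined.add(p.name)
        return resp, score, reasons
    def may_run(self, name): return name not in (self.disabled | self.quarantined)
    def user_restart(self, name):  # reboot or manual restart clears a disable only
        self.disabled.discard(name)
    def unquarantine(self, name, is_admin):
        if not is_admin: return False
        self.quarantined.discard(name); return True
```

Note that a single low-weight behavior such as opening a network channel stays below the alert threshold, which is what keeps ordinary network clients from being flagged; the combination of behaviors is what drives the score up.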