Network Computing is part of the Informa Tech Division of Informa PLC


How To Protect Your Network's PCs: Page 9 of 13

eEye's Blink agent doesn't intercept system calls, either. Rather, after examining thousands of attacks, eEye has determined the most common exploit methods used and condensed them into a rule set for Blink. As packets and frames come into the PC from the network stack, Blink matches them against its rule set. Based on the number and type of rules violated, the agent can then drop potentially harmful packets and log the action.

While eEye wants to differentiate Blink from its system call brethren, version 2.0 of the product hedges its bets by also including a buffer overflow protection module similar to those found on Entercept and other system call interceptors. The module examines program processes as they're loaded into the computer's memory. If a program attempts to overwrite a buffer, Blink will kill the process.

Other vendors, such as Sygate, Symantec, McAfee, and Check Point, are also bundling HIPS capability with other products. For instance, Check Point's Integrity 6.0 is an integrated security suite that includes a HIPS. The behavior-based analysis engine, called the Malicious Code Prevention (MCP) module, decompiles network traffic coming into the PC and looks for patterns that may indicate the presence of a buffer overflow. Buffer overflows are the most common exploit used by malware to install programs or gain control of a target machine.

HIPS vendors know their claims about stopping unknown attacks are seductive. To resist being seduced into a buying decision, remember to keep an eye on the drawbacks. At the top of the list are false positives. HIPSs may stop valid programs from running, which will generate help desk calls and require you to create exception lists for applications on your desktops. (One customer reported that his HIPS blocked his patching software.) Every HIPS product will cause false positives, especially on initial deployment, so be wary of any vendor that claims otherwise. During product evaluation, look for a management interface you can be comfortable with because you'll likely be spending a lot of time with it.
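A toy model of the two mechanisms discussed above, Blink-style rule-set scoring of inbound payloads and the per-application exception lists that false positives force administrators to maintain. This is an added example, not eEye's or any other vendor's code; the rules, weights, threshold, and sample payloads are all constructed for illustration.

```python
"""Toy HIPS packet inspector: score a payload against a rule set, drop above a
threshold, honour per-application exceptions, and log every drop."""
from dataclasses import dataclass, field
import re


@dataclass
class Rule:
    name: str
    pattern: bytes  # regex applied to the inbound payload
    weight: int     # how much one match adds to the score


@dataclass
class Verdict:
    action: str     # "allow" or "drop"
    score: int
    matched: list = field(default_factory=list)


# Constructed rules; patterns and weights are illustrative, not a real rule set.
RULES = [
    Rule("long_nop_sled", rb"\x90{32,}", 5),
    Rule("oversized_field", rb"[A-Za-z0-9+/]{512,}", 2),
    Rule("shell_token", rb"(?i)cmd\.exe|/bin/sh", 4),
]
DROP_THRESHOLD = 5  # drop when the sum of matched rule weights reaches this


def inspect(payload: bytes, dest_app: str,
            exceptions: dict[str, set[str]], log: list[str]) -> Verdict:
    """Match payload against RULES, skipping rules the admin has excepted for
    dest_app, and return the verdict (dropped packets are appended to log)."""
    score, hits = 0, []
    for rule in RULES:
        if rule.name in exceptions.get(dest_app, set()):
            continue  # admin-created exception for this application
        if re.search(rule.pattern, payload, re.DOTALL):
            score += rule.weight
            hits.append(rule.name)
    action = "drop" if score >= DROP_THRESHOLD else "allow"
    if action == "drop":
        log.append(f"DROP app={dest_app} score={score} rules={','.join(hits)}")
    return Verdict(action, score, hits)


if __name__ == "__main__":
    # Constructed sample: a legitimate patch download with a long base64 blob
    # and the string "cmd.exe" in its description trips two rules (false positive).
    patch = b"PATCH: replaces cmd.exe\r\n\r\n" + b"A" * 600
    log: list[str] = []
    print(inspect(patch, "patcher", {}, log).action)                              # drop
    print(inspect(patch, "patcher", {"patcher": {"oversized_field"}}, log).action)  # allow
```

The first call shows the false positive the article warns about (the patching software gets blocked); the second shows the exception list an administrator would have to add to restore it.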

Another issue with HIPSs is that without signatures to identify zero-day attacks, administrators have to puzzle out for themselves whether processes are malicious or not. Reporting may not be as intuitive as the person manning the console would like.