Page 180 - DCAP516_COMPUTER_SECURITY
Computer Security
14.3 Types of Intrusion Prevention System
14.3.1 Host-based
A Host-based IPS (HIPS) is one where the intrusion-prevention application is resident on that
specific IP address, usually on a single computer. HIPS complements traditional fingerprint-based
and heuristic antivirus detection methods, since it does not need continuous updates to
stay ahead of new malware. As malicious code needs to modify the system or other software
residing on the machine to achieve its aims, a truly comprehensive HIPS will notice
some of the resulting changes and either prevent the action by default or ask the user for permission.
Extensive use of system resources can be a drawback of existing HIPS, which integrate a firewall,
system-level action control and sandboxing into a coordinated detection net, on top of a
traditional AV product.
This extensive protection scheme may be warranted for a laptop computer frequently operating
in untrusted environments (e.g. on cafe or airport Wi-Fi networks), but the heavy defenses may
take their toll on battery life and noticeably impair the general responsiveness of the computer,
as the HIPS protective component and the traditional AV product check each file on the PC
against a huge blacklist to see if it is malware.
Alternatively, if HIPS is combined with an AV product utilising whitelisting technology, then
there is far less use of system resources, as many applications on the PC are trusted (whitelisted).
HIPS as an application then becomes a real alternative to traditional antivirus products.
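The two host-side behaviours described above (noticing changes that malicious code makes to software on the machine, and an allowlist-first policy that spares trusted files the blacklist scan) are illustrated by the following added example. It is not code from the textbook or from any HIPS product; the directory tree, the "trusted" and "known-bad" hashes and the tampering it simulates are all constructed inside `demo()`.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Snapshot every file under root as {relative path: sha256}: the known-good state."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def detect_changes(root: Path, baseline: dict) -> dict:
    """Re-hash the tree and report what a HIPS would flag: modified, added and removed files."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def classify(file_hash: str, allowlist: set, blocklist: set) -> str:
    """Allowlist-first policy: trusted files skip the expensive blacklist scan entirely."""
    if file_hash in allowlist:
        return "trusted"   # whitelisted: no blacklist lookup, no heuristics
    if file_hash in blocklist:
        return "block"     # known-bad fingerprint
    return "scan"          # unknown: hand to the heuristic/AV engine or prompt the user


def demo() -> dict:
    """Build a throwaway tree, baseline it, tamper with it, and report what the HIPS sees."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"constructed program image v1")
        (root / "lib.so").write_bytes(b"constructed shared library")
        baseline = build_baseline(root)
        allowlist = set(baseline.values())   # everything present at install time is trusted
        # Constructed known-bad hash, standing in for a vendor blacklist entry.
        blocklist = {hashlib.sha256(b"constructed dropper payload").hexdigest()}

        # Simulated tampering: patch a binary, drop a new file, delete a library.
        (root / "bin" / "app").write_bytes(b"constructed program image v1 + injected code")
        (root / "dropper").write_bytes(b"constructed dropper payload")
        (root / "lib.so").unlink()

        changes = detect_changes(root, baseline)
        verdicts = {
            rel: classify(sha256_file(root / rel), allowlist, blocklist)
            for rel in changes["modified"] + changes["added"]
        }
        return {"changes": changes, "verdicts": verdicts}


if __name__ == "__main__":
    print(demo())
```

The patched binary is no longer on the allowlist, so it falls through to the "scan" path; the new file matches the blacklist and is blocked outright; untouched files never reach the scanner at all, which is where the resource saving of the whitelisting approach comes from.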
14.3.2 Network-based
A network-based IPS is one where the IPS application/hardware, and any actions taken to prevent
an intrusion on specific network host(s), run on a host with another IP address on the
network (this could be a front-end firewall appliance).
Network Intrusion Prevention Systems (NIPSs) are purpose-built hardware/software platforms
designed to analyze, detect and report on security-related events. NIPSs inspect traffic
and, based on their configuration or security policy, can drop malicious traffic.
14.3.3 Content-based
A Content-based IPS (CBIPS) inspects the content of network packets for unique byte sequences,
called signatures, to detect and, ideally, prevent known types of attack such as worm infections
and hacks.
Protocol Analysis
A key development in IDS/IPS technologies was the use of protocol analyzers. Protocol analyzers
can natively decode application-layer network protocols, like HTTP or FTP. Once the protocols
are fully decoded, the IPS analysis engine can evaluate different parts of the protocol for
anomalous behavior or exploits. For example, the presence of a large binary blob in the User-Agent
field of an HTTP request would be very unusual and likely an intrusion. A protocol
analyzer could detect this anomalous behavior and instruct the IPS engine to drop the offending
packets.
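The following added example puts the content-based signature check and the protocol-analysis check side by side, using the User-Agent case from the paragraph above. It is not code from the textbook or from any IPS product: the signatures, the 512-byte length threshold and the three sample HTTP requests are all constructed for the demonstration, and the HTTP decoder is deliberately minimal (request line plus headers, no chunked encoding or continuation lines).

```python
MAX_USER_AGENT = 512   # constructed threshold; real engines tune limits per protocol field

# Constructed signatures: byte patterns a content-based IPS looks for anywhere in a payload.
SIGNATURES = {
    "constructed-worm-marker": b"EXAMPLE-WORM-MARKER-1",
    "constructed-exploit-marker": b"EXAMPLE-EXPLOIT-MARKER-2",
}


def signature_scan(payload: bytes) -> list:
    """Content-based check: substring match against every signature, with no protocol awareness."""
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]


def parse_http_request(payload: bytes):
    """Minimal HTTP/1.x request decoder: request line, headers (lower-cased names), body.
    Returns None when the bytes do not form a syntactically valid request."""
    head, separator, body = payload.partition(b"\r\n\r\n")
    if not separator:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            return None
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip()
    return {"method": parts[0], "target": parts[1], "version": parts[2],
            "headers": headers, "body": body}


def protocol_analyze(payload: bytes) -> list:
    """Protocol-aware check: decode the request and judge each field on its own terms."""
    request = parse_http_request(payload)
    if request is None:
        return ["malformed-http-request"]
    findings = []
    user_agent = request["headers"].get("user-agent", b"")
    if len(user_agent) > MAX_USER_AGENT:
        findings.append(f"user-agent-too-long:{len(user_agent)}")
    # User-Agent is a text field; any byte outside printable ASCII is out of place there.
    if any(b < 0x20 or b > 0x7E for b in user_agent):
        findings.append("user-agent-non-printable")
    return findings


def ips_verdict(payload: bytes) -> dict:
    """Run both engines; a finding from either one is enough to drop the packet."""
    signatures = signature_scan(payload)
    protocol = protocol_analyze(payload)
    return {"signatures": signatures, "protocol": protocol,
            "action": "drop" if signatures or protocol else "allow"}


# Constructed sample requests.
NORMAL = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
          b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n")
BINARY_UA = (b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: "
             + bytes(range(0x80, 0x100)) * 5 + b"\r\n\r\n")   # 640 bytes of non-text
SIG_IN_BODY = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/8.0\r\n"
               b"Content-Length: 33\r\n\r\nhello EXAMPLE-WORM-MARKER-1 world")

if __name__ == "__main__":
    for label, packet in [("normal", NORMAL), ("binary user-agent", BINARY_UA),
                          ("marker in body", SIG_IN_BODY)]:
        print(label, ips_verdict(packet))
```

The binary User-Agent matches no signature, so a pattern-only engine would pass it; only the decoded-field check catches it. Conversely, the marker in the POST body is invisible to the protocol checks and is caught by the signature scan, which is why production engines run both.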
Not all IPS/IDS engines are full protocol analyzers. Some products rely on simple pattern
recognition techniques to look for known attack patterns. While this can be sufficient in many
174 LOVELY PROFESSIONAL UNIVERSITY