Page 224 - DCAP403_Operating System
Unit 11: System Security
Alternatively, if a HIPS is combined with an AV product that uses whitelisting, far fewer system
resources are consumed, because many applications on the PC are trusted (whitelisted) and need not
be inspected. A HIPS then becomes a real alternative to traditional antivirus products.
Network-based
A network-based IPS is one where the IPS application/hardware, and any action taken to
prevent an intrusion on specific network host(s), runs on a host with a different IP address on
the network (this could be a front-end firewall appliance).
Network Intrusion Prevention Systems (NIPSs) are purpose-built hardware/software platforms
designed to analyze, detect and report on security-related events. A NIPS inspects traffic inline
and, based on its configuration or security policy, can drop malicious traffic before it reaches
the protected hosts.
Content-based
A content-based IPS (CBIPS) inspects the content of network packets for unique byte sequences,
called signatures, to detect and, where possible, prevent known types of attack such as worm
infections and exploitation attempts. Because a signature describes one specific byte pattern, it
only catches traffic that reproduces that pattern exactly.
Protocol Analysis
A key development in IDS/IPS technologies was the use of protocol analyzers. Protocol analyzers
can natively decode application-layer network protocols, like HTTP or FTP. Once a protocol is
fully decoded, the IPS analysis engine can evaluate each field of the protocol for anomalous
values or exploits. For example, a large blob of binary data in the User-Agent header of an
HTTP request would be very unusual and is likely an intrusion attempt. A protocol analyzer can
detect this anomaly, regardless of the exact bytes used, and instruct the IPS engine to drop the
offending packets.
Not all IPS/IDS engines are full protocol analyzers. Some products rely on simple pattern
recognition techniques to look for known attack patterns. While this can be sufficient in many
cases, it creates an overall weakness in the detection capabilities. Since many vulnerabilities have
dozens or even hundreds of exploit variants, pattern recognition-based IPS/IDS engines can be
evaded. For example, some pattern recognition engines require hundreds of different signatures
(patterns) to protect against a single vulnerability. This is because they must have a different
pattern for each exploit variant. Protocol analysis-based products can often block exploits with a
single signature that monitors for the specific vulnerability in the network communications.
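To make the contrast between content-based signature matching and protocol analysis concrete, here is an added example in Python; it is not part of the original text. It implements two toy engines side by side: a pattern-recognition engine with one byte signature per exploit variant, and a protocol-analysis engine that decodes the HTTP request and applies a single check to the User-Agent header. The signatures, the header values that play the role of exploit variants, and the 512-byte User-Agent limit are all constructed for this example; none of them corresponds to a real exploit or a real product's policy.

```python
"""Pattern-matching signatures versus protocol analysis on HTTP requests."""
import re
from typing import Optional

# --- Pattern-recognition engine ------------------------------------------------
# One raw-byte signature per known exploit variant. Constructed for this
# example; they do not describe any real exploit.
PATTERN_SIGNATURES = [
    re.compile(rb"User-Agent: .*\x90\x90\x90\x90"),      # variant using a NOP-sled style filler
    re.compile(rb"User-Agent: .*AAAAAAAAAAAAAAAAAAAA"),  # variant using a long 'A' filler
]

def pattern_engine(raw: bytes) -> bool:
    """Flag the request if any raw-byte signature matches anywhere in it."""
    return any(sig.search(raw) for sig in PATTERN_SIGNATURES)

# --- Protocol-analysis engine --------------------------------------------------
def parse_http_request(raw: bytes) -> Optional[dict]:
    """Minimal HTTP/1.x decoder: request line plus headers (names lower-cased).
    Returns None when the bytes do not decode as an HTTP request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            return None  # a header line without a colon is malformed
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}

MAX_UA_LEN = 512  # hypothetical policy limit; real products make this configurable

def protocol_engine(raw: bytes) -> bool:
    """Flag the request if the decoded User-Agent is oversized or contains bytes
    outside printable ASCII (tab allowed). One check covers every variant that
    has to carry its payload in this header, including ones not seen before."""
    req = parse_http_request(raw)
    if req is None:
        return True  # undecodable traffic on an HTTP port is itself anomalous
    ua = req["headers"].get(b"user-agent", b"")
    if len(ua) > MAX_UA_LEN:
        return True
    return any(b != 0x09 and (b < 0x20 or b > 0x7E) for b in ua)

def evaluate(raw: bytes) -> tuple:
    """(pattern_engine verdict, protocol_engine verdict) for one request."""
    return pattern_engine(raw), protocol_engine(raw)

# --- Constructed sample traffic -------------------------------------------------
def build_request(user_agent: bytes, header_name: bytes = b"User-Agent") -> bytes:
    return (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
            + header_name + b": " + user_agent + b"\r\n\r\n")

SAMPLES = {
    "benign":   build_request(b"Mozilla/5.0 (X11; Linux x86_64)"),
    "variant1": build_request(b"\x90" * 16 + b"\xcc\xcc"),               # matches signature 1
    "variant2": build_request(b"A" * 600),                               # matches signature 2
    "variant3": build_request(b"\xeb\xfe" * 20),                         # new variant, no signature yet
    "variant4": build_request(b"\x90" * 16, header_name=b"user-agent"),  # header name case changed
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        pat, proto = evaluate(raw)
        print(f"{name:9s} pattern={pat!s:5s} protocol={proto}")
```

Running it shows the point of the passage: the pattern engine catches only the two variants it has signatures for and is evaded both by a new filler (variant3) and by a trivial change of header-name case (variant4), while the protocol engine, having decoded the request, flags all four with the same single rule and still passes the benign browser request.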
Rate-based
Rate-based IPS (RBIPS) are primarily intended to prevent Denial of Service and Distributed
Denial of Service attacks. They work by monitoring and learning normal network behaviour.
Through real-time traffic monitoring and comparison with stored statistics, an RBIPS can identify
abnormal rates for certain types of traffic, e.g. TCP, UDP or ARP packets, connections per second,
packets per connection, packets to specific ports, etc. An attack is detected when a threshold is
exceeded. The thresholds are adjusted dynamically according to time of day, day of the week, etc.,
drawing on the stored traffic statistics, so that a rate which is normal at midday is not mistaken
for an attack at 3 a.m. and vice versa.
Unusual but legitimate network traffic patterns may create false alarms. The system’s effectiveness
is related to the granularity of the RBIPS rulebase and the quality of the stored statistics.
Once an attack is detected, various prevention techniques may be used, such as rate-limiting
specific attack-related traffic types, source or connection tracking, and source-address, port or
protocol filtering (blacklisting) or validation (whitelisting).
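The following Python example is added here to show the rate-based mechanism end to end; it is not part of the original text and is not the code of any real RBIPS product. It learns per-hour baselines from constructed packet-rate samples, derives a dynamic threshold (mean plus three standard deviations for the traffic type at that hour of day), and, when the threshold is exceeded, chooses between blacklisting a single dominant source (source tracking) and rate-limiting the traffic type when the flood is distributed. The baseline values, IP addresses, window size, the 0.8 "dominant source" share and the k = 3 multiplier are all assumptions made for the example.

```python
"""Rate-based IPS: learned per-hour baselines, dynamic thresholds, source tracking."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import mean, pstdev
from typing import Optional

class Baseline:
    """Stored traffic statistics: packets-per-second samples keyed by
    (traffic_type, hour_of_day). A product would gather these over days of
    monitoring; here they are learned from constructed samples."""
    def __init__(self):
        self.samples = defaultdict(list)

    def learn(self, traffic_type: str, hour: int, pps: float) -> None:
        self.samples[(traffic_type, hour)].append(pps)

    def threshold(self, traffic_type: str, hour: int, k: float = 3.0) -> float:
        """mean + k standard deviations for this type at this hour. Falls back to
        all hours for the type, and never alarms when nothing has been learned."""
        vals = self.samples.get((traffic_type, hour))
        if not vals:
            vals = [v for (t, _), vs in self.samples.items() if t == traffic_type for v in vs]
        if not vals:
            return float("inf")
        return mean(vals) + k * pstdev(vals)

@dataclass
class Action:
    window_start: int
    traffic_type: str
    kind: str                 # "rate-limit" or "blacklist"
    src: Optional[str]        # set only for "blacklist"
    observed_pps: float
    threshold: float

class RateBasedIPS:
    def __init__(self, baseline: Baseline, window_seconds: int = 1, k: float = 3.0,
                 dominant_share: float = 0.8):
        self.baseline = baseline
        self.window_seconds = window_seconds
        self.k = k
        self.dominant_share = dominant_share   # assumed cut-off for "one source dominates"
        self.blacklist = set()

    def analyze(self, packets) -> list:
        """packets: iterable of (unix_ts, traffic_type, src_ip). Buckets traffic
        into fixed windows, compares each type's rate with the threshold for that
        hour of day, and returns the prevention actions taken."""
        windows = defaultdict(lambda: defaultdict(Counter))  # start -> type -> src -> count
        for ts, ttype, src in packets:
            if src in self.blacklist:
                continue  # source-address filtering: blacklisted, so the packet is dropped
            windows[ts - ts % self.window_seconds][ttype][src] += 1
        actions = []
        for start in sorted(windows):
            hour = datetime.fromtimestamp(start, tz=timezone.utc).hour
            for ttype, by_src in windows[start].items():
                total = sum(by_src.values())
                pps = total / self.window_seconds
                limit = self.baseline.threshold(ttype, hour, self.k)
                if pps <= limit:
                    continue
                # Source tracking: a single dominant source is blacklisted; a
                # distributed flood can only be rate-limited by traffic type.
                top_src, top_n = by_src.most_common(1)[0]
                if top_n / total >= self.dominant_share:
                    self.blacklist.add(top_src)
                    actions.append(Action(start, ttype, "blacklist", top_src, pps, limit))
                else:
                    actions.append(Action(start, ttype, "rate-limit", None, pps, limit))
        return actions

# --- Constructed baseline and traffic (assumed values) ---------------------------
def build_baseline() -> Baseline:
    b = Baseline()
    for pps in (18, 22, 20, 19, 21):        # quiet overnight TCP rate, about 20 pps
        b.learn("tcp", 3, pps)
    for pps in (190, 210, 200, 195, 205):   # business-hours TCP rate, about 200 pps
        b.learn("tcp", 14, pps)
    return b

def at_hour(hour: int) -> int:
    """Unix timestamp for a fixed date at the given UTC hour."""
    return int(datetime(2024, 1, 15, hour, 0, 0, tzinfo=timezone.utc).timestamp())

def synth(ts: int, ttype: str, sources, per_source: int) -> list:
    return [(ts, ttype, s) for s in sources for _ in range(per_source)]

NIGHT_FLOOD = synth(at_hour(3), "tcp", ["10.0.0.9"], 150)                        # 150 pps, one source, 03:00
DAY_NORMAL  = synth(at_hour(14), "tcp", [f"10.0.1.{i}" for i in range(10)], 15)  # 150 pps at 14:00
DAY_DDOS    = synth(at_hour(14), "tcp", [f"10.0.2.{i}" for i in range(50)], 10)  # 500 pps from 50 sources

if __name__ == "__main__":
    ips = RateBasedIPS(build_baseline())
    for label, traffic in (("night flood", NIGHT_FLOOD), ("day normal", DAY_NORMAL),
                           ("day ddos", DAY_DDOS), ("night flood again", NIGHT_FLOOD)):
        print(label, ips.analyze(traffic))
```

The same 150 packets per second trigger a blacklist at 03:00, where the learned threshold is about 24 pps, but pass unremarked at 14:00, where it is about 221 pps; that is the time-of-day adjustment the text describes. The 500 pps flood spread over fifty sources exceeds the daytime threshold but has no dominant source, so the only action available is rate-limiting the traffic type, and once a source is blacklisted its later packets are filtered before they are even counted.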