Author Topic: Differences between Comodo's HIPS & Other Products Intrusion Detection Systems  (Read 30391 times)

Offline ultragunner

  • Comodo Loves me
  • Posts: 143
Other vendor products claim they have IDS which kinda works like HIPS. What is the difference between the two? For example, Kaspersky Proactive Defense & A-Squared Anti-Malware Intrusion Detection Systems compared to Comodo's Host Intrusion Prevention System & behavioral analysis?


Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • Posts: 13525
    • Video Blog
Very simple.


They all work with

Default Allow..... then try to catch the baddies... and they only catch the baddies they know (even so-called heuristics are a glorified signature-based default-allow system)

we work with

Default Deny... your name is not on the list, you are not coming in...


Melih

Offline ultragunner

  • Comodo Loves me
  • Posts: 143
Thanks for the clarification.

I like the explanation, simple & to the point.


Offline andyman35

  • Global Moderator
  • Comodo's Hero
  • Posts: 1579
It's similar to the way Prevx2 works and its CIPS. All files are categorized as known malware, known safe or unknown (exercise caution). It's a highly effective method when implemented properly.

Offline ultragunner

  • Comodo Loves me
  • Posts: 143
By the way, I heard you have already released release candidate version 3. Should I change to it, or stick to version 2.4 for now? I'm kind of afraid of beta versions, even release candidates...


Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • Posts: 13525
    • Video Blog
Wait till next week so that you can use the final..

Melih

Offline ultragunner

  • Comodo Loves me
  • Posts: 143
Great news indeed. I think version 3 will rule over the competition, Online Armor and Agnitum Outpost Pro included. PS. I think you guys are great & I will do my best to promote Comodo here in my country, telling everyone it is an excellent product.


Offline MorphOS REBOL

  • Comodo's Hero
  • Posts: 1162
Great to hear about the FINAL release.

But, Melih, it seems you got a new son?

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • Posts: 13525
    • Video Blog

Offline andyman35

  • Global Moderator
  • Comodo's Hero
  • Posts: 1579
Wait till next week so that you can use the final..

Melih


Guess that answers your thread on whether or not version 3 will be released next week.

Offline OmegaWolf747

  • Newbie
  • Posts: 7
  • Throw back your head and howl!
    • Omega Wolf Howls
Very simple.


They all work with

Default Allow..... then try to catch the baddies... and they only catch the baddies they know (even so-called heuristics are a glorified signature-based default-allow system)

we work with

Default Deny... your name is not on the list, you are not coming in...


Melih

Are Firefox and Thunderbird allowed by default?
Toshiba Satellite X205-S7483, Intel Centrino Core2 Duo 1.66 GHz, 2 GB SDRAM, nVidia GeForce 8700M GT 256 MB VRAM, RealTek HD Audio, x2 120 GB HDD, Windows Vista Home Premium 32bit, Avast Antivirus 4.7.1098, Comodo Firewall 3.0, Firefox 2.0.0.12, Thunderbird 2.0.0.9, Pidgin 2.3.1

Offline Luketan

  • Computer Security Testing Group
  • Comodo Loves me
  • Posts: 195
Other vendor products claim they have IDS which kinda works like HIPS. What is the difference between the two? For example, Kaspersky Proactive Defense & A-Squared Anti-Malware Intrusion Detection Systems compared to Comodo's Host Intrusion Prevention System & behavioral analysis?

I'll tell you the truth, even the professionals themselves don't have a standard definition for the term IDS.

When you read the literature, often when they say IDS, they mean NIDS.

NIDS = network-based intrusion detection system: there are rules that observe *network* traffic and protocols and warn the system admin ("emails/IMs/whatever") that something is going on.

Kind of like your personal firewall alerting on an outbound connection, but with more subtle and complex matching rules (also it runs not on the host machine, the PC itself, but on the routers, network gateways etc.). This is only deployed on large corporate networks, irrelevant to home users.

There are other terms like IPS (intrusion prevention systems), but it's semantics really.

For the home user, what you need to understand is this.

The newer approaches move away from analyzing code before execution, to analyzing and blocking behavior on the fly.

There are generally two approaches to this, which I call "dumb" and "smart" (this is not saying that "smart" is better, it's just descriptive of the intelligence built in).

The "dumb" approach is the main focus of Idefense+ and many other products. The system basically "goes off", when any single individual event (or detected behavior) occurs and gives the user the choice to allow it or not.

So for example, the HIPS might warn the user a certain registry key is being set, a certain process is starting, a driver is being installed etc. The user then decides whether to allow it or not.

The system itself just reports what happens, it does not give a recommendation on whether the change is dangerous or not. Of course, what is monitored is indeed sometimes dangerous (why else would it be monitored?), but often it is not as well.

The problem here is that the user has to decide, and most users don't know enough to allow or not. Some approaches like whitelisting of known safe processes help reduce the number of decisions faced by the users but this is still too difficult for many.

Another approach is what I call a "smart" behavior blocker. Here the system doesn't just alert on any one event or behavior, but builds some kind of intelligence into the system so it tries to determine whether the process is indeed malicious or not based on many factors, including the sequence of behavior.

So a process setting an autostart registry key alone might not be flagged, but one that does that followed by opening up a port, an outbound connection and replacement of explorer.exe would indeed be flagged as highly dangerous, because this behavior in combination is characteristic of malware.

Here's a description of one of them:

"To scrutinize the behavior of all processes, ***** uses kernel level monitors which watch every file operation (creation, copy, deletion, etc.), every process creation, modification and termination, every network communication (inbound and outbound) and every interaction with critical components of the operating system (registry, etc.). At the core of ***** is a process behavior analysis engine coupled with a set of specific pre-defined security rules which describe what is unacceptable from a process behavior analysis. The rules cover a wide range of events related to file operations, network operations, and interactions with the operating system. Every event from every process is efficiently analyzed by ****. When a rule is triggered, **** can terminate the detected malicious process."

Unlike antiviruses that rely on code-based detection, such behavior blockers (which may also use code-based scanning as one criterion) can detect unknown malware, because what they are flagging is generic behavior and not code sections.

They are also less noisy than their dumb cousins that alert on pretty much everything.

The negative point of course is that such behavior blockers can indeed be fooled. E.g. if I knew the software looked for a process to do X, then Y, then Z, I would not do Z and do Z2 instead. It's not so crude, but you get the idea.

Dumb HIPS can never be fooled because they play safe and alert on *everything*.

This is theory only of course; in practice the line is a bit grey. For example, some events are considered so dangerous that any process causing this event will always trigger an alert for both "smart" and "dumb".

Kaspersky proactive defense by default is closer to the "smart" end of the spectrum, but can be tweaked to the dumb end (alert on everything).

A-Squared Anti-Malware Intrusion Detection Systems is marketed to be closer to the smart end as well. Also see Mamutu by the same company.

Threatfire is definitely on the smart end, but has options to make it function like a "dumb" hips.

Comodo 3 has this new heuristic with a claimed 60% detection of unknown malware; this is possibly an aspect of the "smart" HIPS. One wonders though what the FP rate of this new heuristic is; one can easily get high detection hit rates if one doesn't care about FP rates.

-edited by mod to remove empty spaces-
« Last Edit: November 28, 2007, 08:01:31 PM by Soyabeaner »
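Added example, not part of the thread: a toy Python model of the "dumb" versus "smart" behavior-blocker split described in the post above, using the event chain it gives (autostart key, then a listening port, an outbound connection and replacement of explorer.exe). Event names, the rule and the sample telemetry are constructed; the ordered chain also illustrates the post's caveat that a combination rule is silent when a step is skipped or reordered, which is why the "dumb" style still alerts.

```python
from collections import defaultdict

# Added example (not code from the thread). Event names, the rule and the
# sample telemetry are constructed to illustrate the "dumb" vs "smart" split.

# Event types a HIPS kernel monitor would report for an unknown process.
MONITORED = {"create_process", "set_autostart_key", "open_listen_port",
             "outbound_connect", "replace_system_binary", "install_driver"}

# Ordered behaviour chain from the post: autostart key, then a listening
# port, an outbound connection and replacement of explorer.exe.
SMART_RULES = {
    "persistence_network_explorer_replacement": [
        "set_autostart_key", "open_listen_port",
        "outbound_connect", "replace_system_binary"],
}

def dumb_hips(events):
    """Alert on every monitored event; the user decides each one."""
    return [(e["pid"], e["type"]) for e in events if e["type"] in MONITORED]

def _is_subsequence(chain, seen):
    """True if each step of chain appears in seen, in order, gaps allowed."""
    it = iter(seen)
    return all(step in it for step in chain)

def smart_blocker(events):
    """Judge each process on its whole behaviour; returns {pid: rule name}."""
    per_pid = defaultdict(list)
    for e in events:
        per_pid[e["pid"]].append(e["type"])
    verdicts = {}
    for pid, seen in per_pid.items():
        for name, chain in SMART_RULES.items():
            if _is_subsequence(chain, seen):
                verdicts[pid] = name
    return verdicts

# Constructed telemetry: a benign installer (pid 100) that only adds an
# autostart key, and a process (pid 200) that runs the whole chain.
SAMPLE_EVENTS = [
    {"pid": 100, "type": "create_process"},
    {"pid": 100, "type": "set_autostart_key"},
    {"pid": 200, "type": "create_process"},
    {"pid": 200, "type": "set_autostart_key"},
    {"pid": 200, "type": "open_listen_port"},
    {"pid": 200, "type": "outbound_connect"},
    {"pid": 200, "type": "replace_system_binary"},
]
```

On this telemetry the "dumb" path raises seven prompts, two of them for the benign installer, while the "smart" path returns a single verdict for pid 200.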

Offline Luketan

  • Computer Security Testing Group
  • Comodo Loves me
  • Posts: 195
It's similar to the way Prevx2 works and its CIPS. All files are categorized as known malware, known safe or unknown (exercise caution).

False. Prevx does a lot more behavioral analysis. CPF 3 is mainly similar to SSM-type software, with whitelisting via digitally signed files.

The new "heuristic" is perhaps the closest thing it has compared to Prevx.

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • Posts: 13525
    • Video Blog
I think you will find that we do one of the most sophisticated analyses in the marketplace compared to other HIPS!

thanks
Melih

Offline Luketan

  • Computer Security Testing Group
  • Comodo Loves me
  • Posts: 195
I think you will find that we do one of the most sophisticated analyses in the marketplace compared to other HIPS!

thanks
Melih

Big claim. Considering that your heuristic was just added suddenly without any testing in any public test version....
