Other vendor products claim they have IDS which kinda works like HIPS. What is the difference between the two? For example Kaspersky proactive defense & A-Squared Anti-malware Intrusion Detection Systems compared to Comodo's Host Intrusion Prevention Systems & Behavioral analysis? (B)
I'll tell you the truth, even the professionals themselves don't have a standard definition for the term IDS.
When you read the literature, often when they say IDS, they mean NIDS.
NIDS = network-based intrusion detection systems; there are rules that observe *network* traffic and protocols and warn ("emails/IMs/whatever") the system admin that something is going on.
Kind of like your personal firewall alerting on an outbound connection, but with more subtle and complex matching rules (also it runs not on the host machine, the PC itself, but on the routers, network gateways etc.). This is only deployed on large corporate networks, irrelevant to home users.
There are other terms like IPS (intrusion prevention systems), but it's semantics really.
For the home user, what you need to understand is this.
The newer approaches move away from analyzing code before execution, to analyzing and blocking behavior on the fly.
There are generally two approaches to this, which I call "dumb" and "smart" (this is not saying that "smart" is better, it's just descriptive of the intelligence built in).
The "dumb" approach is the main focus of Idefense+ and many other products. The system basically "goes off", when any single individual event (or detected behavior) occurs and gives the user the choice to allow it or not.
So for example, the HIPS might warn the user a certain registry key is being set, a certain process is starting, a driver is being installed etc. The user then decides whether to allow it or not.
The system itself just reports what happens; it does not give a recommendation on whether the change is dangerous or not. Of course, what is monitored is indeed sometimes dangerous (why else would it be monitored?), but often it is not, as well.
The problem here is that the user has to decide, and most users don't know enough to allow or not. Some approaches like whitelisting of known safe processes help reduce the number of decisions faced by the users but this is still too difficult for many.
Another approach is what I call a "smart" behavior blocker. Here the system doesn't just alert on any one event or behavior, but builds in some kind of intelligence so it tries to determine whether the process is indeed malicious or not based on many factors, including the sequence of behavior.
So a process setting an autostart registry key alone might not be flagged, but one that does that followed by opening up a port, an outbound connection and replacement of explorer.exe would indeed be flagged as highly dangerous, because these behaviors in combination are characteristic of malware.
Here's a description of one of them:
"To scrutinize the behavior of all processes, ***** uses kernel level monitors which watch every file operation (creation, copy, deletion, etc.), every process creation, modification and termination, every network communication (inbound and outbound) and every interaction with critical components of the operating system (registry, etc.). At the core of ***** is a process behavior analysis engine coupled with a set of specific pre-defined security rules which describe what is unacceptable from a process behavior analysis. The rules cover a wide range of events related to file operations, network operations, and interactions with the operating system. Every event from every process is efficiently analyzed by ****. When a rule is triggered, **** can terminate the detected malicious process."
Unlike antiviruses that rely on code-based detection, such behavior blockers (which may also use code-based scanning as one criterion) can detect unknown malware, because what they are flagging is generic behavior and not code sections.
They are also less noisy than their dumb cousins that alert on pretty much everything.
The negative point of course is that such behavior blockers can indeed be fooled. E.g. if I knew the software looked for a process to do X, then Y, then Z, I would not do Z and do Z2 instead. It's not so crude, but you get the idea.
Dumb HIPS can never be fooled because they play safe and alert on *everything*.
This is theory only of course; in practice the line is a bit grey. For example some events are considered so dangerous that any process causing this event will always trigger an alert for both "smart" and "dumb".
Kaspersky proactive defense by default is closer to the "smart" end of the spectrum, but can be tweaked to the dumb end (alert on everything).
A-Squared Anti-malware Intrusion Detection Systems is marketed to be closer to the smart end as well. Also see Mamutu by the same company.
Threatfire is definitely on the smart end, but has options to make it function like a "dumb" hips.
Comodo 3 has this new heuristic with a claimed 60% detection of unknown malware; this is possibly an aspect of the "smart" HIPS. One wonders though what the FP rate of this new heuristic is; one can easily get high detection hit rates if one doesn't care about FP rates.
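To make the "dumb" versus "smart" distinction in the reply above concrete, here is an added Python sketch; it is not code from Kaspersky, a-squared, Comodo, ThreatFire or any other product named in the thread. The event kinds, the single sequence rule, the "always alert" entry and the sample event log are all constructed for this illustration. The dumb mode prompts on every monitored event, while the smart mode keeps a per-process behavior history and only alerts when an ordered sequence rule matches or when an event on the always-alert list occurs (the grey-area case the reply mentions, where both modes fire).

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One behavior observation reported by a (hypothetical) kernel-level monitor."""
    pid: int
    process: str
    kind: str    # event class, e.g. "registry_autostart", "port_open", "file_replace"
    target: str  # registry key, file path, socket ... (constructed sample values)


# Everything a "dumb" HIPS prompts on individually: one user decision per event.
MONITORED = {"registry_autostart", "process_create", "driver_install",
             "port_open", "net_outbound", "file_replace"}

# Events considered so dangerous that both modes alert on them in isolation
# (constructed entry; compared case-insensitively against the event target).
ALWAYS_ALERT = {("file_replace", r"c:\windows\explorer.exe")}

# Ordered (not necessarily contiguous) behavior sequences a "smart" blocker
# treats as characteristic of malware. Hypothetical rule for this example.
SEQUENCE_RULES = {
    "autostart_then_network": ["registry_autostart", "port_open", "net_outbound"],
}


def is_subsequence(pattern, history):
    """True if every item of `pattern` occurs in `history` in the same order."""
    it = iter(history)
    return all(any(h == p for h in it) for p in pattern)


def dumb_hips(events):
    """'Dumb' mode: report every monitored event and leave the verdict to the user."""
    return [(e.pid, e.kind, e.target) for e in events if e.kind in MONITORED]


def smart_hips(events):
    """'Smart' mode: alert only on always-alert events or when a process's
    behavior history matches a sequence rule. Returns {pid: [alert, ...]}."""
    history = defaultdict(list)   # pid -> ordered list of event kinds seen so far
    fired = defaultdict(set)      # pid -> rule names already reported
    alerts = defaultdict(list)
    for e in events:
        if (e.kind, e.target.lower()) in ALWAYS_ALERT:
            alerts[e.pid].append(f"critical:{e.kind} {e.target}")
        history[e.pid].append(e.kind)
        for name, pattern in SEQUENCE_RULES.items():
            if name not in fired[e.pid] and is_subsequence(pattern, history[e.pid]):
                fired[e.pid].add(name)
                alerts[e.pid].append(f"sequence:{name}")
    return dict(alerts)


# Constructed sample log: a legitimate updater, a dropper, and an installer.
SAMPLE_EVENTS = [
    Event(100, "updater.exe", "registry_autostart",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event(100, "updater.exe", "net_outbound", "203.0.113.10:443"),  # update check
    Event(200, "dropper.exe", "registry_autostart",
          r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchost32"),
    Event(200, "dropper.exe", "port_open", "tcp/5555"),
    Event(200, "dropper.exe", "net_outbound", "198.51.100.7:8080"),
    Event(200, "dropper.exe", "file_replace", r"C:\Windows\explorer.exe"),
    Event(300, "setup.exe", "file_write", r"C:\Temp\log.txt"),       # not monitored
    Event(300, "setup.exe", "driver_install", "vendordrv.sys"),
]


if __name__ == "__main__":
    prompts = dumb_hips(SAMPLE_EVENTS)
    print(f"dumb HIPS: {len(prompts)} user prompts")
    for p in prompts:
        print("  prompt", p)
    print("smart HIPS verdicts:")
    for pid, reasons in smart_hips(SAMPLE_EVENTS).items():
        print(f"  pid {pid}:", "; ".join(reasons))
```

Run on the sample log, the dumb mode raises seven prompts, including two for the benign updater and one for the installer's driver, while the smart mode reports only the dropper: once when its autostart/port/outbound sequence completes and once more for the explorer.exe replacement. The updater, which also sets an autostart key and talks to the network, stays silent in smart mode because the rule requires the port to be opened in between; that is the same order sensitivity the reply describes as the weakness of this approach, so real products lean on many rules and a weighted score rather than one fixed sequence.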