Get APLawrence.com by RSSHIPS - host-based intrusion prevention
Traditional Anti-Virus software was pattern based: it looked for specific sequences of executable code to identify virus threats. The virus writers got smarter, and introduced viruses that scrambled their code as they propagated, defeating the AV efforts. See Virus Research and Defense Bok Review for a detailed look at this whole area.
HIPS instead tries to look at what the program does, either by intercepting system calls or watching packets or other system activity. These may be rule based or may assign scores for certain activity. The problem, of course, is that a program you need to run may generate activity that a HIPS program finds suspicious. This gotcha has so far kept HIPS at the high end of the food chain; home users and small businesss don't usually have the resources to deal with something this complex. A buffer overflow probably indicates malicious code, but it may also just be bad programming. A hardware inventory tool would probably make any HIPS call foul, and so on.
Anything HIPS does is really something that should be in the OS itself, and probably will be in future years. Today, kernels are too much obedient servants, blindly doing the bidding of any program that asks. We have only the very beginning of security in the kernel; most of what we do today is added on. This will change - it has to. Hardware will also play its part in the security picture, but less trusting kernels are necessary.
Enter your email address for automatic notification of new posts here
(be sure to whitelist 'feedburner.com' if you use spam filtering)
| Views for this page | ||||
|---|---|---|---|---|
| Today | This Week | This Month | This Year | Overall |
| 1 | 1 | 33 | 745 | 2,533 |
Have you tried Searching this site?
Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates
This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more. We appreciate comments and article submissions.
Your ad here - $24.00 yearly!
SCO, OpenServer, UnixWare, software, servers, security, networks, installation, administration, troubleshooting, maintenance, Watchguard, firewalls, VPNs, e-mail. Visit us at http://opensystemscomputing.com and www.go2unix.com.
http://bcstechnology.net Full service Linux & UNIX systems integrator; Windows to UNIX/Linux Client-Server Specialist; Secure E-Mail & Website Hosting; Thoroughbred Software Developer; Custom Industrial Automation; Hardware & Electronics Experts; In Business Since 1985.
UBB Computer Services Support for Openserver, Unixware and Linux. Windows integration with Unix/Linux servers. Hardware, Backup and Networking issues. Located near Sacramento CA, we provide onsite support throughout Northern CA and Nationwide via remote access. We are a SCO Authorized Partner and a Microlite BackupEdge Certified Reseller.
Related Posts
Wed Sep 21 04:06:11 2005: Subject: drag
Do you figure that things like SElinux and LSM would prove more usefull for this stuff in the future? By using mandatory access control-like permissions it makes it possible to setup permissions for programs and users based what they need to do in order to operate correctly, but block them and/or throw up red flags when they try to do something unexpected. I figure a person could use this technology to setup a effect HIPS system.
I know right now that it's a pain to setup and pre-setup versions like found in Fedora and Redhat aren't that usefull, but it's reliable and it works and it has already prevented software programming errors into turning into real vunerabilities. But I figure it will mature and advances will make it simplier for the average administrator to configure and deal with.
Wed Sep 21 08:15:34 2005: Subject: TonyLawrence
Yes, that's part of it, but we need more. I think kernels are going to become much bigger and have more and more intelligence.
Add your comments