HIPS Host-Based Intrusion Prevention System By Ali Adlavaran & Mahdi Mohamad Pour (M.A. Team) Life’s Live in Code Life

Upload: natalie-jefferson

Post on 13-Jan-2016


Page 1: HIPS Host-Based Intrusion Prevention System By Ali Adlavaran & Mahdi Mohamad Pour (M.A. Team) Life’s Live in Code Life

HIPS

Host-Based Intrusion Prevention System

By Ali Adlavaran & Mahdi Mohamad Pour (M.A. Team)

Life’s Live in Code Life

Page 2

Contents

• What does "HIPS" mean anyway?
• Introduction to Intrusions
• Types of Intruders
• Consequences of Intrusion
• Detection Approaches
• Statistical Anomaly Detection
• Introduction to HIPS in Kaspersky Anti-Virus
• HIPS Components
• Packages in HIPS source code

Page 3

What is an intrusion?

Any set of actions that attempt to compromise the:

• Confidentiality
• Integrity
• Availability

of a computer resource.

Page 4

Types of Intruders

There are three classes of intruders:

• Masquerader: An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account.

• Misfeasor: A legitimate user who accesses data, programs or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.

• Clandestine: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit actions.

Page 5

Consequences of Intrusion

An intruder may attempt the following:

• Read privileged data

• Perform unauthorized modification to data

• Disrupt the system settings

Page 6

Detection Approaches

Signature-based

• Matches observed activity against known attack or anomaly patterns (signatures).

• A technique often used in Intrusion Detection Systems (IDS) and in many anti-malware systems such as anti-virus and anti-spyware.

• Network or system information is scanned against a database of known attack or malware signatures. If a match is found, an alert is raised for further action.

Page 7

Detection Approaches

Statistical anomaly detection

• Involves the collection of data relating to the behavior of legitimate users over a period of time.

• Statistical tests are applied to observed behavior to determine, with a high level of confidence, whether that behavior is not legitimate user behavior.

Page 8

Statistical Anomaly Detection Categories

Threshold detection: Involves counting the number of occurrences of a specified event type over an interval of time.

Page 9

Statistical Anomaly Detection Categories (Continued)

Profile-based anomaly detection: Focuses on characterizing the past behavior of individual users or related groups of users and then detecting significant deviations.

Examples of parameters:

• Counter
• Interval timer
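As an added example (not part of the original slides), the two categories above implemented in Python over a constructed stream of login events: threshold detection counts failed logins per user inside a sliding time window, and profile-based detection compares a user's current counter value against the mean and standard deviation of that user's past values. The event stream, the limits and the z-score cutoff are all constructed for illustration.

```python
# Added example (not from the slides): threshold detection and profile-based
# anomaly detection over a constructed stream of login events.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events: (timestamp in seconds, user, event type).
EVENTS = [
    (0, "alice", "login_fail"), (5, "alice", "login_fail"), (9, "alice", "login_fail"),
    (12, "alice", "login_fail"), (20, "alice", "login_fail"), (30, "alice", "login_fail"),
    (40, "bob", "login_fail"), (400, "bob", "login_ok"), (700, "bob", "login_fail"),
]

def threshold_detect(events, event_type, limit, window):
    """Threshold detection: count occurrences of event_type per user inside
    a sliding window of `window` seconds; return the users whose count in
    any such window exceeds `limit`."""
    per_user = defaultdict(list)
    for ts, user, kind in events:
        if kind == event_type:
            per_user[user].append(ts)
    flagged = set()
    for user, stamps in per_user.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it spans <= window seconds.
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 > limit:
                flagged.add(user)
                break
    return flagged

def profile_detect(history, observed, z_limit=3.0):
    """Profile-based detection: `history` holds a user's past values of one
    counter (the profile); flag `observed` when it lies more than z_limit
    standard deviations from the profile mean. A flat profile flags any
    value that differs from it at all."""
    mu = mean(history)
    sigma = pstdev(history)
    if sigma == 0:
        return observed != mu
    return abs(observed - mu) / sigma > z_limit
```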

Page 10

HIPS in Kaspersky

Page 11

HIPS Explained

What does "HIPS" mean anyway?

It stands for Host Intrusion Prevention System. In essence, it's a program that alerts the user to a malware program, such as a virus, that may be trying to run on the user's computer, or to the possibility that an unauthorized user, such as a hacker, has gained access to the user's computer.

Page 12

HIPS Explained

HIPS controls specific system events:

• File creation or deletion
• System registry manipulation
• Network traffic

Page 13

HIPS Components

Group Policy Manager and Application Rules Manager

• Trusted
• Low restricted
• High restricted
• Untrusted

According to the source code:

CHipsRuleManager

Page 14

HIPS Components

Adequate permissions and restrictions are preset for each group:

• Trusted applications are not restricted in their rights and abilities.

• Low restricted applications are denied actions which can be dangerous for the system.

• High restricted applications are only allowed to perform actions which cannot cause any harm.

• Untrusted applications can practically perform no system actions.

Page 15

HIPS Components

Page 16

HIPS Components

Basics of rules in HIPS

• Subject: the application or group which triggers the given event

• Object: the resource to which the application or group is trying to get access

• Action: allow, deny or prompt for action

Page 17

HIPS Components

Firewall and Network Rules

• Block traffic
• Allow traffic
• Prompt for action

According to the source code:

CHipsRuleManager

CAlock

CNetRMSettings

CNetRulesTaskState
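An added example, not Kaspersky's code: a small Python rule evaluator that models the rule basics from the previous slide (subject, object, action) together with the trust groups and the firewall decisions (allow, block, prompt) described above. The group policy, application names and resource classes are hypothetical; network traffic rules are expressed in the same subject/object/action shape, with "block" spelled "deny".

```python
# Added example, not Kaspersky code: a minimal evaluator for the HIPS rule
# model on the slides (subject, object, action) with trust-group defaults.
from dataclasses import dataclass
from typing import List

@dataclass
class Rule:
    subject: str   # an application name or a trust-group name
    target: str    # the "object": a resource class, or "*" for any resource
    action: str    # "allow", "deny" (block) or "prompt"

@dataclass
class Event:
    app: str       # application that triggers the event
    group: str     # trust group the application was assigned to
    target: str    # resource the application is trying to access

# Hypothetical group policy following the slides' descriptions: Trusted is not
# restricted, Low restricted loses dangerous actions, High restricted keeps
# only harmless ones, Untrusted can do practically nothing. Within a group the
# first matching rule wins, so specific rules precede the "*" catch-all.
GROUP_RULES: List[Rule] = [
    Rule("Trusted", "*", "allow"),
    Rule("Low restricted", "file:system", "deny"),
    Rule("Low restricted", "net:outbound", "prompt"),   # firewall-style rule
    Rule("Low restricted", "*", "allow"),
    Rule("High restricted", "file:user", "allow"),
    Rule("High restricted", "*", "deny"),
    Rule("Untrusted", "*", "deny"),
]

def decide(event: Event, app_rules: List[Rule], group_rules=GROUP_RULES) -> str:
    """Return allow/deny/prompt for an event. Application-specific rules are
    consulted first, then the rules of the application's trust group; the
    first match wins. Anything no rule covers falls back to prompting."""
    for rule in app_rules + group_rules:
        subject_ok = rule.subject in (event.app, event.group)
        target_ok = rule.target in ("*", event.target)
        if subject_ok and target_ok:
            return rule.action
    return "prompt"
```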

Page 18

HIPS Components

System Watcher: The System Watcher component in Kaspersky Anti-Virus collects data about the actions performed by applications on your computer and gives this information to other components for improved protection.

According to the source code:

cEHSysWatch

cSystemWatcherData

cSysWatchEventHandler

System Watcher Functionalities

• Exploit prevention
• Heuristic analysis
• Rolling back malware actions
• Application control

Page 19

System Watcher Functionalities

Exploit prevention: This functionality protects the computer from malicious programs that use vulnerabilities in the most common applications.

• Controls executable files started from vulnerable applications and web browsers.
• Controls suspicious actions of vulnerable applications.
• Monitors the previous program.
• Tracks the source of malicious code.
• Prevents the use of application vulnerabilities.

Page 20

System Watcher Functionalities

Heuristic analysis

• System Watcher uses heuristic analysis to detect actions which partially match patterns of dangerous activity. If such actions are detected, the application asks the user to select an action to be performed on the suspicious program. Depending on the selected protection mode, the following actions are available:

• Select action automatically (if automatic protection mode is enabled). In this case System Watcher automatically applies the action recommended by Kaspersky Lab specialists.

• Prompt for action (if interactive protection mode is enabled). In this case System Watcher informs you of the detected suspicious activity and prompts for an action: allow or block the activity.

• Select action:
  • Delete.
  • Terminate the malware (all malware processes will be terminated).
  • Ignore (no action will be applied to the malware).

Page 21

System Watcher Functionalities

Rolling back malware actions: Information about suspicious actions in the system is collected not only for the current session, but also for previous sessions. This makes it possible to roll back all actions performed by the application if the application is subsequently recognized as malicious.
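As an added example (not Kaspersky's code), a Python action journal in the spirit of the rollback described above: actions performed by an application are recorded together with the prior state, persisted as JSON between sessions, and undone newest-first once the application is judged malicious. The simulated filesystem, application names and paths are constructed.

```python
# Added example, not Kaspersky code: an action journal that records what an
# application did (across sessions) and can undo it once the application is
# judged malicious. The filesystem is simulated by a dict: path -> content.
import json
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional

@dataclass
class ActionRecord:
    app: str
    action: str                   # "create", "modify" or "delete"
    path: str
    old_content: Optional[str]    # content before the action; None if absent

class SystemWatcherJournal:
    def __init__(self, fs: Dict[str, str]):
        self.fs = fs
        self.records: List[ActionRecord] = []

    def apply(self, app: str, action: str, path: str, new_content: Optional[str] = None) -> None:
        """Perform an action on the simulated filesystem and journal the prior state."""
        self.records.append(ActionRecord(app, action, path, self.fs.get(path)))
        if action == "delete":
            self.fs.pop(path, None)
        else:
            self.fs[path] = new_content

    def dump(self) -> str:
        """Serialise the journal so it survives into the next session."""
        return json.dumps([asdict(r) for r in self.records])

    @classmethod
    def load(cls, fs: Dict[str, str], blob: str) -> "SystemWatcherJournal":
        journal = cls(fs)
        journal.records = [ActionRecord(**d) for d in json.loads(blob)]
        return journal

    def rollback(self, app: str) -> int:
        """Undo every journaled action of `app`, newest first; return the count."""
        undone = 0
        for rec in reversed(self.records):
            if rec.app != app:
                continue
            if rec.old_content is None:
                self.fs.pop(rec.path, None)      # the path did not exist before
            else:
                self.fs[rec.path] = rec.old_content
            undone += 1
        self.records = [r for r in self.records if r.app != app]
        return undone
```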

Page 22

System Watcher Functionalities

Application Control Module

The Applications Activity module, with which you can view information about installed and running applications (such as an application's status and the level of trust attributed to it).

Page 23

Packages in HIPS source code

Page 24

Classes inside the HIPS in Kaspersky

Class                  Location
CHipsRuleManager       \Hips\Task\hipsrulemanager.h
_CPrague               \Hips\hips_base_serializer\CPrague.h
CNetRMSettings         \Hips\Task\NetRMSettings.h
CAlock                 \Hips\Task\NetRulesManager.h
CNetRulesTaskState     \Hips\Task\NetRulesManager.h
cAutoLockerCS          \Hips\swdrv\swdrv.cpp
cSystemWatcherData     \Hips\gui\SwCsWrap\SwCsWrap.cpp
cCS                    \Hips\swdrv\swdrv.cpp
cSysWatchEventHandler  \Hips\SystemWatcher\syswatch_eventhandler.h
cEHSysWatch            \Hips\EventHandler\eh_syswatch.h
SharpStr2WcharStr      \Hips\gui\SwCsWrap\SwCsWrap.cpp
CHipsDataSerializer    \Hips\hips_base_serializer\HipsDataSerializer.h
WcharStr2SharpStr      \Hips\gui\SwCsWrap\SwCsWrap.cpp
CHipsLocalCash         \Hips\Task\hipsmanager.h
CHipsManager           \Hips\Task\hipsmanager.h

Page 25

Thank you for your attention.

Any Questions?

Life’s Live in Code Life