HIPS: Host-Based Intrusion Prevention System
By Ali Adlavaran & Mahdi Mohamad Pour (M.A. Team)
Life’s Live in Code Life
Contents
What does "HIPS" mean anyway?
Introduction to Intrusions
Types of Intruders
Consequences of Intrusion
Detection Approaches
Statistical Anomaly Detection
Introduction to HIPS in Kaspersky Anti-Virus
HIPS Components
Packages in HIPS source code
What is an intrusion?
Any set of actions that attempt to compromise:
• Confidentiality
• Integrity
• Availability
of a computer resource.
Types of Intruders
There are three classes of intruders:
• Masquerader: an individual who is not authorized to use the computer and who penetrates a system’s access controls to exploit a legitimate user’s account.
• Misfeasor: a legitimate user who accesses data, programs or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.
• Clandestine user: an individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit actions.
Consequences of Intrusion
An intruder may attempt the following:
• Read privileged data
• Perform unauthorized modification to data
• Disrupt the system settings
Detection Approaches: Signature-based
• Matches observed anomaly or attack patterns (signatures) against known intrusion detection signatures.
• A technique often used in Intrusion Detection Systems (IDS) and in many anti-malware systems such as anti-virus and anti-spyware.
• Network or system information is scanned against a database of known attack or malware signatures. If a match is found, an alert is raised for further action.
Detection Approaches: Statistical anomaly detection
• Involves the collection of data relating to the behavior of legitimate users over a period of time.
• Statistical tests are then applied to observed behavior to determine, with a high level of confidence, whether that behavior is not legitimate user behavior.
Statistical Anomaly Detection Categories
Threshold Detection: involves counting the number of occurrences of a specified event type over an interval of time; if the count exceeds a set threshold, an intrusion is assumed.
Statistical Anomaly Detection Categories (Continued)
Profile-Based Anomaly Detection: focuses on characterizing the past behavior of individual users or related groups of users and then detecting significant deviations from that profile.
Examples of parameters:
• Counter
• Interval timer
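The two categories above, as an added example that is not part of the slides: a threshold detector that counts events inside a sliding time interval, and a profile-based detector that compares a user's current counter with that user's own history. The event records, user names and the z-score cut-off are constructed assumptions.

```python
"""Added example (not from the slides): threshold detection and
profile-based detection run over constructed event records."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events: (timestamp in seconds, user, event type).
EVENTS = [(0, "alice", "login_fail"), (5, "alice", "login_fail"),
          (9, "alice", "login_fail"), (12, "alice", "login_fail"),
          (14, "alice", "login_fail"),
          (100, "bob", "login_fail"), (400, "bob", "login_fail")]

def threshold_detect(events, event_type, limit, interval):
    """Threshold detection: flag a user whose count of `event_type`
    inside any sliding window of `interval` seconds exceeds `limit`."""
    per_user = defaultdict(list)
    for ts, user, kind in events:
        if kind == event_type:
            per_user[user].append(ts)
    flagged = set()
    for user, stamps in per_user.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > interval:   # slide window forward
                start += 1
            if end - start + 1 > limit:
                flagged.add(user)
                break
    return flagged

def profile_detect(history, observed, z_limit=3.0):
    """Profile-based detection: compare today's counter for each user
    with that user's own past daily counts (the profile); a deviation
    of more than `z_limit` standard deviations above the mean is flagged."""
    flagged = {}
    for user, today in observed.items():
        past = history.get(user)
        if not past or len(past) < 2:
            continue                      # no profile yet: cannot judge
        sigma = pstdev(past) or 1.0       # constant history: avoid /0
        z = (today - mean(past)) / sigma
        if z > z_limit:
            flagged[user] = round(z, 2)
    return flagged

# Constructed profiles: past daily counts of files opened per user.
HISTORY = {"alice": [40, 45, 38, 42, 44], "bob": [10, 12, 9, 11, 10]}
TODAY = {"alice": 47, "bob": 90}
```

With the constructed data, alice trips the threshold detector (five failures in 14 seconds) but not the profile detector, while bob's 90 file opens against a history around 10 is the profile-based alert.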
HIPS in Kaspersky
HIPS Explained
What does "HIPS" mean anyway?
It stands for Host Intrusion Prevention System. In essence, it's a program that alerts the user when a malware program such as a virus may be trying to run on the user's computer, or when an unauthorized user such as a hacker may have gained access to the user's computer.
HIPS Explained
HIPS controls specific system events:
File Creation or Deletion
System registry manipulation
Network traffic
HIPS Components
Group Policy Manager and Application Rules Manager
• Trusted
• Low restricted
• High restricted
• Untrusted
According to source code:
CHipsRuleManager
HIPS Components
Adequate permissions and restrictions are preset for each group:
• Trusted applications are not restricted in their rights and abilities.
• Low restricted applications are denied actions which can be dangerous for the system.
• High restricted applications are only allowed to perform actions which cannot cause any harm.
• Untrusted applications can practically perform no system actions.
HIPS Components
Basics of rules in HIPS
• Subject: the application or group which triggers the given event
• Object: the resource to which the application or group is trying to get access
• Action: allow, deny or prompt for action
![Page 17: HIPS Host-Based Intrusion Prevention System By Ali Adlavaran & Mahdi Mohamad Pour (M.A. Team) Life’s Live in Code Life](https://reader035.vdocument.in/reader035/viewer/2022062304/56649ef05503460f94c00919/html5/thumbnails/17.jpg)
HIPS Components
Firewall and Network Rules
• Block traffic
• Allow traffic
• Prompt for action
According to source code:
CHipsRuleManager
CAlock
CNetRMSettings
CNetRulesTaskState
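The Subject/Object/Action rule model and the trust-group presets from the previous slides, together with the block/allow/prompt network rules, as an added example in Python (not Kaspersky's code): the application paths, group names, object naming scheme and the "harmless"/"dangerous" categories are assumptions for illustration.

```python
"""Added example (not Kaspersky's code): a minimal HIPS rule evaluator
built from the slide's three rule parts (Subject, Object, Action) plus
the trust-group defaults from the earlier "HIPS Components" slides.
Group names, object naming and the harm categories are assumptions."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

ALLOW, DENY, PROMPT = "allow", "deny", "prompt"

# Assumed object categories: "dangerous" is what low-restricted apps are
# denied; high-restricted apps may only touch "harmless" objects.
HARMLESS = ["file:C:\\Users\\*\\Documents\\*", "net:out:tcp:443"]
DANGEROUS = ["registry:HKLM\\*", "file:C:\\Windows\\*", "net:in:*"]

@dataclass(frozen=True)
class Rule:
    subject: str   # application path or group that triggers the event
    object: str    # glob over the resource being accessed
    action: str    # allow, deny or prompt for action

def matches(obj, patterns):
    return any(fnmatchcase(obj, p) for p in patterns)

def group_default(group, obj):
    """Preset restrictions per trust group, as described on the slides."""
    if group == "trusted":
        return ALLOW
    if group == "low_restricted":
        return DENY if matches(obj, DANGEROUS) else ALLOW
    if group == "high_restricted":
        return ALLOW if matches(obj, HARMLESS) else DENY
    return DENY                                   # untrusted

def evaluate(rules, groups, app, obj):
    """Explicit rules win (app-specific before group-wide, first match);
    otherwise fall back to the app's trust-group default."""
    group = groups.get(app, "untrusted")          # unknown apps: untrusted
    for subj in (app, group):
        for r in rules:
            if r.subject == subj and fnmatchcase(obj, r.object):
                return r.action
    return group_default(group, obj)

# Constructed policy: application rules plus a network (firewall) rule.
GROUPS = {"C:\\Program Files\\editor.exe": "low_restricted",
          "C:\\Tools\\backup.exe": "trusted"}
RULES = [
    Rule("C:\\Program Files\\editor.exe", "net:out:tcp:*", PROMPT),
    Rule("low_restricted", "file:C:\\Users\\*\\Documents\\*", ALLOW),
    Rule("trusted", "net:in:*", DENY),            # firewall: block inbound
]
```

Note that an explicit network rule overrides even the trusted group's "anything goes" default, and an application absent from the group table is treated as untrusted rather than silently allowed.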
HIPS Components
System Watcher
The System Watcher component in Kaspersky Anti-Virus collects data about the actions performed by applications on your computer and passes this information to other components for improved protection.
According to source code:
cEHSysWatch
cSystemWatcherData
cSysWatchEventHandler
System Watcher Functionalities
• Exploit prevention
• Heuristic analysis
• Rolling back malware actions
• Application control
System Watcher Functionalities
Exploit prevention
This functionality protects the computer from malicious programs that use vulnerabilities in the most common applications.
• Controls executable files started from vulnerable applications and web browsers.
• Controls suspicious actions of vulnerable applications.
• Monitors the previous program.
• Tracks the source of malicious code.
• Prevents the use of application vulnerabilities.
System Watcher Functionalities
Heuristic analysis
• System Watcher uses heuristic analysis to detect actions which partially match patterns of dangerous activity. If such actions are detected, the application asks the user to select an action to be performed on the suspicious program. Depending on the selected protection mode, you can set the following actions:
• Select action automatically (if automatic protection mode is enabled). In this case System Watcher will automatically apply the action recommended by Kaspersky Lab specialists.
• Prompt for action (if interactive protection mode is enabled). In this case System Watcher will inform you of the detected suspicious activity and prompt for an action: allow or block the activity.
• Select action:
  • Delete.
  • Terminate the malware (all malware processes will be terminated).
  • Ignore (no actions will be applied to the malware).
System Watcher Functionalities
Rolling back malware actions
Information about suspicious actions in the system is collected not only for the current session but also for previous sessions. This makes it possible to roll back all actions performed by an application if that application is subsequently recognized as malicious.
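The rollback idea as an added example, not System Watcher's code: a per-application action journal that persists across sessions and undoes an application's changes newest first. The dict-based "filesystem" and "registry", the application names and the sample paths are constructed assumptions.

```python
"""Added example (not Kaspersky's System Watcher code): an action journal
that records what each application changed, survives across sessions as
JSON, and undoes everything an application did, newest change first,
once that application is later judged malicious. The "filesystem" and
"registry" are plain dicts, an assumption for illustration."""
import json

class ActionJournal:
    def __init__(self, state, saved=None):
        self.state = state                  # {"fs": {...}, "reg": {...}}
        # Entries from previous sessions are reloaded, not discarded.
        self.log = json.loads(saved) if saved else []

    def record(self, app, store, key, new_value):
        """Apply a change on behalf of `app`, remembering the old value
        (None means the key did not exist before the change)."""
        old = self.state[store].get(key)
        self.log.append({"app": app, "store": store, "key": key, "old": old})
        self.state[store][key] = new_value

    def save(self):
        return json.dumps(self.log)         # what would be written to disk

    def rollback(self, app):
        """Undo every recorded action of `app` in reverse order, so a later
        change is reverted before the earlier one it was built on."""
        undone = 0
        for entry in reversed([e for e in self.log if e["app"] == app]):
            store = self.state[entry["store"]]
            if entry["old"] is None:
                store.pop(entry["key"], None)       # created: delete it
            else:
                store[entry["key"]] = entry["old"]  # modified: restore
            undone += 1
        self.log = [e for e in self.log if e["app"] != app]
        return undone

def demo():
    """Session 1 records actions; session 2 reloads the journal and rolls
    back only the application that was recognized as malicious."""
    state = {"fs": {"C:\\Users\\a\\notes.txt": "v1"}, "reg": {}}
    s1 = ActionJournal(state)
    s1.record("dropper.exe", "fs", "C:\\Users\\a\\notes.txt", "encrypted")
    s1.record("dropper.exe", "reg", "HKCU\\Run\\upd", "dropper.exe")
    s1.record("editor.exe", "fs", "C:\\Users\\a\\draft.txt", "hello")
    s2 = ActionJournal(state, saved=s1.save())     # a later session
    return s2.rollback("dropper.exe"), state
```

The rollback restores the overwritten file and removes the created autorun value from the earlier session, while the unrelated editor's change is left in place.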
System Watcher Functionalities
Application Control Module
The Applications Activity module lets you view information about installed and running applications (such as an application's status and the level of trust attributed to it).
Packages in HIPS source code
Classes inside the HIPS in Kaspersky

| Class | Source file |
|---|---|
| CHipsRuleManager | \Hips\Task\hipsrulemanager.h |
| _CPrague | \Hips\hips_base_serializer\CPrague.h |
| CNetRMSettings | \Hips\Task\NetRMSettings.h |
| CAlock | \Hips\Task\NetRulesManager.h |
| CNetRulesTaskState | \Hips\Task\NetRulesManager.h |
| cAutoLockerCS | \Hips\swdrv\swdrv.cpp |
| cSystemWatcherData | \Hips\gui\SwCsWrap\SwCsWrap.cpp |
| cCS | \Hips\swdrv\swdrv.cpp |
| cSysWatchEventHandler | \Hips\SystemWatcher\syswatch_eventhandler.h |
| cEHSysWatch | \Hips\EventHandler\eh_syswatch.h |
| SharpStr2WcharStr | \Hips\gui\SwCsWrap\SwCsWrap.cpp |
| CHipsDataSerializer | \Hips\hips_base_serializer\HipsDataSerializer.h |
| WcharStr2SharpStr | \Hips\gui\SwCsWrap\SwCsWrap.cpp |
| CHipsLocalCash | \Hips\Task\hipsmanager.h |
| CHipsManager | \Hips\Task\hipsmanager.h |