Thursday, January 25, 2007

Host Intrusion Prevention versus Host Anti Virus

This may be a little advance for security 1A. But please read it and try to grasp the differences between Anti Virus and Host Intrusion Prevention. If this concept was deployed on home computers the chances of you been infected with anything get very close to 0%.

Host Anti Virus is a traditional security mitigation software used by millions of computer users across the globe. Anti Virus does a great job of stopping known security exploits through the use of signature type definition files. Unfortunately for the general computer user, the word “known” is the key to this conversation. This means that Anti Virus is only as good as attacks that you already know about. If you use Anti Virus, you are still highly susceptible to a new computer attacks.


Contrast that with Hosts Intrusion Prevention (HIPS). HIPS looks at the behavior of hosts and decides if that behavior could be consistent with the action of malicious code. If the hips software besides that the behavior is suspicious, it will either stop the behavior or query you on whether you want to allow the behavior. Bottom line is that HIPS does not use signature definition files, it uses rule files that don't require updates and will stop viruses and worms whether they are known or not. My experience with hips software is that it is 100% reliable.


The downside of Host Intrusion Prevention software is that the versions that are available are targeted for larger customers with a professional security team that can manage and analyze events seen win rules trigger. Generally it's too complex to be managed by the average end user.


This article is little more than a call to action for security developers. Security engineers readily accept that HIPS software is superior to Anti Virus, now is the time to commercialize the software. Take the complexity out of the existing hips software, and tone it down so that the average home user can use it, and be protected at all times as opposed to the current scenario experience while using antivirus. This isn't that huge of a task. Shoot for the low hanging fruit, and only deploy rules such as, stopping code that is executed after a buffer overflow, stopping code that is being run for the first time, stop browsers from acting as servers, stop the average computer from opening any listening port, stop traffic related to port scans. These are just ideas I'm sure there's more. If you do happen to read this article, please encourage your local hips vendor to commercialize their product, maybe even encourage them to market it to huge service providers such as Comcast, and AOL.