Host Intrusion Prevention System Basic
HIPS represents a preemptive approach to network security and uses advanced techniques to detect and block attempts to breach a
computer system. It scans network traffic and looks for patterns in the data. If a possible breach is discovered, HIPS can take
several different defensive actions depending on the type and severity of the detected activity. Defensive actions can include
alerting the user and/or administrator and automatically dropping suspicious data streams.
Over the next couple of sections we'll explore the different methods that HIPS uses to examine network traffic.
Comodo AEP provides several types of Host Intrusion Prevention, incorporating signature, baseline and stateful inspection. The Host
Intrusion Prevention System (HIPS) layer looks for deviations from normal or baseline states in bandwidth, protocol usage and
ports. Stateful inspection allows Comodo AEP to look at the actual protocols contained in the data packets traversing the network.
If an abnormal state is detected, HIPS can implement a predetermined set of actions to prevent the endpoint from being compromised
and can alert the user or administrator as required. HIPS is just one layer of defense that makes up
Comodo’s Advanced Endpoint Protection solution.
The profile method involves HIPS collecting a data stream from a system in a controlled network environment. This controlled
pattern of data flow is then used as a baseline against which the traffic patterns of other machines are compared. If the real-time
data pattern is found to differ suspiciously from the baseline, preventative actions are taken. For example, if HIPS detected
activity on a port that was not accessed on the control system, it would treat that as malicious activity, generate an alert and
take preventive action. Protection levels are further enhanced by employing artificial intelligence, allowing for fewer false
alarms and detection of advanced persistent threats.
Stateful Protocol Method
Each data packet travelling over a network is wrapped with the header of the protocol being used to handle the packet, and each
layer of the networking model adds its own type of header data. These protocols must follow the standards set out in the Request
for Comments (RFC) documents that describe in detail how a protocol should be implemented. The stateful protocol method examines
each header and looks for inconsistencies between how the header is assembled and what the RFC defines it should be. HIPS also has
data on how protocols are implemented in normal operations, making sure that "normal" implementations are not flagged as
malicious activity. If HIPS detects a true deviation from the baseline and RFC profiles, it can take preventative action as
well as alerting users and administrators. For example, a TCP header that includes the seldom-used URG (urgent) mechanism may well
be labeled as suspicious and an alert generated for administrators.
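As an added example (not Comodo's code), the two checks described above run on constructed TCP headers: the stateful protocol method's RFC 793 header-layout checks, including the URG flag case, and the profile method's comparison of the destination port against a baseline port set. The baseline ports, port numbers and sample segments are all constructed for the illustration.

```python
import struct

# Constructed baseline for the profile method: ports seen on the control system.
BASELINE_PORTS = {22, 80, 443}

# Flag bits in the low byte of the TCP offset/flags word (RFC 793, RFC 3168).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def build_tcp_header(src, dst, data_offset, reserved, flags, seq=1, ack=0):
    """Pack a 20-byte TCP header; used here only to construct sample input."""
    off_flags = (data_offset << 12) | ((reserved & 0x7) << 9) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", src, dst, seq, ack, off_flags, 65535, 0, 0)

def inspect_tcp_header(raw, baseline_ports=BASELINE_PORTS):
    """Stateful-protocol and profile checks on one TCP header.

    Returns a list of findings; an empty list means the header matches both
    the RFC layout and the baseline port profile.
    """
    if len(raw) < 20:
        return ["truncated header: fewer than 20 bytes"]
    src, dst, _seq, _ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    data_offset = off_flags >> 12          # header length in 32-bit words
    reserved = (off_flags >> 9) & 0x7      # bits RFC 793 requires to be zero
    flags = off_flags & 0xFF
    findings = []
    # RFC consistency checks (stateful protocol method)
    if data_offset < 5:
        findings.append(f"data offset {data_offset} below RFC 793 minimum of 5")
    if reserved:
        findings.append(f"reserved bits set: {reserved:03b}")
    if flags & SYN and flags & FIN:
        findings.append("SYN and FIN set together: no valid RFC 793 state produces this")
    if flags & URG:
        findings.append("URG flag set: seldom used, treated as suspicious")
    # Baseline comparison (profile method)
    if dst not in baseline_ports:
        findings.append(f"destination port {dst} not in baseline profile")
    return findings

# Constructed sample traffic: one ordinary segment and one malformed probe.
NORMAL = build_tcp_header(40000, 443, 5, 0, ACK | PSH)
ANOMALOUS = build_tcp_header(40001, 31337, 5, 0b101, SYN | FIN | URG)

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL), ("anomalous", ANOMALOUS)):
        print(name, inspect_tcp_header(pkt) or ["no findings"])
```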
Comodo AEP HIPS layers all three methods together in one high-performance engine that maximizes detection while limiting the number
of generated alerts.
The Comodo AEP HIPS provides a key security layer in the layered protection approach, which combines multiple security technologies (Secure Auto-Containment™, device control, antivirus protection, machine learning, etc.) to provide optimal endpoint protection.