The purpose of an intrusion detection system (IDS) is to monitor systems and/or networks for malicious activity or violations of defined policies. An IDS can be a hardware appliance or a software application. Its alerts are typically collected by a security information and event management (SIEM) system, which correlates them and notifies administrators so they can take appropriate action.
Endpoint protection suites such as Comodo Advanced Endpoint Protection (AEP) bundle a Host Intrusion Prevention System (HIPS) alongside features such as antivirus, firewall and auto-containment.
The Comodo Host Intrusion Prevention System (HIPS) is the intrusion detection and prevention component of AEP: it identifies suspicious activity and blocks it rather than only reporting it. Unlike a network IDS sensor, a HIPS runs on the endpoint itself, so what it sees is that host's processes, system calls and the traffic the host sends and receives, not all traffic on the network. That vantage point lets it catch behaviour that a signature-only antivirus or a port-based firewall will not flag. Comodo AEP employs HIPS as one layer of its layered defense strategy.
In signature-based detection, HIPS compares real-time data flows with known attack patterns. It captures the host's traffic in real time and scans each packet for known malicious patterns that signify a possible attack. Repeated failed login requests, e-mail from known malicious sources and port scans against the system are examples of the patterns such signatures encode.
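The three signature patterns named above, as an added example written for this page (it is not Comodo's code and does not describe how AEP implements its rules): a few simple rules run over a constructed event log. The thresholds, windows, addresses, user names, ports and the sender blocklist are all assumptions chosen for the example.

```python
# Added example (not Comodo's code): signature-style rules run over a constructed
# event log. Thresholds, addresses, users, ports and the sender blocklist are assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGIN_LIMIT = 5                       # failures from one source ...
FAILED_LOGIN_WINDOW = timedelta(seconds=60)  # ... within this window
PORT_SCAN_LIMIT = 8                          # distinct destination ports from one source ...
PORT_SCAN_WINDOW = timedelta(seconds=10)     # ... within this window
MALICIOUS_SENDERS = {"billing@example-phish.test"}  # constructed sender blocklist

# Constructed sample events: (ISO timestamp, source address, event type, "key=value" detail).
SAMPLE_EVENTS = [
    ("2024-01-15T10:00:01", "203.0.113.7", "login_failed", "user=admin"),
    ("2024-01-15T10:00:03", "203.0.113.7", "login_failed", "user=admin"),
    ("2024-01-15T10:00:04", "203.0.113.7", "login_failed", "user=root"),
    ("2024-01-15T10:00:06", "203.0.113.7", "login_failed", "user=admin"),
    ("2024-01-15T10:00:08", "203.0.113.7", "login_failed", "user=admin"),
    ("2024-01-15T10:00:09", "203.0.113.7", "login_failed", "user=administrator"),
    ("2024-01-15T10:01:00", "198.51.100.2", "login_failed", "user=alice"),  # one typo, benign
    ("2024-01-15T10:01:05", "198.51.100.2", "login_ok", "user=alice"),
    ("2024-01-15T10:02:00", "198.51.100.2", "tcp_syn", "dport=443"),       # normal browsing
    ("2024-01-15T10:02:01", "198.51.100.2", "tcp_syn", "dport=80"),
    ("2024-01-15T10:03:00", "198.51.100.2", "mail_from", "sender=billing@example-phish.test"),
] + [
    # 192.0.2.9 touches ten ports within two seconds: a port sweep
    (f"2024-01-15T10:10:0{i // 5}", "192.0.2.9", "tcp_syn", f"dport={p}")
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389])
]


def _parse(event):
    ts, src, kind, detail = event
    fields = dict(kv.split("=", 1) for kv in detail.split())
    return datetime.fromisoformat(ts), src, kind, fields


def _burst(items, window, limit, distinct):
    """items: (timestamp, key) pairs in time order. Slide a window over them and
    return the sorted keys of the first window whose size (or distinct-key count,
    if `distinct`) reaches `limit`; None if the signature never fires."""
    recent = deque()
    for ts, key in items:
        recent.append((ts, key))
        while ts - recent[0][0] > window:  # drop entries that fell out of the window
            recent.popleft()
        keys = [k for _, k in recent]
        if (len(set(keys)) if distinct else len(keys)) >= limit:
            return sorted(set(keys))
    return None


def detect(events):
    """Apply the three signatures and return (rule, source, detail) alerts."""
    alerts, failed, syns = [], defaultdict(list), defaultdict(list)
    for ts, src, kind, f in sorted(map(_parse, events), key=lambda e: e[0]):
        if kind == "login_failed":
            failed[src].append((ts, f.get("user")))
        elif kind == "tcp_syn":
            syns[src].append((ts, int(f["dport"])))
        elif kind == "mail_from" and f.get("sender") in MALICIOUS_SENDERS:
            alerts.append(("known_malicious_sender", src, f["sender"]))
    for src, items in failed.items():
        hit = _burst(items, FAILED_LOGIN_WINDOW, FAILED_LOGIN_LIMIT, distinct=False)
        if hit is not None:
            alerts.append(("login_brute_force", src, f"users tried: {hit}"))
    for src, items in syns.items():
        hit = _burst(items, PORT_SCAN_WINDOW, PORT_SCAN_LIMIT, distinct=True)
        if hit is not None:
            alerts.append(("port_scan", src, f"ports: {hit}"))
    return alerts


if __name__ == "__main__":
    for rule, src, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:24} {src:14} {detail}")
```

Running the block prints three alerts: the brute-force burst from 203.0.113.7, the port sweep from 192.0.2.9 and the blocklisted sender; the single mistyped password and the two ordinary web connections from 198.51.100.2 stay below threshold, which is the point of windowed counts rather than matching on a single event.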
In baseline (anomaly-based) detection, HIPS first records the data flows of a system in a controlled environment; that recorded pattern becomes the baseline against which the traffic of other systems is compared. Real-time traffic that departs from the baseline immediately triggers preventive action. The baseline must be recorded from a clean, representative system: anything already running when it is captured is learned as normal. Comodo also employs artificial intelligence for enhanced detection and fewer false alarms, and states that its HIPS is effective against advanced persistent threats.
A typical detection is activity on ports that were never used while the baseline was being recorded.
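The baseline comparison described in the two paragraphs above, as an added example written for this page (not Comodo's code, and not a description of how AEP builds its baseline). It learns which protocol/port pairs one endpoint used in a controlled environment and how much data each carried, then flags other hosts' flows on unseen ports, unseen protocols, or with bandwidth outside the learned envelope. The flow records, host names, the 3-sigma limit and the standard-deviation floor are assumptions.

```python
# Added example (not Comodo's code): a port/protocol/bandwidth baseline learned from
# constructed flow records, then applied to other hosts' traffic. Flow records,
# host names, the 3-sigma threshold and the sigma floor are assumptions.
import statistics
from collections import defaultdict

# Constructed baseline: (protocol, destination port, bytes per flow) recorded from one
# endpoint in a controlled environment where only HTTPS, DNS and SMB were in use.
BASELINE_FLOWS = [
    ("tcp", 443, 52000), ("tcp", 443, 61000), ("tcp", 443, 48000), ("tcp", 443, 55000),
    ("udp", 53, 120), ("udp", 53, 140), ("udp", 53, 110), ("udp", 53, 130),
    ("tcp", 445, 8000), ("tcp", 445, 9500), ("tcp", 445, 7000), ("tcp", 445, 8500),
]

# Constructed live traffic from other endpoints: (host, protocol, destination port, bytes).
OBSERVED_FLOWS = [
    ("host-a", "tcp", 443, 50000),   # within baseline
    ("host-a", "udp", 53, 125),      # within baseline
    ("host-b", "tcp", 4444, 900),    # port never used during baseline collection
    ("host-b", "tcp", 445, 900000),  # SMB volume far above the baseline
    ("host-c", "icmp", 0, 64),       # protocol absent from the baseline
]


def build_baseline(flows, min_sigma_fraction=0.1):
    """Per (protocol, port): mean bytes and a standard deviation floored at a fraction
    of the mean, so a perfectly uniform training set does not flag every later flow."""
    by_key = defaultdict(list)
    for proto, port, nbytes in flows:
        by_key[(proto, port)].append(nbytes)
    baseline = {}
    for key, values in by_key.items():
        mean = statistics.mean(values)
        sigma = max(statistics.pstdev(values), min_sigma_fraction * mean)
        baseline[key] = (mean, sigma)
    return baseline


def detect_anomalies(baseline, observed, k=3.0):
    """Return (host, kind, detail) alerts for flows that leave the baseline envelope."""
    known_protocols = {proto for proto, _ in baseline}
    alerts = []
    for host, proto, port, nbytes in observed:
        if proto not in known_protocols:
            alerts.append((host, "unknown_protocol", proto))
        elif (proto, port) not in baseline:
            alerts.append((host, "unknown_port", f"{proto}/{port}"))
        else:
            mean, sigma = baseline[(proto, port)]
            limit = mean + k * sigma
            if nbytes > limit:
                alerts.append((host, "bandwidth_deviation",
                               f"{proto}/{port}: {nbytes} B > {limit:.0f} B"))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS):
        print(alert)
```

The sigma floor matters in practice: a baseline captured from a quiet lab machine often has near-identical flow sizes, and without a floor every slightly larger flow on the production fleet becomes an alert.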
In networking, each layer prepends its protocol header to the data it carries before the packet travels over the network, so the headers present differ according to the networking model and the protocols in use. Comodo AEP checks these headers against the behaviour the protocol standards specify, the IETF Requests for Comments (RFCs) that define each protocol.
In stateful protocol analysis, each header is examined for inconsistencies with the profiles the RFCs define. Because many real-world implementations deviate from the letter of an RFC without being malicious, HIPS also maintains data on normal implementation behaviour to avoid false detections; only true deviations are flagged as malicious and raise alerts to users and administrators.
A typical suspicious detection is a TCP header with the rarely used URG (urgent) flag set.
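The header check described above, as an added example written for this page (not Comodo's code, and not a description of AEP's protocol profiles): it parses the fixed 20-byte TCP header laid out in RFC 9293, reports fields that cannot be valid (data offset below 5, reserved bits set, urgent pointer without URG), reports combinations that normal stacks never emit (SYN with FIN or RST, no control bits at all) and, following the page's own example, treats a set URG flag as suspicious. It also shows the "normal implementations" caveat: ECE and CWR on a SYN is ECN negotiation per RFC 3168 and is deliberately not flagged. The sample segments are constructed, and the severities and the URG heuristic are this example's own design choices.

```python
# Added example (not Comodo's code): parse raw TCP headers and check them against the
# RFC 9293 layout. Sample segments are constructed; the severities, the "URG is rare"
# heuristic and the ECN allowance are this example's own design choices.
import struct

FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))  # control bits
TCP_HEADER = struct.Struct("!HHIIBBHHH")  # fixed 20-byte header, network byte order


def build_tcp_header(sport, dport, flags, data_offset=5, reserved=0, urgent_pointer=0):
    """Construct a header for the samples below (sequence numbers and checksum left zero)."""
    return TCP_HEADER.pack(sport, dport, 0, 0, (data_offset << 4) | reserved,
                           flags, 65535, 0, urgent_pointer)


def parse_tcp_header(raw):
    if len(raw) < TCP_HEADER.size:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_rsv, flags, window, csum, urgptr = TCP_HEADER.unpack_from(raw)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": off_rsv >> 4, "reserved": off_rsv & 0x0F, "flags": flags,
            "window": window, "checksum": csum, "urgent_pointer": urgptr}


def inspect_tcp_header(raw):
    """Return (severity, reason) findings; an empty list means nothing deviates."""
    h = parse_tcp_header(raw)
    f = h["flags"]
    findings = []
    if h["data_offset"] < 5:
        findings.append(("malformed", f"data offset {h['data_offset']} below the minimum of 5"))
    if h["reserved"]:
        findings.append(("malformed", f"reserved bits set ({h['reserved']:#x}); must be zero"))
    if f == 0:
        findings.append(("suspicious", "no control bits set (null-scan pattern)"))
    if f & SYN and f & FIN:
        findings.append(("malformed", "SYN and FIN set together"))
    if f & SYN and f & RST:
        findings.append(("malformed", "SYN and RST set together"))
    if f & URG:
        findings.append(("suspicious", "URG set; rarely used by normal traffic"))
        if h["urgent_pointer"] == 0:
            findings.append(("suspicious", "URG set with a zero urgent pointer"))
    elif h["urgent_pointer"]:
        findings.append(("malformed", "urgent pointer nonzero without URG"))
    # Deliberately not flagged: ECE and CWR on a SYN is ECN negotiation (RFC 3168), a
    # legitimate, widely deployed deviation from the plain-SYN profile.
    return findings


# Constructed sample segments, keyed by what they represent.
SAMPLE_SEGMENTS = {
    "normal_syn": build_tcp_header(40000, 443, SYN),
    "ecn_syn": build_tcp_header(40001, 443, SYN | ECE | CWR),
    "urgent_data": build_tcp_header(40002, 80, ACK | PSH | URG, urgent_pointer=1),
    "xmas_scan": build_tcp_header(40003, 22, FIN | PSH | URG),
    "syn_fin": build_tcp_header(40004, 22, SYN | FIN),
    "null_scan": build_tcp_header(40005, 22, 0),
    "bad_offset_reserved": build_tcp_header(40006, 22, SYN, data_offset=3, reserved=0x5),
}


def inspect_all(segments=SAMPLE_SEGMENTS):
    return {name: inspect_tcp_header(raw) for name, raw in segments.items()}


if __name__ == "__main__":
    for name, findings in inspect_all().items():
        print(f"{name:20} {findings or 'ok'}")
```

The two severities separate what an implementation cannot legitimately produce from what is merely unusual; a production rule set would route "malformed" straight to blocking and keep "suspicious" findings such as a lone URG flag as alerts, since a legitimate urgent-data sender does exist even if it is rare.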
Comodo AEP incorporates all three detection types, signature, baseline and stateful protocol inspection, in its HIPS. Deviations are observed in port, bandwidth and protocol usage. Detection of an abnormal state triggers a predetermined set of actions that alerts administrators and prevents compromise of the endpoint.
The Comodo AEP HIPS is an important layer in the multi-layered protection that also includes antivirus, Auto-Containment™ and the firewall. It provides protection against rootkits, keyloggers and inter-process memory injection.