What is a host intrusion prevention system (HIPS)?
A host intrusion prevention system (HIPS) is an approach to security that relies on third-party software tools to identify and prevent malicious activities.
Host-based intrusion prevention systems are typically used to protect endpoint devices. Once it detects malicious activity, the HIPS tool can take a variety of actions, including sending an alarm to the computer user, logging the malicious activity for future investigation, resetting the connection, dropping malicious packets and blocking subsequent traffic from the suspect IP address. Some host intrusion prevention systems allow users to send logs of malicious activity and suspicious code directly to the vendor for analysis and possible identification.
Most host intrusion prevention systems use known attack patterns, called signatures, to identify malicious activity. Signature-based detection is effective, but it can only protect the host device against known attacks. It cannot protect against zero-day attacks or any attack whose signature is not already in the provider's database.
A second approach to intrusion detection establishes a baseline of normal activity and then compares current activity against the baseline. The HIPS looks for anomalies, including deviations in bandwidth, protocols and ports. When activity varies outside an acceptable range -- such as a remote application attempting to open a normally closed port -- an intrusion might be in progress. However, an anomaly such as a sudden spike in bandwidth use does not guarantee an actual attack, so this approach amounts to an educated guess, and the chances for false positives can be high.
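As an added illustration of the baseline approach (example code, not from the original article): a small Python check that learns which protocol/port pairs and bandwidth levels are normal from constructed sample activity, then reports deviations such as a normally closed port being opened or a bandwidth spike. The event tuples, the tolerance parameter and the "mean plus three standard deviations" rule are assumptions chosen for this example.

```python
"""Added example: a minimal anomaly-based HIPS check (not the article's code).
It builds a baseline from constructed 'normal' host activity and flags current
activity that falls outside an acceptable range."""
from statistics import mean, pstdev

# Constructed sample of normal activity: (protocol, port, bytes_per_minute)
NORMAL_ACTIVITY = [
    ("tcp", 443, 1200), ("tcp", 443, 1500), ("udp", 53, 300),
    ("tcp", 443, 1100), ("udp", 53, 250), ("tcp", 22, 800),
]


def build_baseline(events):
    """Record which protocol/port pairs are normally in use and the
    typical bandwidth (mean and standard deviation) per minute."""
    rates = [rate for _, _, rate in events]
    return {
        "open_ports": {(proto, port) for proto, port, _ in events},
        "rate_mean": mean(rates),
        "rate_stdev": pstdev(rates),
    }


def check_event(baseline, event, tolerance=3.0):
    """Return anomaly descriptions for one event (empty list = normal).
    tolerance is the number of standard deviations of bandwidth accepted;
    a lower value catches more but raises the false-positive rate."""
    proto, port, rate = event
    findings = []
    if (proto, port) not in baseline["open_ports"]:
        findings.append(f"{proto}/{port}: not in baseline (normally closed port)")
    limit = baseline["rate_mean"] + tolerance * baseline["rate_stdev"]
    if rate > limit:
        findings.append(f"{proto}/{port}: {rate} B/min exceeds limit {limit:.0f}")
    return findings


def scan(baseline, events, tolerance=3.0):
    """Run check_event over a batch and keep only the anomalous events."""
    results = []
    for event in events:
        findings = check_event(baseline, event, tolerance)
        if findings:
            results.append((event, findings))
    return results


if __name__ == "__main__":
    base = build_baseline(NORMAL_ACTIVITY)
    # Constructed current activity: one normal event, one new port, one spike
    for event, why in scan(base, [("tcp", 443, 1300), ("tcp", 4444, 100), ("tcp", 443, 50000)]):
        print(event, why)
```

The tolerance value is where the trade-off the text describes lives: the spike is reported, but whether it is an attack still requires investigation.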
A third common intrusion detection method uses stateful inspection to assess the actual protocols in packets traversing the network. The analysis is called stateful because the malware prevention tool tracks the state of each protocol. For example, it understands how Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) packets can or cannot carry domain name system (DNS), Simple Mail Transfer Protocol (SMTP), Hypertext Transfer Protocol (HTTP) and other protocols -- and what values should be contained within each packet of each protocol. Stateful protocol analysis looks for deviations from normal states of protocol content and can flag a possible attack when an unexpected deviation occurs. Since stateful analysis is more aware of actual packet contents, the chances for false positives are somewhat lower than with statistical anomaly detection.
HIPS products often focus on just one of the three approaches, though some vendors implement multiple approaches.