HIPS vs Heuristics?

ncage

Level 3
Thread author
Verified
May 20, 2017
107
Hi guys I’ve been doing some research to understand the difference between heuristics & HIPS. From my research they seem similar. The only real difference I can come up with is HIPS generally will nag the user and ask them to make a choice while *I think* heuristics will use use algorithms/machine learning/ect to make the decision. I know some behavior blockers are HIPS based and some are heuristics based. I would think Emsisoft is probably HIPS based (probably a little smarter than that based upon whether to show the user a dialog or not) and Bitdefender seems to be heuristics based (autopilot).

While I could easily accept this answer, it seems incomplete. ESET is known to not have a behavior blocker. According to the following post where people were complaining of the lack of a BB in ESET:
"We don't perform behavior blocking"

There are forum mods that are defending the lack of a behavior blocker because they don’t want dialogs nagging users in an enterprise type of environment and go on to say they do have heuristics. Wouldn’t the heuristics be considered to be behavior blocking? Bitdefender doesn’t generally show dialogs to the user and they are considered to have a true behavior blocker and to make matters even more confusing in Eset allows you to enable/disable HIPS through their interface.
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
I'll try at this. Best I can come up with, but I'm looking forward to other answers.

HIPS-Specific single and vulnerable areas of a PC are monitored for changes of specific single types of change behavior. If one of the types of change behaviors being monitored for is detected in one of the monitored areas, an alert is generated. You will then have the option to allow or deny the specific type of behavior for the offending process which is requesting to make the change. HIPS is purely mechanical.

Heuristics-(some say HIPS is heuristics so I assume you mean AI heuristics). The same as above in some ways, except that information regarding change requests by a process is compiled into a complexly predictive algorithm, which determines the probability of maliciousness. This is based on the sum total of a larger number of more minute observations on the part of the security program. The best parts of this monitoring will happen at the code/machine instruction level. With this type of monitoring, potential risk may be detected after the fact of an episode, leading to a specific response. Otherwise, a specific behavior may also simply be classified as too risky to allow as with HIPS. In either case, there would be an alert. Kaspersky has the rollback for ransomeware, which is a good example of heuristics making a determination after the fact. Allow the activity, until there it is clearly abnormal (i.e. broad scale encryption + no digital signature or some other set of similar considerations)...then respond. HIPS would just block the activity in the first place based on a rule to block all changes of unapproved applications for the specific folder location etc. If the heuristics is good most issues should be caught up front.

Otherwise, I think that's a decent summary you made to say that heuristics makes the decision instead of the user. Maybe it's not true in all cases, but really great AI/heuristics should do this I believe. For me heuristics is way better, the problem being that it's difficult to know how good the heuristic algorithms of a security program are...
 

Mahesh Sudula

Level 17
Verified
Top Poster
Well-known
Sep 3, 2017
825
Heuristics : Comes into action only for a known threat...that shares similar characteristics when an unknown threat is executed
Mostly obsolete for today's threats but they do have their own importance.
Pioneered vendor's in Heuristics: Norton, Kaspersky, Dr Web Worthless Vendors: All the remaining vendors to the most part
It is a fancy feature used by most Av's in their protective technologies to scale and fool the users

Hips: Entirely different from Heuristics..works on pre- framed rules like (1-100) ..Does not focus on characteristic of a malware
but on pre fixed rules (Consists of 100 or more)...High fp's, Too painful for normal users..Entire lock down of the system.
Independent of signatures.
Pioneered vendors: Comodo, Trustport, Vipre, ESET., Qihoo 360..


Though HIPS and Behaviour blocker may give the same meaning..but BB completely works different and is much more solid and secured'
Independent decision taking, Matured detections with slight Fp"s here and there
Pioneers: Kaspersky, Norton, G DATA, AVAST,Trend Micro,Bit Defender, Quick Heal, K7,*F Secure, Emsisoft (Most of the part is HIPS)*
 
Last edited:

ichito

Level 11
Verified
Top Poster
Content Creator
Well-known
Dec 12, 2013
541
HIPS - detection of every action tried made on sensitive areas of system...basicaly no matter wich apps try to do such action
Behavioral blocker/ monitor - detection of suspicious action but it does not means that is the first detected action...BB is monitoring each single action but user is alerted only in case when action is suspicious according to the builtin rules/technology.
BB sometime use heuristic and sometime other method like e.g. list of specific action connected to behaviour of malware. First is builtin e.g. in ThreatFire, second was in Mamutu.

For interested user - Security Overflow...for me "the Bible" of HIPS/BB apps
SECURITY OVERFLOW
or interesting thread on MT
Q&A - What is the difference between HIPS, Behavior Blocker, and Intrusion Detection System?
 
Last edited:
D

Deleted member 178

Emsisoft AM has a pure BB (ex-Mamutu), it was never an HIPS, Online Armor was Emsisoft HIPS.

Intrinsically, HIPS doesn't differentiate between legit or malicious system changes, it just prompt, hence the shower of cryptic alerts that may confuse the user.
Behavior Blocker however has rules and compare the system behavior to those rules then generate an alert (or not depending the user settings) if something seems suspicious.

Heuristic is just code analysis , and alert the user or quarantine the file if its code is similar to a known malware.

So put simply: Heuristic is code comparison, HIPS/BB are system modification monitoring.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top