What is the difference between HIPS, Behavior Blocker, and Intrusion Detection System?

SloppyMcFloppy

Level 13
Thread author
Verified
Sep 12, 2015
617
I'm having a difficultly try to understand between HIPS, Behavior Blocker, Intrusion Detection System, and zero day protection. So I would appreciate if you guys can answer these questions below for me because I have no idea how to answer these with my rookie knowledge. Thanks, user102.

What is the differences between HIPS, Behavior Blocker, Intrusion Detection System, and zero day protection?

What is the pros and cons for each of them?

How does each one of them work when it engage unknown malicious applications?

Which one is strongest and which one is the weakest?

Which one do would you use? And why?
 
H

hjlbx

Very basic summary...

HIPS (Classical) monitors a whole range of actions - process creation, changes to file system, writes to registry, etc, etc, etc. What actions are monitored vary from HIPS design to HIPS design - and also there are some limitations on 64-bit systems because of Patch Guard. Classical HIPS requires the greatest amount of user input, knowledge and experience.

Behavior Blocker is different for different vendors. Some are HIPS-based, others are heuristics-based, others it seems are some type of combo.

Behavior Blocker in Emsisoft is really a HIPS that monitors for very specific actions based upon an algorithm - and not heuristics. This is done to greatly minimize the number of alerts - and subsequent user input.

Norton SONAR is an algorithm behavior blocker that evaluates hundreds of file characteristics and actions. It is more akin to file "profiling." Once again, the point being to minimize any type of user-based decision making. I should point out that Norton considers their SONAR to be really an Intrustion Detection System. They call it a behavior blocker and IDS interchangeably.

Intrusion Detection System monitors network or system activities for malicious activities or policy violations. It is much more prevalent in Enterprise than Home solutions. Bitdefender being a notable exception. Here again the intent being to minimize alerts and automate decision making.

Zero-Day protection. There is no such thing. It is called this, but in reality is one or a combo of the above - or something completely different - cleverly marketed.

None of the above have a clear advantage over the other for the typical user in terms of protection. Well, a behavior blocker is less taxing for a novice\beginner and an IDS is the least taxing since it is essentially fully automated.

However, for the experienced, knowledgeable user that knows their system well, classical HIPS is difficult to improve upon - because it is the (experienced, knowledgeable) human making all the decisions. The same applies to Emsisoft's type of Behavior Blocker.

Norton SONAR type behavior blockers and IDS systems are only as good as their coding.

You can have a HIPS, Behavior Blocker, IDS and so-called "Zero-Day" protection on your system and still get infected... that's the disadvantage.
 
Last edited by a moderator:

Der.Reisende

Level 45
Honorary Member
Top Poster
Content Creator
Malware Hunter
Dec 27, 2014
3,423
Great summary @hjlbx :)

I'd prefer HIPS, although it might lead to lot's of alerts (and so lot's of user decisions). I disliked BD for that, as Autopilot showed up next to none alerts, which made me feel unsafe.
Qihoo 360 TS(E) seems to use heuristics based hips: Qihoo 360 - Investor Relations - Our Technologies - 360 HIPS
It often alerts you when something is trying to change registry entries.
Regarding Zero Day Protection and IDS, that might be done by HMP.A, which seems to use BB, HitmanPro.Alert - SurfRight, instead of signatures.
Next to none user intervention needed (all supported programmes etc. are automatically added to the protection layers), but it can lead to conflicts, especially with new programme versions (I noticed this with KIS 2015, the Win10 compatible revision they brought up just after Win10 launch, as well as with PSE14 and it's recent update - see my thread here in this forum). Whitelisting did not work for me then, had to completely turn off the false-alarm-giving protection layer...
 
Last edited by a moderator:
H

hjlbx

Great summary @hjlbx :)

I'd prefer HIPS, although it might lead to lot's of alerts (and so lot's of user decisions). I disliked BD for that, as Autopilot showed up next to none alerts, which made me feel unsafe.
Qihoo 360 TS(E) seems to use heuristics based hips: Qihoo 360 - Investor Relations - Our Technologies - 360 HIPS
It often alerts you when something is trying to change registry entries.
Regarding Zero Day Protection and IDS, that might be done by HMP.A, which seems to use BB, HitmanPro.Alert - SurfRight, instead of signatures.
Next to none user intervention needed (all supported programmes etc. are automatically added to the protection layers), but it can lead to conflicts, especially with new programme versions (I noticed this with KIS 2015, the Win10 compatible revision they brought up just after Win10 launch, as well as with PSE14 and it's recent update - see my thread here in this forum). Whitelisting did not work for me then, had to completely turn off the false-alarm-giving protection layer...

I use COMODO with HIPS enabled under Proactive Security.

I have changed the rating of vulnerable Windows processes from Trusted to Unrecognized.

No HIPS alerts (unless I execute a vulnerable process - e.g. cmd.exe, powershell.exe, mmc.exe, etc).

If HIPS alert appears "out-of-no-where" then you know something might be up to no good.

Qihoo HIPS is classical HIPS.

HMP.A could be called either an IDS or Behavior Blocker.

HMP.A is advanced, complex soft - so conflicts are to be expected... (yes, pain!)

White-listing should be the foundation of any security config.
 

DracusNarcrym

Level 20
Verified
Top Poster
Well-known
Oct 16, 2015
970
Excellent and accurate definition by @hjlbx.

HIPS (Host Intrusion Prevention System): Monitors activity of processes or modules within a local host system and performs certain actions against that activity, based on a set of predefined rules or policies. HIPS can (in most cases) also be configured to prompt the user with an alert regarding a certain kind of activity occuring within the host, allowing him/her to take action manually.

Intrusion Detection System: Umbrella term referring to a general security mechanism/system which monitors activity occurring within the host system or monitors protocol data transfers or inbound/outgoing protocol connections, performing specific actions as defined, again, in a preconfigured set of rules or policies, or prompting the user to take action manually through an alert.
Intrusion Detection Systems (IDS) are also commonly referred to as Intrusion Detection and Prevention Systems (depending on their underlying functions) and as such one may consider HIPS to be a subcategory of IDS/IDPS.

Behavior blockers: Security components which usually utilize a combination of mechanisms for detecting suspicious anomalies in the actions of processes and/or modules, and as @hjlbx described, those mechanisms might range from HIPS-based methods to heuristics.

I have nothing more to contribute as far as "Zero-day protection" is concerned, it was well-covered by other members above. It is largely a term coined as part of corporate marketing schemes to push products utilizing some or all of the above technologies to end-uses and/or enterprises.

The following well-written Wikipedia article contains further information regarding the matter in question:
Intrusion prevention system - Wikipedia, the free encyclopedia

EDIT: Corrected unbelievable typo. Thanks @Umbra.
 
Last edited:

SloppyMcFloppy

Level 13
Thread author
Verified
Sep 12, 2015
617
Thanks @DracusNarcrym and @hjlbx for the information you provided! Both of you deserve MVP award :).
MVP-Logo.png
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
IDS is more on the bundled protection on firewall component and sometimes link to related on web protection basis which monitors the suspicious connection, although in that sense I've never encounter the interaction pop-up but rather its an auto-pilot based which blocks without notification.

Take an example like in Norton.

HIPS and BB have little different of concepts

[HIPS] Closely to monitor large scale base of system and can block the access permanently, there is no any reference base to determine the suspicious or not but only the ruleset should be enough.

[BB] Contains algorithm to detect any suspicious actions although many products tends to rely much on cloud to capture similar alerts and reveal the official answer on those alerts however the effectiveness is great in such instance low FP rates should observe due to predefined behavior techniques.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top