Translated by
2010/05/11 23:24:26


HIPS (Host Intrusion Prevention Systems) is the system of reflection of local threats. HIPS controls work of the started applications and blocks accomplishment of dangerous transactions.


Principle of work of HIPS

A HIPS system intercepts all addresses software to OS kernel

A HIPS system using own driver intercepts all appeals of software to OS kernel. In case of attempt of accomplishment of potentially dangerous action from software, a HIPS system blocks accomplishment of this action and submits an inquiry to the user who decides to permit or prohibit accomplishment of this action.

The basis of any HIPS is formed by the table of rules. In some products it is not separated in any way, in others – breaks into intermediate tables according to the nature of rules (for example, rules for files, rules for networks, rules for system privileges and so on), in the third separation of the table happens according to applications and their groups. These systems control certain system events (for example, such as creation or removal of files, registry access, memory access, start of other processes), and every time when these events should take place, HIPS is verified with the table of rules then works according to the settings set in the table. Action either is allowed, or it is forbidden, or HIPS asks the user a question of what she should undertake in this specific case.

Feature of HIPS is the group policy which allows to apply the same permissions to all applications entered to a certain group. As a rule, applications are divided into entrusted and not entrusted and also intermediate groups are possible (for example, poorly limited and strongly limited). The entrusted applications are not limited in the rights and opportunities in any way, poorly limited the actions, most dangerous to a system, are prohibited, strongly limited only those actions which cannot cause essential damage are resolved, but entrusted can perform almost any system operations.

The rules HIPS contain three basic components: the subject (i.e. the application or group which causes a certain event), action (to permit, to prohibit or ask the user) and an object (what the application or group tries to get access to). Depending on an object type of the rule are separated into three groups:

  • files and the system registry (an object – files, registry keys);
  • the system rights (an object – the system rights to accomplishment of these or those actions);
  • networks (an object – the IP addresses and their groups, ports and the directions).


  • HIPS in which the decision is made by the user — when the Application Programming Interface (API) interceptor - functions intercepts any function of the application, the question of further action is displaid. The user should solve, start the application or not with what privileges or restrictions to start it.
  • HIPS in which the decision is made by a system — the decision is made by the analyzer, for this purpose the developer creates the database in which rules and algorithms of decision making are entered.
  • The "mixed" HIPS system — makes the decision the analyzer, but when it cannot make the decision or settings "about decision making by the user" are included the solution and the choice of further actions are provided to the user.

Advantages of HIPS

  • Low consumption of system resources.
  • Are not exacting to computer hardware.
  • Can work at different platforms.
  • High efficiency of opposition to new threats.
  • High efficiency of counteraction to the rootkits working at the application layer (user-mode).

Shortcomings of HIPS

  • Low performance of counteraction to the rootkits working at the kernel level.
  • Large number of addresses to the user.
  • The user should have knowledge of the principles of functioning of OS.
  • Impossibility of counteraction to active infection of the computer.

Examples of HIPS