A host intrusion prevention system (HIPS) is an approach to security that relies on third-party software tools to identify and prevent malicious activities.
Host-based intrusion prevention systems are typically used to protect endpoint devices. Once malicious activity is detected, the HIPS tool can take a variety of actions, including sending an alarm to the computer user, logging the malicious activity for future investigation, resetting the connection, dropping malicious packets and blocking subsequent traffic from the suspect IP address. Some host intrusion prevention systems allow users to send logs of malicious activity and fragments of suspicious code directly to the vendor for analysis and possible identification.
Most host intrusion prevention systems use known attack patterns, called signatures, to identify malicious activity. Signature-based detection is effective, but it can only protect the host device against known attacks. It cannot protect against zero-day attacks or attacks whose signatures are not already in the provider's database.
A second approach to intrusion detection establishes a baseline of normal activity and then compares current activity against the baseline. The HIPS looks for anomalies, including deviations in bandwidth, protocols and ports. When activity varies outside of an acceptable range -- such as a remote application attempting to open a normally closed port -- an intrusion may be in progress. However, an anomaly, such as a sudden spike in bandwidth use, does not guarantee an actual attack, so this approach amounts to an educated guess and the chance for false positives can be high.
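The baseline comparison described above, as an added example that is not part of the original page: it learns normal bandwidth and ports from an observation window, then flags deviations, including a benign bandwidth spike that becomes a false positive. The sample data, the three-standard-deviation threshold and the function names are assumptions made for illustration.

```python
from statistics import mean, stdev

# Constructed sample data: (bytes sent in the interval, ports with inbound connections).
BASELINE_WINDOW = [
    (48_000, {443}), (52_000, {443}), (50_500, {443, 22}),
    (47_200, {443}), (51_300, {443, 22}), (49_800, {443}),
]

def build_baseline(samples):
    """Summarise normal activity: bandwidth mean/stdev and the set of ports seen."""
    volumes = [nbytes for nbytes, _ in samples]
    ports = set().union(*(p for _, p in samples))
    return {"mean": mean(volumes), "stdev": stdev(volumes), "ports": ports}

def check(baseline, sample, k=3.0):
    """Return a list of anomaly descriptions for one observation interval."""
    nbytes, ports = sample
    findings = []
    # Assumed acceptable range: up to k standard deviations above the mean.
    limit = baseline["mean"] + k * baseline["stdev"]
    if nbytes > limit:
        findings.append(f"bandwidth {nbytes} exceeds acceptable range ({limit:.0f})")
    for port in sorted(ports - baseline["ports"]):
        findings.append(f"connection to normally closed port {port}")
    return findings

def evaluate(baseline, labelled):
    """Compare alerts with the known labels; return (true_positives, false_positives)."""
    tp = fp = 0
    for sample, is_attack in labelled:
        alerted = bool(check(baseline, sample))
        tp += alerted and is_attack
        fp += alerted and not is_attack
    return tp, fp

# Constructed current activity, labelled with what actually happened.
CURRENT = [
    ((50_100, {443}), False),        # ordinary interval
    ((49_000, {443, 8081}), True),   # remote connection to a normally closed port
    ((410_000, {443}), False),       # scheduled backup: benign bandwidth spike
]

if __name__ == "__main__":
    base = build_baseline(BASELINE_WINDOW)
    for sample, is_attack in CURRENT:
        print(sample, "attack" if is_attack else "benign", check(base, sample))
    print("true positives, false positives:", evaluate(base, CURRENT))
```

The backup interval is flagged even though nothing malicious happened, which is the false-positive cost of treating every deviation from the baseline as a possible intrusion.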
A third common intrusion-detection method uses stateful inspection to assess the actual protocols in packets traversing the network. The analysis is called stateful because the malware prevention tool tracks the state of each protocol. For example, it understands how TCP and UDP packets can or cannot carry DNS, SMTP, HTTP and other protocols -- and what values should or should not be contained within each packet of each protocol. Stateful protocol analysis looks for deviations from normal states of protocol content and can flag a possible attack when an unexpected deviation occurs. Since stateful analysis is more aware of actual packet contents, the chances for false positives are somewhat lower than with statistical anomaly detection.
HIPS products often focus on just one of the three approaches, though multiple approaches are sometimes used. For example, McAfee's Host Intrusion Prevention for Desktop and Dell's Managed iSensor Intrusion Prevention System (IPS) service are just two offerings that rely on multiple approaches to intrusion prevention.