Recognizing the confusions and trends around the "active defense" concept in security software

Source: Internet
Author: User

Anti-virus software now advertises "active defense", which ought to be a forward-looking function

"Active defense" has become a hot term because network security incidents in which a virus is the main attack type are endless, while signature-based anti-virus software usually cannot identify a new virus and therefore cannot intercept it well. This situation has lasted for many years. As viruses change faster and the virus industry chain becomes more and more rampant, users have come to distrust anti-virus software.

To address these increasingly serious new threats, anti-virus vendors are in fact moving in two directions at once. The first is to keep improving traditional signature recognition: better handling of packed ("shelled") executables in the scan engine, better sample collection, and faster signature updates. Today this is still the most important and most efficient response. Its unavoidable weakness is that some computers will be hit by a new virus before its signature exists. The second direction is to develop ways of identifying viruses that do not depend on a signature, such as behavior identification, registry protection and application protection.

Looking back, the term "active defense" first came from network devices such as gateways and firewalls. IDS (intrusion detection system) and IPS (intrusion prevention system) are attack identification and interception technologies that grew out of the firewall. A firewall is a device placed between two networks to control the traffic between them. Access from outside is checked against the firewall's rule table and the matching policy is applied: allow, block, or report. A firewall generally permits whatever inbound and outbound access its rules describe, and it only ever sees traffic that crosses it. Therefore, if an attacker is already inside the network, the whole network is exposed and the firewall does nothing about it.

The intrusion detection system is a device developed to monitor for illegal access to the intranet. It compares traffic against the rules in its detection signature database, decides whether illegal access is taking place, and records an event. The administrator analyzes these events to evaluate the network's security situation and then applies the corresponding protection policies. An important problem with IDS is that it produces far too many such warnings: administrators have to dig the real security events out of vast logs, which is not only error-prone but also raises management costs. An IPS is equivalent to a firewall plus intrusion detection placed inline, so that matched traffic is dropped rather than merely reported; this improves the response and, because a false match now blocks real traffic, pushes vendors to reduce false positives. All of these are gateway devices. When the same design concepts are applied to a desktop computer, the result is HIPS, the host-based intrusion prevention system.
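As an added illustration, not code from the original article, the following Python script runs a constructed packet stream through the three mechanisms described above: a firewall rule table with allow/block/report actions, a passive IDS that only raises events, and an inline IPS that drops what the signatures match. The addresses, ports, rules and signatures are assumptions made for the example.

```python
"""Firewall rule table, passive IDS and inline IPS over a constructed packet stream.

Added example, not code from the original article. Addresses, ports, rules
and signatures are illustrative assumptions; the point is to show why a
firewall alone does not see an attacker who is already inside, and why an
IDS that only reports differs from an IPS that drops.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    dport: int      # destination TCP port
    payload: bytes  # application data the IDS inspects


@dataclass(frozen=True)
class FwRule:
    src: str               # CIDR for the source
    dst: str               # CIDR for the destination
    dport: Optional[int]   # None means any port
    action: str            # "allow", "block" or "report"


INTERNAL = "10.0.0.0/24"   # assumed LAN behind the firewall

# Constructed rule table; first matching rule wins and the last rule is the default.
FIREWALL: List[FwRule] = [
    FwRule("0.0.0.0/0", INTERNAL, 80, "allow"),    # public web server
    FwRule("0.0.0.0/0", INTERNAL, 22, "report"),   # SSH from anywhere: pass but log
    FwRule(INTERNAL, "0.0.0.0/0", None, "allow"),  # any outbound from the LAN
    FwRule("0.0.0.0/0", "0.0.0.0/0", None, "block"),
]

# Constructed IDS signature database: name -> byte pattern looked for in the payload.
SIGNATURES: Dict[str, bytes] = {
    "sql-injection-union": b"UNION SELECT",
    "path-traversal": b"../../",
}


def firewall_decision(pkt: Packet, table: List[FwRule] = FIREWALL) -> str:
    """Walk the rule table top to bottom and apply the first rule that matches."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for rule in table:
        if (src in ip_network(rule.src) and dst in ip_network(rule.dst)
                and (rule.dport is None or rule.dport == pkt.dport)):
            return rule.action
    return "block"  # unreachable with a catch-all last rule, kept as a safe default


def ids_alerts(pkt: Packet, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Passive detection: return the names of every signature found in the payload."""
    return [name for name, pattern in signatures.items() if pattern in pkt.payload]


def ips_decision(pkt: Packet) -> str:
    """Inline prevention: firewall first, then drop anything the signatures match."""
    verdict = firewall_decision(pkt)
    if verdict == "block":
        return "block"
    if ids_alerts(pkt):
        return "block"
    return verdict  # "allow" or "report"


def summarize(packets: List[Packet]) -> Dict[str, int]:
    """Count what each layer does with the stream: firewall only, IDS only, IPS."""
    fw_blocked = sum(firewall_decision(p) == "block" for p in packets)
    ids_alerted = sum(bool(ids_alerts(p)) for p in packets)
    ips_blocked = sum(ips_decision(p) == "block" for p in packets)
    return {"firewall_blocked": fw_blocked, "ids_alerts": ids_alerted, "ips_blocked": ips_blocked}


# Constructed traffic: an outside client, an outside scanner and an attacker already on the LAN.
PACKETS: List[Packet] = [
    Packet("203.0.113.5", "10.0.0.10", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("203.0.113.5", "10.0.0.10", 80, b"GET /item?id=1 UNION SELECT user,pass FROM users HTTP/1.1\r\n"),
    Packet("203.0.113.5", "10.0.0.10", 22, b"SSH-2.0-OpenSSH_9.0\r\n"),
    Packet("203.0.113.5", "10.0.0.10", 3389, b"\x03\x00\x00\x13"),
    Packet("10.0.0.20", "198.51.100.7", 443, b"\x16\x03\x01"),
    Packet("10.0.0.20", "10.0.0.10", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for p in PACKETS:
        print(f"{p.src}->{p.dst}:{p.dport} firewall={firewall_decision(p)} "
              f"ids={ids_alerts(p)} ips={ips_decision(p)}")
    print(summarize(PACKETS))
```

The last packet is the case the paragraph warns about: its source is already inside the network, so the firewall's rule table allows it; the IDS only records an event for the administrator to find among the others; only the inline IPS actually drops it. The SSH packet shows the "report" action: it passes through both the firewall and the IPS but is logged.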

The so-called "active defense" software is actually a development direction for security software and should not be read as a specific technology or product. In the user's eyes, active defense should automatically intercept and clean unknown threats; the user should not have to attend to the details of how that is done. The expectation is simple: I installed you, so you are responsible for me; do your job honestly and don't bother me.

Security software vendors are working in this direction, with features such as automatic updating of the anti-virus software itself, automatic vulnerability scanning and patching, and automatic virus handling. To some extent these match some of the characteristics of active defense.

Currently, many of the programs sold as HIPS implement three protective functions:
1. Application-layer protection: application execution is governed by rules. For example, when a running application starts another program, or injects code into another running program, the application protection rules are triggered.
2. Registry protection: read and write operations on the registry are handled according to rules. When a program runs it creates or accesses certain registry keys, and these keys are monitored or protected by the HIPS software in the same way.
3. File protection: rules govern which files an application may create or access on disk. When a program creates a new file, or needs to access a program file on the hard disk, the monitoring or protection function of the HIPS software is triggered.

The monitoring and protection functions of HIPS software are a further step toward the goal of active defense, but they are not yet "active defense". The reason is that in everyday use the many monitoring hooks of HIPS software are triggered constantly, and the software cannot handle them automatically and correctly; instead the end user of the computer is asked to make the right choice, which is confusing. At present HIPS can raise security to some degree, but it is too troublesome to use. Is this really what ordinary users need? Can an ordinary computer user make the right decision at each prompt? These are things security vendors still need to improve. There is a further confusion here: a user who can already operate HIPS software smoothly and skillfully probably only needs to be careful in other respects, and can avoid viruses and Trojans anyway.
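To make the three HIPS functions listed above and the prompt problem discussed in the preceding paragraph concrete, here is an added example (not code from the original article or from any HIPS product): a first-match policy over application, registry and file events in which each rule ends in allow, block, or ask, and a triage function that counts how many decisions the software had to push to the user. The rule syntax, paths, process names and events are assumptions made for the example.

```python
"""Host-based intrusion prevention (HIPS) policy over a constructed event stream.

Added example, not code from the original article. It models the three
protection layers the article lists (application, registry, file) as a
first-match rule table with verdicts allow / block / ask, and counts how
many decisions end up pushed to the user. Rule syntax, paths and events are
illustrative assumptions.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    layer: str   # "app", "registry" or "file"
    actor: str   # full path of the process performing the action
    action: str  # "start_process", "inject", "write", "create", ...
    target: str  # child process path, registry key or file path


@dataclass(frozen=True)
class Rule:
    layer: str
    actor: str    # glob matched against the actor, case-insensitively
    action: str   # glob matched against the action
    target: str   # glob matched against the target
    verdict: str  # "allow", "block" or "ask" (ask = prompt the user)


# Constructed policy; first matching rule wins, unmatched events are allowed.
POLICY: List[Rule] = [
    # application layer: the shell may launch anything, nobody may inject into another process
    Rule("app", "*\\explorer.exe", "start_process", "*", "allow"),
    Rule("app", "*", "inject", "*", "block"),
    # file layer: nothing writes under System32; new files under AppData are queried
    Rule("file", "*", "write", "C:\\Windows\\System32\\*", "block"),
    Rule("file", "*", "create", "C:\\Users\\*\\AppData\\*", "ask"),
    # registry layer: a known installer may touch HKLM, anyone else writing Run keys is queried
    Rule("registry", "*\\setup.exe", "write", "HKLM\\SOFTWARE\\*", "allow"),
    Rule("registry", "*", "write", "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\*", "ask"),
]
DEFAULT_VERDICT = "allow"


def matches(rule: Rule, event: Event) -> bool:
    """Windows paths and keys are case-insensitive, so compare lower-cased globs."""
    return (rule.layer == event.layer
            and fnmatchcase(event.actor.lower(), rule.actor.lower())
            and fnmatchcase(event.action.lower(), rule.action.lower())
            and fnmatchcase(event.target.lower(), rule.target.lower()))


def evaluate(event: Event, policy: List[Rule] = POLICY) -> Tuple[str, Optional[Rule]]:
    """Return the verdict and the rule that produced it (None for the default)."""
    for rule in policy:
        if matches(rule, event):
            return rule.verdict, rule
    return DEFAULT_VERDICT, None


def triage(events: List[Event], policy: List[Rule] = POLICY) -> Dict[str, object]:
    """Apply the policy to a stream and count what was decided by the user rather than the software."""
    verdicts = [evaluate(e, policy)[0] for e in events]
    return {
        "verdicts": verdicts,
        "blocked": verdicts.count("block"),
        "prompts": verdicts.count("ask"),
    }


# Constructed events: a user opening Word, a dropper named invoice.exe, and a legitimate installer.
SAMPLE_EVENTS: List[Event] = [
    Event("app", "C:\\Windows\\explorer.exe", "start_process", "C:\\Program Files\\Office\\winword.exe"),
    Event("app", "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe", "inject", "C:\\Windows\\explorer.exe"),
    Event("registry", "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe", "write",
          "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"),
    Event("registry", "C:\\Users\\alice\\Downloads\\setup.exe", "write",
          "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Vendor"),
    Event("file", "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe", "write",
          "C:\\Windows\\System32\\drivers\\etc\\hosts"),
    Event("file", "C:\\Program Files\\Office\\winword.exe", "create",
          "C:\\Users\\alice\\AppData\\Local\\Temp\\~WRD0001.tmp"),
    Event("file", "C:\\Program Files\\Office\\winword.exe", "create", "C:\\Users\\alice\\Documents\\report.docx"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict, rule = evaluate(ev)
        print(f"{ev.layer:8} {ev.action:14} {ev.target:60} -> {verdict}")
    print(triage(SAMPLE_EVENTS))
```

Two of the seven events end in "ask", and they are not equally dangerous: the dropper registering itself under the Run key is exactly what the registry layer exists to catch, while Word creating a temporary file under AppData is routine. Both land on the user with the same prompt, which is the usability problem the paragraph describes; the policy author can only reduce prompts by writing more specific allow rules, such as the installer exception shown for setup.exe.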

Active defense is not magic. Clearly there is still no real "active defense" yet; we can only say that the target is closer and that anti-virus vendors have more options. The difficulty lies in using technology to deliver what the technology promises without demanding more technical knowledge from the user.

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.