“The Effectiveness of McAfee Host Intrusion Prevention”

Crystal Cummings
CPSC 6126
Columbus State University
Columbus, United States
Cummings_crystal@colstate.edu
Submitted November 9, 2009
Abstract— The purpose of this paper is to select an intrusion detection system and suggest ways to possibly improve it. In order to do this, we need to understand the purpose of intrusion detection systems and know how to measure them. The paper we chose to critique does just that: it examines how to measure the performance of the various types of intrusion systems. IT groups in corporations are tasked every day with keeping their network safe and secure. Meanwhile, malware attackers are working every day to find a loophole in the security of “secure networks”. The damage could be catastrophic if a corporation did not do the proper research to choose the correct intrusion detection system for its specific needs. We will evaluate McAfee Host Intrusion Prevention according to the proposed measurement matrix. Lastly, we will comment on what is next for McAfee Host Intrusion Prevention: whether it is worth suggesting improvements or choosing the latest technology currently available.

Keywords— networks, intrusion systems, data security, malware, performance.

I. INTRODUCTION

Intrusion detection systems are on the rise. Technology is barely keeping up because of the many malware attackers in existence today. This is why corporations are desperately seeking a “cure-all” intrusion detection system. Does one exist? If not, which one comes close? Before we can answer these questions we need to clearly define what intrusion detection is and decide how to measure it. The problem we will attempt to solve is to identify one meaning of intrusion detection out of the many that exist and to decide whether McAfee Host Intrusion Prevention is strong enough to thrive in the virus-prone networks of today. Our contribution will be to apply an intrusion detection system to the proposed measurement matrix and to identify whether it can be improved to meet the changing needs of a corporation or whether a new way to secure the network needs to be explored.

The proposed measurement matrix takes the various types of outputs an intrusion system can have and correlates them to the types of architecture in which the intrusion system could potentially be operating. The architectures are file, host, network, and enterprise. As stated in our textbook, the primary focus of computer security is intrusion prevention, where the goal is to keep the bad guys out of your system or network. The purpose of an intrusion detection system is to detect attacks before, during, and after they have occurred [1]. We will create a fictitious corporation to illustrate the use of an intrusion detection system.

Corporation C uses McAfee Host Intrusion Prevention as its intrusion detection system of choice. Corporation C uses it to defend against any unauthorized intrusion and against zero-day attacks. To improve the total cost of ownership, the company decides to install it on every laptop along with McAfee anti-virus software. The installation was not customized; we just followed the default prompts. How does this corporation fit into the intrusion systems model?

The main limitation of the chosen article is that it does not mention any specific intrusion system or software. It is very general and only names the types of intrusion systems. It also does not provide any real-life examples of the application of the proposed solution, and it seems to need additional work in relation to enterprise-based networks.

The remainder of this paper is structured as follows: Section 2 is an overview of our related work.
Section 3 details our proposed solution. Section 4 concludes this paper.

II. RELATED WORK

We first have to decide which definition of intrusion detection we would like to go with, since there are so many. One of the first definitions was from Amoroso. His definition states that intrusion detection is “the process of identifying and responding to malicious activity targeted at computing and networking resources” [2]. Ptacek and Newsham defined intrusion as “unauthorized usage of or misuse of a computer system” [3]. Alessandri et al. defined intrusion as “a malicious activity threatening the security policy that leads to a security failure, that is to a security policy violation” [4]. Lastly, Bace and Mell defined intrusion as “attempts to compromise the confidentiality, integrity, availability, or to bypass the security mechanisms of a computer or network” [5]. We will use a definition inspired by Alessandri et al.: intrusion will be defined as an activity that leads to the violation of the security policy of a computer system. Since we have our definition, analysis can begin.

The types of outputs received from an intrusion system are based on the work of Johnson [6]. The article extends Johnson’s work and defines the “types of output” as follows:

• Detection – indicates the occurrence of a possible intrusion.
• Recognition – indicates the type of attack.
• Identification – indicates declaring the exploits used to achieve the intrusion.
• Confirmation – indicates that an attack plan is deduced.
• Prosecution – indicates the identity of the originator of the intrusion [7].

Figure 1. – Intrusion System Matrix

We also need to take into account the types of techniques that could potentially correlate the types of outputs to the types of architectures. Figure 1 shows a view of all the types discussed above. For example, file hashes can be used in intrusion detection systems operating at the file data level. In Figure 2, we see that McAfee, which would fall into the host-based category, would only deliver the detection and recognition outputs. It is assumed that anomaly techniques were applied, and we know that confirmation and identification are not achievable with any reasonable confidence level in an anomaly-based system. However, host-based systems using signature techniques are expected to work at the confirmation and identification level, depending on the discrimination abilities of the signatures [1]. We will now look at what an actual customer of McAfee Host Intrusion Prevention had to say, along with other case studies done on McAfee.
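The matrix just described (five output types against four architectures) is easy to encode, and doing so makes the footprint comparisons in this paper mechanical rather than visual. The following is an added example written for this review; it is not code from the paper or from Tucker et al. [7]. The mapping from detection technique to achievable outputs (anomaly techniques reach detection and recognition only; signature techniques also reach identification and confirmation) is an assumption taken from the text above, and the product profiles, the `overlap` reading and all names in the block are constructed.

```python
"""Intrusion-system measurement matrix: output types x architectures.

Added example, not code from the paper or from Tucker et al. [7]. It encodes
the taxonomy the paper summarises (five output types, four architectures)
and scores a product profile by the matrix cells it occupies. The mapping
from detection technique to achievable outputs is an assumption drawn from
the paper's text, and the product profiles are constructed.
"""
from dataclasses import dataclass

OUTPUTS = ("detection", "recognition", "identification",
           "confirmation", "prosecution")
ARCHITECTURES = ("file", "host", "network", "enterprise")

# Assumption following the paper: anomaly techniques reach detection and
# recognition only; signature techniques also reach identification and
# confirmation. Neither reaches prosecution, which needs attribution
# evidence gathered with high integrity.
TECHNIQUE_OUTPUTS = {
    "anomaly": frozenset({"detection", "recognition"}),
    "signature": frozenset({"detection", "recognition",
                            "identification", "confirmation"}),
}


@dataclass(frozen=True)
class Product:
    name: str
    architectures: frozenset  # subset of ARCHITECTURES
    techniques: frozenset     # keys of TECHNIQUE_OUTPUTS

    def outputs(self):
        """Union of the outputs the product's techniques can deliver."""
        covered = set()
        for technique in self.techniques:
            covered |= TECHNIQUE_OUTPUTS[technique]
        return frozenset(covered)

    def footprint(self):
        """Matrix cells (architecture, output) the product occupies."""
        return frozenset((arch, out)
                         for arch in self.architectures
                         for out in self.outputs())


def coverage(product):
    """Counts in the form the paper reports them, plus the footprint size."""
    return {
        "outputs": f"{len(product.outputs())} of {len(OUTPUTS)}",
        "architectures": f"{len(product.architectures)} of {len(ARCHITECTURES)}",
        "footprint_cells": len(product.footprint()),
    }


def overlap(a, b):
    """Cells both products occupy. Assumed reading of 'overlap': where two
    deployed systems would report the same kind of output at the same
    level; an empty set means they complement rather than duplicate."""
    return a.footprint() & b.footprint()


def render(product):
    """Text view of the matrix: one row per architecture, X where covered."""
    width = max(len(out) for out in OUTPUTS)
    lines = ["architecture".ljust(13) + " ".join(out.ljust(width) for out in OUTPUTS)]
    cells = product.footprint()
    for arch in ARCHITECTURES:
        marks = ["X" if (arch, out) in cells else "." for out in OUTPUTS]
        lines.append(arch.ljust(13) + " ".join(mark.ljust(width) for mark in marks))
    return "\n".join(lines)


# Constructed profiles: the paper's Figure 2 reading of McAfee HIPS (anomaly
# techniques assumed) and its Section III reading (signature plus behavioural
# prevention). The paper counts two architectures for McAfee without naming
# the second, so only "host" is recorded here.
HIPS_ANOMALY_ONLY = Product("HIPS, anomaly assumed",
                            frozenset({"host"}), frozenset({"anomaly"}))
HIPS_SIGNATURE = Product("HIPS, signature + behavioural",
                         frozenset({"host"}), frozenset({"signature", "anomaly"}))
NIDS = Product("network IDS (constructed)",
               frozenset({"network"}), frozenset({"signature"}))

if __name__ == "__main__":
    for product in (HIPS_ANOMALY_ONLY, HIPS_SIGNATURE):
        print(product.name, coverage(product))
        print(render(product))
    print("cells shared by HIPS and NIDS:", sorted(overlap(HIPS_SIGNATURE, NIDS)))
```

Running the block shows the anomaly-only profile at two of five outputs and the signature profile at four of five, which is the move from Figure 2 to Figure 2a in Section III; adding a second architecture to a profile, once it is known, grows the footprint without changing the output count.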
Figure 2. – Intrusion System Footprint

In a McAfee study, TeliaSonera AB, the largest telecommunications provider in Sweden and Finland, offering mobile and fixed network services to the Nordic and Baltic countries, commented: “We think McAfee best meets our need for central managing, and we agreed with their future views on anti-virus technologies and policies,” adds Larsson. “We knew we could evolve easily with McAfee over time.” “The Host Intrusion Prevention solution was one of our main reasons for choosing McAfee,” adds Stenlund. “From the beginning, we used it as a desktop firewall product. Now that it has more functionality, it integrates better with our Windows and Microsoft applications and helps us secure our patch update process” [8].

The Tolly Group conducted a study in which they found that McAfee provides lower Total Cost of Ownership when compared to Symantec and Trend Micro. It offered increased reliability and availability by alleviating the need for in-house IT infrastructure and resources. It is easy to deploy and offers flexibility for company growth [9].

Lastly, Cascadia Labs also conducted a study comparing McAfee, Symantec and Sophos. They concluded that McAfee is a comprehensive suite targeted at very large enterprises. It has flexible Active Directory support, a robust reporting engine, and multi-server database roll-up features that are useful for companies with thousands of users and multiple locations. The most recent version includes a significant change to the management console. However, as with previous versions, McAfee’s installation, deployment, and basic usability and management features are clearly more complicated than those of Sophos and Symantec. In testing, they used the default configurations. McAfee had decent signature-based detection rates, but its day-zero protection was very poor. Some of this poor performance can be attributed to the need to configure rules when using its run-time HIPS configuration, a difficult and time-consuming task for even a seasoned security administrator [10].

There are challenges faced by all intrusion systems. For example, the prosecution output type requires that information be gathered with high integrity and totally secured from change. Although this is a common requirement in secure systems, here it must be met to the level necessary to allow criminal prosecution, within a system that has intruders present [11]. For an enterprise system, the technology challenge appears to be the development of discriminants that will separate intrusion and non-intrusion events in mixed-trust data flows. These data flows will often be occurring on equipment not owned by the enterprise, and therefore the ability to provide local monitoring of the network will be limited. A view of these interactions is shown in Figure 3.
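Two of the findings above are worth seeing in code: the Cascadia Labs result that a default, signature-led configuration scores well on known samples but poorly on day-zero samples until behavioural rules are configured, and the requirement that records feeding the prosecution output be secured from change. The block below is an added example written for this review, not code from the paper, from McAfee, or from the Cascadia Labs review. It runs a toy host agent over constructed process events, first with signatures only and then with a behavioural rule set, and appends each block decision to an HMAC-chained alert log whose `verify` method reports the first record that was altered. Every event, hash, rule weight, threshold and key in it is constructed for the demonstration.

```python
"""Signature plus behavioural detection on a host, with a tamper-evident
alert log.

Added example, not code from the paper, from McAfee, or from the Cascadia
Labs review. Every event, hash, rule, weight and key below is constructed.
"""
import hashlib
import hmac
import json

# Constructed process events as a host agent might observe them: the
# executable's content (hashed for signature lookup) and the actions taken.
EVENTS = [
    {"pid": 101, "image": "updater.exe", "content": b"known-trojan-sample",
     "actions": ["connect", "write:%TEMP%\\a.exe"]},
    {"pid": 102, "image": "calc.exe", "content": b"benign-calculator",
     "actions": ["read"]},
    # Never-seen binary with no signature, behaving like a dropper.
    {"pid": 103, "image": "svch0st.exe", "content": b"fresh-zero-day",
     "actions": ["write:%TEMP%\\b.exe", "persist:Run", "connect"]},
]


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Signature database: content hashes of known-bad samples (constructed).
SIGNATURES = {sha256(b"known-trojan-sample"): "Trojan.Constructed.A"}

# Behavioural rules: each action pattern adds weight; the threshold is the
# kind of HIPS rule tuning the review describes as hard to get right.
BEHAVIOUR_WEIGHTS = {"write:%TEMP%": 2, "persist:Run": 3, "connect": 1}
BEHAVIOUR_THRESHOLD = 4


def behaviour_score(event):
    """Sum of weights for every rule pattern an action matches."""
    return sum(weight
               for action in event["actions"]
               for pattern, weight in BEHAVIOUR_WEIGHTS.items()
               if action.startswith(pattern))


def classify(event, behavioural_enabled=True):
    """Return (verdict, reason). A signature hit names the threat (the
    paper's identification output); a behavioural hit only says an
    intrusion is likely (detection)."""
    name = SIGNATURES.get(sha256(event["content"]))
    if name:
        return "block", "signature:" + name
    score = behaviour_score(event)
    if behavioural_enabled and score >= BEHAVIOUR_THRESHOLD:
        return "block", "behaviour:score=%d" % score
    return "allow", "no match"


# Tamper-evident alert log: each record's tag is an HMAC over its fields and
# the previous record's tag, so editing, reordering or deleting an entry
# invalidates every tag from that point on. The key is a constructed
# constant; a deployment would keep it off the monitored host.
LOG_KEY = b"constructed-demo-key"
GENESIS = "0" * 64


def _tag(body):
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(LOG_KEY, msg, hashlib.sha256).hexdigest()


class AlertLog:
    def __init__(self):
        self.records = []

    def append(self, event, verdict, reason):
        prev = self.records[-1]["tag"] if self.records else GENESIS
        body = {"pid": event["pid"], "image": event["image"],
                "verdict": verdict, "reason": reason, "prev": prev}
        self.records.append({**body, "tag": _tag(body)})

    def verify(self):
        """Index of the first record whose chain link or tag fails, or -1."""
        prev = GENESIS
        for index, record in enumerate(self.records):
            body = {key: value for key, value in record.items() if key != "tag"}
            if body["prev"] != prev or not hmac.compare_digest(_tag(body), record["tag"]):
                return index
            prev = record["tag"]
        return -1


def run(events, behavioural_enabled=True):
    """Classify every event and log the blocks; returns verdicts by pid and the log."""
    log = AlertLog()
    verdicts = {}
    for event in events:
        verdict, reason = classify(event, behavioural_enabled)
        verdicts[event["pid"]] = verdict
        if verdict == "block":
            log.append(event, verdict, reason)
    return verdicts, log


if __name__ == "__main__":
    print("signatures only:", run(EVENTS, behavioural_enabled=False)[0])
    verdicts, log = run(EVENTS)
    print("signatures + behaviour:", verdicts)
    log.records[0]["verdict"] = "allow"   # an edited record breaks the chain
    print("first bad record after tampering:", log.verify())
```

With signatures alone the zero-day sample (pid 103) is allowed; with the behavioural rules it is blocked on behaviour alone, which is why the paper's Section III credits a signature-plus-behavioural host system with more outputs than an anomaly-only one. The chained log is the cheapest form of the "secured from change" property the prosecution output needs: it does not stop an intruder with the key from rewriting history, but it makes any edit by an intruder without it detectable at the next verification.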
Figure 3. – Challenging Areas

III. PROPOSED SOLUTIONS

We have already proposed a solution to the first problem, which was to identify and adopt one definition of an intrusion detection system. We concluded that we would use the following definition: “an activity that leads to the violation of the security policy of a computer system”. The second problem was to apply McAfee to the proposed measurement matrix. It was determined that since McAfee is a host-based system but uses signature and behavioral intrusion prevention, it would be able to deliver the recognition, detection, identification, and confirmation outputs. An updated view of Figure 2 is shown in Figure 2a to include the coverage of a signature-based host system. Lastly, we were tasked with determining any potential improvements McAfee could make to be more beneficial to a corporation, or whether to simply have it replaced.

Figure 2a. – Updated Intrusion System Footprint

Three areas provide insight into the performance of intrusion systems. They are the number of outputs covered by the system, the types of architecture supported by the intrusion system, and any areas that overlap each other. We can conclude that McAfee covers four out of five outputs and two out of four architectures, and produces no overlap.

While this may be suitable for some organizations, we doubt that it is suitable for most, given the current technological advancements and today’s various attacks and viruses. For example, many corporations require some of their employees to be mobile, whether for telecommuting or business-related travel. The employees, at some point, may need to work off the network, in which case they would need access to a laptop that is not on the corporation’s network. When these remote employees log on to the company network, it may be via VPN from a Wi-Fi hotspot. Still, laptops issued by corporations require a good intrusion detection system whether outside or inside the network. We do not recommend improving this software to make it more robust. We will opt for a more advanced technology that would give greater scalability. Desktop virtualization is the latest technology that practically eliminates the use
of host intrusion software at the endpoint or any other point on the network except at the server level. Desktop virtualization creates a virtual image on a desktop or laptop. No data physically resides on the hard drive; it resides on the server, so if someone were to physically steal the end device it would be a waste of time because there is no data to steal.

There are many desktop virtualization vendors. The major players are VMware, Cisco, Sun Microsystems, Citrix, and Microsoft. As of now, no one vendor beats the others; it all depends on the level of comfort and familiarity the IT professionals in the corporation have with a specific vendor. This is a subject area for further research and next steps.

As for an ideal endpoint security suite, we believe it should take ownership of the endpoint security problem and not overly complicate the life of the security administrator or end user. It should be simple, which means it should provide complete protection with minimal management. It should also be seamless to the end user and administrators until it is actually needed, and even then it should not affect the performance of the system. The administrators would need to be able to maintain the security policies through a user-friendly interface. Every threat should be handled through the signature database or by other protection designed to handle outliers and new threats based on their patterns or behaviors. Lastly, a good notification system should be in place to alert administrators about computers that need attention and the threats it has uncovered [10].

IV. CONCLUSION

The most important impact of the proposed solutions is the realization that corporations have to stay ever vigilant in protecting their networks regardless of the type of network or system chosen. We can safely say that large footprints represent intrusion systems that provide a broad range of applicability, and thus a wider range of output information is gained during an intrusion. Smaller footprints, however, are very specific in their application. We can also conclude that McAfee is good at what it does, but that is it; it does not lend itself to much growth. As a result, removing local desktops and using virtual hosts with their own intrusion detection systems presents intruders with a smaller, more closely guarded target. However, this particular solution may not be cost-effective or reasonable in all cases.

The challenge in security is keeping pace with changing threats, as malware attackers adapt to stay ahead of defenses. Signatures have demonstrated their worth, but also their limitations, and other approaches have moved antivirus on significantly. Using anti-malware experts’ experience to define easy-to-use behavioral controls based on common threat behavior allows antivirus tools to block malware proactively. Signatures provide the ability to define the threat and clear the damage. For the signature piece, time remains a challenge when dealing with the creation, testing and deployment of the system. Most recently, in-the-cloud security has linked the customer and vendor. It uses the concept of behavioral heuristics to identify potential threats, allowing an informational fingerprint to be sent to the security vendor and, if recognized, blocking the threat.

Blending reactive and proactive controls provides the best of both worlds: proactive behavioral detection that can be easily implemented to defend against the unknown, and signature-based detection to give an understanding of the attack and its implications. In-the-cloud security has continued the progress along
this evolutionary path, virtually closing the gap between discovery and signature defense [12].

Future work includes, but is not limited to, a deeper comparison of the measurement matrix, which includes an examination of all the performance metrics at all points of overlap on the intrusion footprint. Likewise, it would be beneficial to understand the additional benefits that could be realized at points where there is no overlap.

REFERENCES

[1] Stamp, M. (2005). Information Security: Principles and Practice. Wiley-Interscience.
[2] Amoroso, E.G. (1998), Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Traps, Trace Back, and Response, Intrusion.Net Books, Sparta, NJ.
[3] Ptacek, T.H. and Newsham, T.N. (1998), Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection, Secure Networks Inc., Syracuse, NY.
[4] Alessandri, D., Cachin, C., Dacier, M., Deak, O., Julisch, K., Randell, B. and Riordan, J. (2001), Towards a Taxonomy of Intrusion Detection Systems and Attacks, IBM Research, Zurich Research Laboratory, Zurich.
[5] Bace, R. and Mell, P. (2001), Intrusion Detection Systems, NIST Special Publication on Intrusion Detection System, NIST, Gaithersburg, MD.
[6] Johnson, J. (1958), “Analysis of image forming systems”, Proceedings of the Image Intensifier Symposium, US Army Engineering Research Development Laboratories, Fort Belvoir, VA.
[7] Tucker, C., Furnell, S., Ghita, B., & Brooke, P. (2007). A new taxonomy for comparing intrusion detection systems. Internet Research, 17(1), 88-98. http://search.ebscohost.com, doi:10.1108/10662240710730515
[8] http://www.mcafee.com/us/local_content/case_studies/library/cs_teliasonera_ab_s.pdf
[9] Tolly Group, The. (2008, February 27). TCO Evaluation of McAfee Total Protection Service vs. Symantec Endpoint Protection Small Business Edition 11.0 and Trend Micro Client Server Messaging Security for SMB. McAfee, Inc. Retrieved from http://www.tolly.com/DocDetail.aspx?DocNumber=208255
[10] Cascadia Labs. (2007, November). Endpoint Securities for Enterprise. Sophos. Retrieved from http://www.sophos.com/sophos/docs/eng/marketing_material/cascadia-sesc-review.pdf
[11] Sommer, P. (1999), “Intrusion detection systems as evidence”, Computer Networks – The International Journal of Computer and Telecommunications Networking, Vol. 31, pp. 2477-87.
[12] Potter, B., & Day, G. (2009). The effectiveness of anti-malware tools. Computer Fraud & Security, 2009(3), 12-13. http://search.ebscohost.com, doi:10.1016/S1361-3723(09)70033-8

Images:
Figure 1. Intrusion System Matrix. Source: Article by Tucker, C., Furnell, S., Ghita, B., & Brooke, P. in Internet Research (2007).
Figure 2. Intrusion System Footprint. Source: Article by Tucker, C., Furnell, S., Ghita, B., & Brooke, P. in Internet Research (2007).
Figure 2a. Updated Intrusion System Footprint. Source: Article by Tucker, C., Furnell, S., Ghita, B., & Brooke, P. in Internet Research (2007).
Figure 3. Challenging Areas. Source: Article by Tucker, C., Furnell, S., Ghita, B., & Brooke, P. in Internet Research (2007).