Host-based intrusion detection system
This article needs additional citations for verification. (July 2011) |
A host-based intrusion detection system (HIDS) is an intrusion detection system that is capable of monitoring and analyzing the internals of a computing system as well as the network packets on its network interfaces, similar to the way a network-based intrusion detection system (NIDS) operates.[1] HIDS focuses on more granular and internal attacks through focusing monitoring host activities instead of overall network traffic.[2] HIDS was the first type of intrusion detection software to have been designed, with the original target system being the mainframe computer where outside interaction was infrequent.[3]
One major issue with using HIDS is that it needs to be installed on each and every computer that needs protection from intrusions. This can lead to a slowdown in device performance and intrusion detection systems.[4]
Overview
This section possibly contains original research. (July 2011) |
A host-based IDS is capable of monitoring all or parts of the dynamic behavior and the state of a
One can think of a HIDS as an agent that monitors whether anything or anyone, whether internal or external, has circumvented the system's security policy.
In comparison to network-based intrusion detection systems, HIDS is advantageous because of its capability of identifying internal attacks. While NIDS examines data from network traffic, HIDS examines data originating from operating systems. In recent years, HIDS has been faced with the big data challenge, which can be attributed to the increased advancement of data center facilities and methodologies.[6]
Monitoring dynamic behavior
Many computer users have encountered tools that monitor dynamic system behavior in the form of
Some
Monitoring state
The principle operation of a HIDS depends on the fact that successful intruders (
In theory, a computer user has the ability to detect any such modifications, and the HIDS attempts to do just that and reports its findings.
Ideally a HIDS works in conjunction with a NIDS, such that a HIDS finds anything that slips past the NIDS. Commercially available software solutions often do correlate the findings from NIDS and HIDS in order to find out about whether a network intruder has been successful or not at the targeted host.
Most successful intruders, on entering a target machine, immediately apply best-practice security techniques to secure the system which they have infiltrated, leaving only their own backdoor open, so that other intruders can not take over their computers.
Technique
In general a HIDS uses a database (object-database) of system objects it should monitor – usually (but not necessarily) file system objects. A HIDS could also check that appropriate regions of memory have not been modified – for example, the system call table for Linux, and various vtable structures in Microsoft Windows.
For each object in question a HIDS will usually remember its attributes (permissions, size, modifications dates) and create a
An alternate method to HIDS would be to provide NIDS type functionality at the network interface (NIC) level of an end-point (either server, workstation or other end device). Providing HIDS at the network layer has the advantage of providing more detailed logging of the source (IP address) of the attack and attack details, such as packet data, neither of which a dynamic behavioral monitoring approach could see.
Operation
At installation time – and whenever any of the monitored objects change legitimately – a HIDS must initialize its checksum-database by scanning the relevant objects. Persons in charge of computer security need to control this process tightly in order to prevent intruders making un-authorized changes to the database(s). Such initialization thus generally takes a long time and involves cryptographically locking each monitored object and the checksum databases or worse. Because of this, manufacturers of HIDS usually construct the object-database in such a way that makes frequent updates to the checksum database unnecessary.
Computer systems generally have many dynamic (frequently changing) objects which intruders want to modify – and which a HIDS thus should monitor – but their dynamic nature makes them unsuitable for the checksum technique. To overcome this problem, HIDS employ various other detection techniques: monitoring changing file-attributes, log-files that decreased in size since last checked, and numerous other means to detect unusual events.
Once a system administrator has constructed a suitable object-database – ideally with help and advice from the HIDS installation tools – and initialized the checksum-database, the HIDS has all it requires to scan the monitored objects regularly and to report on anything that may appear to have gone wrong. Reports can take the form of logs, e-mails or similar.
Protecting the HIDS
A HIDS will usually go to great lengths to prevent the object-database, checksum-database and its reports from any form of tampering. After all, if intruders succeed in modifying any of the objects the HIDS monitors, nothing can stop such intruders from modifying the HIDS itself – unless security administrators take appropriate precautions. Many worms and viruses will try to disable anti-virus tools, for example.
Apart from crypto-techniques, HIDS might allow administrators to store the databases on a CD-ROM or on other read-only memory devices (another factor in favor of infrequent updates...) or storing them in some off-system memory. Similarly, a HIDS will often send its logs off-system immediately – typically using VPN channels to some central management system.
One could argue that the
Reception
InfoWorld states that host-based intrusion-detection system software is a useful way for network managers to find malware, and suggest they run it on every server, not just critical servers.[8]
See also
- Host-based intrusion detection system comparison
- IBM Internet Security Systems– commercial HIDS / NIDS
- Open Source Tripwire – open source HIDS
- OSSEC – a multi-platform open source HIDS
- Trusted Computing Group
References
- ISBN 978-0-7637-5994-0.
- ISSN 0360-0300.
- .
- ISSN 2161-3915.
- ^ Vacca, John. Computer and Information Security Handbook. Morgan Kauffman, 2013, pp. 494–495
- ISSN 0360-0300.
- ISBN 978-0-596-00661-7.
- ^ Marsan, Carolyn Duffy (6 July 2009), "The 10 dumbest mistakes network managers make", InfoWorld, IDG Network, retrieved 31 July 2011
External links
- Deep Security – a commercial multi-platform HIDS
- Lacework HIDS – a commercial HIDS for cloud deployments