Host-based intrusion detection system

{{Short description|Type of intrusion detection system}}
{{More citations needed|date=July 2011}}
{{Use dmy dates|date=December 2020}}
 
A '''host-based intrusion detection system''' ('''HIDS''') is an [[intrusion detection system]] that is capable of monitoring and analyzing the internals of a computing system as well as the [[network packet]]s on its network interfaces, similar to the way a network-based [[intrusion detection system]] (NIDS) operates.<ref name=newman2009/> HIDS focuses on more granular and internal attacks by monitoring host activities rather than overall network traffic.<ref>{{Cite journal |last=Liu |first=Ming |last2=Xue |first2=Zhi |last3=Xu |first3=Xianghua |last4=Zhong |first4=Changmin |last5=Chen |first5=Jinjun |date=2018-11-19 |title=Host-Based Intrusion Detection System with System Calls: Review and Future Trends |url=https://doi.org/10.1145/3214304 |journal=ACM Computing Surveys |volume=51 |issue=5 |pages=98:1–98:36 |doi=10.1145/3214304 |issn=0360-0300|url-access=subscription }}</ref> HIDS was the first type of intrusion detection [[software]] to have been designed, with the original target system being the [[mainframe computer]], where outside interaction was infrequent.<ref name=cn31_8_805/>
 
One major issue with using HIDS is that it needs to be installed on each and every computer that needs protection from intrusions. This can lead to a slowdown both in device performance and in the intrusion detection system itself.<ref>{{Cite journal |last=Ahmad |first=Zeeshan |last2=Shahid Khan |first2=Adnan |last3=Wai Shiang |first3=Cheah |last4=Abdullah |first4=Johari |last5=Ahmad |first5=Farhan |date=January 2021 |title=Network intrusion detection system: A systematic study of machine learning and deep learning approaches |url=https://onlinelibrary.wiley.com/doi/10.1002/ett.4150 |journal=Transactions on Emerging Telecommunications Technologies |language=en |volume=32 |issue=1 |doi=10.1002/ett.4150 |issn=2161-3915}}</ref>
 
== Overview ==
{{Original research|section|date=July 2011}}
A host-based IDS is capable of monitoring all or parts of the dynamic behavior and the state of a [[Computer System|computer system]], based on how it is configured. Besides such activities as dynamically inspecting network packets targeted at this specific host (an optional component with most commercially available software solutions), a HIDS might detect which program accesses what resources and discover that, for example, a word processor has suddenly and inexplicably started modifying the system password database. Similarly a HIDS might look at the state of a system, its stored information, whether in [[Random Access Memory|RAM]], in the file system, log files or elsewhere; and check that the contents of these appear as expected, e.g. have not been changed by intruders.<ref>Vacca, John. ''Computer and Information Security Handbook''. Morgan Kauffman, 2013, pp. 494–495</ref>
 
One can think of a HIDS as an [[software agent | agent]] that monitors whether anything or anyone, whether internal or external, has circumvented the system's [[security policy]] that the [[operating system]] tries to enforce.
 
In comparison to network-based intrusion detection systems, HIDS is advantageous because of its capability of identifying internal attacks. While NIDS examines data from [[network traffic]], HIDS examines data originating from [[Operating system|operating systems]]. In recent years, HIDS has been faced with the [[big data]] challenge, which can be attributed to the increased advancement of data center facilities and methodologies.<ref>{{Cite journal |last=Liu |first=Ming |last2=Xue |first2=Zhi |last3=Xu |first3=Xianghua |last4=Zhong |first4=Changmin |last5=Chen |first5=Jinjun |date=2018-11-19 |title=Host-Based Intrusion Detection System with System Calls: Review and Future Trends |url=https://doi.org/10.1145/3214304 |journal=ACM Computing Surveys |volume=51 |issue=5 |pages=98:1–98:36 |doi=10.1145/3214304 |issn=0360-0300|url-access=subscription }}</ref>
 
=== Monitoring dynamic behavior ===
Many computer users have encountered tools that monitor dynamic system behavior in the form of [[anti-virus software | anti-virus]] (AV) packages. While AV programs often also monitor system state, they do spend a lot of their time looking at who is doing what inside a computer - and whether a given program should or should not have access to particular system resources. The lines become very blurred here, as many of the tools overlap in functionality.
 
Some [[intrusion prevention system]]s protect against [[buffer overflow]] attacks on system memory and can enforce [[security policy]].<ref name=cox_gerg2004/>
 
=== Monitoring state ===
The principle of operation of a HIDS depends on the fact that successful intruders ([[Hacker (computer security)|hackers]]) will generally leave a trace of their activities. (In fact, such intruders often want to ''own'' the computer they have attacked, and will establish their "ownership" by installing software that will grant the intruders future access to carry out whatever activity ([[Keyboard logger | keystroke logging]], [[identity theft]], [[spamming]], [[botnet | botnet activity]], [[Spyware | spyware-usage]] etc.) they envisage.)
 
In theory, a computer user has the ability to detect any such modifications, and the HIDS attempts to do just that and reports its findings.
 
Ideally a HIDS works in conjunction with a NIDS, such that a HIDS finds anything that slips past the NIDS. Commercially available software solutions often do correlate the findings from NIDS and HIDS in order to find out about whether a network intruder has been successful or not at the targeted host.
 
Most successful intruders, on entering a target machine, immediately apply best-practice security techniques to secure the system which they have infiltrated, leaving only their own [[Backdoor (computing)|backdoor]] open, so that other intruders can not take over ''their'' computers. (Crackers are a [[competition | competitive]] bunch...) Again, one can detect (and learn from) such changes.
 
==== Technique ====
In general a HIDS uses a [[database]] (object database) of system objects it should monitor - usually (but not necessarily) file system objects. A HIDS could also check that appropriate regions of memory have not been modified - for example, the system call table comes to mind for [[Linux]], and various [[virtual method table|vtable]] structures in [[Microsoft Windows]].
 
For each object in question a HIDS will usually remember its attributes (permissions, size, modification dates) and perhaps create a [[checksum]] of some kind (an [[MD5]], [[SHA1]] hash or similar) for the contents, if any. This information gets stored in a secure database for later comparison (checksum database). Note that a matching MD5 hash does not provide a complete guarantee that an intruder or other unauthorised user has not tampered with the target file. Recent ([[as of 2004 | 2004]]) research has resulted in claims (still under debate) that the probability of such tampering may exceed what one might hope.
 
An alternate method to HIDS would be to provide NIDS type functionality at the network interface (NIC) level of an end-point (either server, workstation or other end device). Providing HIDS at the network layer has the advantage of providing more detailed logging of the source (IP address) of the attack and attack details, such as packet data, neither of which a dynamic behavioral monitoring approach could see.
 
==== Operation ====
At installation time - and whenever any of the monitored objects change legitimately - a HIDS must initialize its checksum database by scanning the relevant objects. Persons in charge of computer security need to control this process tightly in order to prevent intruders making unauthorized changes to the [[Database|database(s)]]. Such initialization thus generally takes a long time and involves [[cryptography | cryptographically]] locking each monitored object and the checksum databases or worse. Because of this, manufacturers of HIDS usually construct the object database in such a way that makes frequent updates to the checksum database unnecessary.
 
Computer systems generally have many dynamic (frequently changing) objects which intruders want to modify - and which a HIDS thus should monitor - but their dynamic nature makes them unsuitable for the checksum technique. To overcome this problem, a HIDS employs various other detection techniques: monitoring changing file attributes, log files that decreased in size since last checked, and numerous other means to detect unusual events.
 
Once a system administrator has constructed a suitable object database - ideally with help and advice from the HIDS installation tools - and initialized the checksum database, the HIDS has all it requires to scan the monitored objects regularly and to report on anything that may appear to have gone wrong. Reports can take the form of logs, e-mails or similar.
 
=== Protecting the HIDS ===
A HIDS will usually go to great lengths to prevent the object database, checksum database and its reports from any form of tampering. After all, if intruders succeed in modifying any of the objects the HIDS monitors, nothing can stop such intruders from modifying the HIDS itself - unless security administrators take appropriate precautions. Many [[Computer worm|worms]] and [[Computer virus|viruses]] will try to disable anti-virus tools, for example. Sadly, a lot of them succeed in doing so.
 
Apart from crypto-techniques, a HIDS might allow administrators to store the databases on a [[CD-ROM]] or on other read-only memory devices (another factor in favor of infrequent updates...) or to store them in some off-system memory. Similarly, a HIDS will often send its logs off-system immediately, typically using VPN channels to some central management system.
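The object database, checksum database and tamper-protected baseline described in the Technique, Operation and Protecting the HIDS sections, as a small runnable illustration added here (it is not the code of any HIDS product named on this page). It assumes SHA-256 in place of the MD5/SHA1 hashes the text mentions, a placeholder HMAC key that a real deployment would keep off the monitored host, and a constructed scratch file tree standing in for the system:

```python
"""Minimal file-integrity HIDS: object database, HMAC-sealed checksum database,
rescan and report.  Illustration only; the key and file tree are placeholders."""
import hashlib, hmac, json, os, stat, tempfile

def fingerprint(path):
    # Attributes the text lists (permissions, size, mtime) plus a content hash.
    # SHA-256 rather than MD5: MD5 collisions let a tamperer keep the hash unchanged.
    st = os.lstat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"mode": stat.S_IMODE(st.st_mode), "size": st.st_size,
            "mtime": int(st.st_mtime), "sha256": digest}

def snapshot(root):
    # Object database: every regular file below root, keyed by relative path.
    return {os.path.relpath(os.path.join(d, n), root): fingerprint(os.path.join(d, n))
            for d, _, files in os.walk(root) for n in files}

def seal(db, key):
    # Protect the checksum database itself: an HMAC over its canonical JSON form
    # lets the scanner notice if an intruder edits the stored baseline.
    body = json.dumps(db, sort_keys=True)
    return {"body": body, "mac": hmac.new(key, body.encode(), "sha256").hexdigest()}

def load_sealed(sealed, key):
    mac = hmac.new(key, sealed["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(mac, sealed["mac"]):
        raise ValueError("checksum database tampered with or wrong key")
    return json.loads(sealed["body"])

def compare(baseline, current, dynamic=()):
    # Report added/removed/modified objects. Paths in `dynamic` (e.g. log files)
    # change legitimately, so there only a size decrease (truncation) is flagged.
    findings = []
    for p in sorted(set(baseline) | set(current)):
        if p not in baseline or p not in current:
            findings.append((p, "added" if p in current else "removed"))
        elif p in dynamic:
            if current[p]["size"] < baseline[p]["size"]:
                findings.append((p, "shrunk"))
        elif current[p] != baseline[p]:
            findings.append((p, "modified"))
    return findings

def put(root, name, data, mode="wb"):
    os.makedirs(os.path.dirname(os.path.join(root, name)), exist_ok=True)
    with open(os.path.join(root, name), mode) as f:
        f.write(data)

def demo():
    root, key = tempfile.mkdtemp(), b"placeholder-key"   # constructed scratch tree
    put(root, "etc/passwd", b"root:x:0:0\n")
    put(root, "var/log/auth.log", b"line1\nline2\n")
    sealed = seal(snapshot(root), key)                   # baseline at "install time"
    put(root, "etc/passwd", b"eve:x:0:0\n", "ab")        # unexpected account appended
    put(root, "var/log/auth.log", b"\n")                 # log file truncated
    return compare(load_sealed(sealed, key), snapshot(root), dynamic={"var/log/auth.log"})
```

Running `demo()` reports the password database as modified and the log as shrunk; editing the sealed body without the key makes `load_sealed` refuse to use it.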
 
One could argue that the [[trusted platform module]] comprises a type of HIDS. Although its scope differs in many ways from that of a HIDS, fundamentally it provides a means to identify whether anything/anyone has tampered with a portion of a computer. Architecturally this provides the ultimate ({{As of|2005|alt=at this point in time}}) host-based intrusion detection, as it depends on hardware external to the [[central processing unit|CPU]] itself, thus making it that much harder for an intruder to corrupt its object and checksum databases.
 
==Reception==
[[InfoWorld]] states that host-based intrusion-detection system software is a useful way for network managers to find malware, and suggests they run it on every server, not just critical servers.<ref name=iw20090706/>
 
==See also==
* [[Host-based intrusion detection system comparison]]
* [[IBM Internet Security Systems]] – commercial HIDS / NIDS
* [[network intrusion detection system|Network Intrusion Detection System]]
* [[Open Source Tripwire]] – an open source HIDS
* [[OSSEC]] – a multi-platform open source HIDS
* [[Trusted Computing Group]]
* [[Trusted platform module]]

==References==
{{Reflist|refs=
 
<ref name=newman2009>{{cite book | first=Robert C. | last=Newman | year=2009 | title=Computer Security: Protecting Digital Resources | publisher=Jones & Bartlett Learning | isbn=978-0-7637-5994-0 | url=https://books.google.com/books?id=_R5ndK-i3vkC&pg=PA269 }}</ref>
 
<ref name=cn31_8_805>{{cite journal | first1=Hervé | last1=Debar | first2=Marc | last2=Dacier | first3=Andreas | last3=Wespi | title=Towards a taxonomy of intrusion-detection systems | journal=Computer Networks | volume=31 | issue=8 | date=23 April 1999 | pages=805–822 | doi=10.1016/S1389-1286(98)00017-6 }}</ref>
 
<ref name=iw20090706>{{citation | first1=Carolyn Duffy | last1=Marsan | date=6 July 2009 | title=The 10 dumbest mistakes network managers make | work=InfoWorld | publisher=IDG Network | url=http://www.infoworld.com/d/security-central/10-dumbest-mistakes-network-managers-make-162?page=0,2&r=974 | access-date=31 July 2011 }}</ref>
 
<ref name=cox_gerg2004>{{cite book | first1=Kerry | last1=Cox | first2=Christopher | last2=Gerg | year=2004 | page=3 | title=Managing security with Snort and IDS tools | series=O'Reilly Series | publisher=O'Reilly Media, Inc. | isbn=978-0-596-00661-7 | url=https://books.google.com/books?id=5UKt2oWpOU0C&pg=PT19 }}</ref>
 
}}
 
==External links==
* [http://www.trendmicro.com/us/enterprise/cloud-solutions/deep-security/ Deep Security] – a commercial multi-platform HIDS
* [http://md5deep.sourceforge.net/ md5deep - an Open Source HIDS]
* [https://info.lacework.com/host-based-intrusion-detection-solution-brief/ Lacework HIDS] – a commercial HIDS for cloud deployments
* [http://sourceforge.net/projects/aide Aide - an Open Source HIDS that aims to do what tripwire does]
* [http://la-samhna.de/samhain/ Samhain - an Open Source HIDS]
* [http://www.snort.org Snort - an Open Source NIDS]
* [http://www.openhids.com OpenHIDS - an Open Source HIDS for Windows NT/2000/XP/2003 systems]
 
{{Information security}}
{{Authority control}}
[[Category:System administration]]
 
[[Category:Intrusion detection systems]]
[[es:HIDS]]
[[it:Host based intrusion detection system]]