Host-based intrusion detection system: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 15:28, 2 April 2021 edit Weanlitar (talk \| contribs) 203 edits Adding short description: "Intrusion detection system" (Shortdesc helper) ← Previous edit		Latest revision as of 18:31, 25 May 2025 edit undo OAbot (talk \| contribs) Bots 643,717 edits m Open access bot: url-access updated in citation with #oabot.
(13 intermediate revisions by 10 users not shown)
Line 1: {{Short description\|~~Intrusion~~Type of intrusion detection system}} {{More citations needed\|date=July 2011}} {{Use dmy dates\|date=December 2020}} A '''host-based intrusion detection system''' ('''HIDS''') is an [[intrusion detection system]] that is capable of monitoring and analyzing the internals of a computing system as well as the [[network packet]]s on its network interfaces, similar to the way a network-based [[intrusion detection system]] (NIDS) operates.<ref name=newman2009/> ~~This~~HIDS focuses on more granular and internal attacks through focusing monitoring host activities instead of overall network traffic.<ref>{{Cite journal \|last=Liu \|first=Ming \|last2=Xue \|first2=Zhi \|last3=Xu \|first3=Xianghua \|last4=Zhong \|first4=Changmin \|last5=Chen \|first5=Jinjun \|date=2018-11-19 \|title=Host-Based Intrusion Detection System with System Calls: Review and Future Trends \|url=https://doi.org/10.1145/3214304 \|journal=ACM Computing Surveys \|volume=51 \|issue=5 \|pages=98:1–98:36 \|doi=10.1145/3214304 \|issn=0360-0300\|url-access=subscription }}</ref> HIDS was the first type of intrusion detection [[software]] to have been designed, with the original target system being the [[mainframe computer]] where outside interaction was infrequent.<ref name=cn31_8_805/> One major issue with using HIDS is that it needs to be installed on each and every computer that needs protection from intrusions. This can lead to a slowdown in device performance and intrusion detection systems.<ref>{{Cite journal \|last=Ahmad \|first=Zeeshan \|last2=Shahid Khan \|first2=Adnan \|last3=Wai Shiang \|first3=Cheah \|last4=Abdullah \|first4=Johari \|last5=Ahmad \|first5=Farhan \|date=January 2021 \|title=Network intrusion detection system: A systematic study of machine learning and deep learning approaches \|url=https://onlinelibrary.wiley.com/doi/10.1002/ett.4150 \|journal=Transactions on Emerging Telecommunications Technologies \|language=en \|volume=32 \|issue=1 \|doi=10.1002/ett.4150 \|issn=2161-3915}}</ref> == Overview == {{Original research\|section\|date=July 2011}} A host-based IDS is capable of monitoring all or parts of the dynamic behavior and the state of a [[Computer System\|computer system]], based on how it is configured. Besides such activities as dynamically inspecting network packets targeted at this specific host (optional component with most software solutions commercially available), a HIDS might detect which program accesses what resources and discover that, for example, a word-processor has suddenly and inexplicably started modifying the system password database. Similarly a HIDS might look at the state of a system, its stored information, whether in [[Random Access Memory\|RAM]], in the file system, log files or elsewhere; and check that the contents of these appear as expected, e.g. have not been changed by intruders.<ref>Vacca, John. ''Computer and Information Security Handbook''. Morgan Kauffman, 2013, pp. 494–495</ref> One can think of a HIDS as an [[software agent\|agent]] that monitors whether anything or anyone, whether internal or external, has circumvented the system's [[security policy]]. In comparison to network-based intrusion detection systems, HIDS is advantageous because of its capability of identifying internal attacks. While NIDS examines data from [[network traffic]], HIDS examines data originating from [[Operating system\|operating systems]]. In recent years, HIDS has been faced with the [[big data]] challenge, which can be attributed to the increased advancement of data center facilities and methodologies.<ref>{{Cite journal \|last=Liu \|first=Ming \|last2=Xue \|first2=Zhi \|last3=Xu \|first3=Xianghua \|last4=Zhong \|first4=Changmin \|last5=Chen \|first5=Jinjun \|date=2018-11-19 \|title=Host-Based Intrusion Detection System with System Calls: Review and Future Trends \|url=https://doi.org/10.1145/3214304 \|journal=ACM Computing Surveys \|volume=51 \|issue=5 \|pages=98:1–98:36 \|doi=10.1145/3214304 \|issn=0360-0300\|url-access=subscription }}</ref> === Monitoring dynamic behavior === Many computer users have encountered tools that monitor dynamic system ~~behaviour~~behavior in the form of [[anti-virus software\|anti-virus]] (AV) packages. While AV programs often also monitor system state, they do spend a lot of their time looking at who is doing what inside a computer – and whether a given program should or should not have access to particular system resources. The lines become blurred here, as many of the tools overlap in functionality. Some [[intrusion prevention system]]s protect against [[buffer overflow]] attacks on system memory and can enforce [[security policy]].<ref name=cox_gerg2004/> Line 30 ⟶ 34: For each object in question a HIDS will usually remember its attributes (permissions, size, modifications dates) and create a [[checksum]] of some kind (an [[MD5]], [[SHA1]] hash or similar) for the contents, if any. This information gets stored in a secure database for later comparison (checksum database). An alternate method to HIDS would be to provide NIDS type functionality at the network interface (NIC) level of an end-point (either server, workstation or other end device). Providing HIDS at the network layer has the advantage of providing more detailed logging of the source (IP address) of the attack and attack details, such as packet data, neither of which a dynamic behavioral monitoring approach could see. ==== Operation ==== At installation time – and whenever any of the monitored objects change legitimately – a HIDS must initialize its checksum-database by scanning the relevant objects. Persons in charge of computer security need to control this process tightly in order to prevent intruders making un-authorized changes to the [[Database\|database(s)]]. Such initialization thus generally takes a long time and involves [[cryptography\|cryptographically]] locking each monitored object and the checksum databases or worse. Because of this, manufacturers of HIDS usually construct the object-database in such a way that makes frequent updates to the checksum database unnecessary. Computer systems generally have many dynamic (frequently changing) objects which intruders want to modify – and which a HIDS thus should monitor – but their dynamic nature makes them unsuitable for the checksum technique. To overcome this problem, HIDS employ various other detection techniques: monitoring changing file-attributes, log-files that decreased in size since last checked, and numerous other means to detect unusual events. Line 74 ⟶ 78: * [https://info.lacework.com/host-based-intrusion-detection-solution-brief/ Lacework HIDS] – a commercial HIDS for cloud deployments {{Information security}} {{Authority control}}