Host-based intrusion detection system: Difference between revisions

Many computer users have encountered tools that monitor dynamic system behaviour in the form of [[anti-virus software|anti-virus]] (AV) packages. While AV programs often also monitor system state, they do spend a lot of their time looking at who is doing what inside a computer -– and whether a given program should or should not have access to particular system resources. The lines become very blurred here, as many of the tools overlap in functionality.

In general a HIDS uses a [[database]] (object-database) of system objects it should monitor -– usually (but not necessarily) file system objects. A HIDS could also check that appropriate regions of memory have not been modified -– for example, the system call table for [[Linux]], and various [[virtual method table|vtable]] structures in [[Microsoft Windows]].

At installation time -– and whenever any of the monitored objects change legitimately -– a HIDS must initialize its checksum-database by scanning the relevant objects. Persons in charge of computer security need to control this process tightly in order to prevent intruders making un-authorized changes to the database(s). Such initialization thus generally takes a long time and involves [[cryptography|cryptographically]] locking each monitored object and the checksum databases or worse. Because of this, manufacturers of HIDS usually construct the object-database in such a way that makes frequent updates to the checksum database unnecessary.

Computer systems generally have many dynamic (frequently changing) objects which intruders want to modify -– and which a HIDS thus should monitor -– but their dynamic nature makes them unsuitable for the checksum technique. To overcome this problem, HIDS employ various other detection techniques: monitoring changing file-attributes, log-files that decreased in size since last checked, and numerous other means to detect unusual events.

Once a system administrator has constructed a suitable object-database -– ideally with help and advice from the HIDS installation tools -– and initialized the checksum-database, the HIDS has all it requires to scan the monitored objects regularly and to report on anything that may appear to have gone wrong. Reports can take the form of logs, e-mails or similar.

A HIDS will usually go to great lengths to prevent the object-database, checksum-database and its reports from any form of tampering. After all, if intruders succeed in modifying any of the objects the HIDS monitors, nothing can stop such intruders from modifying the HIDS itself -– unless security administrators take appropriate precautions. Many [[Computer worm|worms]] and [[Computer virus|viruses]] will try to disable anti-virus tools, for example.

Apart from crypto-techniques, HIDS might allow administrators to store the databases on a [[CD-ROM]] or on other read-only memory devices (another factor militating for infrequent updates...) or storing them in some off-system memory. Similarly, a HIDS will often send its logs off-system immediately -– typically using VPN channels to some central management system.

* [[VerisysOSSEC]] – a multi-platform open commercialsource HIDS

* [[Tripwire (software)]] -– commercial HIDS

* [[IBM Internet Security SystemsVerisys]] -– commercial HIDS / NIDS