Content deleted Content added
m date formats per MOS:DATEFORMAT by script, Script-assisted fixes: per CS1 and MOS:ITALICS
Line 1:
{{
A '''host-based intrusion detection system''' ('''HIDS''') is an [[intrusion detection system]] that is capable of monitoring and analyzing the internals of a computing system as well as the network packets on its network interfaces, similar to the way a network-based intrusion detection system (NIDS) operates.<ref name=newman2009/> This was the first type of intrusion detection software to have been designed, with the original target system being the [[mainframe computer]] where outside interaction was infrequent.<ref name=cn31_8_805/>
Line 5 ⟶ 6:
== Overview ==
{{Original research|section|date=July 2011}}
A host-based IDS is capable of monitoring all or parts of the dynamic behavior and the state of a computer system, based on how it is configured. Besides such activities as dynamically inspecting network packets targeted at this specific host (optional component with most software solutions commercially available), a HIDS might detect which program accesses what resources and discover that, for example, a word-processor has suddenly and inexplicably started modifying the system password database. Similarly a HIDS might look at the state of a system, its stored information, whether in [[Random Access Memory|RAM]], in the file system, log files or elsewhere; and check that the contents of these appear as expected, e.g. have not been changed by intruders.<ref>Vacca, John. ''Computer and Information Security Handbook''. Morgan Kauffman, 2013,
One can think of a HIDS as an [[software agent|agent]] that monitors whether anything or anyone, whether internal or external, has circumvented the system's [[security policy]].
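Review bot: the Vacca citation closing the first paragraph of this hunk is a bare-text reference that spells the publisher "Morgan Kauffman"; the publisher's name is Morgan Kaufmann. Since this edit is a CS1 pass, the reference could be converted to {{cite book}} with the corrected publisher so it is formatted consistently with the other citations the script touches.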
Line 31 ⟶ 32:
==== Operation ====
At installation time – and whenever any of the monitored objects change legitimately – a HIDS must initialize its checksum-database by
Computer systems generally have many dynamic (frequently changing) objects which intruders want to modify – and which a HIDS thus should monitor – but their dynamic nature makes them unsuitable for the checksum technique. To overcome this problem, HIDS employ various other detection techniques: monitoring changing file-attributes, log-files that decreased in size since last checked, and numerous other means to detect unusual events.
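Review bot: "checksum-database" in this hunk reads as if any checksum would do, but an intruder who can alter a monitored file can just as easily recompute a plain checksum such as a CRC to match; the tamper-evidence described here holds only when the stored values are cryptographic hashes, or are signed, which the later "Apart from crypto-techniques" sentence presupposes. Suggest "cryptographic hash (checksum) database" on first use. Also worth saying in the last sentence that the "decreased in size since last checked" heuristic is a size comparison rather than an integrity check, so it cannot catch an in-place edit that preserves the file's length.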
Line 40 ⟶ 41:
A HIDS will usually go to great lengths to prevent the object-database, checksum-database and its reports from any form of tampering. After all, if intruders succeed in modifying any of the objects the HIDS monitors, nothing can stop such intruders from modifying the HIDS itself – unless security administrators take appropriate precautions. Many [[Computer worm|worms]] and [[Computer virus|viruses]] will try to disable anti-virus tools, for example.
Apart from crypto-techniques, HIDS might allow administrators to store the databases on a [[CD-ROM]] or on other read-only memory devices (another factor in favor of infrequent updates...) or storing them in some off-system memory. Similarly, a HIDS will often send its logs
One could argue that the [[trusted platform module]] comprises a type of HIDS. Although its scope differs in many ways from that of a HIDS, fundamentally it provides a means to identify whether anything/anyone has tampered with a portion of a computer. Architecturally this provides the ultimate (at least {{As of|2005|alt=at this point in time}})
==Reception==
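Review bot: "One could argue that the trusted platform module comprises a type of HIDS" is unsourced editorial voice and overstates what a TPM does: it records measurements of boot components and can attest to them, but it does not itself watch files or raise alerts. Suggest citing a source or rewording to say that TPM measurement and attestation give a HIDS a hardware root it can anchor its database and reports to, which also ties back to the tamper-resistance concern in the first paragraph of this hunk. The {{As of|2005|alt=at this point in time}} alt text hides the year from readers; with dates being normalised in this edit, consider dropping the alt so the year is shown.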
Line 62 ⟶ 63:
<ref name=cn31_8_805>{{cite journal | first1=Hervé | last1=Debar | first2=Marc | last2=Dacier | first3=Andreas | last3=Wespi | title=Towards a taxonomy of intrusion-detection systems | journal=Computer Networks | volume=31 | issue=8 | date=23 April 1999 | pages=805–822 | doi=10.1016/S1389-1286(98)00017-6 }}</ref>
<ref name=iw20090706>{{citation | first1=Carolyn Duffy | last1=Marsan | date=6 July 2009 | title=The 10 dumbest mistakes network managers make | work=InfoWorld | publisher=IDG Network | url=http://www.infoworld.com/d/security-central/10-dumbest-mistakes-network-managers-make-162?page=0,2&r=974 | accessdate=
<ref name=cox_gerg2004>{{cite book | first1=Kerry | last1=Cox | first2=Christopher | last2=Gerg | year=2004 | page=3 | title=Managing security with Snort and IDS tools
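Review bot: the Marsan reference uses {{citation}} (CS2) while the neighbouring Debar and Cox references use {{cite journal}} and {{cite book}} (CS1); since the edit summary says the fixes are per CS1, the mixed styles should be unified within this block. The InfoWorld URL also carries a trailing "&r=974" parameter that appears to be a tracking token and could be dropped.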
Line 72 ⟶ 73:
* [http://www.trendmicro.com/us/enterprise/cloud-solutions/deep-security/ Deep Security] – a commercial multi-platform HIDS
* [https://info.lacework.com/host-based-intrusion-detection-solution-brief/ Lacework HIDS] – a commercial HIDS for cloud deployments
▲{{Use dmy dates|date=July 2011}}
[[Category:Intrusion detection systems]]
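Review bot: both external links in this hunk point to vendor product pages, the Lacework one to a "solution brief" download, which is the kind of promotional linking the external-links guideline discourages; if they stay, keep the descriptions to neutral statements like the existing "a commercial HIDS". The ▲ marker shows {{Use dmy dates|date=July 2011}} was moved rather than changed, which is consistent with the dmy normalisation in the edit summary.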