Host-based intrusion detection system: Difference between revisions

Content deleted Content added
cleaning up lead prose
Overview: for clarity
Line 12:
Many computer users have encountered tools that monitor dynamic system behaviour in the form of [[anti-virus software|anti-virus]] (AV) packages. While AV programs often also monitor system state, they do spend a lot of their time looking at who is doing what inside a computer – and whether a given program should or should not have access to particular system resources. The lines become blurred here, as many of the tools overlap in functionality.
 
Some [[intrusion prevention system]]s are a type of HIDS software that protect against [[buffer overflow]] attacks on system memory and can enforce [[security policy]].<ref name=cox_gerg2004/>
 
=== Monitoring state ===
Line 25:
==== Technique ====
In general, a HIDS uses a [[database]] (object-database) of system objects it should monitor – usually (but not necessarily) file system objects. A HIDS could also check that appropriate regions of memory have not been modified – for example, the system call table for [[Linux]], and various [[virtual method table|vtable]] structures in [[Microsoft Windows]].
 
During the communication establishment phase, and while transferring the data requested by the client, the host's server and the client exchange a passphrase to verify their identity. The server uses the same passphrase all the time for this purpose. Based upon that, an object is created.
 
For each object in question a HIDS will usually remember its attributes (permissions, size, modification dates) and create a [[checksum]] of some kind (an [[MD5]], [[SHA1]] hash or similar) for the contents, if any. This information gets stored in a secure database for later comparison (checksum database).
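The baseline-and-compare technique described above (record each object's permissions, size, modification time and a content hash; later rescan and report deviations), as an added example that is not part of the article and not the code of any particular HIDS product. It assumes SHA-256 for the content hash (the article lists MD5 and SHA1, which a modern deployment would avoid), skips anything that is not a regular file, and exercises itself on a constructed directory tree built in a temporary folder:

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

CHUNK = 64 * 1024  # read files in chunks so large binaries do not need to fit in memory


def file_digest(path):
    """SHA-256 of a file's contents (assumption: SHA-256 instead of the article's MD5/SHA1)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Walk root and build the object database: attributes plus checksum per regular file."""
    db = {}
    root = Path(root)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices, sockets are out of scope for this toy
            rel = p.relative_to(root).as_posix()
            db[rel] = {
                "mode": stat.S_IMODE(st.st_mode),  # permission bits only
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                "sha256": file_digest(p),
            }
    return db


def compare(baseline, current):
    """Return {path: reason} for every deviation of the current scan from the baseline."""
    findings = {}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings[rel] = "deleted"
            continue
        changed = [k for k in ("mode", "size", "sha256") if old[k] != new[k]]
        if changed:
            findings[rel] = "changed: " + ",".join(changed)
        elif old["mtime"] != new["mtime"]:
            # Content identical but timestamp moved: worth flagging, since a
            # timestamp can be reset without touching the hash and vice versa.
            findings[rel] = "touched (mtime only)"
    for rel in current:
        if rel not in baseline:
            findings[rel] = "added"
    return findings


def demo():
    """Constructed scenario: take a baseline, tamper with the tree, rescan and diff."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        files = {  # constructed sample tree, not real system files
            "bin/login": b"original binary",
            "bin/sh": b"untouched binary",
            "etc/config": b"setting=1\n",
            "etc/hosts": b"127.0.0.1 localhost\n",
            "var/notes.txt": b"hello\n",
        }
        for rel, data in files.items():
            p = r / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
            os.chmod(p, 0o644)
        baseline = snapshot(r)  # in a real HIDS this goes to a protected store

        (r / "bin/login").write_bytes(b"trojaned binary")  # same size, different content
        (r / "etc/config").unlink()                         # object removed
        (r / "tmp").mkdir()
        (r / "tmp/dropper").write_bytes(b"new file")        # object added
        os.chmod(r / "etc/hosts", 0o444)                    # permissions changed only
        st = (r / "var/notes.txt").stat()
        os.utime(r / "var/notes.txt", (st.st_atime, st.st_mtime + 3600))  # timestamp only
        return compare(baseline, snapshot(r))


if __name__ == "__main__":
    for path, reason in sorted(demo().items()):
        print(f"{path}: {reason}")
```

The size check alone misses the first tampering (the replacement has the same length), which is why the article's checksum is the attribute that matters most. The comparison is only as trustworthy as the baseline: the snapshot returned by `snapshot()` must be written somewhere the monitored host cannot silently rewrite (read-only media, a remote collector, or a signed file), otherwise an intruder who changes a file can simply refresh the baseline to match.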