Host-based intrusion detection system

Host-based intrusion detection system

A host-based intrusion detection system (HIDS) is an intrusion detection system that monitors and analyses the internals of a computing system rather than on its external interfaces (as a network-based intrusion detection system (NIDS) would do).

Overview

A host-based IDS monitors all or parts of the dynamic behaviour and the state of a computer system. Much as a NIDS will dynamically inspect network packets, a HIDS might detect which program accesses what resources and discover that, for example, a word-processor has suddenly and inexplicably started modifying the system password-database. Similarly a HIDS might look at the state of a system, its stored information, whether in RAM, in the file-system, log files or elsewhere; and check that the contents of these appear as expected.

One can think of a HIDS as an agent that monitors whether anything/anyone - internal or external - has circumvented the security policy that the operating system tries to enforce.

Monitoring dynamic behaviour

Many computer users have encountered tools that monitor dynamic system behaviour in the form of anti-virus (AV) packages. While AV programs often also monitor system state, they do spend a lot of their time looking at who is doing what inside a computer - and whether a given program should or should not access particular system resources. The lines become very blurred here, as many of the tools overlap in functionality.

Monitoring state

The principle of operation of a HIDS depends on the fact that successful intruders (crackers) will generally leave a trace of their activities. (In fact, such intruders often want to "own" the computer they have attacked, and will establish their "ownership" by installing software that will grant the intruders future access to carry out whatever activity (keystroke logging, identity theft, spamming, botnet activity, spyware-usage etc.) they envisage.

In theory, a computer user has the ability to detect any such modifications, and the HIDS attempts to do just that and reports its findings.

Ideally a HIDS works in conjunction with a NIDS, such that a HIDS finds anything that slips past the NIDS.

Ironically, most successful intruders, on entering a target machine, immediately apply best-practice security techniques to secure the system which they have infiltrated, leaving only their own backdoor open, so that other intruders can not take over "their" computers. (Crackers are a competitive bunch...) Again, one can detect (and learn from) such changes.

Technique

In general a HIDS uses a database (object-database) of system objects it should monitor - usually (but not necessarily) file-system objects. A HIDS could also check that appropriate regions of memory have not been modified, for example - the system-call table comes to mind for Linux, and various vtable structures in Microsoft Windows.

For each object in question a HIDS will usually remember its attributes (permissions, size, modifications dates) and create a checksum of some kind (an MD5, SHA1 hash or similar) for the contents, if any. This information gets stored in a secure database for later comparison (checksum-database).

An alternate method to HIDS would be to provide NIDS type functionality at the network interface (NIC) level of an end-point (either server, workstation or other end device). Providing HIDS at the network layer has the advantage of providing more detailed logging of the source of the attack (Source IP address) and attack details (packet data), neither of which a dynamic behavioral monitoring approach could see.

Operation

At installation time - and whenever any of the monitored objects change legitimately - a HIDS must initialise its checksum-database by scanning the relevant objects. Persons in charge of computer security need to control this process tightly in order to prevent intruders making un-authorized changes to the database(s). Such initialization thus generally takes a long time and involves cryptographically locking each monitored object and the checksum databases or worse. Because of this, manufacturers of HIDS usually construct the object-database in such a way that makes frequent updates to the checksum database unnecessary.

Computer systems generally have many dynamic (frequently changing) objects which intruders want to modify - and which a HIDS thus should monitor - but their dynamic nature makes them unsuitable for the checksum technique. To overcome this problem, HIDS employ various other detection techniques: monitoring changing file-attributes, log-files that decreased in size since last checked, and a raft of other means to detect unusual events.

Once a system administrator has constructed a suitable object-database - ideally with help and advice from the HIDS installation tools - and initialized the checksum-database, the HIDS has all it requires to scan the monitored objects regularly and to report on anything that may appear to have gone wrong. Reports can take the form of logs, e-mails or similar.

Protecting the HIDS

A HIDS will usually go to great lengths to prevent the object-database, checksum-database and its reports from any form of tampering. After all, if intruders succeed in modifying any of the objects the HIDS monitors, nothing can stop such intruders from modifying the HIDS itself - unless security administrators take appropriate precautions. Many worms and viruses will try to disable anti-virus tools, for example.

Apart from crypto-techniques, HIDS might allow administrators to store the databases on a CD-ROM or on other read-only memory devices (another factor militating for infrequent updates...) or storing them in some off-system memory. Similarly, a HIDS will often send its logs off-system immediately - in some instances via one-way communications channels, such as a serial port which only has "Transmit" connected, for example.

One could argue that the trusted platform module comprises a type of HIDS. Although its scope differs in many ways from that of a HIDS, fundamentally it provides a means to identify whether anything/anyone has tampered with a portion of a computer. Architecturally this provides the ultimate (at least at this point in time) host-based intrusion detection, as depends on hardware external to the CPU itself, thus making it that much harder for an intruder to corrupt its object and checksum databases .

ee also

* Intrusion detection system (IDS)
* Network intrusion detection system (NIDS)
* Tripwire (software) - commercial HIDS
* OSSEC - a multi-platform open source HIDS
* Trusted Computing Group
* Trusted platform module

External links

* [http://www.ossec.net/ OSSEC - an Open Source HIDS]
* [http://la-samhna.de/samhain/ Samhain - an Open Source HIDS]
* [http://osiris.shmoo.com/ Osiris - an Open Source HIDS]
* [http://sourceforge.net/projects/aide Aide - an Open Source HIDS that aims to do what tripwire does]
* [http://www.thirdbrigade.com ThirdBrigade - Host Based Intrusion Prevention with deep packet inspection]


Wikimedia Foundation. 2010.

Игры ⚽ Поможем сделать НИР

Look at other dictionaries:

  • Host-based intrusion detection system — HIDS, Sistema de detección de intrusos en un Host. Busca detectar anomalías que indican un riesgo potencial, revisando las actividades en la máquina (host). Puede tomar medidas protectoras. Las funciones de este tipo de software son muy similares …   Wikipedia Español

  • Protocol-based intrusion detection system — A protocol based intrusion detection system (PIDS) is an intrusion detection system which is typically installed on a web server, and is used in the monitoring and analysis of the protocol in use by the computing system. A PIDS will monitor the… …   Wikipedia

  • Intrusion detection system — An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station.[1] Some systems may attempt to stop …   Wikipedia

  • Intrusion Detection System — Système de détection d intrusion Un système de détection d intrusion (ou IDS : Intrusion Detection System) est un mécanisme destiné à repérer des activités anormales ou suspectes sur la cible analysée (un réseau ou un hôte). Il permet ainsi… …   Wikipédia en Français

  • Network intrusion detection system — A Network Intrusion Detection System (NIDS) is an intrusion detection system that tries to detect malicious activity such as denial of service attacks, port scans or even attempts to crack into computers by Network Security Monitoring (NSM) of… …   Wikipedia

  • Intrusion prevention system — Intrusion Prevention Systems (IPS), also known as Intrusion Detection and Prevention Systems (IDPS), are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention… …   Wikipedia

  • Intrusion-prevention system — An intrusion prevention system is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real time, to block or prevent those activities. Network based IPS, for example, will… …   Wikipedia

  • Intrusion Detection — Ein Intrusion Detection System (IDS) ist ein System zur Erkennung von Angriffen, die an ein Computersystem oder Computernetz gerichtet sind. Das IDS kann eine Firewall ergänzen oder auch direkt auf dem zu überwachenden Computersystem laufen und… …   Deutsch Wikipedia

  • Intrusion detection — In Information Security, intrusion detection is the act of detecting actions that attempt to compromise the confidentiality, integrity or availability of a resource. When Intrusion detection takes a preventive measure without direct human… …   Wikipedia

  • Intrusion Prevention System — Als Intrusion Prevention Systeme (kurz: IPS) werden Intrusion Detection Systeme (kurz: IDS) bezeichnet, die über die reine Generierung von Ereignissen (Events) hinaus Funktionen bereitstellen, die einen entdeckten Angriff verhindern können.… …   Deutsch Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”