Host-based intrusion detection system
A host-based intrusion detection system (HIDS) is an intrusion detection system that monitors and analyzes the internals of a computing system as well as (in some cases) the network packets on its network interfaces (just as a network-based intrusion detection system (NIDS) would do). This was the first type of intrusion detection software to have been designed, with the original target system being the mainframe computer, where outside interaction was infrequent.
Overview
A host-based IDS monitors all or parts of the dynamic behavior and the state of a computer system. Besides optionally inspecting network packets addressed to this specific host (an optional component in most commercially available products), a HIDS might detect which program accesses what resources and discover that, for example, a word processor has suddenly and inexplicably started modifying the system password database. Similarly a HIDS might look at the state of a system and its stored information, whether in RAM, in the file system, in log files or elsewhere, and check that the contents appear as expected, i.e. have not been changed by intruders. One can think of a HIDS as an agent that monitors whether anything or anyone, whether internal or external, has circumvented the system's security policy.
Monitoring dynamic behavior
Many computer users have encountered tools that monitor dynamic system behaviour in the form of anti-virus (AV) packages. While AV programs often also monitor system state, they spend much of their time looking at who is doing what inside a computer, and whether a given program should or should not have access to particular system resources. The lines become very blurred here, as many of the tools overlap in functionality. Intrusion prevention systems are a type of HIDS software that protects against buffer overflow attacks on system memory and can enforce security policy.
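The "which program accesses what resource" check described above, reduced to its core, as an added example (this is not code from any HIDS product). The event lines and their key=value layout are constructed for the example and do not correspond to any real audit-log format; the allow-lists in WRITE_POLICY are hypothetical.

```python
"""Toy behavioural HIDS: check process-to-resource access events against a policy.

Added example, not code from any HIDS product. The event lines and the
key=value layout are constructed and do not match any real audit format;
the allow-lists are hypothetical.
"""
import re
from dataclasses import dataclass

# Hypothetical policy: which programs may modify which sensitive objects.
# Any other program modifying them is treated as a circumvention of policy.
WRITE_POLICY = {
    "/etc/shadow": {"passwd", "chpasswd", "usermod"},
    "/etc/passwd": {"useradd", "usermod", "userdel"},
    "/etc/sudoers": {"visudo"},
    "/etc/ssh/sshd_config": set(),  # nobody is expected to write this at runtime
}

# Operations that change an object; reads are not policy violations here.
MODIFYING_OPS = {"write", "truncate", "rename", "unlink", "chmod", "chown"}

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Event:
    proc: str
    pid: int
    op: str
    path: str


def parse_event(line):
    """Parse one 'proc=... pid=... op=... path=...' line; None if malformed."""
    fields = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    try:
        return Event(fields["proc"], int(fields["pid"]), fields["op"], fields["path"])
    except (KeyError, ValueError):
        return None  # a real HIDS would log unparseable input rather than drop it


def check_event(ev, policy=WRITE_POLICY):
    """Return an alert string if the event violates the policy, else None."""
    if ev.op not in MODIFYING_OPS:
        return None
    allowed = policy.get(ev.path)
    if allowed is None:
        return None  # not a monitored object
    if ev.proc in allowed:
        return None
    who = ", ".join(sorted(allowed)) or "nobody"
    return f"{ev.proc}[{ev.pid}] performed {ev.op} on {ev.path} (allowed: {who})"


def scan(lines, policy=WRITE_POLICY):
    """Run every event line through the policy; return the list of alerts."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            alert = check_event(ev, policy)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample events (not real logs): a legitimate password change, a
# word processor that suddenly writes the password database, a shell
# truncating sudoers, a daemon merely reading its config, and one junk line.
SAMPLE_EVENTS = [
    "proc=passwd pid=1001 op=write path=/etc/shadow",
    "proc=wordproc pid=4242 op=read path=/home/alice/report.odt",
    "proc=wordproc pid=4242 op=write path=/etc/shadow",
    "proc=bash pid=777 op=truncate path=/etc/sudoers",
    "proc=sshd pid=600 op=read path=/etc/ssh/sshd_config",
    "this line is not an event at all",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print("ALERT:", a)
```

A real product gets its events from a kernel hook or the operating system's audit facility rather than from text lines, and usually keys the policy on the executable's path or hash rather than its name, since a process name is trivially spoofed. The shape of the decision, however, is the one shown: a table of sensitive objects, the set of programs permitted to touch each, and an alert for everything else.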
Monitoring state
The principal operation of a HIDS depends on the fact that successful intruders (crackers) will generally leave a trace of their activities. In fact, such intruders often want to own the computer they have attacked, and will establish their "ownership" by installing software that grants them future access to carry out whatever activity (keystroke logging, identity theft, spamming, botnet activity, spyware usage, etc.) they envisage.
In theory, a computer user has the ability to detect any such modifications, and the HIDS attempts to do just that and reports its findings.
Ideally a HIDS works in conjunction with a NIDS, such that a HIDS finds anything that slips past the NIDS. Commercially available software solutions often do correlate the findings from NIDS and HIDS in order to find out about whether a network intruder has been successful or not at the targeted host.
Most successful intruders, on entering a target machine, immediately apply best-practice security techniques to secure the system they have infiltrated, leaving only their own backdoor open, so that other intruders cannot take over their computers.
Technique
In general a HIDS uses a database (object-database) of system objects it should monitor, usually (but not necessarily) file system objects. A HIDS could also check that appropriate regions of memory have not been modified, for example the system call table on Linux, and various vtable structures in Microsoft Windows.
For each object in question a HIDS will usually record its attributes (permissions, size, modification dates) and compute a checksum of some kind (an MD5, SHA-1 hash or similar) for the contents, if any. This information is stored in a secure database for later comparison (the checksum database). Note that MD5 and SHA-1 are no longer collision-resistant, so a HIDS built today should use SHA-256 or another current hash function; an attacker who can craft a second file with the same checksum can replace a monitored object undetected.
An alternate method to HIDS would be to provide NIDS-type functionality at the network interface (NIC) level of an end-point (a server, workstation or other end device). Providing HIDS at the network layer has the advantage of more detailed logging of the source (IP address) of the attack and of attack details such as packet data, neither of which a dynamic behavioral monitoring approach could see.
Operation
At installation time, and whenever any of the monitored objects change legitimately, a HIDS must initialize its checksum database by scanning the relevant objects. Persons in charge of computer security need to control this process tightly in order to prevent intruders from making unauthorized changes to the database(s). Such initialization therefore generally takes a long time and involves cryptographically locking (signing) each monitored object and the checksum database itself. Because of this, manufacturers of HIDS usually construct the object-database in such a way that frequent updates to the checksum database are unnecessary.
Computer systems generally have many dynamic (frequently changing) objects which intruders want to modify - and which a HIDS thus should monitor - but their dynamic nature makes them unsuitable for the checksum technique. To overcome this problem, HIDS employ various other detection techniques: monitoring changing file-attributes, log-files that decreased in size since last checked, and numerous other means to detect unusual events.
Once a system administrator has constructed a suitable object-database - ideally with help and advice from the HIDS installation tools - and initialized the checksum-database, the HIDS has all it requires to scan the monitored objects regularly and to report on anything that may appear to have gone wrong. Reports can take the form of logs, e-mails or similar.
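The technique and operation described in the two sections above, as an added example that is not code from any HIDS product: build a baseline (object database plus checksum database) over a directory tree, re-scan later, and report what changed. Objects named as append-only (log files) get the separate treatment the text describes for dynamic objects: growth is expected, but a file that shrank, or whose already-recorded bytes were rewritten, is reported. The directory tree and the "intruder" actions in demo() are constructed for the example.

```python
"""Minimal file-integrity HIDS: build a checksum database, re-scan, report.

Added example, not code from any HIDS product. Per object it records the
attributes the text lists (permissions, size, modification time), the owner,
and a SHA-256 digest of the contents. Append-only objects (log files) may
grow, but shrinking or rewriting the recorded prefix is reported.
"""
import hashlib
import os
import stat
import tempfile


def _digest(path, limit=None):
    """SHA-256 of a file, or of its first `limit` bytes only."""
    h = hashlib.sha256()
    remaining = limit
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            chunk = f.read(65536 if remaining is None else min(65536, remaining))
            if not chunk:
                break
            h.update(chunk)
            if remaining is not None:
                remaining -= len(chunk)
    return h.hexdigest()


def record(path):
    st = os.lstat(path)
    return {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "size": st.st_size,
            "mtime": int(st.st_mtime), "sha256": _digest(path)}


def build_baseline(root):
    """Object database and checksum database in one dict: relative path -> record."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):  # regular files only in this example
                db[os.path.relpath(full, root)] = record(full)
    return db


def check(root, baseline, append_only=()):
    """Re-scan `root` and compare with `baseline`; return the findings."""
    current = build_baseline(root)
    report = {"added": [], "removed": [], "modified": {}, "log_anomalies": {}}
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            report["added"].append(rel)
        elif new is None:
            report["removed"].append(rel)
        elif rel in append_only:
            # Size and mtime change legitimately; only owner/permissions are static.
            if new["size"] < old["size"]:
                report["log_anomalies"][rel] = "shrunk"
            elif _digest(os.path.join(root, rel), old["size"]) != old["sha256"]:
                report["log_anomalies"][rel] = "recorded prefix rewritten"
            changed = [k for k in ("mode", "uid") if old[k] != new[k]]
            if changed:
                report["modified"][rel] = changed
        else:
            changed = [k for k in old if old[k] != new[k]]
            if changed:
                report["modified"][rel] = changed
    return report


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data, mode="w"):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, mode) as f:
                f.write(data)

        write("bin/login", "#!/bin/sh\nexec /bin/real-login\n")
        write("etc/passwd", "root:x:0:0::/root:/bin/sh\n")
        write("etc/motd", "welcome\n")
        write("var/log/app.log", "start\n")
        write("var/log/auth.log", "login ok\nlogin ok\n")
        baseline = build_baseline(root)

        # Simulated intruder: same-length backdoor in the login binary (size
        # alone would not show it), a new uid-0 account, a dropped rootkit, a
        # deleted file, a normal append to app.log, and a wiped auth.log.
        write("bin/login", "#!/bin/sh\nexec /tmp/.evillogin\n")
        write("etc/passwd", "eve:x:0:0::/root:/bin/sh\n", mode="a")
        write("lib/.rootkit.so", "\x7fELF not really\n")
        os.remove(os.path.join(root, "etc/motd"))
        write("var/log/app.log", "request served\n", mode="a")
        write("var/log/auth.log", "")

        logs = {"var/log/app.log", "var/log/auth.log"}
        return check(root, baseline, append_only=logs)


if __name__ == "__main__":
    print(demo())
```

The baseline dict is what the text calls the checksum database; in a deployed system it would be signed and kept off the monitored host (see the next section), because a report is only as trustworthy as the baseline it is compared against. Note that the backdoored login binary is caught purely by its digest, since the attacker kept its size unchanged, while the wiped auth.log is caught by the size rule even though a log is allowed to change constantly.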
Protecting the HIDS
A HIDS will usually go to great lengths to protect the object-database, the checksum database and its reports from any form of tampering. After all, if intruders succeed in modifying any of the objects the HIDS monitors, nothing can stop them from modifying the HIDS itself, unless security administrators take appropriate precautions. Many worms and viruses will try to disable anti-virus tools, for example.
Apart from cryptographic techniques, a HIDS might allow administrators to store the databases on a CD-ROM or other read-only media (another argument for infrequent updates) or in some off-system storage. Similarly, a HIDS will often send its logs off-system immediately, typically over VPN channels to some central management system, so that an intruder who gains control of the host cannot erase the record of how they got in.
One could argue that the trusted platform module (TPM) comprises a type of HIDS. Although its scope differs in many ways from that of a HIDS, fundamentally it provides a means to identify whether anything or anyone has tampered with a portion of a computer. Architecturally this provides the ultimate host-based intrusion detection, as it depends on hardware external to the CPU itself, thus making it that much harder for an intruder to corrupt its object and checksum databases. In practice a TPM detects tampering only with what has been measured into its platform configuration registers (PCRs), typically the firmware and the boot chain, not with arbitrary files, so it complements a file-level HIDS rather than replacing it.
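Why a TPM's record is hard to corrupt, shown as an added software model of the PCR "extend" operation (this is not TPM firmware or any vendor's code; the real operation runs inside the chip, which is exactly what makes its record trustworthy). The boot components are constructed stand-ins for firmware, bootloader and kernel images.

```python
"""Software model of a TPM platform configuration register (PCR).

Added example, not TPM or vendor code. A PCR cannot be written directly; it
can only be extended: PCR_new = SHA-256(PCR_old || measurement). The final
value therefore depends on every measurement and on their order, and the
only way to reach a given value is to replay the exact sequence from the
power-on reset value. The boot component blobs below are constructed.
"""
import hashlib

PCR_SIZE = 32  # one SHA-256 PCR; reset to all zero bits at power-on


def pcr_extend(pcr, measurement):
    """The only operation a PCR supports: fold a new measurement into it."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_chain(components):
    """Each boot stage hashes the next stage's image and extends the PCR."""
    pcr = bytes(PCR_SIZE)
    for blob in components:
        pcr = pcr_extend(pcr, hashlib.sha256(blob).digest())
    return pcr


# Constructed known-good boot chain; its PCR value is the "checksum database"
# entry an administrator records while the machine is known to be clean.
GOOD_CHAIN = [b"firmware 1.0", b"bootloader 2.1", b"kernel 6.1 (signed)"]
EXPECTED_PCR = measure_chain(GOOD_CHAIN)


def boot_ok(components, expected=EXPECTED_PCR):
    """Does this boot sequence reproduce the recorded known-good PCR value?"""
    return measure_chain(components) == expected


if __name__ == "__main__":
    print("good boot:", boot_ok(GOOD_CHAIN))
    print("backdoored kernel:", boot_ok(GOOD_CHAIN[:2] + [b"kernel 6.1 (backdoored)"]))
```

An intruder who has replaced the kernel cannot restore the PCR to the expected value from inside the running system, because no operation sets a PCR and the reset value is only reached by a hardware reset, which re-measures the (now modified) kernel. That is the sense in which the text calls the TPM hardware-rooted detection: the checksum database lives where the compromised software cannot reach it.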
Reception
InfoWorld states that host-based intrusion-detection system software is a useful way for network managers to find malware, and suggests they run it on every server, not just critical servers.
See also
- Intrusion detection system (IDS)
- Network intrusion detection system (NIDS)
- Verisys - commercial HIDS
- Tripwire (software) - commercial HIDS (Open Source Tripwire is a free variant)
- OSSEC - a multi-platform open source HIDS
- Trusted Computing Group
- Trusted platform module
- IBM Internet Security Systems - commercial HIDS / NIDS