Host intrusion detection systems (hIDS) also use signature-based and anomaly-based methods. Popular hIDSs include anti-virus and anti-spyware programs (See the "Malicious Code Prevention" section of this booklet), as well as file integrity checkers.
A file integrity checker creates a hash of key binaries, and periodically compares a newly generated hash against the original hash. Any mismatch signals a change to the binary, a change that could be the result of an intrusion. Successful operation of this method involves protection of the original binaries from change or deletion and protection of the host that compares the hashes. If attackers can substitute a new hash for the original, an attack may not be identified. Similarly, if an attacker can alter the host performing the comparison so that it will report no change in the hash, an attack may not be identified.
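As an added example (not code from the booklet): a minimal file integrity checker in Python that records a SHA-256 baseline of monitored files, seals that baseline with an HMAC so that a substituted hash is detected rather than silently accepted, and reports files that are missing or modified. The key, file names and contents are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Added example, not the booklet's code. The HMAC key is a constructed
# placeholder; in practice it is kept off the monitored host (see the text).

def hash_file(path):
    """SHA-256 of a file's contents (its 'cryptographic fingerprint')."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def seal(hashes, key):
    """HMAC over the canonical JSON of the hash table."""
    body = json.dumps(hashes, sort_keys=True).encode()
    return hmac.new(key, body, "sha256").hexdigest()

def build_baseline(paths, key):
    """Record one hash per monitored file and seal the record."""
    hashes = {p: hash_file(p) for p in sorted(paths)}
    return {"hashes": hashes, "mac": seal(hashes, key)}

def check_baseline(baseline, key):
    """Return findings as (kind, path) tuples; an empty list means no change."""
    if not hmac.compare_digest(seal(baseline["hashes"], key), baseline["mac"]):
        return [("baseline_tampered", None)]  # stored hashes were altered
    findings = []
    for path, expected in baseline["hashes"].items():
        if not Path(path).exists():
            findings.append(("missing", path))
        elif hash_file(path) != expected:
            findings.append(("modified", path))
    return findings

def demo():
    """Constructed scenario: baseline two files, alter one, then forge the record."""
    key = b"constructed-demo-key"
    d = tempfile.mkdtemp()
    files = [str(Path(d) / n) for n in ("bin_a", "bin_b")]
    for p in files:
        Path(p).write_bytes(b"original contents of " + Path(p).name.encode())
    base = build_baseline(files, key)
    clean = check_baseline(base, key)                    # []
    Path(files[1]).write_bytes(b"altered contents")
    modified = check_baseline(base, key)                 # [("modified", ".../bin_b")]
    forged = {"hashes": dict(base["hashes"]), "mac": base["mac"]}
    forged["hashes"][files[1]] = hash_file(files[1])     # substitute the new hash
    tampered = check_baseline(forged, key)               # [("baseline_tampered", None)]
    return clean, modified, tampered
```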
An anomaly-based method monitors the application program calls to the operating system for unexpected or unwanted behavior, such as a Web server calling a command line interface, and alerts when unexpected calls are made.
Attackers can defeat host-based IDSs using kernel modules. A kernel module is software that attaches itself to the operating system kernel. From there, it can redirect and alter communications and processing, hiding files, processes, registry keys, and other information. With the proper kernel module, an attacker can force a comparison of hashes to always report a match and provide the same cryptographic fingerprint of a file, even after the source file was altered. Kernel modules can also hide the use of the application program interfaces. Detection of kernel modules can be extremely difficult. Detection is typically performed through another kernel module or applications that look for anomalies left behind when the kernel module is installed.
Some host-based IDS units address the difficulty of performing intrusion detection on encrypted traffic. Those units position their sensors between the decryption of the IP packet and the execution of any commands by the host. This host-based intrusion detection method is particularly appropriate for Internet banking servers and other servers that communicate over an encrypted channel. Kernel modules, however, can defeat these host-based IDS units.
Host-based intrusion detection systems are recommended by NIST for all mission-critical systems, even those that should not allow external access. (See NIST Special Publication 800-41.)