Host-Based Intrusion Detection Systems

Host-based intrusion detection systems (HIDSs) are applications that operate on information collected from individual computer systems. This vantage point allows an HIDS to analyze activities on the host it monitors at a high level of detail; it can often determine which processes and/or users are involved in malicious activities. Furthermore, unlike NIDSs, HIDSs are privy to the outcome of an attempted attack since they can directly access and monitor the data files and system processes targeted by these attacks.

Tripwire (the reference model for many of the follow-on HIDSs). Tripwire operates on MD5 hashes of critical system files, as defined by the system administrator. It is one model for host-based intrusion detection—like the secret agent trick of putting a hair on the doorknob, it lets you know if somebody’s been changing things inside your system—but only after this occurs.

Alternatively, HIDSs can utilize information sources of two types, operating system audit trails, and system logs. Operating system audit trails are usually generated at the innermost (kernel) level of the operating system, and are therefore more detailed and better protected than system logs. System logs are much less obtuse and much smaller than audit trails, and are normally far easier to comprehend.

Most HIDS software, like Tripwire, establishes a “digital inventory” of files and their attributes in a known state, and uses that inventory as a baseline for monitoring any system changes. The “inventory” is usually a file containing MD5 checksums for individual files and directories. This must be stored offline on a secured, read-only medium that is not available to an attacker. On a server with no read-only media (a blade server, for example), one method to accomplish this is to store the statically compiled intrusion detection application and its data files on a remote computer. When you wish to run an HIDS report, SCP (secure copy) the remote files to /tmp (or its equivalent) on the target server and run them from there. When you modify any files on the server, rerun the application, and make a new data set, which should be stored on the remote computer.

HIDS surveillance is especially important on VoIP media, proxy, and registration servers and should be considered as part of the initial install package. Indeed, vendors such as Cisco are even making this part of the default installation. For instance, the Cisco Security Agent (CSA) comes with every Call Manager license, and Avaya Media Servers ship with a Web-enabled version of Tripwire installed and preconfigured.

The downside to HIDS use is that clever attackers who compromise a host can attack and subvert host-based HIDSs as well. HIDS can not prevent DoS attacks. Most significantly, a host-based IDS consumes processing time, storage, memory, and other resources on the hosts where such systems operate. HIDSs that operate in a client-server mode (most of them) can also add to network traffic congestion.