Friday, January 6, 2012

Host and Network Based Intrusion Detection System

Host Based Intrusion Detection System - Definition
A host based intrusion detection system (HIDS) is a piece of software which monitors a computer system for vulnerabilities and intrusions. It may also monitor software misuse, policy violations and other malicious activities. A host based intrusion detection system may also perform log analysis, spyware detection and virus detection. An example of an HIDS is the OSSEC-HIDS tool. Host based intrusion detection systems have the advantage that they reside locally on the machine and hence can keep a closer watch over it than an NIDS can. The downside is that in a large scale implementation the HIDS agents will generate a huge amount of data which is difficult for a manager node to handle.
Network Based Intrusion Detection System - Definition
In contrast to the host based intrusion detection system, a network based intrusion detection system (NIDS) is placed at strategic points in the network from where it can monitor the network traffic coming from and going to all the systems in the network. The upside of using an NIDS is that by observing packets before they reach a particular machine you can take action proactively, while with an HIDS you have to wait for the malicious packet to do something. The downside is that an NIDS slows the network down, since every packet is being checked, and it also has a tendency to raise too many false alarms. An example of an NIDS is Wireshark.
Types of Intrusion Detection Techniques
Intrusion detection systems can be classified based on what techniques they use to detect malicious behavior.
1. Anomaly Detection
Anomaly detection programs try to find abnormal behavior on the part of a user or a piece of software. For this, a baseline pattern of usage is first defined; this baseline is taken to be the normal behavior of the system's usage. An anomaly is any behavior which deviates from normal usage. An event which occurs either much more frequently or much more rarely than normal is considered an anomaly. For example, if software which usually just reads files starts modifying files, that is an anomaly in the software's behavior. If a computer which is normally used only during the daytime is accessed at night, that would be considered a usage anomaly.
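As an added example (not code from the original post), a small baseline-and-deviation detector in Python for the usage-anomaly case described above: it learns which hours of the day and how many logins per day are normal from constructed sample timestamps, then flags a night-time login and a day with an unusual burst of logins. The data, thresholds and function names are assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime
from statistics import mean, pstdev

# Constructed baseline: login times of a workstation normally used during
# office hours (sample data, not taken from the original post).
BASELINE_LOGINS = [
    "2012-01-02 08:55", "2012-01-02 13:10", "2012-01-03 09:02",
    "2012-01-03 14:30", "2012-01-04 08:48", "2012-01-04 17:05",
    "2012-01-05 09:15", "2012-01-05 12:40", "2012-01-06 08:59",
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def build_baseline(events):
    """Learn 'normal': hours of the day seen, plus mean and stdev of logins per day."""
    stamps = [parse(e) for e in events]
    hours_seen = Counter(s.hour for s in stamps)
    per_day = list(Counter(s.date() for s in stamps).values())
    return hours_seen, mean(per_day), pstdev(per_day)

def time_of_day_anomalies(hours_seen, events, tolerance=1):
    """Flag logins at an hour never seen in the baseline (+/- tolerance hours)."""
    flagged = []
    for e in events:
        h = parse(e).hour
        nearby = [(h + d) % 24 for d in range(-tolerance, tolerance + 1)]
        if not any(hours_seen.get(n, 0) for n in nearby):
            flagged.append(e)
    return flagged

def rate_anomalies(day_mean, day_std, events, k=3.0):
    """Flag days whose login count is more than k stdevs from the baseline mean."""
    threshold = k * max(day_std, 0.5)  # floor so a very regular baseline is not a zero-width band
    per_day = Counter(parse(e).date() for e in events)
    return sorted(d.isoformat() for d, n in per_day.items()
                  if abs(n - day_mean) > threshold)

# Constructed events to score: one night-time login and one day with a burst.
NEW_LOGINS = [
    "2012-01-09 09:05", "2012-01-09 02:13", "2012-01-10 09:00",
    "2012-01-10 09:20", "2012-01-10 09:40", "2012-01-10 10:00",
]

if __name__ == "__main__":
    hours, day_mean, day_std = build_baseline(BASELINE_LOGINS)
    print(time_of_day_anomalies(hours, NEW_LOGINS))  # ['2012-01-09 02:13']
    print(rate_anomalies(day_mean, day_std, NEW_LOGINS))  # ['2012-01-10']
```

Days with no logins at all never appear in the per-day counter, so the "too rare" side only catches unusually quiet days if the date range is filled in explicitly with zero counts.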
2. Misuse or Signature Detection
A signature is a pattern associated with a certain entity. The entity can be software, a user or a packet. Signatures are most often associated with viruses and spyware. Viruses and spyware can be grouped into classes according to their behavior; the members of such a class have similar functionality and hence similar code sections, and those shared code sections can be taken as the signature of the malicious software. Intrusion detection systems keep a database of all such signatures and keep checking software against that database to detect a malicious signature. The same technique can be applied to a user's behavior and to network packets.
3. Target Monitoring
In target monitoring, the intrusion detection system does not check the whole file system; instead it keeps an eye on certain files and folders which are more susceptible to attack and modification by attackers. Since some files and folders in the system are highly sensitive and have a greater impact on the system, it makes sense to protect them. Cryptographic hashes of these files can be computed periodically to check whether they have been modified by unauthorized entities.
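As an added example (not code from the original post or from OSSEC-HIDS), a minimal target-monitoring check in Python: it records SHA-256 digests of a list of watched paths as a baseline and later reports which of them were modified, removed or newly created. The temporary files, their contents and the function names are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def file_digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(watched):
    """Record a trusted digest for each watched path (None if it does not exist yet)."""
    return {str(p): (file_digest(p) if Path(p).is_file() else None) for p in watched}

def check_integrity(baseline):
    """Re-hash every watched path and report what changed since the baseline."""
    report = {"modified": [], "missing": [], "appeared": []}
    for path, expected in baseline.items():
        p = Path(path)
        if not p.is_file():
            if expected is not None:
                report["missing"].append(path)
        elif expected is None:
            report["appeared"].append(path)
        elif file_digest(p) != expected:
            report["modified"].append(path)
    return report

def demo():
    """Constructed scenario: baseline three sensitive paths, then alter, delete and create."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        passwd, sudoers, cron = root / "passwd", root / "sudoers", root / "crontab"
        passwd.write_text("root:x:0:0:root:/root:/bin/bash\n")
        sudoers.write_text("root ALL=(ALL) ALL\n")
        baseline = build_baseline([passwd, sudoers, cron])
        # A real deployment stores the baseline off-host; the JSON round trip shows it serialises.
        baseline = json.loads(json.dumps(baseline))
        passwd.write_text("root:x:0:0:root:/root:/bin/bash\nguest:x:1001:1001::/home/guest:/bin/sh\n")
        sudoers.unlink()
        cron.write_text("0 3 * * * /usr/local/bin/backup\n")
        report = check_integrity(baseline)
        return {k: [Path(v).name for v in paths] for k, paths in report.items()}

if __name__ == "__main__":
    print(demo())  # {'modified': ['passwd'], 'missing': ['sudoers'], 'appeared': ['crontab']}
```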
4. Stealth Probes
Stealth probes detect attackers who spread their attack over a prolonged period of time so as to avoid being detected through anomalous behavior. Stealth probes collect a wide variety of data to check for such attacks.
Comparing HIDS and NIDS
This section compares the two kinds of intrusion detection system on a few functional points.
Network Binding
Since an NIDS resides on the network, on only one machine, it is only able to provide protection while a system is on that network; once a system leaves the protected network the NIDS can no longer provide any protection. In contrast an HIDS always resides on the local machine, irrespective of whether the machine is on or off the network, and is thus able to monitor and protect it at all times.
Versatility
While an HIDS can provide comprehensive monitoring and analysis of the state of the machine by scanning and checking important system files, anomalies and software signatures and by keeping a check on the ports, an NIDS can only analyze the network traffic to monitor intrusions. Thus an HIDS is far more versatile than an NIDS in this respect.
Real time detection
Since an NIDS scans packets all the time, it provides real time detection and protection; an HIDS, on the other hand, runs and checks the system periodically.
Ease of updating
Both kinds of intrusion detection system require patterns and behavior definitions which must be kept up to date. Updating these patterns and behaviors on an NIDS is far easier than on an HIDS, since the NIDS resides on only one machine while HIDS agents reside on every single machine in the network.
Cross platform compatibility
Consider a network consisting of machines running on a number of different platforms, which is always the case: a network may have a few Windows machines, a few Linux machines, a few machines running Mac OS and others running FreeBSD. For an HIDS it is a difficult task to overcome this variation in platforms. For example OSSEC-HIDS does not have a manager which can run on a Windows machine, so you cannot run OSSEC-HIDS on an all-Windows network. This problem does not arise in the case of an NIDS, since one dedicated system can be used to run it.
Local machine scanning
Computers can be infected not only through the network but also by a number of other means, for example somebody accidentally transferring a virus they had on their flash drive. This cannot be detected by an NIDS but can be detected by an HIDS.
Centralized management
An NIDS can be managed in a centralized manner far more efficiently than an HIDS. Centralized management has the advantage that the company which owns the network can hire specialized security people to monitor the network continuously, rather than relying on users to analyze the HIDS databases.
Reliability
An HIDS is more reliable than an NIDS, since an NIDS is a single point of failure. If the NIDS machine goes down the entire network becomes unprotected and vulnerable; in the case of an HIDS failure, on the other hand, only the machine on which the failure occurred is vulnerable while all the other machines are still protected.
Point of Impact
An HIDS is better suited to attacks on the machine itself: its point of impact is the system, and so it deals with inside attackers. For an NIDS the point of impact is the network, and hence it deals with outside attackers.
Damage Assessment
The virtue of real time protection gives rise to a corresponding vice: an NIDS cannot assess the damage done to a system, while an HIDS, because it keeps logs of every activity and checks the system periodically, can provide a measure of how much damage has occurred.
Attack anticipation
Related to the above is attack anticipation. Since an HIDS always keeps track of everything going on in a system, it can predict when an attack may take place by using its data about usage characteristics. An NIDS, on the other hand, does not have the luxury of any such data and hence has no attack anticipation functionality.