Host intrusion detection systems (hIDS) also use signature-based
and anomaly-based methods. Popular hIDSs include anti-virus
and anti-spyware programs (see the "Malicious Code Prevention"
section of this booklet), as well as file integrity checkers.
A file integrity checker creates a hash of key binaries and
periodically compares a newly generated hash against the original
hash. Any mismatch signals a change to the binary, a change
that could be the result of an intrusion. Successful
operation of this method depends on protecting the stored original
hashes (the baseline) from change or deletion and on protecting the
host that performs the comparison. If attackers can substitute a new
hash for the original, an attack may not be identified. Similarly,
if an attacker can alter the host performing the comparison so that
it reports no change in the hash, an attack may not be identified.
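The following is an added example, not code from the booklet, showing a minimal file integrity checker that addresses the first concern above: the baseline of original hashes is sealed with an HMAC, so an attacker who can write to the baseline cannot quietly replace the hash of a trojaned binary. The key name `BASELINE_KEY` and the file names in `demo()` are constructed for illustration; in practice the key must live on the separate host that performs the comparison, not on the monitored system.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Placeholder key (an assumption of this example): it must be kept off the
# monitored host, since anyone holding it can re-seal a forged baseline.
BASELINE_KEY = b"example-key-kept-off-host"


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, key=BASELINE_KEY):
    """Hash every path and seal the table with an HMAC over its canonical encoding."""
    entries = {p: hash_file(p) for p in sorted(paths)}
    payload = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries,
            "hmac": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def baseline_is_authentic(baseline, key=BASELINE_KEY):
    """Recompute the HMAC; a mismatch means the stored hashes were edited or replaced."""
    payload = json.dumps(baseline["entries"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, baseline["hmac"])


def check_files(baseline, key=BASELINE_KEY):
    """Return which baselined files changed or disappeared; refuse a forged baseline."""
    if not baseline_is_authentic(baseline, key):
        raise ValueError("baseline failed HMAC check: treat as tampered")
    changed, missing = [], []
    for path, original in baseline["entries"].items():
        if not os.path.exists(path):
            missing.append(path)
        elif hash_file(path) != original:
            changed.append(path)
    return {"changed": changed, "missing": missing}


def demo():
    """Constructed scenario: three fake binaries, one trojaned, one deleted,
    then an attempt to patch the baseline so the trojaned file looks clean."""
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name in ("login", "ls", "sshd"):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(b"original contents of " + name.encode())
            paths.append(p)
        baseline = build_baseline(paths)
        clean = check_files(baseline)                # nothing changed yet

        with open(paths[1], "ab") as f:              # attacker trojans 'ls'
            f.write(b"\x90\x90 backdoor")
        os.remove(paths[2])                          # and removes 'sshd'
        after = check_files(baseline)

        # Attacker rewrites the stored hash for 'ls' to match the trojaned
        # file, but cannot recompute the HMAC without the key.
        forged = {"entries": dict(baseline["entries"]), "hmac": baseline["hmac"]}
        forged["entries"][paths[1]] = hash_file(paths[1])
        try:
            check_files(forged)
            forgery_caught = False
        except ValueError:
            forgery_caught = True

        return {
            "clean": clean,
            "changed": [os.path.basename(p) for p in after["changed"]],
            "missing": [os.path.basename(p) for p in after["missing"]],
            "forgery_caught": forgery_caught,
        }


if __name__ == "__main__":
    print(demo())
```

The HMAC protects the baseline only against an attacker without the key; it does nothing against the second concern in the text, a compromised comparison host, which is why the key and the checker should run from a system the monitored host cannot write to.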
An anomaly-based method monitors an application's calls to the
operating system for unexpected or unwanted behavior, such as a
Web server spawning a command line interpreter, and alerts when
unexpected calls are made.
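As an added example (not from the booklet), the detection logic below runs over a few constructed process-execution events and implements the rule described above: a web server process is expected to exec only a known set of helpers, and anything else, such as a shell, raises an alert. The event format, the sample lines and the `EXPECTED_CHILDREN` policy are all assumptions made for illustration, not any product's log format. The example goes one step beyond the text by also flagging every descendant of a process that was already flagged, so the commands run by the spawned shell are alerted on too.

```python
import re

# Constructed events (not a real log format): one line per execve with the
# child's pid, the parent's pid, the parent's command name and the program run.
SAMPLE_EVENTS = """\
exec pid=2231 ppid=1201 pcomm=httpd exe=/usr/sbin/httpd
exec pid=2232 ppid=2231 pcomm=httpd exe=/usr/bin/php-cgi
exec pid=2233 ppid=2231 pcomm=httpd exe=/bin/sh
exec pid=2234 ppid=2233 pcomm=sh exe=/usr/bin/id
exec pid=2235 ppid=900 pcomm=sshd exe=/bin/bash
exec pid=2236 ppid=1201 pcomm=nginx exe=/usr/bin/curl
"""

# Assumed policy: a web server may only exec its own helpers. Anything else
# (a shell, curl, ...) is an unexpected call.
EXPECTED_CHILDREN = {
    "httpd": {"/usr/sbin/httpd", "/usr/bin/php-cgi"},
    "nginx": {"/usr/sbin/nginx"},
}

EVENT_RE = re.compile(r"^exec pid=(\d+) ppid=(\d+) pcomm=(\S+) exe=(\S+)$")


def parse_event(line):
    """Parse one constructed event line; return None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    pid, ppid, pcomm, exe = m.groups()
    return {"pid": int(pid), "ppid": int(ppid), "pcomm": pcomm, "exe": exe}


def detect(events_text):
    """Alert on execs by a monitored server outside its expected set, and on
    every descendant of a process that was itself spawned by such an exec."""
    alerts = []
    flagged = set()          # pids created by an unexpected exec
    for line in events_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["ppid"] in flagged:
            reason = "child of flagged pid %d" % ev["ppid"]
        elif (ev["pcomm"] in EXPECTED_CHILDREN
              and ev["exe"] not in EXPECTED_CHILDREN[ev["pcomm"]]):
            reason = "%s executed unexpected program" % ev["pcomm"]
        else:
            continue
        flagged.add(ev["pid"])
        alerts.append({"pid": ev["pid"], "exe": ev["exe"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample input the `sshd` line is not alerted on, because an interactive shell under sshd is normal; the policy is per parent process, which is what keeps an allow-list of this kind from drowning in noise.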
Attackers can defeat host-based IDS using malicious kernel
modules (kernel-mode rootkits). A kernel module is software that
loads into the operating system kernel. From there, it can redirect
and alter communications and processing, hiding files, processes,
registry keys, and other information. With the proper kernel
module, an attacker can force a comparison of hashes to always
report a match and return the same cryptographic fingerprint of a
file even after the file on disk was altered. Kernel modules can
also hide the calls an application makes through the operating
system's application programming interfaces.
Detection of kernel modules can be extremely difficult.
Detection is typically performed through another kernel module or
through applications that look for the anomalies left behind when
the kernel module is installed.
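One of the "anomalies left behind" that such applications look for is a disagreement between two views of the same kernel data. The added example below (not from the booklet, and written for Linux) lists processes two ways: by reading `/proc`, which is the view a rootkit most commonly filters, and by probing every possible pid with signal 0, which uses a different kernel path. A pid that answers the probe but is missing from the listing is a hidden-process candidate. The two-pass confirmation is there because a process that exits between the two snapshots would otherwise look hidden.

```python
import os


def listed_pids():
    """The view a rootkit is most likely to filter: the entries in /proc."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def read_pid_max():
    """Upper bound for the probe; 32768 is the historical Linux default."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except OSError:
        return 32768


def probed_pids(max_pid=None):
    """A second view obtained without reading a directory: ask the kernel about
    every pid with signal 0. A hook that filters directory listings alone does
    not hide a pid from kill()."""
    if max_pid is None:
        max_pid = read_pid_max()
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass            # exists but belongs to another user
        found.add(pid)
    return found


def find_hidden(list_view, probe_view, passes=2):
    """Pids present in the probe view but absent from the listing, kept only if
    the discrepancy persists across several passes (filters out processes that
    simply exited between the two snapshots)."""
    suspects = None
    for _ in range(passes):
        hidden = set(probe_view()) - set(list_view())
        suspects = hidden if suspects is None else suspects & hidden
    return sorted(suspects)


if __name__ == "__main__":
    print("hidden pid candidates:", find_hidden(listed_pids, probed_pids))
```

On a modern Linux system `pid_max` may be several million, so the probe takes a few seconds; run it from a privileged account so `PermissionError` does not dominate. The check shares the limitation the text states for all host-based detection: a module that hooks the `kill` path as well as directory listings makes both views agree, so a clean result from inside a potentially compromised kernel is never conclusive.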
Some host-based IDS units address the difficulty of performing
intrusion detection on encrypted traffic. Those units
position their sensors between the decryption of the IP packet and
the execution of any commands by the host. This host-based
intrusion detection method is particularly appropriate for Internet
banking servers and other servers that communicate over an
encrypted channel. Kernel modules, however, can defeat these
host-based IDS units.
Host-based intrusion detection systems are recommended by
NIST for all mission-critical systems, even those that should not
allow external access.
NIST Special Publication