The first IDS designs were introduced in the early 1980s as Host-based Intrusion Detection Systems (HIDS). Host-based Intrusion Detection Systems are confined to monitoring activity on the local host computer. This monitoring can include network traffic to the host, or local object (files, processes, services) access on the host. For example, a HIDS implementation can be used to analyze all the network traffic transmitted to the computer and pass only the packets deemed safe onto the computer. A HIDS could also be a service running on the local machine that periodically examines the system security logs for suspicious activity.

Keep in mind that suspicious activity in one environment may not equate to suspicious activity in another, so rules that define what constitutes suspicious activity need to be created. Some examples of possible suspicious activities include several unauthorized logon attempts, confidential file access, and deletion of logs.
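As an added illustration (not from the original text), the following log-examining HIDS service is sketched as three rules over a constructed, syslog-like security log: repeated failed logons for one user inside a time window, access to a confidential file, and deletion of a file under the log directory. The log format, the field names and the confidential-path list are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample security log (not captured from a real system).
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:00:04 sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:00:07 sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:05:00 sshd: Accepted password for bob from 10.0.0.6
2024-03-01T09:06:12 audit: user=bob action=read path=/etc/shadow
2024-03-01T09:07:30 audit: user=bob action=unlink path=/var/log/auth.log
2024-03-01T10:00:00 sshd: Failed password for carol from 10.0.0.7
"""

# Assumed site policy: which files count as confidential for this host.
CONFIDENTIAL_PATHS = {"/etc/shadow", "/etc/ssh/ssh_host_rsa_key"}
LINE_RE = re.compile(r"^(\S+) (\w+): (.*)$")
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")
AUDIT_RE = re.compile(r"user=(\S+) action=(\w+) path=(\S+)")

def detect(log_text, threshold=3, window=timedelta(minutes=1)):
    """Return (timestamp, rule, detail) alerts for the given log text."""
    alerts = []
    failures = defaultdict(list)  # user -> recent failed-logon timestamps
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash the monitor
        ts, msg = datetime.fromisoformat(m.group(1)), m.group(3)
        f = FAILED_RE.search(msg)
        if f:
            user = f.group(1)
            # Keep only failures still inside the window, then add this one.
            failures[user] = [t for t in failures[user] if ts - t <= window] + [ts]
            if len(failures[user]) == threshold:
                alerts.append((ts, "repeated_failed_logon", f"{user} from {f.group(2)}"))
            continue
        a = AUDIT_RE.search(msg)
        if a:
            user, action, path = a.groups()
            if path in CONFIDENTIAL_PATHS:
                alerts.append((ts, "confidential_file_access", f"{user} {action} {path}"))
            if action == "unlink" and path.startswith("/var/log/"):
                alerts.append((ts, "log_deletion", f"{user} removed {path}"))
    return alerts

if __name__ == "__main__":
    for ts, rule, detail in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} ALERT {rule}: {detail}")
```

The threshold and window are the tunable part of the rule: the single failure for carol is below the threshold, so it produces no alert, which is exactly the kind of per-environment tuning the text describes.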
Benefits of Host-based Intrusion Detection System Implementations:
- Direct system information access. Since a HIDS exists directly on the host system, it can directly access local system resources (operating system configurations, files, registry, software installations, etc.).
- Can associate users with local computer processes.
- Since the host is part of the target, a HIDS can provide detailed information on the state of the system during the attack.
- Low resource utilization: a HIDS only deals with the inspection of traffic and events local to the host.