Guide to Host-based Intrusion Detection Systems

File System Security Monitoring Software For Windows PC & Linux

© Yuen Kit Mun

Sep 22, 2009
A Host IDS Detects Changes to the Hard Disk Drive, ilco (stock.xchng)
A Host IDS can detect virus infections and other unauthorized changes to the operating system. This article looks at their advantages and limitations.

The main difference between one computer (whether a desktop PC or a server: a "host") and another is the contents of their hard disks. In general (there are rare exceptions, such as malware that lives only in memory and is gone after a reboot) a virus needs to write to the hard disk to infect the computer and survive a restart.

By detecting changes in an operating system's files, a Host IDS (HIDS, Host-based IDS or Host Integrity Monitoring System) can warn about possible virus infections and other computer security issues.

Popular Host IDS include Samhain, Tripwire, OSSEC and Osiris. Many Host IDS were originally developed on Linux, but Windows versions are now also available.

How a Host IDS Works

A Host IDS is a security monitoring program that scans important operating system files (system binaries, libraries and configuration files) and stores a signature of each one: a checksum or, preferably, a cryptographic hash such as SHA-256, usually together with attributes such as size, permissions and ownership. A cryptographic hash matters because an intruder who can alter a file can easily pad it so that a simple checksum still matches.

Every few hours, the scan is repeated. Any change to a file's contents produces a different hash, and the user or administrator is alerted about the changed files (notification by email is usual). Newly created and deleted files are also reported. The stored baseline must itself be protected, for example by signing it, keeping it on read-only media or storing it on a separate machine: an intruder with administrative rights who can rewrite the baseline can hide changes from the next scan.

It is the administrator's responsibility to analyze the changes and to determine whether or not the changes are harmful.
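The mechanism described above, reduced to its essentials, as an added example (this is not code from the article or from any of the Host IDS packages it names): hash every regular file under a watched directory, keep the result as a baseline, rescan later and report what changed, appeared or disappeared. The directory tree, file contents and "attack" are constructed inside a temporary directory so the example runs offline.

```python
"""Minimal file-integrity monitor: baseline, rescan, report changes.

Added example, not code from the article or from Samhain, Tripwire, OSSEC
or Osiris. The watched tree and the tampering are constructed in a
temporary directory.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large files are fine.

    A cryptographic hash is used rather than a CRC-style checksum: an
    attacker who can modify a file can pad it so a CRC still matches, but
    cannot do so for SHA-256.
    """
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: Path) -> dict:
    """Walk root and record hash, size and permission bits of every regular file.

    Keys are paths relative to root, so a baseline can be compared even when
    it is stored on a different machine.
    """
    entries = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # skip symlinks, sockets, device nodes
            st = p.stat()
            entries[str(p.relative_to(root))] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return entries


def compare(baseline: dict, current: dict) -> dict:
    """Diff two scans: files added, removed, or with changed hash/attributes."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Build a constructed tree, baseline it, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF original ls")

        baseline = scan(root)
        # In a real deployment the baseline is written somewhere the host
        # cannot silently rewrite it (signed database, central server,
        # read-only media); here it merely round-trips through JSON.
        stored = json.loads(json.dumps(baseline))

        # Simulated unauthorized changes: extra uid-0 account appended,
        # binary replaced, config file deleted, new tool dropped into bin/.
        with (root / "etc" / "passwd").open("a") as f:
            f.write("evil:x:0:0::/root:/bin/sh\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned ls")
        (root / "etc" / "hosts").unlink()
        (root / "bin" / "nc").write_bytes(b"\x7fELF netcat")

        return compare(stored, scan(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind.upper():8} {p}")
```

Running it prints the four findings (bin/nc added, etc/hosts removed, bin/ls and etc/passwd changed); as the article says, it is then the administrator's job to decide that the rewritten `ls` is a problem while a patched `passwd` might not be. A production tool would also record owner, inode and modification time, exclude paths that legitimately churn (logs, spool directories) and, most importantly, keep the baseline where a compromised host cannot alter it.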

Possible harmless reasons include:

  • Operating system security patch update.
  • Authorized administrative changes (adding of new user account, installation of new software).

Possible harmful reasons include:

  • Virus infection.
  • System penetration by an attacker (adding of a new user account for the attacker's use, installation of hacking utilities).

For Windows systems, separate monitoring of the registry is needed. The registry is stored on the hard disk as hive files, but Windows holds them open and locked while it runs and they change constantly in the background, so monitoring the raw hive files for changes isn't practical or useful. The Host IDS must instead read individual keys and values through the registry API and baseline those.

Host IDS Advantages and Limitations

Like a Host Intrusion Prevention System (HIPS), a Host IDS doesn't rely on virus signatures. It comes as no surprise that they have similar advantages and limitations.

Host IDS limitations:

  • The user or system administrator is told only that a file has changed and must work out for themselves whether the change is safe or dangerous.
  • The computer could already have been infected before the Host IDS was installed. The infected files then become part of the baseline and the Host IDS will not detect the infection, so the baseline should be taken on a freshly installed system before it is exposed to an untrusted network.

Host IDS advantages:

  • No virus signature is required. Can detect new or unknown threats.
  • Can detect changes to operating system configuration (new user account, password change) ignored by antivirus software.

Host IDS versus HIPS

A Host IDS is totally passive. It only detects changes to the file system. A HIPS is proactive, actually preventing unauthorized behavior by programs. This can be good or bad, depending on the priorities of the system administrator.

A Host IDS will not interfere with the running of any programs, while an improperly configured HIPS could disrupt the legitimate operation of a mission-critical piece of software.

However, a HIPS can stop a real attack, whereas a Host IDS will stand idly by, let the attack happen and report it only at the next scan.

A HIPS also knows which program tried to do what and keeps a log of unauthorized access. A file-integrity Host IDS only knows that a file has changed, not which program made the change or exactly when within the scan interval it happened.

One advantage of a Host IDS is that it is more easily deployed to multiple computers than a HIPS, because less per-machine customization is required. Most Host IDS packages explicitly support multiple machines, running a file-scanning client on each computer and collecting the results on a central administrative server.

Should a Host IDS be Deployed?

Like a HIPS, a host IDS requires some IT knowledge to use. It is suitable for IT professionals who need to secure many servers in a controlled environment.

Deploying a Host IDS for critical systems is a "no brainer". A Host IDS:

  • Does not interfere with normal system operation (unlike a HIPS).
  • Works well with other security software (antivirus, HIPS, host firewall).
  • Takes up few system resources, does not significantly slow down the computer (unlike some antivirus programs).
  • Provides logs of system changes to help with security forensics.

In short, there is little downside to deploying a Host IDS. The main cost is manpower to deploy the system, respond to alerts and analyze the log files. Many of the leading Host IDS solutions are open source projects, requiring no license fee for use.

Corporate IT departments should also consider deploying a Network IDS/IPS alongside host-based monitoring.

For more information, Brian Wotring has an article on Host Integrity Monitoring: Best Practices for Deployment.


The copyright of the article Guide to Host-based Intrusion Detection Systems in Security/Antivirus Software is owned by Yuen Kit Mun. Permission to republish Guide to Host-based Intrusion Detection Systems in print or online must be granted by the author in writing.

