What is a Host-based Intrusion Detection System?
- Host-based intrusion detection systems are aimed at collecting information about activity on a particular single system, or host.
- Monitors “who accessed what”, i.e. helps detect malicious or improper activity.
- The term “host” refers to an individual computer, so a separate sensor is needed for every machine.
- These host-based agents, sometimes referred to as sensors, are typically installed on a machine deemed susceptible to attack.
- Sensors work by collecting data about events taking place on the monitored system. This data is recorded by operating system mechanisms called audit trails.
- An example of a HIDS is OSSEC.
Advantages of a Host-based Intrusion Detection System
- Versatile: able to operate in encrypted environments and over a switched network topology.
- Scalability: host-based systems are necessarily distributed throughout a system.
- Reduced deployment costs: the monitoring load can be distributed across the available hosts on large networks.
Disadvantages of a Host-based Intrusion Detection System
- To gather finer levels of detail, sensors accumulate large amounts of data that take up significant storage.
- Cannot monitor network traffic; limited to monitoring the host only.
- Since audit trails are used as the source of information, they can be very costly.
- Cross-platform issues: sensors are host-based, so they have to be compatible with the platform they run on.
What is a Network-based Intrusion Detection System?
- These systems collect information from the network itself, rather than from each separate host.
- Network sensors come equipped with “attack signatures”, rules defining what constitutes an attack; most network-based systems allow advanced users to define their own signatures.
- The sensor compares signatures to the traffic it captures by inspecting packet contents and header information, also known as packet sniffing. This is how sensors identify hostile traffic.
- Intrusion detection systems are configured, and signatures carefully written, to minimize the number of false positives.
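The signature comparison described above, as an added example that is not part of these notes: a toy sensor that checks each captured packet's header fields and payload bytes against a small rule set. The packets, rule names and content patterns are constructed for illustration; the sample traffic also includes an encrypted TLS payload the sensor cannot read and a benign request that still fires a content rule, i.e. a false positive of the kind careful signature writing tries to avoid.

```python
# Added example, not from the notes: toy NIDS signature matching over
# constructed packets. Rules combine header checks (protocol, destination
# port) with a byte pattern that must appear in the payload.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int          # destination port from the header
    payload: bytes      # packet contents after the headers

@dataclass
class Signature:
    name: str
    proto: Optional[str] = None
    dport: Optional[int] = None
    content: Optional[bytes] = None   # pattern searched for in the payload

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.content is not None and self.content not in pkt.payload:
            return False
        return True

# Hypothetical rule set (names and patterns are constructed).
SIGNATURES = [
    Signature("http-traversal", proto="tcp", dport=80, content=b"../../"),
    Signature("smtp-vrfy-probe", proto="tcp", dport=25, content=b"VRFY "),
]

def inspect(packets: List[Packet]) -> List[Tuple[str, Packet]]:
    """Return (rule name, packet) for every packet that matches a rule."""
    return [(sig.name, pkt) for pkt in packets for sig in SIGNATURES if sig.matches(pkt)]

# Constructed sample traffic seen on the monitored segment.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.80", "tcp", 80, b"GET /../../etc/passwd HTTP/1.0\r\n"),
    # TLS record: contents are encrypted, so no content rule can inspect them.
    Packet("10.0.0.5", "10.0.0.80", "tcp", 443, b"\x17\x03\x03\x00\x2a" + bytes(42)),
    Packet("10.0.0.6", "10.0.0.25", "tcp", 25, b"VRFY root\r\n"),
    # Benign relative path that still contains the pattern: a false positive.
    Packet("10.0.0.7", "10.0.0.80", "tcp", 80, b"GET /docs/../../index.html HTTP/1.0\r\n"),
]
```

Running `inspect(SAMPLE)` flags the first, third and fourth packets; the fourth is the false positive, and the TLS packet is never examined beyond its header.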
Advantages of a Network-based Intrusion Detection System
- Low performance cost, since the monitors only read each packet as it crosses their network segment.
- Low financial cost, since little storage space is required.
- Extremely portable: focuses on capturing network packets, regardless of the destination operating system type.
Disadvantages of a Network-based Intrusion Detection System
- Signatures are written based on data collected from known and previous attacks, so they “will always be a step behind the latest underground exploits”.
- NIDS require regular updates to their signature databases.
- Scalability: network monitors must inspect every packet that passes through the segment, but can’t monitor high-speed (today gigabit) networks.
- Encryption: the agent cannot inspect what’s inside an encrypted packet.
- Switched networks: the network switch isolates connections between hosts so that a host can only see the traffic addressed to it.
- Communication media: network monitors are unable to see traffic travelling over dial-up phone lines.
The latest arguments suggest that the best solution is one that will incorporate both methods. A system that integrates both host- and network-based characteristics seems intuitively the most logical approach.