Intrusion Detection Systems

2,830 bytes added, 20:17, 26 February 2008
Host-based Intrusion Detection Systems
* ''Management and Reporting Interface'' - A management interface provides a mechanism by which system administrators manage the system and receive alerts when intrusions are detected.
== Host-based Intrusion Detection Systems (HIDS) ==

A host-based IDS runs directly on a server or desktop system and uses the resources of that system to examine log and audit files together with the network traffic entering and leaving the system. In addition, some host-based systems are able to monitor the log files of specific services such as web or FTP servers. These systems work either in real time or in a batch mode where the logs are checked at pre-defined intervals. A host-based IDS might, for example, look for anomalies such as multiple failed login attempts, logins occurring at unusual times, and access to system files not usually accessed by users.

Host-based intrusion detection systems have a number of strengths and weaknesses.

== Host-based IDS - Strengths ==

* '''Fewer False Positives''' - A false positive is legitimate, authorized activity on a system which is incorrectly identified by an IDS as suspicious or malicious. By running directly on the host and analyzing log files in the context of overall system activity, a host-based IDS reduces the number of false positives.
* '''Narrow Operating System Focus''' - Host-based systems are usually developed for a specific operating system, avoiding the pitfalls of a more general, cross-platform approach to intrusion detection.
* '''Decrypted Data Monitoring''' - Where malicious network traffic is encrypted (for example inside SSH or TLS), a network-based IDS sees only ciphertext and misses it. Because a host-based system examines the data after it has been decrypted by the operating system and network stack, it is better placed to identify malicious activity carried in encrypted connections.
* '''Non-Network Based Attacks''' - While many attacks are initiated via the network, it is also common for attacks to be performed directly at the system by disgruntled or dishonest employees. The advantage of a host-based IDS over a network-based IDS is that it is capable of identifying suspicious activity taking place at the physical machine (i.e. via the keyboard and mouse attached to the computer), which never appears on the wire.
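The anomaly checks described above (repeated failed logins, logins at unusual hours) in working form, as an added example that is not part of the original page: a small batch-mode log checker run over constructed sshd syslog lines. The failure threshold, the "working hours" window and the log lines themselves are assumptions made for the example, not values from any real HIDS product.

```python
import re
from collections import defaultdict

# Constructed sample auth-log lines in syslog/sshd format (not from a real system).
# Addresses are from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_LOG = """\
Feb 26 02:03:11 host1 sshd[4012]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Feb 26 02:03:14 host1 sshd[4012]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Feb 26 02:03:17 host1 sshd[4012]: Failed password for root from 203.0.113.7 port 51024 ssh2
Feb 26 02:03:20 host1 sshd[4012]: Failed password for root from 203.0.113.7 port 51025 ssh2
Feb 26 02:03:23 host1 sshd[4012]: Failed password for root from 203.0.113.7 port 51026 ssh2
Feb 26 02:05:40 host1 sshd[4020]: Accepted password for root from 203.0.113.7 port 51030 ssh2
Feb 26 09:15:02 host1 sshd[4100]: Accepted publickey for alice from 198.51.100.4 port 40010 ssh2
Feb 26 09:20:44 host1 sshd[4101]: Failed password for bob from 198.51.100.9 port 40020 ssh2
Feb 26 23:41:09 host1 sshd[4200]: Accepted password for bob from 198.51.100.9 port 40031 ssh2
"""

# Matches the sshd "Accepted"/"Failed" lines; anything else is ignored.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Assumed detection policy for this example.
FAILED_THRESHOLD = 5          # failures from one source before raising an alert
WORK_HOURS = range(7, 20)     # 07:00-19:59; successful logins outside this are "unusual"


def parse(line):
    """Parse one sshd syslog line into a dict, or return None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "hour": int(m.group("time")[:2]),
        "result": m.group("result"),
        "user": m.group("user"),
        "ip": m.group("ip"),
        "raw": line,
    }


def analyze(lines, failed_threshold=FAILED_THRESHOLD, work_hours=WORK_HOURS):
    """Batch-mode check over an iterable of log lines; returns a list of alert dicts.

    Three anomalies are reported:
      brute_force            - the Nth consecutive failure from one source address
      success_after_failures - a successful login from a source already over the threshold
      off_hours_login        - a successful login outside the assumed working hours
    A production HIDS would also age counters out over a time window; this example
    keeps a simple per-run count so the logic stays visible.
    """
    failures = defaultdict(int)
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
            if failures[ev["ip"]] == failed_threshold:
                alerts.append({"type": "brute_force", "ip": ev["ip"],
                               "count": failed_threshold, "line": ev["raw"]})
        else:  # Accepted
            if failures[ev["ip"]] >= failed_threshold:
                alerts.append({"type": "success_after_failures", "ip": ev["ip"],
                               "user": ev["user"], "line": ev["raw"]})
            if ev["hour"] not in work_hours:
                alerts.append({"type": "off_hours_login", "ip": ev["ip"],
                               "user": ev["user"], "line": ev["raw"]})
    return alerts


if __name__ == "__main__":
    # Batch mode: run over the whole sample. For real-time mode the same function
    # can be fed lines as they are appended to the log file.
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert["type"], alert["ip"], alert.get("user", ""), "|", alert["line"])
```

Run against the sample, the checker raises four alerts: the fifth failure from 203.0.113.7, the root login from that same address shortly afterwards (flagged both as a success following a brute-force run and as an off-hours login), and bob's 23:41 login. Alice's 09:15 login and bob's single failure produce nothing, which is the "analyze in context" point the strengths list makes about false positives.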
== Host-based IDS - Weaknesses ==

* '''Use of Local System Resources''' - Host-based IDSs use the CPU and memory of the very systems they are designed to protect. Whilst not a serious issue for typical users, this can have a significant impact on systems where high-performance or real-time demands are made.
* '''Scalability''' - Whilst host-based intrusion detection systems work well when deployed on small numbers of systems, the tracking, monitoring and maintenance of hundreds or thousands of systems can quickly become a cumbersome overhead in terms of cost and resources.
* '''Local IDS Logging Vulnerable''' - Because host-based systems often log locally on the systems they are protecting, an attacker who gains control of the host can alter or delete those log files to remove any record of malicious activity. Forwarding alerts and logs to a separate collector as they are generated limits what a compromised host can erase.

== Network-based Intrusion Detection Systems (NIDS) ==
