Host based intrusion detection (HIDS) refers to intrusion detection that takes place on a single host system. Currently, HIDS involves installing an agent on the local host that monitors and reports on the system configuration and application activity. Some common abilities of HIDS systems include log analysis, event correlation, integrity checking, policy enforcement, rootkit detection, and alerting1. They often also have the ability to baseline a host system to detect variations in system configuration. In specific vendor implementations these HIDS agents also allow connectivity to other security systems. For example, Cisco CSA has the ability to send host data upstream to Cisco network IPS devices2, Checkpoint Integrity can be integrated with Checkpoint Secure Client (Client VPN)3, and IBM Proventia Desktop is Cisco NAC certified.4
Most HIDS packages now have the ability to actively prevent malicious or anomalous activity on the host system. Due to the potential impact this can have on the end user, HIDS is frequently deployed in "monitor only" mode initially. This enables the administrator to create a baseline of the system configuration and activity. Active blocking of applications, system changes, and network activity is limited to only the most egregious activities. Administrators can then tune the system policy based on what is considered "normal activity".
To be effective in an environment with more than a few hosts, HIDS is generally deployed to be managed from a central location. On the management system a policy is configured for deployment to local agents. There can be a single policy for all computers, but more than likely there will be multiple policies for particular operating systems, machine types, physical locations, and user types. As an example, a policy may be specific for all Windows DNS servers, all Windows desktops in a remote office, or all Linux systems in an enterprise. These policies have configuration values unique to the local system requirements. On a Windows host it is common to monitor registry changes, access and changes to .dll files, and application activity. On a DNS server the policy may look to verify the integrity and report on changes to the DNS server configuration files.
Once a policy is configured, it is then applied and distributed to a group of hosts with the agent installed. Some benefits of this central management architecture are the ability to apply changes to many systems at once and create a "baseline" for known system types. Central authentication, alerting, and reporting are also benefits of the central management architecture.
The HIDS agent monitors system integrity, application activity, file changes, host network traffic, and system logs. Using common hashing tools, file timestamps, system logs, and monitoring system calls and the local network interface gives the agent insight to the current state of the local host. If an unauthorized change or activity is detected, it will alert the user via a pop-up, alert the central management server, block the activity, or a combination of the three. The decision is based on the policy that is installed on the local system.
There are many types of HIDS software available. Below is a list of some of the most common:
Ernst & Young
1 OSSEC About
2 Integrating Cisco Security Agent with Cisco Intrusion Prevention System
3 Checkpoint Integrity with Secure Client
4 IBM Proventia Desktop FAQ
5 Original SANS IDS FAQ Laurie Zirkle, CSE