October 2, 1998
Page 6
Strengths of Host-Based Intrusion Detection Systems
While host-based intrusion detection systems are not as fast as their network counterparts, they
do offer advantages that the network-based systems cannot match. These strengths include
stronger forensic analysis, a close focus on host-specific event data and lower entry-level costs.
Host-based intrusion detection:
1. Verifies success or failure of an attack
Since host-based IDS use logs containing events that have actually occurred, they can measure whether an attack was successful or not with greater accuracy and fewer false positives than network-based systems. In this respect, host-based IDS make an excellent complement to network-based intrusion detection, with the network component providing early warning and the host component providing verification of whether an attack was successful or not.
2. Monitors specific system activities
Host-based IDS monitor user and file access activity, including file accesses, changes to file permissions, attempts to install new executables and/or attempts to access privileged services. For example, a host-based IDS can monitor all user logon and logoff activity, as well as what each user does while connected to the network. It is very difficult for a network-based system to provide this level of event detail.
Host-based technology can also monitor activities that are normally executed only by an administrator. Operating systems log any event where user accounts are added, deleted, or modified. The host-based IDS can detect an improper change as soon as it is executed. Host-based IDS can also audit policy changes that affect what systems track in their logs.
Finally, host-based systems can monitor changes to key system files and executables. Attempts to overwrite vital system files, or to install trojan horses or backdoors, can be detected and stopped. Network-based systems sometimes miss this kind of activity.
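As an added illustration of points 1 and 2 (example code, not from this paper), a small Python analyzer run over constructed syslog-style lines: a run of failed logons for one user and source is reported as an attempted attack, it is upgraded to a verified success when the same user and source are then accepted, and account changes that the operating system logs are reported as they occur. The log lines, the message patterns and the failure threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample host log, sshd and useradd style; not taken from any real system.
SAMPLE_LOG = """\
Oct  2 10:01:02 srv1 sshd[411]: Failed password for admin from 10.0.0.9 port 40001
Oct  2 10:01:04 srv1 sshd[411]: Failed password for admin from 10.0.0.9 port 40002
Oct  2 10:01:06 srv1 sshd[411]: Failed password for admin from 10.0.0.9 port 40003
Oct  2 10:01:09 srv1 sshd[412]: Accepted password for admin from 10.0.0.9 port 40004
Oct  2 10:01:30 srv1 useradd[420]: new user: name=svc_backup, UID=1003
Oct  2 10:02:00 srv1 sshd[430]: Failed password for root from 10.0.0.7 port 50001
Oct  2 10:02:01 srv1 sshd[430]: Failed password for root from 10.0.0.7 port 50002
Oct  2 10:02:03 srv1 sshd[430]: Failed password for root from 10.0.0.7 port 50003
"""

# Assumed message formats for the events the host log records.
FAILED = re.compile(r"Failed password for (\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted password for (\S+) from (\S+)")
ACCOUNT = re.compile(r"(useradd|usermod|userdel)\[\d+\]: (.*)")


def analyze(log_text, threshold=3):
    """Return (severity, message) findings from host log text.

    `threshold` failures for one (user, source) pair mark an attempted
    attack; an Accepted line for the same pair afterwards verifies that
    it succeeded. Account changes are always reported, since the OS logs
    them and they are normally performed only by an administrator.
    """
    failures = defaultdict(int)
    findings = []
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            failures[m.groups()] += 1
        elif m := ACCEPTED.search(line):
            key = m.groups()
            if failures.get(key, 0) >= threshold:
                findings.append(("HIGH", f"verified: {key[0]} from {key[1]} "
                                 f"succeeded after {failures[key]} failures"))
            failures.pop(key, None)  # success resets the failure run
        elif m := ACCOUNT.search(line):
            findings.append(("MEDIUM", f"account change via {m.group(1)}: {m.group(2)}"))
    # Failure runs that never ended in success: attempted, not successful.
    for (user, src), n in failures.items():
        if n >= threshold:
            findings.append(("LOW", f"attempted, not successful: {user} from {src}, {n} failures"))
    return findings


if __name__ == "__main__":
    for severity, message in analyze(SAMPLE_LOG):
        print(severity, message)
```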
3. Detects attacks that network-based systems miss
Host-based systems can detect attacks that cannot be seen by network-based products. For example, attacks from the keyboard of a critical server do not cross the network, and so cannot be seen by a network-based intrusion detection system.
4. Well-suited for encrypted and switched environments
Since host-based systems reside on various hosts throughout an enterprise, they can overcome some of the deployment challenges faced by network-based intrusion detection in switched and encrypted environments.
Switches allow large networks to be managed as many smaller network segments. As a
result, it can be difficult to identify the best locations for deploying a network-based IDS to
achieve sufficient network coverage. Traffic mirroring and administrative ports on switches
can help, but these techniques are not always appropriate. Host-based intrusion detection
provides greater visibility in a switched environment by residing on as many critical hosts
as needed.
Certain types of encryption also present challenges to network-based intrusion detection.
Depending where the encryption resides within the protocol stack, it may leave a network-
based system blind to certain attacks. Host-based IDS do not have this limitation. By the