nvh_ids_6 October 2, 1998 Page 6

Strengths of Host-Based Intrusion Detection Systems

While host-based intrusion detection systems are not as fast as their network counterparts, they do offer advantages that the network-based systems cannot match. These strengths include stronger forensic analysis, a close focus on host-specific event data and lower entry-level costs. Host-based intrusion detection:

1. Verifies success or failure of an attack – Since host-based IDS use logs containing events that have actually occurred, they can measure whether an attack was successful or not with greater accuracy and fewer false positives than network-based systems. In this respect, host-based IDS make an excellent complement to network-based intrusion detection, with the network component providing early warning and the host component providing verification of whether an attack was successful or not.

2. Monitors specific system activities – Host-based IDS monitor user and file access activity, including file accesses, changes to file permissions, attempts to install new executables and/or attempts to access privileged services. For example, a host-based IDS can monitor all user logon and logoff activity, as well as what each user does while connected to the network. It is very difficult for a network-based system to provide this level of event detail. Host-based technology can also monitor activities that are normally executed only by an administrator. Operating systems log any event where user accounts are added, deleted, or modified. The host-based IDS can detect an improper change as soon as it is executed. Host-based IDS can also audit policy changes that affect what systems track in their logs. Finally, host-based systems can monitor changes to key system files and executables. Attempts to overwrite vital system files, or to install trojan horses or backdoors, can be detected and stopped. Network-based systems sometimes miss this kind of activity.

3. Detects attacks that network-based systems miss – Host-based systems can detect attacks that cannot be seen by network-based products. For example, attacks from the keyboard of a critical server do not cross the network, and so cannot be seen by a network-based intrusion detection system.

4. Well-suited for encrypted and switched environments – Since host-based systems reside on various hosts throughout an enterprise, they can overcome some of the deployment challenges faced by network-based intrusion detection in switched and encrypted environments. Switches allow large networks to be managed as many smaller network segments. As a result, it can be difficult to identify the best locations for deploying a network-based IDS to achieve sufficient network coverage. Traffic mirroring and administrative ports on switches can help, but these techniques are not always appropriate. Host-based intrusion detection provides greater visibility in a switched environment by residing on as many critical hosts as needed. Certain types of encryption also present challenges to network-based intrusion detection. Depending on where the encryption resides within the protocol stack, it may leave a network-based system blind to certain attacks. Host-based IDS do not have this limitation. By the
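The two host-side capabilities described in items 1 and 2 (using host logs to verify whether a logon attack actually succeeded, and detecting changes to key system files, permissions and user accounts) can be shown with a small Python script. This is an added example, not code from the paper or from any IDS product; the directory layout, the syslog-style log lines and the host, user and address values in them are constructed for the example, and the regular expressions match only those constructed formats.

```python
"""Added example: a minimal host-based monitor in the spirit of the paper.

Part 1: a file-integrity baseline that reports modified, permission-changed,
new and missing files under a monitored tree.
Part 2: a log analyser that extracts account changes and logon events and
reports whether a run of failed logons ended in a success (the "verification"
role the paper assigns to host-based IDS).
All paths, log lines and values below are constructed for the example.
"""
import hashlib
import os
import re
import tempfile

# Constructed sample of syslog-style lines (not from a real host).
SAMPLE_LOG = [
    "Mar  3 10:01:02 host1 sshd[412]: Failed password for root from 198.51.100.7 port 50122 ssh2",
    "Mar  3 10:01:05 host1 sshd[412]: Failed password for root from 198.51.100.7 port 50122 ssh2",
    "Mar  3 10:01:09 host1 sshd[412]: Accepted password for root from 198.51.100.7 port 50122 ssh2",
    "Mar  3 10:02:00 host1 useradd[501]: new user: name=svc, UID=1005, GID=1005, home=/home/svc, shell=/bin/sh",
    "Mar  3 10:02:30 host1 usermod[510]: add 'svc' to group 'wheel'",
]

# Patterns written for the constructed lines above (assumed formats).
LOG_PATTERNS = {
    "logon_failed": re.compile(r"sshd\[\d+\]: Failed password for (\S+) from (\S+)"),
    "logon_success": re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)"),
    "account_added": re.compile(r"useradd\[\d+\]: new user: name=(\S+?),"),
    "group_changed": re.compile(r"usermod\[\d+\]: add '(\S+)' to group '(\S+)'"),
}


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root to (content hash, permission bits)."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            baseline[rel] = (hash_file(path), os.stat(path).st_mode & 0o7777)
    return baseline


def compare_baseline(root, baseline):
    """Return sorted (kind, relative path) alerts for deviations from the baseline."""
    current = build_baseline(root)
    alerts = []
    for rel, (digest, mode) in baseline.items():
        if rel not in current:
            alerts.append(("missing", rel))
            continue
        cur_digest, cur_mode = current[rel]
        if cur_digest != digest:
            alerts.append(("modified", rel))
        if cur_mode != mode:
            alerts.append(("permission_changed", rel))
    for rel in current:
        if rel not in baseline:
            alerts.append(("new_file", rel))
    return sorted(alerts)


def analyse_log(lines):
    """Turn raw log lines into (event kind, *fields) tuples; unmatched lines are ignored."""
    events = []
    for line in lines:
        for kind, pattern in LOG_PATTERNS.items():
            match = pattern.search(line)
            if match:
                events.append((kind,) + match.groups())
    return events


def verify_outcome(events):
    """For each (user, source), report failed logons that were followed by a success.

    A network sensor sees the attempts; the host log shows which one got in.
    Returns a list of (user, source, failures_before_success).
    """
    failures = {}
    confirmed = []
    for event in events:
        if event[0] == "logon_failed":
            key = (event[1], event[2])
            failures[key] = failures.get(key, 0) + 1
        elif event[0] == "logon_success":
            key = (event[1], event[2])
            if failures.get(key, 0) > 0:
                confirmed.append((key[0], key[1], failures[key]))
    return confirmed


def demo():
    """Build a baseline over a constructed tree, alter it, and analyse the sample log."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        exe = os.path.join(root, "bin", "login")
        with open(exe, "wb") as f:
            f.write(b"original binary\n")
        os.chmod(exe, 0o755)
        baseline = build_baseline(root)
        # Simulate what a monitor should catch: an overwritten executable that
        # is also made world-writable, and an unexpected new file appearing.
        with open(exe, "wb") as f:
            f.write(b"replaced binary\n")
        os.chmod(exe, 0o777)
        with open(os.path.join(root, "bin", "bd"), "wb") as f:
            f.write(b"x")
        file_alerts = compare_baseline(root, baseline)
    events = analyse_log(SAMPLE_LOG)
    return file_alerts, events, verify_outcome(events)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The baseline stores both a content hash and the permission bits because the paper lists both kinds of change as things a host-based IDS watches; a production integrity checker would also record ownership and keep the baseline somewhere the monitored host cannot rewrite it.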