HIDS – A Guide To Host Based Intrusion Detection Systems
Defending against cyber attack
With cyber-attacks constantly in the news and the threats becoming more sophisticated and prevalent, you are not alone in your concerns about your business's security. While simple security measures might have been adequate in the past, today your company needs a multi-layered security approach to protect it from hackers and other malicious actors. In this article, we look at an application that monitors a host device for suspicious activity: a HIDS, or Host-Based Intrusion Detection System.
What is an Intrusion Detection System?
There are two types of Intrusion Detection Systems: Host-Based and Network-Based IDS. In this article, we will discuss host-based systems, but we will also explore the difference between the two. Similar to a burglar or fire alarm in a physical environment, an intrusion detection system will identify potential threats to your network or host. Just like its physical counterparts, when an incident is identified, it will notify someone of the intrusion. In this case, it is likely to be a system administrator or IT security personnel. They will investigate the intrusion and take remedial action if necessary.
An intrusion detection system is software that monitors traffic on a network or activity on a host device and analyses it for signs of malicious intent or policy violations. Common incidents that an IDS detects are malware, unauthorised access attempts, authorised users attempting to abuse or escalate privileges they have not been granted, and modification of configuration files.
Intrusion detection systems typically work in conjunction with firewalls, and the two treat traffic as mirror images of each other. A firewall is configured to allow only specific types of traffic and block the rest. An IDS lets all traffic pass and identifies the specific traffic that could be a threat.
What is a Host Based Intrusion Detection System?
A Host-Based Intrusion Detection System monitors a single host, such as a computer, server or other endpoint device, and sends alerts if suspicious activity is detected. Most HIDS deploy software known as an agent on the host, which monitors and reports on activity. Examples of what a HIDS monitors are the network traffic of that specific host, file access, file modifications, configuration changes, running processes and events, and application and system logs.
HIDS are typically installed on critical hosts, such as servers that hold sensitive data or that are accessible from the public internet, but an agent can be deployed on any single host if required. Agents are available for most of the servers and computers used by a business.
What Is The Difference Between HIDS and NIDS?
The simple answer is that a HIDS detects host-level attacks while a NIDS (Network-Based Intrusion Detection System) detects attacks against a network segment. The two differ in what they examine. A NIDS works in real time, inspecting the packets crossing the network for evidence of interference. A HIDS instead examines data generated on the host itself: system and application logs, file and configuration changes, and process activity. Because much of that data is recorded after the fact, a HIDS is looking at what has already happened on the host, although agents normally read the logs continuously rather than in occasional batches.
As each intrusion detection system has its benefits, the best strategy would be to incorporate both into your security systems, utilising their combined strengths. If an intruder manages to go undetected by the NIDS, it might be identified by the HIDS.
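As an added illustration of the checks a host agent performs (the file, configuration and log monitoring described under "What is a Host Based Intrusion Detection System?" and the log-based detection contrasted with a NIDS above), here is a small Python script. It is not the code of any HIDS product: it takes a SHA-256 and permission baseline of a directory, reports files that were added, modified, deleted or re-permissioned, and scans constructed syslog-style auth lines for SSH brute-force attempts and sudo denials. The paths, file contents, log lines and the five-failure threshold are all assumptions made for the example.

```python
"""Minimal HIDS-style checks: a file-integrity baseline that reports added, modified,
deleted or re-permissioned files, and pattern matching over host log lines for
brute-force logins and privilege-escalation attempts. Illustrative only."""
import hashlib
import os
import re
import tempfile
from collections import Counter


def hash_file(path):
    """SHA-256 of a file's contents (a real agent would stream large files)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def build_baseline(root):
    """Map relative path -> (sha256, permission bits) for every file under root.
    A real agent keeps this off-host or signed, so root on the box cannot rewrite it."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (hash_file(full), os.stat(full).st_mode & 0o777)
    return baseline


def compare_baseline(old, new):
    """Return sorted (event, path) tuples describing drift from the baseline."""
    events = []
    for rel, (digest, mode) in new.items():
        if rel not in old:
            events.append(("added", rel))
            continue
        old_digest, old_mode = old[rel]
        if digest != old_digest:
            events.append(("modified", rel))
        if mode != old_mode:
            events.append(("mode_changed", rel))
    events.extend(("deleted", rel) for rel in old if rel not in new)
    return sorted(events)


# Constructed, syslog-style auth log lines; not captured from a real host.
SAMPLE_AUTH_LOG = """\
Mar  4 10:01:12 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 50112 ssh2
Mar  4 10:01:14 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 50113 ssh2
Mar  4 10:01:16 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 50114 ssh2
Mar  4 10:01:18 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 50115 ssh2
Mar  4 10:01:20 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 50116 ssh2
Mar  4 10:02:03 web01 sshd[2230]: Accepted publickey for deploy from 198.51.100.7 port 41000 ssh2
Mar  4 10:05:41 web01 sudo:   www-data : user NOT in sudoers ; TTY=pts/1 ; PWD=/var/www ; USER=root ; COMMAND=/bin/bash
"""

FAILED_LOGIN = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
SUDO_DENIED = re.compile(r"sudo:\s+(\S+) : user NOT in sudoers")


def analyse_log(text, threshold=5):
    """Alerts: one per sudo denial, plus a brute-force alert for each source
    address with at least `threshold` failed SSH logins."""
    failures, alerts = Counter(), []
    for line in text.splitlines():
        if m := FAILED_LOGIN.search(line):
            failures[m.group(2)] += 1
        elif m := SUDO_DENIED.search(line):
            alerts.append(("sudo_denied", m.group(1)))
    alerts.extend(("brute_force", src) for src, n in failures.items() if n >= threshold)
    return alerts


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def run_demo():
    """Take a baseline, simulate an intruder's changes, and return what the checks report."""
    with tempfile.TemporaryDirectory() as root:
        passwd = os.path.join(root, "etc", "passwd")
        sshd_config = os.path.join(root, "etc", "ssh", "sshd_config")
        _write(passwd, "root:x:0:0:root:/root:/bin/bash\n")
        os.chmod(passwd, 0o640)
        _write(sshd_config, "PermitRootLogin no\n")
        baseline = build_baseline(root)
        # Simulated tampering: weaken sshd config, loosen passwd, add a cron persistence job.
        _write(sshd_config, "PermitRootLogin yes\n")
        os.chmod(passwd, 0o666)
        _write(os.path.join(root, "etc", "cron.d", "persist"), "* * * * * root /tmp/.x\n")
        fim_events = compare_baseline(baseline, build_baseline(root))
    return fim_events, analyse_log(SAMPLE_AUTH_LOG)


if __name__ == "__main__":
    fim_events, log_alerts = run_demo()
    for event in fim_events + log_alerts:
        print(*event)
```

Running the script reports the three file-level changes (the new cron job, the loosened permissions on passwd and the rewritten sshd_config) alongside the sudo denial and the brute-force source address. In a real deployment the baseline and the raw log lines would be shipped to a central collector rather than kept on the monitored host, for the tampering reason discussed in the drawbacks below.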
What are The Pros and Cons of HIDS?
- HIDS are more challenging to manage than a similar-sized NIDS setup, especially in a larger organisation, because every host that requires monitoring needs an agent installed, configured and maintained. For an extensive network with thousands of hosts this is a significant undertaking. The logical solution is to combine the two: a network-based system for most of the network and host-based intrusion detection for mission-critical machines.
- Malware that establishes itself on a host may be able to escalate its privileges. With administrative rights it can turn off anti-malware software and logging during the attack, and once the host is compromised it can even disable the HIDS agent itself. For this reason, HIDS alerts and logs should be forwarded off the host as soon as they are generated, so that a compromised host cannot quietly erase the evidence.
- An experienced systems administrator is required to administer and tune a HIDS.
What's The Difference Between HIDS and HIPS?
An IDS analyses a copy of the data rather than the data itself, so it does not interrupt traffic flow; it is essentially analysing the data out of band. In contrast, an Intrusion Prevention System (IPS) sits inline: traffic flows through it and it monitors the data in real time, so it can block malicious traffic entering or leaving the network. As with IDS, intrusion prevention systems can be deployed either on the host or in the network. Host-based Intrusion Prevention Systems are known as HIPS and network-based ones as NIPS.
So IPS software installed on a host (HIPS) will block activity it deems malicious, whereas a HIDS will identify the threat but not block it. Basically, HIDS is a passive solution while HIPS is active. IDS and IPS solutions are often used in conjunction, depending on a business's individual needs.
Host-Based Intrusion Detection Systems can play a part in a robust security system alongside the other IDPS (Intrusion Detection and Prevention System) solutions briefly discussed here. Each has its advantages and disadvantages, and all of them require the knowledge of IT security professionals to use them optimally.