HIDS and HIPS

The host intrusion detection system (HIDS) and host intrusion prevention system (HIPS) are host-based cousins to NIDS and NIPS.

Edited at 2020-10-10 05:58:06

Fiona_

HIDS and HIPS

Fiona_

Recommended to you
Outline

40k classes
- 1.8k
- 2
- 1
Oliveettom
Cisco IOS interface
- 578
- 3
Roy Mustang
application development and deployment
- 786
- 8
- 2
Roy Mustang
Data Sanitization Tools
- 376
- 1
Roy Mustang
DATA COLLECTION MEASURES
- 634
- 2
Roy Mustang
Android
- 444
- 1
Roy Mustang
Java Training
- 1.7k
- 11
- 2
Roy Mustang
Active reading techniques
- 569
- 3
- 2
Study Smarter
Classification of visual languages
- 284
- 1
Study Smarter
Game Theory
- 1.0k
- 9
- 3
Fiona_

HIDS & HIPS

Host-Based Intrusion Detection Systems

Intrusion Detection System (IDS):

A software application that monitors a network or systems for malicious activity or policy violations.

Host-based Intrusion Detection Systems (HIDS):

Software installed directly on an OS that monitors changes in file integrity.

Examples of HIDS applications:

Trend Micro OSSEC:

https://ossec.github.io/index.html

Verisys:

https://www.ionx.co.uk/products/verisys

Tripwire:

https://www.tripwire.com/products/tripwire-file-integrity-monitoring/

Two types of monitoring can be performed by an IDS:

Statistical Anomaly (Heuristic) Monitoring:

A baseline (based on normal network traffic) is established, and compared to sampled traffic.

Traffic outside the set baseline parameters triggers a notification.

Signature-Based Monitoring:

Traffic is matched against patterns of known malicious code snippets known as signatures.

These signatures are stored in a database that must be updated regularly.

Four types of traffic identification are possible. This is not exclusive to an IDS:

True Positive:

An attack is correctly identified as malicious and filtered (discarded)

True Negative:

Non-threatening traffic is correctly identified as legitimate and permitted

False Positive:

Non-threatening traffic is incorrectly identified as malicious and filtered (discarded)

False Negative:

An attack is incorrectly identified as legitimate and permitted

Malicious activities and violations are typically reported either to an administrator or collected centrally using a Security Information and Event Management (SIEM) system.

Host-Based Intrusion Prevention Systems

Software designed not only to detect incidents and attacks, but also to attempt to prevent them from doing any real damage to the computer or to the network.

Providers:

McAfee

Symantec

There are also downloadable implementations for Linux that prevent malicious code from executing, such as Security-Enhanced Linux (SELinux). It is a set of kernel modifications originally developed by the National Security Agency (NSA) but was released to the open source community for download.