Mind Map Gallery HIDS and HIPS
The host intrusion detection system (HIDS) and host intrusion prevention system (HIPS) are host-based cousins to NIDS and NIPS.Edited at 2020-10-10 05:58:06
HIDS & HIPS
Host-Based Intrusion Detection Systems
Intrusion Detection System (IDS):
A software application that monitors a network or systems for malicious activity or policy violations.
Host-based Intrusion Detection Systems (HIDS):
Software installed directly on an OS that monitors changes in file integrity.
Examples of HIDS applications:
Trend Micro OSSEC:
Two types of monitoring can be performed by an IDS:
Statistical Anomaly (Heuristic) Monitoring:
A baseline (based on normal network traffic) is established, and compared to sampled traffic.
Traffic outside the set baseline parameters triggers a notification.
Traffic is matched against patterns of known malicious code snippets known as signatures.
These signatures are stored in a database that must be updated regularly.
Four types of traffic identification are possible. This is not exclusive to an IDS:
An attack is correctly identified as malicious and filtered (discarded)
Non-threatening traffic is correctly identified as legitimate and permitted
Non-threatening traffic is incorrectly identified as malicious and filtered (discarded)
An attack is incorrectly identified as legitimate and permitted
Malicious activities and violations are typically reported either to an administrator or collected centrally using a Security Information and Event Management (SIEM) system.
Host-Based Intrusion Prevention Systems
Software designed not only to detect incidents and attacks, but also to attempt to prevent them from doing any real damage to the computer or to the network.
There are also downloadable implementations for Linux that prevent malicious code from executing, such as Security-Enhanced Linux (SELinux). It is a set of kernel modifications originally developed by the National Security Agency (NSA) but was released to the open source community for download.