Monday, 16 September 2019

Host based intrusion detection system

Host-based intrusion detection systems are aimed at collecting information about activity on a particular single system, or host. These host-based agents, sometimes referred to as sensors, would typically be installed on a machine that is deemed susceptible to attack. The term “host” refers to an individual computer, so a separate sensor is needed for every machine. Sensors work by collecting data about events taking place on the system being monitored. This data is recorded by operating system mechanisms called audit trails.
Other sources from which a host-based sensor can obtain data “include system logs, other logs generated by operating system processes, and contents of objects not reflected in standard operating system audit and logging mechanisms”. These logs are for the most part simple text files, written a few lines at a time as events occur and operations take place on the system. Because host-based systems rely heavily on audit trails, they are limited by those audit trails, which are not provided by the vendors who design the intrusion detection system itself. As a result, these trails may not support the needs of the intrusion detection system, leading some to conclude that building more effective host-based systems “may require the developer to amend the operating system kernel code to generate event information. This approach extracts a cost in performance, which might be unacceptable for customers running computationally greedy applications”. Despite this limitation, audit trails are still considered the source of choice for host-based intrusion detection information.
A common criticism of host-based systems concerns the amount of data they produce. The sensors must obviously be configured to collect information detailed enough to identify abnormalities on a host, so the finer the data captured, the better the sensor should work. The problem is that, as the sensors gather finer levels of detail, they accumulate large amounts of data that take up significant storage. In addition, “both the volume and complexity of the data rise with greater detail … it makes it difficult for an adversary to circumvent the audit process entirely, the greater volume and complexity of the data make it easier in practice for intruders to hide their footprints”.
Host-based intrusion detection systems are desirable for several reasons. As briefly mentioned above, because host-based systems can monitor access to information in terms of “who accessed what,” these systems can trace malicious or improper activities to a specific user ID.
Host-based sensors are also useful in that they can keep track of the behavior of individual users. This can help catch attacks while they are happening, or possibly stop a potential attack before it affects the system.
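To make the ideas above concrete, here is a small added example (not code from the original post) of what a host-based sensor does with an audit trail: it parses event records, builds the “who accessed what” attribution per user ID, summarizes each user's behavior, and raises alerts on two simple patterns (a burst of failed logins followed by a success, and access to sensitive files). The audit records, the key=value line format, the user names, the paths and the thresholds are all constructed for the example and do not correspond to any real audit subsystem's output.

```python
"""Toy host-based sensor over a constructed audit trail.

Added example: parses simplified key=value audit records, attributes file
access to user IDs, profiles per-user behavior, and emits alerts. The record
format, users, paths and thresholds below are constructed, not real auditd output.
"""
import re
from collections import Counter, defaultdict, deque
from dataclasses import dataclass

# Constructed sample audit trail (one event per line, key=value pairs).
SAMPLE_AUDIT = """\
ts=1568592000 event=login user=alice result=success src=10.0.0.5
ts=1568592010 event=file_read user=alice path=/home/alice/notes.txt
ts=1568592030 event=login user=bob result=failure src=203.0.113.7
ts=1568592031 event=login user=bob result=failure src=203.0.113.7
ts=1568592032 event=login user=bob result=failure src=203.0.113.7
ts=1568592033 event=login user=bob result=failure src=203.0.113.7
ts=1568592034 event=login user=bob result=failure src=203.0.113.7
ts=1568592040 event=login user=bob result=success src=203.0.113.7
ts=1568592045 event=file_read user=bob path=/etc/shadow
ts=1568592050 event=file_write user=bob path=/etc/passwd
ts=1568592060 event=file_read user=carol path=/var/log/syslog
"""

# Sensor configuration (assumed values for the example).
SENSITIVE_PATHS = {"/etc/shadow", "/etc/passwd", "/etc/sudoers"}
FAILURE_THRESHOLD = 5      # failed logins that count as a burst
FAILURE_WINDOW = 60        # seconds in which the failures must occur

_KV = re.compile(r"(\w+)=(\S+)")


@dataclass
class Alert:
    ts: int
    rule: str
    user: str
    detail: str


def parse_record(line):
    """Turn one audit line into a dict; return None for lines missing core fields."""
    rec = dict(_KV.findall(line))
    if not {"ts", "event", "user"} <= rec.keys():
        return None
    rec["ts"] = int(rec["ts"])
    return rec


def parse_audit(text):
    """Parse the whole trail and order events by timestamp."""
    records = [r for r in (parse_record(l) for l in text.splitlines()) if r]
    return sorted(records, key=lambda r: r["ts"])


def who_accessed_what(records):
    """Attribute every file access to the user ID that performed it."""
    access = defaultdict(list)
    for r in records:
        if r["event"] in ("file_read", "file_write"):
            access[r["user"]].append(r["path"])
    return dict(access)


def user_behaviour(records):
    """Per-user count of event types, the basis for tracking individual behavior."""
    profile = defaultdict(Counter)
    for r in records:
        profile[r["user"]][r["event"]] += 1
    return dict(profile)


def detect_alerts(records):
    """Apply two simple rules to the ordered audit trail and return alerts."""
    alerts = []
    failures = defaultdict(deque)   # user -> timestamps of recent failed logins
    burst_seen = {}                 # user -> time the failure burst was flagged
    for r in records:
        user, ts = r["user"], r["ts"]
        if r["event"] == "login":
            q = failures[user]
            while q and ts - q[0] > FAILURE_WINDOW:   # drop failures outside window
                q.popleft()
            if r.get("result") == "failure":
                q.append(ts)
                if len(q) == FAILURE_THRESHOLD:
                    burst_seen[user] = ts
                    alerts.append(Alert(ts, "login_failure_burst", user,
                                        f"{len(q)} failures within {FAILURE_WINDOW}s from {r.get('src', '?')}"))
            elif r.get("result") == "success" and user in burst_seen \
                    and ts - burst_seen[user] <= FAILURE_WINDOW:
                alerts.append(Alert(ts, "login_after_failure_burst", user,
                                    f"successful login from {r.get('src', '?')}"))
                del burst_seen[user]
        elif r["event"] in ("file_read", "file_write") and r.get("path") in SENSITIVE_PATHS:
            alerts.append(Alert(ts, "sensitive_file_access", user, f"{r['event']} {r['path']}"))
    return alerts


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    for user, paths in who_accessed_what(recs).items():
        print(f"{user} accessed: {', '.join(paths)}")
    for a in detect_alerts(recs):
        print(f"[{a.ts}] {a.rule}: user={a.user} {a.detail}")
```

Every alert carries the user ID from the audit record, which is exactly the “who accessed what” attribution the post describes; the trade-off discussed above also shows up here, since finer-grained records (every file read, every login attempt) are what make the rules possible, and they are also what makes the trail large.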
