Host-based intrusion-detection system
From Free net encyclopedia
Host-based intrusion-detection is the art of detecting malicious activity within a single computer.
A host-based intrusion detection system (HIDS) uses host log information, system activity, and scanners such as virus scanners to determine whether a computer host is being used for illegitimate purposes. A HIDS may run locally on the protected host, remotely (receiving data via syslogd, etc.), or as part of a distributed intrusion detection system.
A common technique is to compute checksums of important system files that should not change under normal circumstances. Intruders often replace system components with so-called rootkits, which let them remain hidden in the system while performing further probing such as sniffing. The checksums of the improperly replaced files would not match those of the originals.
When trying to uncover a rootkit, the administrator needs to ensure that the programs used in the investigation are not themselves compromised, because many rootkits conceal their presence by altering the output of basic system functions such as directory listings and process lists. To be thorough, the administrator must supply and use known-good copies of tools that list directory contents, file dates, sizes and checksums, and that list running processes.
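The checksum technique described above, as an added example that is not part of the original article: a baseline of SHA-256 digests is taken over a directory tree and later compared against a fresh scan, reporting modified, added and removed files. The directory, file names and contents are constructed in a temporary folder for the demonstration; in practice the baseline and the checking tool itself must be kept on media the host cannot alter, for the reason given in the paragraph above.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file (relative POSIX path) under root to (size, sha256)."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = (p.stat().st_size, sha256_file(p))
    return baseline


def compare(baseline, current):
    """Return sorted lists (modified, added, removed) of relative paths."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return modified, added, removed


def demo():
    """Constructed scenario: a fake 'ls' is replaced by a same-sized trojan after baselining,
    a new file is dropped and 'ps' is deleted. Size alone would miss the 'ls' swap."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary (constructed)")
        (root / "bin" / "ps").write_bytes(b"original ps binary (constructed)")
        baseline = build_baseline(root)           # would be stored on read-only media
        (root / "bin" / "ls").write_bytes(b"trojaned ls binary (constructed)")
        (root / "bin" / "hidden").write_bytes(b"dropped file (constructed)")
        (root / "bin" / "ps").unlink()
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())  # → (['bin/ls'], ['bin/hidden'], ['bin/ps'])
```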