Yogesh Chauhan's Blog

What Does Host-Based Intrusion Detection System (HIDS) Mean and What Are Some Advantages Over NIDS?

in Miscellaneous on January 30, 2020

What does Host-Based Intrusion Detection System (HIDS) mean?

A host-based intrusion detection system (HIDS) is a system that capable of monitoring and analyzing a computer system on which it is installed to detect an intrusion and logs in the activity. It’s like a watchman for a building.

It is similar to firewall, except it detect intrusions.

host-based intrusion detection systems (HIDS) are systems that sit at service endpoints rather than in the network transit points like NIDS. 

The first type of IDS that’s widely implemented, Host IDS, is installed on servers and is more focused on analyzing the specific operating system and application functionality residing on the HIDS host. 

HIDS are often critical in detecting internal attacks directed towards an organization’s servers such as DNS, mail, and web servers. 

HIDS can detect a variety of potential attack situations such as file permission changes and improperly formed client–server requests.

Why do we need HIDS?

NOTE: There are many more advantages of HIDS over NIDS like file logging, inspecting unencrypted inbound traffic, application level attributes to detect intrusion, Specific user activity based on files, processes, system calls etc. but I've talked about just few top advantages in detail.

Advantage 1: NIDS may not be able to catch all intrusions as HIDS is more versatile and it’s great for large traffic.

Advantage 2: Insertion/evasion techniques bypass NIDS but not HIDS.

Following are the examples of Insertion/evasion techniques

1. Fragmentation and small packets

Attackers can evade IDS by crafting packets in such a way that the end host interprets the attack payload correctly while the IDS either interprets the attack incorrectly or determines that the traffic is benign too quickly.

One basic technique is to split the attack payload into multiple small packets, so that the IDS must reassemble the packet stream to detect the attack.

One evasion technique is to pause between sending parts of the attack, hoping that the IDS will time out before the target computer does. A second evasion technique is to send the packets out of order, confusing simple packet re-assemblers but not the target computer.

2. Overlapping fragments and TCP segments

Another evasion technique is to craft a series of packets with TCP sequence numbers configured to overlap. For example, the first packet will include 90 bytes of payload, but the second packet's sequence number will be 86 bytes after the start of the first packet. 

When the target computer reassembles the TCP stream, they must decide how to handle the four overlapping bytes.

3. Some IDS evasion techniques involve deliberately manipulating TCP or IP protocols in a way the target computer will handle differently from the IDS.

4. Attacks which are spread out across a long period of time or a large number of source IPs, such as nmap's slow scan, can be difficult to pick out of the background of benign traffic.

Advantage 3: And the last but not list advantage of HIDS is that it allows admin to determine if a host was compromised due to attack.

Most Read

#1 How to check if radio button is checked or not using JavaScript? #2 How to add Read More Read Less Button using JavaScript? #3 Solution to “TypeError: ‘x’ is not iterable” in Angular 9 #4 How to uninstall Cocoapods from the Mac OS? #5 PHP Login System using PDO Part 1: Create User Registration Page #6 How to Use SQL MAX() Function with Dates?

Recently Posted

#Jan 16 Colleague UI Basics: The Search Area #Jan 16 Colleague UI Basics: The Context Area #Jan 16 Colleague UI Basics: Accessing the user interface #Jan 14 How to display a student’s individual transcript in Colleague? #Jan 11 How to install PuTTY on a MacOS? #Jan 8 How to Install Xcode Command Line Tools on MacOS?
You might also like these
Social Media Colors: LESS VariablesMiscellaneousHow to define constants in PHP?PHPHow to change value of a span tag using a reference from another div using jQuery?jQueryHow to use a Subquery to Insert Multiple Rows in SQL Table?SQL/MySQLHow to position an image on top of another image using CSS?CSSIntroduction to Angular modules Part 1: NgModule metadataAngular