Host-Based Intrusion Detection Systems

Giovanni Vigna, Reliable Software Group

Christopher Kruegel, Technical University, Vienna, Austria

Introduction

Operating System–Level Intrusion Detection

Audit Data Gathering

Misuse-Based Approaches

Anomaly-Based Approaches

Specification-Based Approaches

Application-Level Intrusion Detection

Audit Data Gathering

Misuse-Based Approaches

Anomaly-Based Approaches

Specification-Based Approaches

Related Techniques

Host-Based IDSs versus Network-Based IDSs

Future Trends

Conclusions

Glossary

Cross References

References

INTRODUCTION

Intrusion detection (Crothers, 2002; Schultz, Endorf, & Mellander, 2003) is the process of identifying and responding to suspicious activities targeted at computing and communication resources. An intrusion detection system (IDS) monitors and collects data from a target system that should be protected, processes and correlates the gathered information, and initiates responses when evidence of an intrusion is detected. Depending on their source of input, IDSs can be classified into network-based systems and host-based systems.

Network-based intrusion detection systems (NIDSs) collect input data by monitoring network traffic (e.g., packets captured by network interfaces in promiscuous mode). Host-based intrusion detection systems (HIDSs), on the other hand, rely on events collected by the hosts they monitor.

HIDSs can be classified based on the type of audit data they analyze or based on the techniques used to analyze their ...
