What does Host-Based Intrusion Detection System (HIDS) mean?
A host-based intrusion detection system (HIDS) is software installed on a computer that monitors and analyses activity on that computer, detects intrusions and logs the activity. It is like a watchman for a building.
It is not a firewall: a firewall enforces a policy on the traffic it forwards, whereas a HIDS watches what actually happens on the host and raises an alert when that activity looks like an intrusion.
Host-based intrusion detection systems (HIDS) sit on the endpoints that provide a service, rather than at network transit points as a network-based IDS (NIDS) does.
Host IDS was the first type of IDS to be widely deployed. It is installed on servers and focuses on the specific operating system and the applications running on the host it protects.
HIDS are often critical for detecting internal attacks directed at an organization's servers, such as DNS, mail and web servers.
A HIDS can detect a variety of potential attack indicators, such as changes to file permissions or improperly formed client–server requests reaching a local service.
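File-permission and file-content changes are detected by keeping a baseline of each watched file and diffing later snapshots against it, which is how file-integrity monitors such as AIDE or OSSEC work. The following is an added example written for this page, not code from any HIDS product; the two watched files, their contents and the tampering in `demo()` are constructed for illustration.

```python
"""Minimal host-based file-integrity check: snapshot mode, owner and a
SHA-256 of each watched file, then compare a later snapshot against the
baseline and report what changed (added example, not a product's code)."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, NamedTuple


class Entry(NamedTuple):
    mode: int      # permission bits only (stat.S_IMODE), e.g. 0o644
    uid: int
    gid: int
    sha256: str    # hex digest of the file content


def snapshot(paths: List[str]) -> Dict[str, Entry]:
    """Record mode, ownership and content hash of each existing file."""
    result: Dict[str, Entry] = {}
    for p in paths:
        try:
            st = os.stat(p)
            h = hashlib.sha256()
            with open(p, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
        except FileNotFoundError:
            continue                      # deleted files show up in compare()
        result[p] = Entry(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                          h.hexdigest())
    return result


def compare(baseline: Dict[str, Entry], current: Dict[str, Entry]) -> List[str]:
    """Return one human-readable alert per detected change."""
    alerts: List[str] = []
    for p, old in baseline.items():
        new = current.get(p)
        if new is None:
            alerts.append(f"{p}: deleted")
            continue
        if new.mode != old.mode:
            alerts.append(f"{p}: mode {old.mode:o} -> {new.mode:o}")
        if (new.uid, new.gid) != (old.uid, old.gid):
            alerts.append(f"{p}: owner {old.uid}:{old.gid} -> {new.uid}:{new.gid}")
        if new.sha256 != old.sha256:
            alerts.append(f"{p}: content changed")
    for p in current:
        if p not in baseline:
            alerts.append(f"{p}: new file not in baseline")
    return alerts


def demo() -> List[str]:
    """Constructed scenario: baseline two files in a temp dir, then make one
    world-writable and append a risky directive to the other."""
    d = tempfile.mkdtemp()
    passwd = os.path.join(d, "passwd")
    sshd_cfg = os.path.join(d, "sshd_config")
    with open(passwd, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")
    with open(sshd_cfg, "w") as f:
        f.write("PermitRootLogin no\n")
    os.chmod(passwd, 0o644)
    os.chmod(sshd_cfg, 0o600)
    baseline = snapshot([passwd, sshd_cfg])

    os.chmod(passwd, 0o666)               # classic permission-change finding
    with open(sshd_cfg, "a") as f:
        f.write("PermitRootLogin yes\n")  # content tampering
    return compare(baseline, snapshot([passwd, sshd_cfg]))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

A real monitor stores the baseline somewhere the host's root user cannot silently rewrite (a remote log server or a signed database), otherwise an attacker who gains root can re-baseline their own changes.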
Why do we need HIDS?
NOTE: HIDS has many more advantages over NIDS, such as logging of file activity, inspecting inbound traffic after the host has decrypted it (a NIDS cannot read TLS-protected traffic), using application-level attributes to detect intrusions, and tracking a specific user's activity through files, processes and system calls. I've only discussed a few of the main advantages in detail below.
Advantage 1: A NIDS may not catch every intrusion. It sits at a network chokepoint, can drop packets under heavy traffic, and never sees activity that stays on the host. A HIDS only has to handle its own host's activity, so it copes with high traffic volumes and also sees local events.
Advantage 2: Insertion/evasion techniques can bypass a NIDS but not a HIDS. These techniques exploit differences between how the NIDS interprets a packet stream and how the end host interprets it; a HIDS observes what the host actually did after the stream was reassembled, so there is no discrepancy to exploit.
The following are examples of insertion/evasion techniques:
1. Fragmentation and small packets
Attackers can evade an IDS by crafting packets so that the end host interprets the attack payload correctly while the IDS either interprets it incorrectly or gives up too quickly and judges the traffic benign.
One basic technique is to split the attack payload across many small packets, so that the IDS must reassemble the packet stream before it can detect the attack.
Another evasion technique is to pause between sending parts of the attack, in the hope that the IDS's reassembly timer expires before the target computer's does. A further technique is to send the packets out of order, which confuses simple packet reassemblers but not the target computer.
2. Overlapping fragments and TCP segments
Another evasion technique is to craft a series of packets whose TCP sequence numbers overlap. For example, the first packet carries 90 bytes of payload, but the second packet's sequence number is only 86 bytes after the start of the first, so the last four bytes of the first packet and the first four bytes of the second claim the same positions in the stream.
When the target computer reassembles the TCP stream, it must decide which copy of the four overlapping bytes to keep. Operating systems resolve this differently, and if the IDS resolves it differently from the target, the two reconstruct different payloads and a signature that matches on one will miss on the other.
3. Some IDS evasion techniques involve deliberately manipulating TCP or IP protocol fields in a way the target computer will handle differently from the IDS, for example sending a packet whose IP TTL is large enough to reach the IDS but expires before it reaches the target, so the IDS accepts data the host never sees.
4. Attacks that are spread out over a long period of time or across a large number of source IPs, such as nmap's slow scan (its -T0 "paranoid" timing template), can be difficult to pick out of the background of benign traffic.
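Items 1 and 2 above (out-of-order small segments and overlapping segments) come down to one question: which bytes does a reassembler keep when two segments claim the same stream offsets? The following added example, written for this page and not taken from any IDS or operating system, simulates TCP reassembly under two simplified policies, "first" (bytes already received win, as in many BSD-derived stacks) and "last" (later data overwrites, as in Linux), and shows that the same three segments yield a benign request under one policy and an attack string under the other. The segments, the request text and the `/etc/passwd` signature are constructed for illustration.

```python
"""Simulated TCP stream reassembly under two overlap policies, to show how
overlapping and out-of-order segments make a NIDS and the end host disagree
about the byte stream (added example, not code from any IDS)."""
from typing import Dict, List, NamedTuple


class Segment(NamedTuple):
    seq: int      # relative sequence number of the first payload byte
    data: bytes


def reassemble(segments: List[Segment], policy: str) -> bytes:
    """Rebuild the stream from segments in their arrival order.

    policy="first": a byte already received is kept; overlapping bytes that
                    arrive later are discarded.
    policy="last":  a later segment overwrites the bytes it overlaps.
    Offsets never received (e.g. a segment the IDS timed out on) are
    rendered as b"?" so gaps stay visible.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    buf: Dict[int, int] = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if policy == "first" and off in buf:
                continue            # keep the copy that arrived first
            buf[off] = byte         # insert, or overwrite under "last"
    if not buf:
        return b""
    return bytes(buf.get(i, ord("?")) for i in range(max(buf) + 1))


def ids_verdict(segments: List[Segment], signature: bytes) -> Dict[str, bool]:
    """Whether a signature would fire under each reassembly policy."""
    return {pol: signature in reassemble(segments, pol) for pol in ("first", "last")}


# Constructed attacker traffic, in arrival order: the tail of the request is
# sent first (out of order), then a benign-looking request line, then an
# 11-byte segment that overlaps bytes 4..14 with the real target path.
EVASION_SEGMENTS = [
    Segment(15, b" HTTP/1.0\r\n\r\n"),
    Segment(0, b"GET /index.html"),
    Segment(4, b"/etc/passwd"),
]


def textbook_overlap() -> Dict[str, bytes]:
    """The 90-byte / 86-offset case from the text: four bytes overlap."""
    segs = [Segment(0, b"A" * 90), Segment(86, b"B" * 8)]
    return {pol: reassemble(segs, pol) for pol in ("first", "last")}


if __name__ == "__main__":
    for pol in ("first", "last"):
        print(pol, reassemble(EVASION_SEGMENTS, pol))
    print(ids_verdict(EVASION_SEGMENTS, b"/etc/passwd"))
    for pol, stream in textbook_overlap().items():
        print(pol, stream[84:94])
```

A NIDS that assumes the "first" policy sees `GET /index.html` and stays quiet, while a Linux-like target applying "last" serves `GET /etc/passwd`. A HIDS on that target never reassembles anything; it sees the request the web server actually handled, which is the point of Advantage 2.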
Advantage 3: Last but not least, a HIDS lets an administrator determine whether a host was actually compromised by an attack rather than merely targeted: the host's own logs, file-integrity baselines and process records show what, if anything, changed after the attempt.