When operating one or more servers, it is advisable to secure and monitor one's own services against attacks in order to maintain the protective goals of information security (confidentiality, availability and integrity). In addition to manually recurring tasks such as active patch management or regular security audits, an intrusion detection system (IDS) can be used to detect and an intrusion prevention system (IPS) to prevent attacks on internal IT systems.

What intrusion detection systems exist?

Network-based Intrusion Detection Systems (NIDS) have long been the tools of choice for analysing network traffic. Here, the network traffic is evaluated at a central location by means of signature recognition. A significant advantage of this is the independence from the software and hardware used by the clients and servers. NIDS are primarily hardware-based components that are connected behind a firewall, for example, in order to analyse the data traffic.

However, the increasing prevalence of encryption makes the use of this type of intrusion detection more difficult or at least reduces the areas of application. Additionally, the bandwidth of the monitored unit may exceed the bandwidth of the NIDS, causing packets to be dropped or traffic to be throttled.

Due to these limitations and the centralized architecture of NIDS, current research is primarily concerned with host-based intrusion detection systems (HIDS). Analysis no longer takes place in the network components, but through the evaluation of system calls or logs of the individual services. This makes the information collected much more versatile than with NIDS. In addition, HIDS are more scalable than NIDS due to their decentralised structure. In order to cope with the evaluation of this large amount of data, machine learning is increasingly used for anomaly detection.

How Host-based intrusion detection systems work

HIDS needs access to all logs in order to be able to analyse them.

HIDS supports the administration of services by regularly summarising and visualising data accumulated during the analysis in reports. The analysed log data is searched for anomalies and logged for later review. This facilitates the investigation and prevents the log data of the individual services from having to be tediously searched through in the event of a breach. The accrued data not only supports in securing services against unwanted actors, but also during troubleshooting in case of failures of individual system components or services.

All this can only work if the HIDS is configured correctly. This also includes regularly checking the detection settings in the changing corporate environment.

For better protection, it is advisable not to rely on just one technology, but to use a symbiosis of HIDS and NIDS, as neither system can provide full protection on its own. NIDS can immediately alert on short-term anomalies in the network, while HIDS can shed light on more complex and long-term attack vectors.

IDS can be divided into two categories based on how they work: Anomaly Detection and Signature Detection.

Anomaly detection works by analysing traffic, system calls or logs to detect deviations from historical or defined normal states.

Signature detection, on the other hand, relies on previously defined properties that relate to specific attack scenarios. An example of this is the Leipzig Intrusion Detection - Data Set (LID-DS): https://github.com/LID-DS/LID-DS.

The LID-DS is a data set that contains known attack patterns. It also has a framework for adding further attack patterns. A distinction is made between "simple" requests, which represent a direct attack step, and "multi" requests, which are part of a longer chain of requests for an attack.

In addition to this research project, a number of HIDS tools exist that bring a large toolbox and are being actively developed. The market situation is very diverse and offers applications for all sizes of organisations.

Difference between IDS and SIEM

Security-savvy people will already have noticed that the way IDS works has some overlaps with SIEM.

SIEM stands for security information and event monitoring. These systems are designed as a holistic approach to monitor one's own hardware and software landscape for undesirable states.

Like a HIDS, a SIEM aggregates its information from various sources into an overview. The difference, however, lies in the diversity of the accepted input data. Data sources can be, among others, servers, hardware components in the network topology and both NIDS and HIDS. Thus, a SIEM combines the functionalities of NIDS and HIDS and serves as a summarising instance. SIEMs offer a scalable way to unite different existing data sources and to extend them with system-specific agents.

This makes SIEM an important layer in the monitoring process of one's own systems to summarise important real-time information and react promptly to anomalies.

Conclusion

Host-based intrusion detection is a useful complement to network-based protection and monitoring mechanisms. For HIDS to work, they need access to the resources of the services. This means that setting up and maintaining a HIDS requires a certain amount of effort. In return, one receives automated reports on the status of the services in operation and can detect issues without having to tediously dig through logs. In a growing company structure, a HIDS can help to keep an eye on the systems under management. In cases of increasing requirements, it can also be supplemented with a SIEM.