Host Intrusion Prevention Systems & Beyond By Dilsad Sera

Host Intrusion Prevention Systems & Beyond
By Dilsad Sera SAHINTEPE
What is Intrusion Detection?
Host Based & Network Based
What does IDS Detect?
Difference between IDS & Firewall
IDS Types
Importance of HIPS
IDS Implementation
Passive/Reactive System
Prevention System
What is HIPS?
What is Intrusion Detection?
It is a device or software application that monitors network or system activities for malicious activity or policy violations and produces reports to a management
What does IDS Detect?
It is a system used to detect unauthorized intrusions into computer systems and networks.
Example: it detects attacks on FTP, and data-driven attacks at the application layer, such as a SQL injection error that could be used to crash an application.
IDS Components
Sensors – Generate security events such as log files
Console – Monitors events and alerts, and controls the sensors
Engine – Analyzes the data using artificial intelligence to generate alerts from the events received
*** 3 in 1 (sometimes all three are in one appliance)
Types of Intrusion Detection System
NIDS – Network Based
It is an independent platform which identifies intrusions by examining network traffic and monitors multiple hosts. It gains access to network traffic by connecting to a hub, a network switch configured for port mirroring, or a network tap. Example: Snort – KSU (Academic Freedom)
PIDS – Protocol Based
Consists of a system or agent that would typically sit at the front end of a server, monitoring and analyzing the communication protocol between a connected device (a user/PC or system)
APIDS – Application Protocol Based
Consists of a system or agent that would typically sit within a group of servers, monitoring and analyzing the communication on application-specific protocols. For example, in a web server with a database this would monitor the SQL protocol specific to the middleware/business logic as it transacts with the database.
HIDS – Host Based
Hybrid System
How is IDS implemented?
Host Based Intrusion Detection System
Consists of an agent on a host which identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability/ACL databases) and other host activities and state. An example of a HIDS is OSSEC.
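The file-system part of what a HIDS agent does is a baseline-and-compare loop: hash the files it cares about, store the digests, rescan later and report anything that differs. The block below is an added illustration of that loop, written for this page; it is not OSSEC code. It builds a constructed directory tree (a fake passwd file and two fake binaries), takes a SHA-256 baseline, simulates a modification and a new file, and reports the differences.

```python
import hashlib
import os
import tempfile


def build_baseline(root):
    """Return {relative path: sha256 hex digest} for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            baseline[os.path.relpath(path, root)] = digest
    return baseline


def compare_baseline(old, new):
    """Diff two baselines: files whose digest changed, files that appeared, files that vanished."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


def demo():
    """Constructed sample tree standing in for a host's /etc and /bin; returns the detected changes."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "passwd"), "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(root, "bin", "ls"), "wb") as fh:
            fh.write(b"\x7fELF-original-binary")

        baseline = build_baseline(root)  # what the agent stores after installation

        # Simulated changes between two scans: an extra passwd entry, a replaced
        # binary and a new binary that was not in the baseline.
        with open(os.path.join(root, "passwd"), "a") as fh:
            fh.write("eve:x:1001:1001::/home/eve:/bin/sh\n")
        with open(os.path.join(root, "bin", "ls"), "wb") as fh:
            fh.write(b"\x7fELF-replaced-binary")
        with open(os.path.join(root, "bin", "nc"), "wb") as fh:
            fh.write(b"\x7fELF-new-binary")

        return compare_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

A real agent would also record ownership and permission bits, sign or otherwise protect the stored baseline so an intruder cannot simply rehash after tampering, and ship the report off-host.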
IDS vs. Firewalls
Both are related to network security.
A firewall looks outward for intrusions in order to stop them from happening.
Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network.
An IDS evaluates a suspected intrusion once it has taken place and signals an alarm.
IDS watches for attacks that originate from within a
Passive vs. Reactive Systems
In a passive system, the intrusion detection system (IDS) sensor detects a potential security breach, logs the information and signals an alert on the console and/or to the owner.
In a reactive system, also known as an Intrusion Prevention System (IPS), the IDS responds to the suspicious activity by resetting the connection or by reprogramming the firewall to block network traffic from the suspected malicious source.
They both have signature-based systems that depend on activity on the host or
Example Snort rule (the action keyword "alert" was missing from the slide and has been restored):
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"Skype client login -- reply from server"; flags:AP,SUFR12; flow:to_client,established; dsize:5; content:"|17 03 01 00|"; depth:4; sid:1000010; rev:2;)
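To make the passive/reactive distinction and the signature rule concrete, here is an added example (written for this page, not Snort's code) that parses the slide's rule into its header and options, applies the port, dsize, content and depth checks to constructed packets, and runs the same rule through a passive sensor (alert only) and a reactive one (alert plus a simulated firewall block of the source). The flags and flow options are parsed but not evaluated, since the example has no TCP state machine; the packet dictionaries, addresses and payloads are constructed.

```python
import re

# The Snort rule quoted on the slide.
RULE = ('alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: '
        '(msg:"Skype client login -- reply from server"; flags:AP,SUFR12; '
        'flow:to_client,established; dsize:5; content:"|17 03 01 00|"; '
        'depth:4; sid:1000010; rev:2;)')


def parse_rule(text):
    """Split a rule into its header fields and an options dict; content is decoded to bytes."""
    header, options = text.split("(", 1)
    action, proto, src, sport, _arrow, dst, dport = header.split()
    opts = {}
    for key, val in re.findall(r'(\w+):("[^"]*"|[^;]*);', options.rstrip(")")):
        opts[key] = val.strip('"')
    rule = {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, **opts}
    # |17 03 01 00| is Snort's hex notation -> b"\x17\x03\x01\x00"
    rule["content"] = bytes.fromhex(rule["content"].strip("|"))
    return rule


def port_matches(spec, port):
    """Snort port specs: 'any', 'N', 'N:' (N and above), ':N', or 'N:M'."""
    if spec == "any":
        return True
    if spec.endswith(":"):
        return port >= int(spec[:-1])
    if spec.startswith(":"):
        return port <= int(spec[1:])
    if ":" in spec:
        lo, hi = spec.split(":")
        return int(lo) <= port <= int(hi)
    return port == int(spec)


def rule_matches(rule, pkt):
    """Apply the port, dsize, content and depth checks to one packet."""
    if not (port_matches(rule["sport"], pkt["sport"]) and port_matches(rule["dport"], pkt["dport"])):
        return False
    payload = pkt["payload"]
    if "dsize" in rule and len(payload) != int(rule["dsize"]):
        return False
    depth = int(rule.get("depth", len(payload)))  # pattern must lie within the first `depth` bytes
    return rule["content"] in payload[:depth]


class Sensor:
    """Passive: log an alert. Reactive (IPS): also add the source to a simulated firewall block list."""

    def __init__(self, rule, reactive=False):
        self.rule = rule
        self.reactive = reactive
        self.alerts = []
        self.blocked = set()

    def inspect(self, pkt):
        if pkt["src"] in self.blocked:
            return "dropped"
        if rule_matches(self.rule, pkt):
            self.alerts.append(f'[sid {self.rule["sid"]}] {self.rule["msg"]} from {pkt["src"]}')
            if self.reactive:
                self.blocked.add(pkt["src"])  # "reprogramming the firewall"
            return "alert"
        return "pass"


def demo():
    """Run three constructed packets through a passive and a reactive sensor."""
    rule = parse_rule(RULE)
    packets = [
        {"src": "203.0.113.5", "sport": 33033, "dport": 51234, "payload": b"\x17\x03\x01\x00\x01"},
        {"src": "203.0.113.5", "sport": 33033, "dport": 51234, "payload": b"hello"},
        {"src": "203.0.113.9", "sport": 40000, "dport": 51235, "payload": b"\x17\x03\x01\x00\x02"},
    ]
    passive, reactive = Sensor(rule), Sensor(rule, reactive=True)
    return ([passive.inspect(p) for p in packets], [reactive.inspect(p) for p in packets])


if __name__ == "__main__":
    print(demo())
```

The second packet is benign, yet the reactive sensor drops it because its source was blocked after the first match; that side effect on later, possibly legitimate traffic is the trade-off the slide's "reactive" label carries.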
Prevention System
An adversary can send packets that the IPS will see but the target computer will not. For example, the attacker could send packets whose Time to Live fields have been crafted to reach the IPS but not the target computers it protects. This technique leaves the IPS with a different state than the target.
An intrusion prevention system is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real time, to block or prevent those activities.
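The TTL problem described above is a state-desynchronization issue: the IPS reassembles a stream that the protected host never receives. The following added model (constructed for this page, not from any IPS product) shows it and the usual defensive fix. Segments are (sequence, data, ttl) tuples; a segment sent with a given TTL is modeled as reaching a node `hops` routers away only if ttl > hops. A naive inline IPS reassembles everything it sees, whereas a normalizing IPS that knows the hop distance to the host it protects discards segments that could never arrive there, so its view agrees with the host's. The signature string and the segments are constructed stand-ins.

```python
SIGNATURE = b"WORLD"  # constructed stand-in for a content signature


def reaches(ttl, hops):
    """Model: each router decrements TTL; a segment survives `hops` routers iff ttl > hops."""
    return ttl > hops


def reassemble(segments):
    """First-received data wins for each sequence position (one common reassembly policy)."""
    buf = {}
    for seq, data, _ttl in segments:
        for offset, byte in enumerate(data):
            buf.setdefault(seq + offset, byte)
    return bytes(buf[k] for k in sorted(buf))


def host_view(segments, target_hops):
    """What the protected host actually receives."""
    return reassemble([s for s in segments if reaches(s[2], target_hops)])


def naive_ips_view(segments, ips_hops):
    """An inline IPS that trusts every segment it sees."""
    return reassemble([s for s in segments if reaches(s[2], ips_hops)])


def normalizing_ips_view(segments, ips_hops, target_hops):
    """Defensive fix: drop segments that reach the IPS but cannot reach the host; return (stream, dropped)."""
    seen = [s for s in segments if reaches(s[2], ips_hops)]
    kept = [s for s in seen if reaches(s[2], target_hops)]
    return reassemble(kept), len(seen) - len(kept)


def demo():
    """Constructed scenario: IPS 3 routers from the sender, host 6 routers away."""
    ips_hops, target_hops = 3, 6
    segments = [
        (0, b"HELLO ", 64),
        (6, b"XXXXX", 4),   # constructed short-TTL chaff: 4 > 3 reaches the IPS, 4 <= 6 never reaches the host
        (6, b"WORLD", 64),
    ]
    normalized, dropped = normalizing_ips_view(segments, ips_hops, target_hops)
    return {
        "host": host_view(segments, target_hops),
        "naive_ips": naive_ips_view(segments, ips_hops),
        "normalizing_ips": normalized,
        "dropped_by_normalizer": dropped,
    }


if __name__ == "__main__":
    views = demo()
    for name, stream in views.items():
        if isinstance(stream, bytes):
            print(f"{name:16} {stream!r}  signature hit: {SIGNATURE in stream}")
```

The naive IPS sees "HELLO XXXXX" and misses the signature that the host actually receives; the normalizing IPS sees the same bytes as the host. In practice the hop distance per protected host has to be learned or configured, and a sudden change in observed TTLs from one source is itself worth an alert.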
Host Intrusion Prevention System
Host-based intrusion prevention system (HIPS): an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host. It also has a signature-based system.
How IDS differs from IPS
* IPSs are designed to sit inline with traffic flows and prevent attacks in
Deep packet inspection: in addition, most IPS solutions have the ability to look at (decode) layer 7 protocols like HTTP, FTP and SMTP.
RBIPS (Rate-based IPS) can identify abnormal rates for certain types of traffic (botnet/zombie DDoS).
Example: connections per second, packets per connection.
Attacks are detected when thresholds are exceeded.
The thresholds are dynamically adjusted based on time of day, day of the week etc., drawing on stored traffic statistics.
Host-based vs. Network IPS
HIPS can handle encrypted and unencrypted traffic equally, because it can analyze the data after it has been decrypted on the host.
NIPS does not use processor and memory on computer hosts but uses its own CPU and memory.
NIPS drawback AND benefit, depending on how you look at it:
NIPS is a single point of failure, which is considered a disadvantage; however, this property also makes it simpler to
Use failover or load balancing to combat this NIPS disadvantage.
Host-based vs. Network IPS - 2
NIPS can detect events scattered over the network (e.g. a low-level event targeting many different hosts, like a worm) and can react.
With a HIPS, only the host's own data is available to take a
It would take too much time to report it to a central decision-making engine and wait for the reply before blocking.
Importance of HIPS
Well-known security companies have realized how important HIPS is, and they have all released HIPS products.