Network-based IDSs and Host-Based IDS

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

1)Compare and contrast a Network-based IDSs and Host-Based IDS. What type of events is each capable of detecting and in which way does it achieved the detection of these events?


By using network based and a host based systems we can recognize the deflects the attacks in an Intrusion Detection System (IDS). In the Network Based and the Host Based IDS look for the attack on signatures, which specifies the patterns that usually indicate malicious or doubtful intent. If an IDS looks for these patterns in the network traffic, then it is Network-Based. If an IDS looks for the attack on log files, then it is Host­-Based. The two approaches has its own strengths and weakness and vice versa to each other. An effective intrusion detection system will employ both the techniques i.e. in Host-Based and Network-Based. In this we going on to discuss the difference between the Network-Based and Host-Based IDS techniques and how they are helpful in effective instruction detection.


Network-based IDS (NIDS) is one of the major commercial intrusion detection system. As we know it uses the raw network packets as a source of data. NIDS commonly uses a network adaptor running in promiscuous mode to analyze the traffic in real time and monitor as it travel across the network.


Ø The network-base IDS will detect the attacks that the host-based system missed.

Ø Network-based IDS can be made invisible to many attackers and even made very secure against the attackers.

Ø Network-based IDS make more difficult to remove evidence by the attacker because it uses the live network traffic for real-time detection for an attack.

Ø Network-based IDS also detects the unsuccessful attacks and malicious intent. As this type of detection is can't be found in the host-based system.

Ø Network-based IDS] cannot analyze the information which is encrypted. As we are using more vital private networks this type of problems are increasing in many organizations.

Ø Network-based IDS does not depend on the operating system of the host as a defection source but in the host-based IDS requires specific operating system for comparing and to generate the meaningful results.


Host-based IDS adds a specialized layer for security software to a weak or risk the system such as database servers and administration system. For detecting the behaviour of the suspicious host-based IDS monitors activity in different on the system. The first and foremost advantage of the host-based IDS is it can detect external instruction as well as the internal instruction. This is the detection which we can be able to seen in the network-based IDSs and Firewall.

Host-based IDS is one of the most powerful tool for knowing the previous attacks and shaping previous methods, to conquer the upcoming plans. Still in this IDS they are using audit logs, but they are much more automated, having evolved sophisticated and response detection techniques. In a host-based IDS we can verify the outcomes of the attack as they are directly accessing and monitoring the data in the files and the processing systems are usually targeted by attacks, we can't see this type of things in Network Based IDSs.

The information source used by the HIDS are the operating system audit trails and system logs. The audit trails are usually generated in the innermost kernel. System logs are very easy to compare the obtuse and minor than audit trails. In HIDS some are planned to support the centralized IDS reporting and management infrastructure which can allow a single management console for tracking many hosts. Others produce the messages in a well known format with the network management system.


Ø As we know the host-based IDS uses the audit logs which contains the actually occurred events in it. In this we can measure the attack which is occurred previously is successful or not with great accuracy. As far as in this respect, host-based IDS makes a great balance to the network-based intrusion detection, where the network components gives the early warnings and the host component gives the verifying an attack is successful or not.

Ø Host-based IDS can detects attacks which cannot be seen by the network-base system.

Ø Host-based IDS always based on the existing network infrastructure, Web servers, file servers and the other shared resources.

Ø Host-based IDSs are cheaper in cost when compared to the network-base IDSs.

Ø Host-based IDSs monitors the specific system activity very easily by using file access activity, for changes to permissions of the file, which including file accesses and the attempts to install new executables or to access privileged services. When compared to the network-based systems it is very difficult to provide this event details.

Ø Host-based IDS helps us to detect Trojan horse and other attacks which involves software integrity bleaches, when the operation is carried out on the operating system audit logs.

Ø In Host-based IDS we don't requires no additional hardware such as the shared resources, web servers, including file servers, and network infrastructure.


In network-based IDS we have two detections methods there are anomaly detection and the other one is the signature detection these can be discussed briefly as follows


Ø Worms: It uses bandwidth in large amount and it can be easily penetrates. We can be found these worms in many ways. These worms communicate with host in between each other and these worms can be easily deleted.

Ø Denial-Of-Service (DOS): These attacks grip in major increased packet traffic or major increase connection attempts on the target system.

Ø Scanning: It is a tool which is used to identify the target by an attacker. It will detect all the patterns of typical flows in network layer, application layer and transport layer.


Ø Policy violation: In NIDS these attacks occurs when we are accessing the forbidden application protocols and using inappropriate websites.

Ø Application layer reconnaissance and attacks: In many NIDS technologies there are analyzing many application protocols they are Dynamic Host Configuration Protocol, Finger, Domain Name Systems, SMTP, Network File System, SIP, FTP, IRC, SNMP, POP,TFTP,HTTP and also the database protocols. NIDS always look for the attacks that are identified as these protocols are targeted.

Ø Transport layer reconnaissance and attacks: NIDS analyze the traffic and other transport layer protocols in TCP and UDP.

Ø Network layer reconnaissance and attacks: NIDSs classically analyze all the levels of IPv4, ICMP and IGMP.

Ø Unexpected application services: NIDSs verifies the action on the transport connection is consistent with application protocol. These type of attacks occurs when the host running unauthorized application service.


In host-based IDS also we have two detection methods they are Anomaly and signature detections these are briefly explained as follows


It collects the relevant data to the behaviour of the authorized user for a period of time. The fundamental and the basic point in this anomaly detection is it analyzes the audit logs.

Ø Threshold detection: In this approach involve defining threshold, user independent, for the various events to occur.

Ø Profile based: In this approach it maintains the previous behaviour of the user and other group of the users to detect the attack. Some of the metrics which are useful for profile-based instruction detection are counter, gauge, interval timer, resource utilization.


It detects intrusion by viewing the events in the system and applying a set of rules it takes decision to find the activity is suspicious or good. The historic audit records can be analyzed by identifying patterns and rules to determine those patterns by using rules based pattern. There are different ways of identification of attacks by using rules based penetration. The examination can be done with the help of the scheme audit records.

2) OSSEC is capable of performing the following system-level checks:

a) file integrity checking

b) Windows registry monitoring.

c) rootkit detection, and

d) active response.

Critically discuss each of the above features, the reasons they are how they are implemented in OSSEC.

OSSEC [d] is one of the open source of host-based instruction detection. It is capable of generating the alerts and notifies to the user. This uses the log analysis tool monitoring, IDSs and analyzes firewalls.

a) File Integrity Checking:

The OSSEC host-based intrusion detection system will always monitor the files and the file integrity checking users uses the 32 bit hexadecimal value which is generated on the base of the contents and name of the files. This file integrity checking is always enable on all the OSSEC host-based intrusion detection installation types ( servers, agent & local systems). If there are any changes taken place then hash value always changes which is notified by the host-based intrusion detection then the modification takes place in the file.

OSSEC host-based intrusion detection always calculate the checksum using MD5/ SH1 when it is scanning the file. When user specifies the specific interval system scans periodically in the OSSEC HIDS and also sends the checksums for monitoring the files in the sever.

The algorithm below specifies the clear cut information how the file integrity checking is performed in the OSSEC

Step1 : Start

Step2 : OSSEC will scans the system.

Step3 : It will always generate MD5/SH1 hashing.

Step4 : Server checks whether the file is new or not by checking the hash files.

Step5 : If server finds the new hash file it will save on it and compares the previously saved hash files. Go to step 7.

Step6 : If the server found any changes then it will generate alerts to the user.

Step7 : Server checks whether all the files are scanned or not then go to step 4.

Step8 : else go to step 9.

Step9 : It finishes all the scanning tasks and exits.

Step10: Stop.

For integrity checking of the file OSSEC provide number of options. By using syscheck we can configure integrity checking. We can also check /etc, user/bin, /sbin, user/sbin, /bin in Linux and Unix and in windows by default it monitor on C:\windows\system32. In OSSEC we use <directories></directories> tags to monitor the directories, <frequency></frequency> tags to how the system checks will scan the system, in seconds, <windows_registry></windows_registry> tag is used to specify the windows registry key and <ignore></ignore> tag is used to specify how to ignore files not for scanning.

The default syntax for integrity configuration and monitoring the operating systems files in unix, linux are as follows



<directories check_all=”yes”>/etc,/usr,/bin,/sbin</directories>

<directories check_all=”yes”>/bin/sbin</directories>



In this way the file integrity checking is implemented in OSSEC

b) Windows registry monitoring:

System registry is maintained by the windows system which will registry entries for the hardware and to the settings of the software. By default configuration also monitors a number of keys used by the windows registry entries for changing the registry which contains a lot of variable information when compared to the other files in the operating system. These registry entries are able to store all the settings from the above parameters, for this reason the system will come up with the entries when user rebooted or logged out. For the reason specified above it is very flexible for the administrator for viewing the relationship between kernel and the software or hardware.

When we are configuring a number of local registry entry to be monitored by the syscheck by using the following tags we can configured as

<windows_registry> </windows_registry> to specify OSSEC to monitor those registry entries.

Given below is one of the best example for specifies the syscheck and registry keys.

<!--Check the directions(For performing all the possible verifications)-->

<directory check_all=”yes”>/root,/bin</directory>

<directory check_all=”yes”>/root,/bin</directory>

<!—directions/files to ignore-->








Here the HKEY_LOCOL_MACHINE is a sub registry key which contains the information about the local computer system.

c) Rootkit Detection:

Rootkit is a program to gain control from the operating system when the user interacting with the system. It can be installed on the system can be hide services, parts, files, direction, process and registry key for the rest of the users and operating systems.

We can implement rootkit in OSSEC HIDS in two steps as follows

1) Rootkit is implemented in application level detection by using rootkit_tarjon and rootkit_files on the system, they are stored in /var/ossec/etc/shared/ in OSSEC server, when the changes will be observed by all the agents of OSSEC.

2) Rootkit is implemented in kernel level check. It uses the system calls to change monitors, signatures are not used to detect rootkit.

The host always check for all the file permission and abnormal files present in the system for the scan file systems. Kernel maintains the device information which is present in directory. In several events in operating system call stat, chdir, fopen, opendir and chdir will produce an entry with rootkit_file and rootkit_tarjon.

Rootkits looks for the presence of the hidden ports. We can use bind() for checking every TCP and UDP ports on the system. We cannot bind the port, if it uses but the netstat command doesnot show it, a rootkit might be operated and installed on the port. For using the rootcheck rule we must use <if_group></if_group> tags.

<rule id=“100701” level =“7”>



Every rootkit alerts has different formats depending on the messages. In the same way if we want alert feom the same hidden file in the /dev directory, then we can perform as follows.

*Alert 1200871690.8582 mail-ossec, rooycheck,

2008 Jan 19 19:28:10 copacabana->rootcheck,

Rule:510(level 7)-> Host-based anomaly detection event(rootkit),

Sre IP:(none)


File ‘/dev/.hid' present on /dev possible hidden file.

d) Active Response:

Active response can be created by binding a command to more than one rule, or to specify the security level. The location where the command must be specified by us in the definition itself. In all servers or agents the rules are executed locally, which adds the flexibility and risk to the active response.

We can find active response script in OSSEC HIDS in the active-response/bin/direction where it is installed. We can use active response script packaged with OSSEC HIDS in shall script includes the,,,,,,

Active response can pass the information, such as source IP address or username which is important. When script not works properly then several other firewall scripts come with the OSSEC HIDS, depends on type of the host firewall. We can use active response capabilities of the OSSEC HIDS to work together with any application system or device.

We can remove deployed actions after a period of time by using the <timedout_allowed> </timedout_allowed> tag or by using <timeout></timeout> tag. By using the active response we can also send email to the OSSEC HIDS mailing list.

The configuration of an active response section for the ossec.conf file is specified as below








[a] : I referred the

[b]:William Stallings & Lawrie Brown (2008) Computer Security: Principles and Practice


[d]: e book OSSEC HIDS Andrew, H. dc rb (2009) OSSEC HIDS: Host -Based Intrusion Detection Guide. Burlington: Syngress Publishing, Inc.

[e]: Security Focus (2008) Available at: (Accessed: 20 April 2009).

[f]: I referred the website.