Host–Based Intrusion Detection Systems: Architectures, Solutions, and Challenges

Background

Numerous intrusion detection systems taxonomies have been proposed in the past. Lazarevic et al. (2005) designates five criteria to be used to classify IDSs: information source, analysis strategy, time aspects, architecture and response. A more detailed taxonomy that also includes classification by alerts and adds further subcategories is outlined by Sabahi and Movaghar (2008).

We recognize two types of IDSs based on the analysis strategy: misuse-based IDSs (i.e., signature-based) and anomaly-based IDSs. Signature-based systems compare observed events with known patterns of malicious activities. Signature-based systems can effectively detect existing threats and, provided signatures were constructed efficiently, have a low false positives rate. Anomaly-based systems compare the actual behavior with pre-created profiles of normal behavior and observe any deviations. Anomaly-based systems can detect previously unknown attacks, but the identification of these attacks can be very vague. A training period without any ongoing intrusions is often required to construct normal profiles. Some anomaly-based systems are adaptive; therefore, they can update their normal profiles in a reaction to the changing properties of the observed system. Commercially available solutions can incorporate both detection approaches (e.g., common antivirus software is predominantly signature-based, but can also include the heuristic analysis that falls into the anomaly-based analysis strategy). Surveys of various intrusion detection analysis strategies as well as comparison of their strengths and weaknesses are provided by Murali and Rao (2005) and by Chandola, Banerjee, and Kumar (2009).

Scarfone and Mell (2012) distinguish four categories of IDSs based on information source (i.e., the type of events they monitor and the ways in which they are deployed): Network-based IDS (NIDS), Host-based IDS (HIDS), wireless IDS and a network behavior analysis system. Sometimes we can also encounter the term “hybrid IDS” that denotes a system that combines two or more IDS categories. In the following text we focus strictly on host-based IDSs.