Day 7 - Identification: Host-based Intrusion Detection Systems

Host-based IDS can be a powerful tool for identifying potential incidents.  There are some major advantages of host-based IDS over network-based IDS: target-specific knowledge of the monitored system, detection of file modifications, and detection of rootkits whose command-and-control traffic is encrypted and therefore opaque to a network sensor.  However, the additional features usually come at the cost of additional maintenance and more alerts to triage.
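As an added illustration of the file-modification detection a host-based IDS performs (this is example code written for this diary discussion, not part of the original entry or of any particular HIDS product), the following Python builds a baseline of content hashes and metadata for a directory tree, re-scans it, and reports added, removed and modified files.  The directory layout and the simulated rootkit changes are constructed in a temporary directory so the script runs offline; the file names and contents are invented.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path):
    """Hash a file's contents and record the metadata an attacker would also
    have to forge (permission bits, owner, size) to hide a modification."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),  # includes setuid/setgid/sticky bits
        "uid": st.st_uid,
        "size": st.st_size,
    }


def build_baseline(root):
    """Walk the tree and fingerprint every regular file, keyed by its path
    relative to root (symlinks are skipped, dotfiles are not)."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath, name)
            if full.is_symlink() or not full.is_file():
                continue
            baseline[full.relative_to(root).as_posix()] = fingerprint(full)
    return baseline


def compare(baseline, current):
    """Return (status, relative_path, changed_fields) tuples for every
    difference between two baselines, in path order."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            findings.append(("removed", rel, None))
        elif rel not in baseline:
            findings.append(("added", rel, None))
        else:
            changed = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
            if changed:
                findings.append(("modified", rel, changed))
    return findings


def demo():
    """Constructed scenario: baseline a fake system tree, then apply the kind
    of changes a rootkit install makes and diff against the baseline."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "var" / "log").mkdir(parents=True)
        (root / "bin" / "ls").write_bytes(b"ELF original ls")
        (root / "bin" / "ps").write_bytes(b"ELF original ps")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "var" / "log" / "wtmp").write_bytes(b"login records")
        os.chmod(root / "bin" / "ls", 0o644)  # fixed mode so the baseline is umask-independent

        baseline = build_baseline(root)

        # Simulated compromise (constructed, not real rootkit behaviour):
        (root / "bin" / "ps").write_bytes(b"ELF trojaned ps hiding pids")   # replaced binary
        os.chmod(root / "bin" / "ls", 0o755)                                  # mode-only change, same content
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\ntoor:x:0:0::/:/bin/sh\n")       # extra uid-0 account
        (root / "bin" / ".hidden").write_bytes(b"backdoor")                  # dropped dotfile
        (root / "var" / "log" / "wtmp").unlink()                             # log wiped

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for status, rel, fields in demo():
        print(f"{status:9} {rel}" + (f"  ({', '.join(fields)})" if fields else ""))
```

Note that the mode-only change to bin/ls is caught because the fingerprint covers permission bits as well as content; a checker that hashes only file contents would miss a setuid bit being added to an otherwise intact binary.  A real deployment also has to store the baseline somewhere the monitored host cannot rewrite it, or the same rootkit that trojans ps can quietly re-baseline it.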

How do you use host-based IDS to identify suspicious activity?  Are there any organizations that rely solely on host-based IDS and ignore network-based IDS?  Since a host-based IDS should be able to provide more concrete evidence that a host has been compromised, do you sometimes move straight to a forensic evaluation of the host upon receiving alerts from it?  Is anyone still using honeypots (or known-vulnerable hosts) as an input to their host-based IDS for identifying targeted attacks?

Please send us your thoughts and comments via our contact page.  We will update the diary as new submissions come in.


Oct 7th 2008
