CHAPTER 1 Systems Security > Host intrusion detection system - Pg. 6

6 Eleventh Hour Security : Exam SY0-201 Study Guide

Rootkits can make it easy for hackers to install remote control programs or software that can cause significant damage.

A bot is a type of program that runs automatically, as robots do, performing specific tasks without the need for user intervention. Bots have been developed and used by Google, Yahoo, and MSN to seek out Web pages and return information about each page for use in their search engines. This is a legitimate use for bots, and such bots do not pose a threat to machines. Botnets are one of the biggest and best-hidden threats on the Internet. The botnet controller is referred to as the bot herder, and he or she can send commands to the bots and receive data (such as passwords or access to other resources) from them. Bots can be used to store files on other people's machines, to instruct those machines to send simultaneous requests to a single site in a DoS attack, or to send out SPAM mail. A Web server or IRC server is typically used as the Command and Control (C&C) server for a group of bots, or botnet.

Logic bombs

A logic bomb is a type of malware that can be compared to a time bomb. It is designed to execute and do damage after a certain condition is met, such as the passing of a certain date or time, or other actions like a command being sent or a specific user account being deleted. Attackers will leave a logic bomb behind when they've entered a system to try to destroy any evidence that system administrators might find.

HOST INTRUSION DETECTION SYSTEM

Intrusion detection is an important piece of security in that it acts as a detective control. An intrusion detection system (IDS) is a specialized device that can read and interpret the contents of log files from sensors placed on the network, as well as monitor traffic in the network and compare activity patterns against a database of known attack signatures. Upon detection of a suspected attack, the IDS can issue alarms or alerts and take a variety of automatic actions to terminate the attack. There are two types of IDSs that can be used to secure a network: host-based IDS (HIDS) and network-based IDS (NIDS). Each type is further broken down into signature-based and behavior-based IDSs; a behavior-based IDS is also known as an anomaly-based IDS. A host-based IDS is one that is installed on a single system or server and monitors the activity on that server through log analysis and server traffic analysis. A network-based IDS is a system or appliance that monitors all traffic on a network segment and compares that activity against a database of known attack signatures in an attempt to identify malicious activity.
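The following is an added example, not code from the study guide, that shows the distinction the section draws between a signature-based and a behavior-based (anomaly-based) host IDS. It runs both kinds of check over a handful of constructed auth-log lines (not from any real system). The signature rule, the failed-login threshold and the host name are illustrative assumptions, not a vendor ruleset.

```python
import re
from collections import Counter

# Constructed sample auth-log lines for demonstration only (not from a real host).
SAMPLE_LOG = """\
Jan 10 10:00:01 host1 sshd[101]: Accepted password for alice from 10.0.0.5 port 51000 ssh2
Jan 10 10:00:05 host1 sshd[102]: Failed password for root from 203.0.113.9 port 40001 ssh2
Jan 10 10:00:06 host1 sshd[103]: Failed password for root from 203.0.113.9 port 40002 ssh2
Jan 10 10:00:07 host1 sshd[104]: Failed password for root from 203.0.113.9 port 40003 ssh2
Jan 10 10:00:08 host1 sshd[105]: Failed password for root from 203.0.113.9 port 40004 ssh2
Jan 10 10:00:09 host1 sshd[106]: Failed password for root from 203.0.113.9 port 40005 ssh2
Jan 10 10:00:09 host1 sshd[107]: Failed password for root from 203.0.113.9 port 40006 ssh2
Jan 10 10:01:00 host1 sudo: bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get update
Jan 10 10:02:00 host1 sudo: bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/rm -rf /var/log/auth.log
Jan 10 10:03:00 host1 sshd[108]: Accepted publickey for alice from 10.0.0.5 port 51001 ssh2
"""

# Signature database: name -> compiled pattern. Illustrative rule (an assumption for this
# example): a privileged command that deletes files under /var/log, i.e. log tampering,
# which is what the logic-bomb paragraph above describes attackers doing to hide evidence.
SIGNATURES = {
    "log-tampering": re.compile(r"COMMAND=.*\brm\b.*/var/log/"),
}

# Pattern used by the behavior-based check to extract failed logins and their source.
FAILED_LOGIN = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")


def signature_matches(lines):
    """Signature-based detection: return (signature_name, line) for every line that
    matches a pattern in the signature database. Unknown attacks are never seen."""
    hits = []
    for line in lines:
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((name, line))
    return hits


def anomaly_alerts(lines, threshold=5):
    """Behavior-based (anomaly-based) detection: count failed logins per source address
    and flag any source whose count exceeds the threshold. No attack signature is
    involved; the alert comes from a deviation from the expected rate of a normal event."""
    failures = Counter()
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m:
            failures[m.group("src")] += 1
    return {src: n for src, n in failures.items() if n > threshold}


def analyze(log_text, threshold=5):
    """Run both detection styles over the log text and return their findings."""
    lines = log_text.splitlines()
    return {
        "signature": signature_matches(lines),
        "anomaly": anomaly_alerts(lines, threshold),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for name, line in report["signature"]:
        print(f"SIGNATURE ALERT [{name}]: {line}")
    for src, count in report["anomaly"].items():
        print(f"ANOMALY ALERT: {count} failed logins from {src}")
```

The signature check catches only what its database already describes (here, the log-deletion command), while the anomaly check flags the burst of failed logins from 203.0.113.9 without any rule naming that behavior; the two approaches miss different things, which is why the section lists both.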