In this lesson, we introduced host-based Intrusion Detection System. Host Intrusion Detection System is a software program run within a host machine. It can be server, it can be local user machine. It aims at detecting and examining malicious activities by periodically monitoring and analyze log, detecting escalating of privilege from a user or system. For example, you switch from normal user to the one with system admin privilege like or switching to super users. The third one, perform the integrity check on critical file. What are those? Password file, configuration file,library, shell commands, pki certificates and private key. Network Intrusion Detection System cannot see or interpret such actions which takes place within the host. So host,intrusion deduction has its memory. Tripwire is a host intrusion detection system. The original version was developed by Purdue University in 1992 by Dr. Eugene Spafford and his master student Gene Kim, who is the former CTO of Tripwire. Here is a site for downloading older versions of Tripwire. Version 2.4.2.2 is on sourceforge. Given the set of files to be monitored, tripwire produces the multiple hashes of the same file, and it saves them for future periodically verification. Labels the severity of the violation using the color coding. Here we show the command .com of the Windows systems that has been modified since the expect very of the hatch including SSA SAVAL MD5 CSC32. Those four are all changed. You see the left column and the right column there their value is different. Know that a vector may not be up to changing the content for all of the hash. It may be able to change one still matching the content but not two or more. And what we do is save those hash and hiding somewhere. Check against the current content. Here we show a list of frag of win DLL library and that has been changed from 0 to 1. In this slide the host intrusion detection system can be improved by allowing the specification of export policy where the frequency and the date for the update is enforced. And what kind of accounts are used on how to update a file. Any violations in terms of what is the frequency of update. What is the date of update will be detected and blocked and then alert raised and reported in real time to the system administration. We should be able to including easy to use duration compliance manager to look at all the software package. And see how they're configured and see whether they are what stray from the original configuration file.
