Host-Based Anomaly Intrusion Detection

Network security has become an essential component of any computer network. Despite significant advances having been made on network-based intrusion prevention and detection, ongoing attacks penetrating network-based security mechanisms have been reported. It is being realized that network-based security mechanisms such as firewalls or intrusion detection systems (IDS) are not effective in detecting certain attacks such as insider attacks and attacks without generating significant network traffic. The trend of network security will be to merge host-based IDS (HIDS) and networkbased IDS (NIDS). This chapter will provide the fundamentals of host-based anomaly IDS as well as their developments. A new architectural framework is proposed for intelligent integration of multiple detection engines. The novelty of this framework is that it provides a feedback loop so that one output from a detection engine can be used as an input for another detection engine. It is also illustrated how several schemes can be derived from this framework. New research topics for future research are discussed. The organization of this chapter is as follows. Section 13.1 is about background material. It provides a brief introduction to computer (host) operating systems and networking systems, which are needed to understand computer and computer network security and IDS. Section 13.2 presents the basic concepts in HIDS and their developments. Practical examples are provided to illustrate the implementation procedures in a step-by-step approach. Section 13.3 introduces powerful hidden Markov models (HMM) and HMM-based anomaly intrusion detection schemes. Section 13.4 discusses emerging HIDS architectures. It also proposes a new theoretic framework for designing new IDS architectures. Conclusions are given in Sect. 13.5. Muchmaterial on HIDS schemes is drawn from the author’s own published research work. This chapter is suitable as a text for final-year undergraduate students or postgraduates in advanced security courses. It is also useful as a reference for academic researchers intending to conduct research in this field.