PC Intrusion Detection
PC intrusion detection, more commonly called host-based intrusion detection (HIDS), runs on the machine it protects rather than on the network in between. A host-based intrusion prevention system (HIPS) adds automatic blocking on top of detection. Both have advantages over their network-based counterparts, and a network-based IPS or IDS is often deployed alongside host-based agents so that the strengths of each cover the blind spots of the other.
Why have PC intrusion detection systems become so important? Data worth many billions of dollars is exchanged over networks through VoIP, teleconferencing and cellular networks, and the data stored on the personal computer of a single top executive can be worth a fortune to an intruder. Cyber terrorists and other politically motivated attackers want to steal or destroy data that furthers their goals. Financial and other losses follow when intrusions on individual hosts go undetected.
A PC intrusion detection system helps defend against both skilled attackers and novices running automated tools. It does not replace a firewall; it covers what a firewall cannot see. A conventional firewall filters traffic at the perimeter and has no view of what happens on the host itself, so it cannot detect malware that is already running, privilege escalation, unauthorized logins or reads of sensitive files, least of all when these are carried out by insiders who are already inside the perimeter.
PC intrusion detection is sometimes confused with PC intrusion prevention. Prevention is a form of access control: it logs, restricts and cuts off unauthorized access. An intrusion prevention system can only block what it first detects, so it also has to be good at PC intrusion detection. Because a host-based system works at the receiving end rather than in transit, it sees data after it has been decrypted (for example after a TLS connection is terminated on the host), which a network sensor watching encrypted traffic cannot. This is a major advantage of host-based detection and prevention. The trade-offs are that an agent has to be installed and maintained on every PC, that it consumes resources on the host, and that it cannot stop rate-based denial of service (DoS) attacks, which saturate the network or the host before any host-level rule can act.
A PC intrusion detection system collates data from several sources, such as virus scanner output, the PC's own logs and other system activity, and decides from them whether an unauthorized intrusion has occurred on the host. Before it can judge what is abnormal, the administrator must establish a baseline of the known-good state using trustworthy tools: checksums of system files, their sizes and dates, directory contents, and the list of running processes. The baseline must be taken while the system is known to be clean and stored where an intruder cannot alter it.
A HIDS can run locally on the host, report to a remote console, or be distributed across many hosts. A common technique is checksum (file integrity) comparison. Intruders who gain a foothold often install a rootkit that replaces system programs (typically the ones that list files, processes and network connections) with versions that hide the attacker's files and sessions and may also sniff passwords. A replaced file no longer has the checksum recorded in the baseline, so the comparison exposes it. For this to work, the checksum must be a cryptographic hash rather than a size or date, which an intruder can easily set back to the original values, and the checker and its baseline should be run from a trusted source, because a rootkit running in the kernel can feed false data to a checker running on the compromised host.
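The baseline-and-compare procedure described in the two paragraphs above, as an added example that is not code from the original page. It builds a baseline of SHA-256 hashes, sizes and modification times for a directory tree, then compares a later snapshot against it. The directory contents, the "rootkit" that replaces ls and drops a sniffer, and the file names are all constructed for illustration; the names build_baseline, compare and demo are this example's own.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def file_record(path):
    """Record a file's SHA-256 digest, size and modification time.

    The digest is the authoritative check: size and mtime can be forged by an
    intruder (e.g. with touch -r), but a replaced binary cannot keep the same
    cryptographic hash as the original.
    """
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    return {"sha256": digest.hexdigest(), "size": st.st_size, "mtime": int(st.st_mtime)}


def build_baseline(root):
    """Walk a directory tree and record every regular file (the known-good state)."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_record(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def compare(baseline, current):
    """Report files whose hash changed, files that appeared and files that vanished."""
    modified = sorted(
        name for name, rec in baseline.items()
        if name in current and current[name]["sha256"] != rec["sha256"]
    )
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed scenario (hypothetical): a tiny fake bin/ tree is baselined, then a
    'rootkit' swaps ls for a version that hides its sniffer and resets the mtime."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\nexec /usr/bin/ps \"$@\"\n")

        # Take the baseline while the host is clean; in practice write it to
        # read-only or off-host storage so an intruder cannot rewrite it.
        saved = json.dumps(build_baseline(root))

        # Simulated compromise: trojaned ls that filters the sniffer out of listings,
        # with the original mtime restored to defeat a naive date check.
        ls = root / "bin" / "ls"
        orig = ls.stat()
        ls.write_bytes(b"#!/bin/sh\nexec /usr/bin/ls \"$@\" | grep -v sniff\n")
        os.utime(ls, (orig.st_atime, orig.st_mtime))
        (root / "bin" / "sniff").write_bytes(b"#!/bin/sh\nexec tcpdump -w /tmp/.cache\n")

        baseline = json.loads(saved)
        current = build_baseline(root)
        return {
            "report": compare(baseline, current),
            # True: the forged mtime matches, yet the hash comparison still flags bin/ls.
            "ls_mtime_unchanged": baseline["bin/ls"]["mtime"] == current["bin/ls"]["mtime"],
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script reports bin/ls as modified and bin/sniff as added even though the attacker restored the original modification time; a checker that trusted only sizes and dates would have missed the replaced binary. The same caveat as in the text applies to the example: it reads files through the running kernel, so it should be run from trusted media or with a baseline kept off the host.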
Intrusion detection systems are also classified as signature-based or anomaly-based. A signature-based system matches observed events (log entries, file contents or, on the network, packets) against a database of known attack patterns, so it can only detect intrusions whose signatures it already has and is only as good as that database. An anomaly-based system first learns what "normal" activity looks like and then compares current activity against it. On the network the parameters that define normal activity include packet size, traffic load and the breakdown of traffic by protocol; on a host they include which processes run, when and from where users log in, and which files are accessed. Anomaly detection can catch novel attacks but produces false positives whenever legitimate behaviour changes.
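To make the two approaches concrete, here is an added example (not from the original page) that runs both over a handful of constructed syslog-style authentication lines; the rule names, the sample lines and the training counts are all invented for illustration. The signature rules fire only on patterns written in advance (a password attempt against root, a sudo read of /etc/shadow, a new UID 0 account), while the anomaly check learns a threshold from per-minute failed-login counts observed during a quiet period and flags the minute in which a brute-force burst occurs, including the attempts against accounts that no signature names.

```python
import re
import statistics
from collections import Counter

# Constructed sample of syslog-style authentication lines (invented, not from any real host).
SAMPLE_LOG = """\
Mar  3 10:00:01 host1 sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
Mar  3 10:00:09 host1 sshd[2215]: Failed password for root from 203.0.113.9 port 40001 ssh2
Mar  3 10:00:11 host1 sshd[2216]: Failed password for root from 203.0.113.9 port 40002 ssh2
Mar  3 10:00:14 host1 sshd[2217]: Failed password for admin from 203.0.113.9 port 40003 ssh2
Mar  3 10:00:16 host1 sshd[2218]: Failed password for invalid user oracle from 203.0.113.9 port 40004 ssh2
Mar  3 10:00:19 host1 sshd[2219]: Failed password for invalid user test from 203.0.113.9 port 40005 ssh2
Mar  3 10:01:02 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  3 10:01:40 host1 useradd[2300]: new user: name=svc_backup, UID=0, GID=0, home=/root, shell=/bin/bash
Mar  3 10:02:05 host1 sshd[2310]: Accepted password for bob from 10.0.0.7 port 50130 ssh2
"""

# Signature rules (hypothetical names): each fires only on a pattern written in advance.
SIGNATURES = [
    ("ssh-root-password-attempt",
     re.compile(r"sshd\[\d+\]: Failed password for root from \S+")),
    ("sensitive-file-read",
     re.compile(r"sudo:.*COMMAND=\S*\b(cat|less|more|cp|vi|vim)\b \S*/etc/g?shadow\b")),
    ("uid0-account-created",
     re.compile(r"useradd\[\d+\]: new user: name=(?!root\b)\w+, UID=0\b")),
]

# Timestamp truncated to the minute, used as the bucket for the anomaly check.
FAILED_LOGIN = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d):\d\d \S+ sshd\[\d+\]: Failed password")


def signature_hits(log_text):
    """Signature detection: return (rule name, line) for every line a rule matches."""
    return [(name, line)
            for line in log_text.splitlines()
            for name, rule in SIGNATURES if rule.search(line)]


def failed_logins_per_minute(log_text):
    """Count failed SSH logins in each one-minute bucket."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def anomaly_threshold(training_counts, k=3.0):
    """Mean plus k standard deviations of per-minute failure counts seen during a quiet period."""
    return statistics.fmean(training_counts) + k * statistics.pstdev(training_counts)


def anomalous_minutes(log_text, training_counts):
    """Anomaly detection: minutes whose failure count exceeds the learned threshold."""
    threshold = anomaly_threshold(training_counts)
    return sorted(minute for minute, n in failed_logins_per_minute(log_text).items() if n > threshold)


# Constructed training data: failed logins in ten quiet minutes (a few typos by real users).
TRAINING_FAILURES_PER_MINUTE = [0, 1, 0, 0, 2, 1, 0, 0, 1, 0]


if __name__ == "__main__":
    for name, line in signature_hits(SAMPLE_LOG):
        print(f"[signature] {name}: {line}")
    # The threshold is about 2.5 here, so the burst of five failures at 10:00 is flagged,
    # including the attempts against admin, oracle and test that no signature names.
    for minute in anomalous_minutes(SAMPLE_LOG, TRAINING_FAILURES_PER_MINUTE):
        print(f"[anomaly] {minute}: {failed_logins_per_minute(SAMPLE_LOG)[minute]} failed logins")
```

The two detectors are complementary: the signatures give precise, low-noise alerts for the events someone thought to write a rule for, and the anomaly threshold catches the password-guessing burst as a whole without needing a rule per target account. The price is that the threshold depends on the training window; retrain it when legitimate activity changes, or it will either go quiet or flood the console with false positives.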
PC intrusion detection matters even more now that laptops are common in the work environment: a laptop travels outside the corporate network, where no network-based sensor is watching it, so the detection has to travel with the host. Corporate security and confidentiality therefore make a good PC intrusion detection program essential for companies.
