Host intrusion detection systems run on individual hosts or devices on the network.
A host-based intrusion detection system (HIDS) is an intrusion detection system that monitors and analyzes the internals of a computing system as well as the network packets on its network interfaces.
A HIDS monitors the inbound and outbound packets from the device only and will alert the user or administrator if suspicious activity is detected.
It takes a snapshot of the existing system files and compares it with the previous snapshot.
If critical system files have been modified or deleted, an alert is sent to the administrator to investigate.
An example of HIDS usage can be seen on mission-critical machines, which are not expected to change their configurations.
A host-based IDS monitors all or parts of the dynamic behaviour and the state of a computer system.
HIDS might detect which program accesses what resources and discover that, for example, a word-processor has suddenly started modifying the system password database.
Similarly, a HIDS might look at the state of a system, its stored information, whether in RAM, in the file system, log files or elsewhere, and check that the contents of these appear as expected, e.g. have not been changed by intruders.
One can think of a HIDS as an agent that monitors whether anything or anyone, whether internal or external, has circumvented the system’s security policy.
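The snapshot-and-compare check described above (a baseline of critical files compared against a later snapshot, and a check that stored state still looks as expected) is shown here as an added example; it is not code from the original page or from any particular HIDS product. It records a SHA-256 hash and the permission bits of every regular file under a directory, saves that as a JSON baseline, and reports which files were added, deleted or modified when the directory is rescanned. The monitored directory, its files and the simulated tampering are all constructed inside a temporary directory so nothing on the real host is read or changed.

```python
"""Baseline-and-compare file integrity check, the kind of snapshot
comparison a HIDS performs over critical system files (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_snapshot(root: Path) -> dict:
    """Record hash, size and permission bits for every regular file under root.
    Keys are paths relative to root so the baseline is portable between hosts."""
    snapshot = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            snapshot[str(path.relative_to(root))] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return snapshot


def compare_snapshots(baseline: dict, current: dict) -> dict:
    """Return which tracked files were added, deleted or modified.
    A file counts as modified if its content hash or its permission bits changed
    (a changed mode on an unchanged file, e.g. a new setuid bit, still matters)."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p]["sha256"] != current[p]["sha256"]
        or baseline[p]["mode"] != current[p]["mode"]
    )
    return {"added": added, "deleted": deleted, "modified": modified}


def save_snapshot(snapshot: dict, dest: Path) -> None:
    """Persist the baseline; in practice this lives off-host or read-only."""
    dest.write_text(json.dumps(snapshot, indent=2, sort_keys=True))


def load_snapshot(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Simulate a monitored directory: take a baseline, then change it.
    Everything here is constructed in a temp dir; the real host is untouched."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        root.mkdir()
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "motd").write_text("welcome\n")

        baseline_file = Path(tmp) / "baseline.json"
        save_snapshot(take_snapshot(root), baseline_file)

        # Simulated changes an administrator would want flagged: an extra
        # account line in the password file, a removed file, and a new file.
        (root / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\nextra:x:0:0::/:/bin/sh\n"
        )
        (root / "motd").unlink()
        (root / "rc.local").write_text("#!/bin/sh\n")

        return compare_snapshots(load_snapshot(baseline_file), take_snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Running the script prints the three change lists for the simulated directory. The design point is that the baseline must be taken on a known-good system and stored where the monitored host cannot rewrite it; a baseline that an intruder can regenerate after making changes detects nothing.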