Host-based Intrusion Detection System
- Host-based intrusion detection systems run as agents on individual hosts or devices on the network, rather than at a network chokepoint.
- A host-based intrusion detection system (HIDS) is an intrusion detection system that monitors and analyzes the internals of a computing system as well as the network packets on that system's own interfaces.
- A HIDS sees only the packets entering and leaving the host it runs on (unlike a network IDS, which watches a whole segment) and alerts the user or administrator when suspicious activity is detected.
- It takes a snapshot of critical system files (typically a cryptographic hash of each file) and compares it with the previous, known-good snapshot.
- If critical system files have been modified or deleted, an alert is sent to the administrator to investigate. The baseline snapshot must be stored where an intruder on the host cannot rewrite it (read-only media, a signed database, or a separate host), or the attacker can simply re-baseline after tampering.
- A typical deployment is on mission-critical machines whose configuration is not expected to change, so that any drift from the baseline is worth investigating.
- A host-based IDS monitors all or part of the dynamic behaviour and the state of a computer system.
- On the behavioural side, a HIDS can track which program accesses which resources and discover that, for example, a word processor has suddenly started modifying the system password database, something no legitimate word processor does.
- On the state side, a HIDS can examine the system's stored information, whether in RAM, in the file system, in log files or elsewhere, and check that its contents appear as expected, i.e. have not been changed by an intruder.
- One can think of a HIDS as an agent that monitors whether anything or anyone, internal or external, has circumvented the system's security policy.
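As an added illustration (not code from the original page or from any HIDS product), the following Python sketch implements both sides of a HIDS described above: the snapshot-and-compare file-integrity check from the earlier bullets, and a behavioural rule of the kind in the "word processor modifying the password database" example. The scratch file paths, the allowlist of programs permitted to write each sensitive file, and the audit-style event lines are all constructed for this example.

```python
"""Minimal host-based IDS sketch (added example, not from the original page):
part 1 snapshots critical files and reports modifications/deletions against a
baseline; part 2 applies a behavioural rule over constructed audit events."""
import hashlib
import os
import tempfile

# ---- Part 1: static state. Snapshot critical files and compare with the baseline. ----

def snapshot(paths):
    """Return {path: sha256 hex digest} for each path that is a regular file.
    Files that no longer exist are left out, which is how deletions show up."""
    state = {}
    for p in paths:
        if os.path.isfile(p):
            with open(p, "rb") as f:
                state[p] = hashlib.sha256(f.read()).hexdigest()
    return state


def compare(baseline, current):
    """Diff two snapshots: (modified, deleted, added), each a sorted list of paths."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    deleted = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return modified, deleted, added


def demo_file_integrity():
    """Create scratch copies of two critical files, baseline them, tamper, and report.
    Returns basenames so the result does not depend on the temp directory name."""
    d = tempfile.mkdtemp()
    passwd = os.path.join(d, "passwd")   # constructed stand-in for /etc/passwd
    shadow = os.path.join(d, "shadow")   # constructed stand-in for /etc/shadow
    with open(passwd, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")
    with open(shadow, "w") as f:
        f.write("root:$6$salt$hash:19000:0:99999:7:::\n")
    watched = [passwd, shadow]
    baseline = snapshot(watched)   # real deployments keep this off-host or read-only

    # Simulated intrusion: a uid-0 backdoor account appended, shadow file removed.
    with open(passwd, "a") as f:
        f.write("backdoor:x:0:0::/:/bin/sh\n")
    os.remove(shadow)

    modified, deleted, added = compare(baseline, snapshot(watched))
    return ([os.path.basename(p) for p in modified],
            [os.path.basename(p) for p in deleted],
            added)


# ---- Part 2: dynamic behaviour. Which program is touching which resource? ----

# Policy (constructed, not exhaustive): programs allowed to write each sensitive file.
ALLOWED_WRITERS = {
    "/etc/passwd": {"passwd", "useradd", "usermod", "userdel", "vipw"},
    "/etc/shadow": {"passwd", "useradd", "usermod", "userdel", "chage", "vipw"},
}

# Constructed audit-style events: timestamp followed by key=value fields.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01Z uid=1000 comm=soffice.bin path=/home/alice/report.odt op=write",
    "2024-05-01T10:00:02Z uid=1000 comm=soffice.bin path=/etc/passwd op=write",
    "2024-05-01T10:00:03Z uid=0 comm=passwd path=/etc/shadow op=write",
    "2024-05-01T10:00:04Z uid=0 comm=sshd path=/etc/shadow op=read",
]


def parse_event(line):
    """Split 'ts k=v k=v ...' into a dict; the first token is the timestamp."""
    ts, *fields = line.split()
    event = {"ts": ts}
    for kv in fields:
        key, value = kv.split("=", 1)
        event[key] = value
    return event


def check_event(event):
    """Return an alert string if a non-allowlisted program wrote a sensitive file, else None."""
    allowed = ALLOWED_WRITERS.get(event.get("path"))
    if allowed is None or event.get("op") != "write":
        return None            # not a sensitive file, or only a read: no alert
    if event.get("comm") in allowed:
        return None            # expected writer, e.g. passwd(1) updating /etc/shadow
    return "%s ALERT: %s (uid=%s) wrote %s" % (
        event["ts"], event.get("comm"), event.get("uid"), event["path"])


def scan(lines):
    """Run the behavioural rule over a list of event lines and collect the alerts."""
    return [a for a in (check_event(parse_event(line)) for line in lines) if a]


if __name__ == "__main__":
    print("file integrity (modified, deleted, added):", demo_file_integrity())
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The integrity check flags the appended backdoor line in the passwd copy as a modification and the missing shadow copy as a deletion; the behavioural rule fires only on the office suite writing /etc/passwd, while passwd(1) writing /etc/shadow and sshd reading it pass as expected activity. A production agent would replace the constructed event list with a real audit source and, as noted above, keep the baseline hashes where the monitored host cannot rewrite them.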