HIDS (Host-Based Intrusion Detection System)

From Bauman National Library
This page was last modified on 22 June 2016, at 15:09.

Host-based Intrusion Detection System, HIDS — intrusion detection system, that control and handle events, that occurs on the host machine. HIDS monitors only internal activity. This differ it from the network IDS, that mainly control network activity. Sometimes HIDS also take care over packages of the network interfaces of host machine, like NIDS. This type of IDS was developed for using on mainframes, when interactions with network were very seldom.


HIDS first of all handle events, that take places in computer network. HIDS check events for conforming with established security model.

While NIDS detects passing network packages, HIDS checks how software calls particular resources.

For example, it is possible, that text editor suddenly started to change system's password database, monitors on the current system state and check the information in the RAM and HDD. This is necessary for verifying current application activity in the system.

HIDS appears as agent, that monitors internal activity for preventing security politics violation (from the outside or from the inside).


Monitoring dynamic behavior

Many computer users have encountered tools that monitor dynamic system behaviour in the form of anti-virus (AV) packages. While AV programs often also monitor system state, they do spend a lot of their time looking at who is doing what inside a computer - and whether a given program should or should not have access to particular system resources. The lines become very blurred here, as many of the tools overlap in functionality.

Intrusion prevention systems are a type of HIDS software that protects against buffer overflow attacks on system memory and can enforce security policy.

Monitoring state

The principle operation of a HIDS depends on the fact that successful intruders (hackers) will generally leave a trace of their activities. In fact, such intruders often want to own the computer they have attacked, and will establish their "ownership" by installing software that will grant the intruders future access to carry out whatever activity (keystroke logging, identity theft, spamming, botnet activity, spyware-usage etc.) they envisage.

In theory, a computer user has the ability to detect any such modifications, and the HIDS attempts to do just that and reports its findings.

Ideally a HIDS works in conjunction with a NIDS, such that a HIDS finds anything that slips past the NIDS. Commercially available software solutions often do correlate the findings from NIDS and HIDS in order to find out about whether a network intruder has been successful or not at the targeted host.

Most successful intruders, on entering a target machine, immediately apply best-practice security techniques to secure the system which they have infiltrated, leaving only their own backdoor open, so that other intruders can not take over their computers.