Host-based intrusion detection system

[2] HIDS was the first type of intrusion detection software to have been designed, with the original target system being the mainframe computer where outside interaction was infrequent.

[4] A host-based IDS is capable of monitoring all or parts of the dynamic behavior and the state of a computer system, based on how it is configured.

Besides such activities as dynamically inspecting network packets targeted at this specific host (optional component with most software solutions commercially available), a HIDS might detect which program accesses what resources and discover that, for example, a word-processor has suddenly and inexplicably started modifying the system password database.

A HIDS could also check that appropriate regions of memory have not been modified – for example, the system call table for Linux, and various vtable structures in Microsoft Windows.

For each object in question a HIDS will usually remember its attributes (permissions, size, modifications dates) and create a checksum of some kind (an MD5, SHA1 hash or similar) for the contents, if any.

An alternate method to HIDS would be to provide NIDS type functionality at the network interface (NIC) level of an end-point (either server, workstation or other end device).

Persons in charge of computer security need to control this process tightly in order to prevent intruders making un-authorized changes to the database(s).

Such initialization thus generally takes a long time and involves cryptographically locking each monitored object and the checksum databases or worse.

Architecturally this provides the ultimate (at least at this point in time[update]) host-based intrusion detection, as depends on hardware external to the CPU itself, thus making it that much harder for an intruder to corrupt its object and checksum databases.