Host-Based IDS (HIDS)

Also known as: HIDS, Host IDS

Definition

An intrusion-detection agent installed on a server or endpoint that monitors local files, processes, logs, and system calls for malicious activity.

A Host-Based Intrusion Detection System (HIDS) runs as an agent inside the operating system and watches local artefacts — file integrity, registry changes, process creation, system calls, authentication events, and log files — to detect intrusions that may never appear on the wire. Classic examples include OSSEC, Wazuh, Tripwire, and AIDE; modern EDR and XDR products extend HIDS with rich telemetry, behavioural analytics, and response actions. HIDS sees what NIDS cannot: actions on the host itself, encrypted local activity, and post-compromise behaviour. Its limits include agent-management overhead, performance on busy servers, and exposure to tampering if the host is fully compromised, which makes secure storage of logs essential.

Examples

  • Wazuh agent alerting on a suspicious cron job created in /etc/cron.d.
  • OSSEC detecting that a critical binary in /usr/bin has changed checksum.

Related terms