Host-Based IDS (HIDS)
What is Host-Based IDS (HIDS)?
An intrusion-detection agent installed on a server or endpoint that monitors local files, processes, logs, and system calls for malicious activity.
A Host-Based Intrusion Detection System (HIDS) runs as an agent inside the operating system and watches local artefacts: file integrity, registry changes, process creation, system calls, authentication events, and log files. It detects intrusions that may never appear on the wire. Classic examples include OSSEC, Wazuh, Tripwire, and AIDE; modern EDR and XDR products extend HIDS with richer telemetry, behavioural analytics, and response actions. A HIDS sees what a NIDS cannot: actions on the host itself, activity that is encrypted in transit but visible locally, and post-compromise behaviour such as persistence and privilege escalation. Its limits include agent-management overhead, the CPU and I/O cost of hashing and real-time monitoring on busy servers, and exposure to tampering once an attacker has root on the host: a compromised host can stop the agent, edit its baseline, or rewrite its logs. Alerts and logs must therefore be forwarded off-host promptly to a collector the host itself cannot modify.
● Examples
- 01 Wazuh agent alerting on a suspicious cron job created in /etc/cron.d.
- 02 OSSEC detecting that a critical binary in /usr/bin has changed checksum.
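Both examples are file-integrity checks: the agent keeps a baseline of what watched paths looked like and alerts when a later scan differs. The following is an added illustration of that mechanism, written for this page; it is not code from OSSEC, Wazuh, Tripwire, or AIDE, and the rule names, severities, and the miniature root filesystem it builds in a temporary directory are constructed for the demo. It baselines SHA-256 digests plus mode, owner, and size for every file under the watched directories, diffs a second scan against the baseline, and raises alerts for exactly the two cases above: a new file in /etc/cron.d and a changed binary in /usr/bin.

```python
"""Minimal file-integrity monitor in the spirit of AIDE, Tripwire and OSSEC
syscheck. Added illustration for this page, not code from any of those
projects. Paths are stored relative to a scanned root so the demo can run
against a temporary directory laid out like a tiny root filesystem."""
import hashlib
import stat
import tempfile
from pathlib import Path

WATCHED = ("etc/cron.d", "usr/bin")          # scanned, relative to the root
CRON_DIRS = ("/etc/cron.d",)                 # new file here => persistence
CRITICAL_DIRS = ("/usr/bin", "/usr/sbin")    # changed file here => tampering


def fingerprint(path: Path) -> dict:
    """Attributes a tamper would change. lstat() so symlinks are not followed."""
    st = path.lstat()
    digest = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
    return {"sha256": digest.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}


def scan(root: Path, subdirs=WATCHED) -> dict:
    """Map "/usr/bin/ssh"-style paths to fingerprints for every non-directory
    entry below the watched directories."""
    db = {}
    for sub in subdirs:
        for p in (root / sub).rglob("*"):
            if stat.S_ISDIR(p.lstat().st_mode):
                continue
            db["/" + p.relative_to(root).as_posix()] = fingerprint(p)
    return db


def diff(baseline: dict, current: dict) -> dict:
    """Added, removed and modified paths between two scans."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def classify(report: dict) -> list:
    """Turn raw diffs into alerts. Rule names are illustrative, not real
    OSSEC/Wazuh rule IDs."""
    alerts = []
    for p in report["added"]:
        if p.startswith(CRON_DIRS):
            alerts.append({"severity": "high", "rule": "new_cron_job", "path": p})
    for p in report["modified"]:
        if p.startswith(CRITICAL_DIRS):
            alerts.append({"severity": "critical", "rule": "system_binary_changed", "path": p})
    for p in report["removed"]:
        if p.startswith(CRITICAL_DIRS):
            alerts.append({"severity": "critical", "rule": "system_binary_removed", "path": p})
    return alerts


def demo():
    """Build a fake root, baseline it, simulate an intrusion, rescan and alert."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for sub in WATCHED:
            (root / sub).mkdir(parents=True)
        (root / "usr/bin/ssh").write_bytes(b"\x7fELF original ssh client")
        (root / "usr/bin/ls").write_bytes(b"\x7fELF ls")
        (root / "etc/cron.d/sysstat").write_text("*/10 * * * * root /usr/lib/sa/sa1\n")
        baseline = scan(root)

        # Simulated post-compromise activity (constructed sample, not real malware):
        (root / "usr/bin/ssh").write_bytes(b"\x7fELF trojaned ssh client")
        (root / "etc/cron.d/backdoor").write_text("* * * * * root /tmp/.x/run.sh\n")

        report = diff(baseline, scan(root))
        return report, classify(report)


if __name__ == "__main__":
    rep, found = demo()
    print(rep)
    for a in found:
        print(f"[{a['severity']}] {a['rule']}: {a['path']}")
```

Two design points carry over to real deployments. First, the baseline and the alert stream are themselves targets: an attacker with root can re-baseline the trojaned binary or delete the alert, so the baseline should be generated from a known-good image and the alerts shipped off-host as they are produced rather than read from a local file later. Second, the monitor compares content and metadata, not timestamps, because `touch` and similar tools make mtime trivially forgeable.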
● Frequently asked questions
What is Host-Based IDS (HIDS)?
An intrusion-detection agent installed on a server or endpoint that monitors local files, processes, logs, and system calls for malicious activity. It belongs to the Network Security category of cybersecurity.
What does Host-Based IDS (HIDS) mean?
An intrusion-detection agent installed on a server or endpoint that monitors local files, processes, logs, and system calls for malicious activity.
How do you keep a Host-Based IDS (HIDS) trustworthy?
A HIDS is itself a defensive control, so the question is how to protect it from the attacker it is meant to catch. In practice that means forwarding alerts and logs off-host in near real time to a collector or SIEM the host cannot rewrite, generating the file-integrity baseline from a known-good image rather than from a host that may already be compromised, protecting the agent's binaries and configuration with file permissions and integrity monitoring, restricting who can stop or reconfigure the agent, and reviewing agent health so a silenced agent is noticed rather than mistaken for a quiet host.
What are other names for Host-Based IDS (HIDS)?
Common alternative names include: HIDS, Host IDS.