HIDS – A Guide To Host Based Intrusion Detection Systems

Joe A. J. Beaumont Headshot
Joe A. J. Beaumont
Chief Security Evangelist
12th March 2021

Defending against cyber attack

With cyber-attacks constantly in the news and the threats becoming more sophisticated and prevalent, you are not alone in your concerns about your business’s security. While simple security measures might have been adequate in the past, today, your company will need a multi-layered security approach to prevent it from hackers and other malicious actors. In this article, we are going to look at an application that monitors a host device for suspicious activity, namely a HIDS or Host-Based Intrusion System.

Typically intrusion detection systems work in conjunction with firewalls.

What is an Intrusion Detection System?

There are two types of Intrusion Detection Systems: Host-Based and Network-Based IDS. In this article, we will discuss host-based systems, but we will also explore the difference between the two. Similar to a burglar or fire alarm in a physical environment, an intrusion detection system will identify potential threats to your network or host. Just like its physical counterparts, when an incident is identified, it will notify someone of the intrusion. In this case, it is likely to be a system administrator or IT security personnel. They will investigate the intrusion and take remedial action if necessary.

An intrusion detection system is a software or tool that monitors traffic on a network or host device and analyses it for signs of malicious intent or policy violations. Common incidents that IDS protects against are malware, unauthorised access attempts, authorised users that attempt to abuse or escalate privileges for which they are unauthorised, and modification of configuration files.

Typically intrusion detection systems work in conjunction with firewalls. The way they deal with traffic is the mirror image of each other. A firewall is configured to allow only specific types of traffic and block the rest. IDS allows all traffic and identifies specific traffic that could be a threat.

A futuristic warning symbol

What is a Host Based Intrusion Detection System?

A Host-based Intrusion Detection System monitors and sends alerts if suspicious activity is detected on a single host such as a computer, server or another endpoint device. Most HIDS deploy software known as an agent on the host that will monitor and report on activity. Some examples of what a HIDS will monitor are network traffic for that specific host, file access, file modifications, configuration changes, running processes and events, application and system logs.

HIDS are typically installed on critical hosts such as servers that contain sensitive data or that are accessible to the public. But as HIDS agents can be deployed on any single host if required. They are available for use on most servers and computers used by a business.

How Does a Host Based Intrusion Detection Work?

HIDS uses two methods to identify potential threats.

Signature-based Detection

Signature-based detection looks at data activity and compares it with a database of recognised threats. The downside to signature-based detection is that if the threat isn’t known, for instance, a brand-new type of malicious attack that has only just appeared will not be flagged.

Anomaly-based Detection

The second method is anomaly-based HIDS rather than checking a database to look for anomalies in usage. An anomaly-based HIDS will sample ‘normal behaviour’ and keep a log of it. Anytime there is a deviation from normal behaviour the HIDS will send an alert. The main issue with anomaly-based detection is that it can flag many false positives.

If an intruder manages to go undetected by the NIDS, it might be identified by the HIDS.

What Is The Difference Between HIDS and NIDS?

The simple answer is that HIDS protects against host-level attacks while NIDS (Network-Based Intrusion Detection System) protects against attacks to a network segment. Both intrusion systems operate by examining event and log messages generated by the system. In addition, NIDS works in real-time, monitoring the packets that are going across the network for evidence of interference. In contrast, HID will look at historical data in logged files for system anomalies.

As each intrusion detection system has its benefits, the best strategy would be to incorporate both into your security systems, utilising their combined strengths. If an intruder manages to go undetected by the NIDS, it might be identified by the HIDS.

Network icons across a rack of servers

What are The Pros and Cons of HIDS?

Host-Based Intrusion Detection offers a wide range of security capabilities, but it has its flaws, just like any other security solution.


  • One of the benefits of host-based solutions is that they can inspect data that may be encrypted as it passes over the network, making it hard for network-based solutions to inspect the traffic. A host-based solution can inspect data in system memory at the points it is unencrypted.
  • A Host-Based Intrusion Detection system is also a useful tool to identify insider threats as it can detect suspicious client-server requests and file permission changes.
  • HIDS has the advantage of being able to monitor specific activities, therefore providing much more detail than network-based systems. For instance, it can track everything a user does when connected to the network. It will know if any user accounts have been changed as soon as the changes have been executed, and monitor when the user has logged on or off. As HIDS can monitor any changes to system files if an attempt is made to overwrite them or deploy backdoors it can be identified. This type of activity is something that NIDS often miss.
  • Another important function of HIDS is File Integrity Monitoring (FIM). It can provide an audit trail to track if important files have been accessed or modified. FIM is often required for compliance requirements such as Requirement 11.5 of the PCI DSS (Payment Card Industry Data Security Standard) if you process credit cards.
  • HIDS also have a lower barrier entry than NIDS, making them more cost-effective for small businesses. Furthermore, additional hardware isn't required, saving on management and maintenance costs.


  • HIDS are more challenging to manage than a similar-sized NIDS setup, especially for a larger organisation where each host that requires monitoring will need to be installed, configured and managed. This could be a complex process for an extensive network with thousands of hosts. The logical solution, in this case, would be to use a combination of the two. A network-based system for most of the network and a host-based intrusion detection system for mission-critical machines.
  • Malware that establishes itself on the host might be able to gain access to privileges and escalate them. This could allow it to turn off anti-malware software and logging during the attack for instance or once compromised even disable the HIDS.
  • An experienced systems administrator is required to administer a HIDS.
Often IPS and IDS solutions will be used in conjunction depending on a business's individual needs.

What's The Difference Between HIDS and HIPS?

While an IDS analyses copied data rather than the actual data, it doesn't interrupt traffic flow, essentially analysing the date offline. In contrast, an Intrusion Prevention System (IPS) monitors data in real-time and makes traffic flow through it. Thus preventing any incoming or outgoing malicious traffic on the network. As with IDS, intrusion prevention systems can be deployed either in the host or the network. Host-based Intrusion Prevention Systems are known as HIPS and Network-based -- NIPS.

So IPS software installed on a host (HIPS) will block activity that it deems malicious and a HIDS will identify the threat but not block it. Basically, HIDS is a passive solution while HIPS is active. Often IPS and IDS solutions will be used in conjunction depending on a business's individual needs.

In Conclusion

Host-Based Intrusion Detection Systems can play a part in a robust security system alongside the other IDPS (Intrusion Detection Prevention systems) solutions we briefly discussed. Each has its advantages and disadvantages, and all of them require the knowledge of IT security professionals to use them optimally.

Joe A. J. Beaumont Headshot

Meet the author

Joe A. J. Beaumont Chief Security Evangelist

Joe is a blogger and security evangelist who’s been raising the profile of cyber security for a decade. He writes about a variety of cyber and compliance topics, with a keen eye on translating events and data into valuable customer insights. Never boring, sometimes controversial, always insightful.

Secure your business data with proactive protection

Bulletproof your business with our next-generation, multi-layered cyber protection that combines managed SIEM with human insight and intelligence.

Learn more

Related resources

Trusted cyber security & compliance services from a certified provider

Get a quote today

If you are interested in our services, get a free, no obligation quote today by filling out the form below.

(1,500 characters limit)

For more information about how we collect, process and retain your personal data, please see our privacy policy.