Host-Based IDS. What is it and how does it work?

In the cyber security community there is an attractive paradigm: prevent every attack. The idea is appealing, and as with human health it is always better to prevent the disease than to treat it. But is it realistic in cybersecurity? The growing number of attacks every year shows that protecting a system 100% and preventing every attack is impossible.

Attackers use increasingly complex and sophisticated techniques to break into a system and stay there undetected for as long as possible.

All this suggests that prevention is certainly good, but timely detection and incident response matter just as much in a world where you cannot prevent 100% of attacks.

What is a host-based IDS?

An intrusion detection system (IDS) is a tool that detects unauthorized use of, or an attack upon, a server, network, or telecommunications infrastructure. Its basic purpose is to spot something suspicious happening in the system and raise an alert about it.

Although many different IDS products are available, they all share three components: sensors, analyzers, and an administrator interface. The sensors collect traffic and user activity data and send it to an analyzer, which looks for suspicious activity. When the analyzer sees activity that matches what it has been configured to treat as suspicious, it sends an alert to the administrator interface.

IDSs come in two main types: network-based (NIDS), which monitor network communications, and host-based (HIDS), which analyze the activity on a particular server. A HIDS sees what a network sensor cannot: local logins, process and file activity, and the contents of connections that are encrypted on the wire.

What does a host-based IDS do?

A host-based intrusion detection system (HIDS) gives you in-depth information about what is happening on your critical assets, so that you can detect and respond to malicious or abnormal actions in your environment.

Web server security is especially important for any organization that has a physical or virtual web server connected to the Internet. A HIDS monitors unauthorized or unusual access attempts and suspicious outgoing connections, detects malware on your Internet-facing servers, and alerts on all of it, so your IT team has the information it needs to respond to an incident. One caveat: because a HIDS runs on the host it watches, an attacker who gains root there can tamper with it or its logs, so alerts and raw events should be shipped off the host promptly rather than kept only locally.
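The pipeline described above (sensor, analyzer, administrator interface) and the two use cases just mentioned, login monitoring and outbound-connection auditing, in working form. This is an added example written for this page, not code from the page or from any HIDS product. The sshd log lines, the outbound connection snapshot and the allow-list policy are all constructed for the illustration, the addresses come from RFC 5737 documentation ranges, and the thresholds (5 failures in 60 seconds, root never logs in with a password) are assumptions a real deployment would tune.

```python
# Toy host-based IDS: sensor (log parser) -> analyzer (rules) -> alert sink.
# Added example, not from the page or any product; every input below is
# constructed and uses RFC 5737 documentation addresses.
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Set

# Constructed sshd lines in syslog format (not captured from a real host).
SAMPLE_AUTH_LOG = """\
Mar 10 12:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar 10 12:00:03 web1 sshd[2102]: Failed password for root from 203.0.113.7 port 51123 ssh2
Mar 10 12:00:05 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Mar 10 12:00:06 web1 sshd[2104]: Failed password for root from 203.0.113.7 port 51125 ssh2
Mar 10 12:00:09 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 51126 ssh2
Mar 10 12:00:30 web1 sshd[2106]: Accepted password for root from 203.0.113.7 port 51130 ssh2
Mar 10 12:05:00 web1 sshd[2120]: Accepted publickey for deploy from 198.51.100.20 port 40012 ssh2
Mar 10 12:06:00 web1 sshd[2121]: Failed password for deploy from 198.51.100.20 port 40013 ssh2
"""
# Constructed snapshot of established outbound TCP connections (as collected from `ss -tnp`).
SAMPLE_OUTBOUND = [
    {"proc": "postgres", "dst_ip": "10.0.0.5", "dst_port": 5432},
    {"proc": "apt-get", "dst_ip": "198.51.100.50", "dst_port": 443},
    {"proc": "python3", "dst_ip": "203.0.113.9", "dst_port": 5432},
    {"proc": "sh", "dst_ip": "203.0.113.7", "dst_port": 4444},
]
# Assumed outbound policy for a web server: port -> allowed hosts (None = any host).
OUTBOUND_ALLOWLIST: Dict[int, Optional[Set[str]]] = {5432: {"10.0.0.5"}, 443: None, 80: None}

LOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
                    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

@dataclass
class Event:
    ts: datetime
    outcome: str  # "Failed" or "Accepted"
    method: str   # "password" or "publickey"
    user: str
    src_ip: str

@dataclass
class Alert:
    rule: str
    severity: str
    peer: str     # remote address the alert is about
    message: str

def parse_auth_log(text: str) -> List[Event]:
    """Sensor: turn sshd syslog lines into events; unrecognized lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            # syslog timestamps carry no year (strptime defaults to 1900); the rules
            # only compare events relative to each other, so that is fine here.
            ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
            events.append(Event(ts, m["outcome"], m["method"], m["user"], m["ip"]))
    return events

def analyze_logins(events: List[Event], threshold: int = 5,
                   window: timedelta = timedelta(seconds=60)) -> List[Alert]:
    """Analyzer: sliding-window rules over login events given in timestamp order."""
    recent_failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Set[str] = set()
    alerts: List[Alert] = []
    for ev in events:
        q = recent_failures[ev.src_ip]
        while q and ev.ts - q[0] > window:  # forget failures outside the window
            q.popleft()
        if ev.outcome == "Failed":
            q.append(ev.ts)
            if len(q) >= threshold and ev.src_ip not in flagged:  # alert once per source
                alerts.append(Alert("ssh_bruteforce", "medium", ev.src_ip,
                                    f"{len(q)} failed logins within {window.seconds}s"))
                flagged.add(ev.src_ip)
            continue
        # A success right after a burst of failures is the signature of a guessed credential.
        if q:
            alerts.append(Alert("ssh_success_after_failures", "high", ev.src_ip,
                                f"login as {ev.user!r} accepted after {len(q)} recent failures"))
        # A host-specific custom rule: root should never log in with a password here.
        if ev.user == "root" and ev.method == "password":
            alerts.append(Alert("root_password_login", "medium", ev.src_ip,
                                "interactive root login with a password"))
    return alerts

def check_outbound(conns: List[dict], allowlist: Dict[int, Optional[Set[str]]]) -> List[Alert]:
    """Analyzer: flag outbound connections outside the host's expected destinations."""
    alerts = []
    for c in conns:
        hosts = allowlist.get(c["dst_port"], set())  # unknown port -> no host allowed
        if hosts is None or c["dst_ip"] in hosts:
            continue
        alerts.append(Alert("unexpected_outbound", "high", f'{c["dst_ip"]}:{c["dst_port"]}',
                            f'process {c["proc"]!r} connected to a destination outside policy'))
    return alerts

if __name__ == "__main__":  # administrator interface reduced to stdout
    for a in analyze_logins(parse_auth_log(SAMPLE_AUTH_LOG)) + check_outbound(SAMPLE_OUTBOUND, OUTBOUND_ALLOWLIST):
        print(f"[{a.severity.upper():6}] {a.rule:27} {a.peer:18} {a.message}")
```

On the constructed input this raises five alerts: the burst of failures from 203.0.113.7, the root login accepted right after that burst (the one that matters most, since it means the guess worked), the root password login itself, and two outbound connections that the policy does not cover (a database port to a host outside the allow-list, and a shell talking to port 4444). The brute-force rule fires once per source rather than on every further failure, which keeps the alert sink from drowning the one high-severity event; in a real deployment the print statement is replaced by shipping the alert to a collector off the host.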

What are the well-known host-based IDS products?

Dhound Host-Based IDS collects and analyzes security events on your web servers and in the cloud (Amazon Cloud), audits outgoing traffic for unauthorized connections, and detects and alerts on intrusions and suspicious activity. With Dhound you can monitor all login attempts and create custom rules to track the events that are critical for your web application.