O'Reilly logo
  • Timothy Smith thinks this is interesting:

a host-based IDS resides on centralized hosts.


Cover of The CISM™ Prep Guide: Mastering the Five Domains of Information Security Management


It's not only on "centralized" hosts. The whole point of HIDS is to be located and running on user and server computer systems dispersed throughout the organization similar to anti-virus programs. Attack behaviors, particularly zero day attacks that aren't detected by signature or heuristic based network IDS. Anti-virus looks at static files, but HID/HIP look at executing programs. When a new attack program executes on a host, then it exhibits characteristics using known attack vectors to compromise the host. Anomalous behavior can also be detected. There should be a centralized HIDS management, configuration, update, and monitoring server for policy configuration/monitoring/audit in a business network, but HIDS...