3.1 Describe the functionality of these endpoint technologies in regard to security
monitoring utilizing rules, signatures, and predictive AI
📘Cisco Certified CyberOps Associate (200-201 CBROPS)
What is HIDS?
A Host-Based Intrusion Detection System (HIDS) is a security technology installed directly on a computer or server (the “host”) to monitor its activities for suspicious behavior. Unlike network-based detection, which watches traffic on the network, HIDS focuses on what is happening on that specific device.
- Host examples: Windows server, Linux workstation, database server.
- Goal: Detect attacks, misconfigurations, or malicious activity on that specific host.
How HIDS Works
HIDS uses three main approaches to detect threats: rules, signatures, and predictive AI.
1. Rules-Based Detection
- HIDS can monitor host activities using predefined rules.
- Rules define normal behavior. Anything outside the rule triggers an alert.
- Example in IT environment:
- Rule: Only system administrators can change files in
/etc/(Linux) orC:\Windows\System32(Windows). - If another user tries to modify these files, HIDS raises an alert.
- Rule: Only system administrators can change files in
2. Signature-Based Detection
- HIDS uses a database of known attack patterns, called signatures, to identify malicious activity.
- Example:
- A signature detects a known malware that tries to modify the Windows registry key for startup.
- When HIDS sees this activity, it matches it to the signature and alerts security staff.
3. Predictive AI / Anomaly Detection
- Modern HIDS can use machine learning or AI to detect new, unknown threats.
- It monitors host behavior and learns what “normal” looks like.
- If it detects abnormal activity that deviates from normal patterns, it flags it.
- Example:
- If a user account suddenly starts sending thousands of emails at midnight, HIDS recognizes this is unusual and generates an alert, even if no signature exists for this attack.
What HIDS Monitors
HIDS watches for changes or suspicious activity in several areas of the host:
- System files
- Detects changes to important OS files.
- Log files
- Monitors login attempts, failed access attempts, or unusual processes.
- Processes and applications
- Watches for unknown programs running or system resource abuse.
- Configuration changes
- Alerts if system settings are modified unexpectedly.
HIDS in Security Monitoring
HIDS plays a key role in security monitoring by providing alerts and reports to IT security teams.
- Centralized monitoring: Alerts from multiple hosts can be sent to a Security Information and Event Management (SIEM) system for correlation.
- Incident detection: Detects unauthorized access, malware infections, or insider threats.
- Compliance: Helps organizations meet regulatory requirements by logging and alerting suspicious host activities.
Key Advantages of HIDS
- Works directly on the host, so it sees local activity that network monitoring might miss.
- Can detect insider threats or malware that doesn’t generate network traffic.
- Supports both rule/signature detection and AI-based anomaly detection.
Key Limitations
- Only protects the host it is installed on.
- Requires updates for signatures and AI models to stay effective.
- High number of alerts can cause alert fatigue, requiring careful tuning.
Summary Table
| Feature | Description |
|---|---|
| Location | Installed on individual host computers or servers |
| Detection Methods | Rules, Signatures, Predictive AI/Anomaly detection |
| Monitored Areas | System files, logs, processes, configurations |
| Strengths | Detects local threats, insider attacks, malware on the host |
| Weaknesses | Needs updates, only protects one host, can generate many alerts |
| Integration | Can send alerts to SIEM for centralized security monitoring |
✅ Exam Tip:
- Know the difference between HIDS (host-based) and NIDS (network-based).
- Understand the detection methods: rules, signatures, and predictive AI.
- Be able to describe what HIDS monitors (files, logs, processes).
