
HIDS/NIDS (host intrusion detection systems and network intrusion detection systems)
Host intrusion detection systems (HIDS) and network intrusion detection
systems (NIDS) are two approaches to security monitoring for computers
and networks. A HIDS runs as software on each monitored host and watches
that host's own state and activity: operating-system and application logs,
changes to critical files, running processes, and the host's own network
connections. A NIDS instead inspects traffic at specific points in the
network, such as the boundary between the outside environment and the
network segment to be protected, and needs no software on the individual hosts.

All methods of intrusion detection (ID) involve the gathering and analysis of
information from various areas within a computer or network to identify possible
threats posed by hackers and crackers inside or outside the organization. Host-
based and network-based ID systems have their respective advantages and
limitations. The most effective protection for a proprietary network is provided by
a combination of both technologies.

http://searchsecurity.techtarget.com/definition/HIDS-NIDS
The State of the Art in Intrusion Prevention and Detection
edited by Al-Sakib Khan Pathan
Host Based IDS
HIDS can be a good complementary solution to ISP's network based IDS program, as it
provides additional detection capabilities as a result of its access to the local operating
system and file structure. HIDS provides this additional detection by installing
agents on the monitored systems. The agent software is typically controlled by a central
management server over the network, which maintains the agent configuration defined by
the HIDS administrator and collects events from the agents. From the collected
events, the central HIDS server can correlate activity across all of its monitored
hosts, using predefined signatures and customized rules, and produce alerts on
suspicious or malicious behaviour. The collected events can also be forwarded to log
correlation software (e.g. the ISP Log Correlation program) for further analysis.
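The correlation step is what distinguishes the central server from an agent reporting on one host: a rule that no single host can evaluate on its own. The following is an added example written for this page (not from the Berkeley guideline or any IDS product) that takes authentication-failure events reported by several agents and fires when the same account fails on several distinct hosts inside a short window. The event layout, the rule parameters and the sample events are all constructed for the example.

```python
"""Cross-host correlation of HIDS agent events (added example, not from any product).

Agents on several hosts report events to a central server; a rule that fires only
when the same account fails to log in on several different hosts within a short
window is evaluated over the combined stream. Event format, thresholds and sample
data are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed agent events: (host, ISO timestamp, event type, account).
SAMPLE_EVENTS = [
    ("web01", "2024-03-01T10:00:01", "auth_failure", "svc_backup"),
    ("web02", "2024-03-01T10:00:09", "auth_failure", "svc_backup"),
    ("db01",  "2024-03-01T10:00:20", "auth_failure", "svc_backup"),
    ("web01", "2024-03-01T10:00:25", "auth_failure", "alice"),   # one host only
    ("web01", "2024-03-01T10:00:30", "auth_success", "alice"),
    ("app01", "2024-03-01T10:05:00", "auth_failure", "svc_backup"),  # outside the window
]


def parse_events(raw):
    """Turn the raw tuples into dicts with a real timestamp."""
    return [
        {"host": host, "ts": datetime.fromisoformat(ts), "type": kind, "account": acct}
        for host, ts, kind, acct in raw
    ]


def spray_alerts(events, min_hosts=3, window=timedelta(seconds=60)):
    """Rule: one account fails authentication on >= min_hosts distinct hosts
    within `window`. Returns at most one alert per account."""
    failures_by_account = defaultdict(list)
    for ev in events:
        if ev["type"] == "auth_failure":
            failures_by_account[ev["account"]].append(ev)

    alerts = []
    for account, failures in failures_by_account.items():
        failures.sort(key=lambda e: e["ts"])
        # Slide a window starting at each failure and count distinct hosts in it.
        for i, first in enumerate(failures):
            hosts = set()
            for ev in failures[i:]:
                if ev["ts"] - first["ts"] > window:
                    break
                hosts.add(ev["host"])
            if len(hosts) >= min_hosts:
                alerts.append({"account": account,
                               "first_seen": first["ts"],
                               "hosts": sorted(hosts)})
                break  # one alert per account is enough here
    return alerts


if __name__ == "__main__":
    for alert in spray_alerts(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT: {alert['account']} failed on {alert['hosts']} from {alert['first_seen']}")
```

Each agent in the sample sees at most one failure for `svc_backup`, so no per-host threshold would trigger; only the server, with all agents' events in one place, can see the pattern.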

Some of the additional detection capabilities include:

• File level detection
  o File integrity checking. This involves periodically generating message digests or other cryptographic checksums for critical files, comparing them to reference values, and identifying differences. File integrity checking can only determine after the fact that a file has already been changed, such as a system binary being replaced by a Trojan horse or a rootkit.
  o File attribute checking. This is periodically checking the attributes of important files, such as ownership and permissions, for changes. Like file integrity checking, it can only determine after the fact that a change has occurred.
  o File access attempts. An agent with a filesystem shim can monitor all attempts to access critical files, such as system binaries, and stop attempts that are suspicious. The agent has a set of policies regarding file access, so the agent compares those policies to the characteristics of the current attempt, including which user or application is trying to access each file, and what type of access has been requested (read, write, execute). This could be used to prevent some forms of malware from being installed, such as rootkits and Trojan horses, as well as preventing many other types of malicious activity involving file access, modification, replacement, or deletion.
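The two after-the-fact checks above (integrity and attributes) share one mechanism: take a baseline, then diff a later snapshot against it. The following is an added example written for this page, not code from the guideline or from any integrity checker. It baselines SHA-256 digests together with permission bits and ownership, then reports a trojaned binary, a permission change, an added file and a deleted file. The directory and the files are constructed in a temporary location so it runs anywhere; a real agent would baseline paths such as /usr/bin and /etc and keep the baseline off-host so an intruder cannot rewrite it.

```python
"""File integrity and attribute checking (added example, not from any product).

Baseline = SHA-256 digest + permission bits + uid/gid for every regular file
under a root; a later pass reports content changes, attribute changes, and
files that appeared or vanished. The demo directory and tampering are
constructed in a temp dir so the example runs offline.
"""
import hashlib
import os
import shutil
import stat
import tempfile


def file_record(path):
    """Digest plus the attributes we care about for one file."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),  # permission bits only
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


def build_baseline(root):
    """Map of relative path -> record for every regular file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = file_record(full)
    return baseline


def compare(baseline, current):
    """Findings as (relative path, what changed) tuples, sorted by path."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            findings.append((rel, "deleted"))
        elif rel not in baseline:
            findings.append((rel, "added"))
        else:
            old, new = baseline[rel], current[rel]
            if old["sha256"] != new["sha256"]:
                findings.append((rel, "content"))            # integrity check
            changed = [k for k in ("mode", "uid", "gid") if old[k] != new[k]]
            if changed:
                findings.append((rel, "attrs:" + ",".join(changed)))  # attribute check
    return findings


def demo():
    """Constructed scenario: baseline, tamper, re-check. Returns the findings."""
    root = tempfile.mkdtemp(prefix="hids-demo-")
    try:
        os.makedirs(os.path.join(root, "bin"))
        for rel, data, mode in [("bin/ls", b"original ls", 0o755),
                                ("bin/ps", b"original ps", 0o755),
                                ("etc.conf", b"x=1\n", 0o644)]:
            path = os.path.join(root, rel)
            with open(path, "wb") as f:
                f.write(data)
            os.chmod(path, mode)
        baseline = build_baseline(root)

        # Simulated compromise: trojaned binary, loosened permissions,
        # dropped hidden file, removed config.
        with open(os.path.join(root, "bin/ls"), "wb") as f:
            f.write(b"trojaned ls")
        os.chmod(os.path.join(root, "bin/ps"), 0o777)
        with open(os.path.join(root, "bin/.hidden"), "wb") as f:
            f.write(b"dropper")
        os.remove(os.path.join(root, "etc.conf"))

        return compare(baseline, build_baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, what in demo():
        print(f"{what:12s} {rel}")
```

Note what the check cannot tell you: all four findings are reported only at the next pass, and nothing distinguishes a legitimate package update from a trojan; that is why the text pairs these checks with the access-attempt monitoring that can block a write before it happens.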
• Code analysis
  o System call monitoring. The agent knows which applications and processes should be calling which other applications and processes or performing certain actions. For example, an agent could recognize a process attempting to intercept keystrokes, such as a keylogger. Agents can also restrict which drivers can be loaded, which can prevent the installation of rootkits and other attacks.
  o Application and library lists. An agent might monitor each application and library (e.g., dynamic link library [DLL]) that a user or process attempts to load and compare that information to lists of authorized and unauthorized applications and libraries. This can be used not only to restrict which applications and libraries can be used, but which versions of them can be used.
• Configuration monitoring
  o Some agents can monitor a host's current network configuration and detect changes to it. Typically all network interfaces on the host are monitored, including wired, wireless, virtual private network (VPN), and modem. Examples of significant network configuration changes are network interfaces being placed in promiscuous mode, additional TCP or UDP ports being used on the host, or additional network protocols being used, such as non-IP protocols. These changes could indicate that the host has already been compromised and is being configured for use in future attacks or for transferring data.
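Two of the changes listed above are cheap to detect on Linux without kernel hooks: a new listening TCP port shows up in /proc/net/tcp, and an interface in promiscuous mode carries the IFF_PROMISC bit (0x100) in /sys/class/net/<iface>/flags. The following is an added example written for this page, not from the guideline or any IDS product. It parses the real kernel formats but runs on constructed snapshots so it works offline; `live_flags()` shows the path a real agent would read.

```python
"""Network configuration change detection on Linux (added example, not from any product).

Diffs the set of LISTEN sockets between two /proc/net/tcp snapshots and tests
interface flag words for IFF_PROMISC. Snapshots below are constructed text in
the kernel's real formats so the example runs offline.
"""
import os
import socket
import struct

IFF_PROMISC = 0x100   # from <linux/if.h>
TCP_LISTEN = "0A"     # 'st' column value for a listening socket

# Constructed /proc/net/tcp snapshots: sshd on :22 and an MTA on 127.0.0.1:25,
# one established connection, and (in CURRENT) a new listener on :4444.
BASELINE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18422 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18509 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:0016 0C02000A:E1C4 01 00000000:00000000 02:00012345 00000000     0        0 20114 2 0000000000000000 20 4 30 10 -1
"""
CURRENT = BASELINE + """\
   3: 00000000:115C 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 31337 1 0000000000000000 100 0 0 10 0
"""


def _decode_addr(hex_addr):
    """'0100007F:0035' -> ('127.0.0.1', 53). The kernel prints the IPv4 word in
    host byte order, so it is unpacked with native ('=') byte order."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("=I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_listeners(proc_net_tcp):
    """Set of (ip, port) for every socket in LISTEN state."""
    listeners = set()
    for line in proc_net_tcp.strip().splitlines()[1:]:  # skip the header row
        fields = line.split()
        if fields[3] == TCP_LISTEN:
            listeners.add(_decode_addr(fields[1]))
    return listeners


def diff_listeners(baseline_text, current_text):
    """Listening sockets that appeared or disappeared since the baseline."""
    before = parse_listeners(baseline_text)
    after = parse_listeners(current_text)
    return {"new": sorted(after - before), "gone": sorted(before - after)}


def promiscuous_interfaces(flags_by_iface):
    """flags_by_iface maps iface name -> contents of /sys/class/net/<iface>/flags
    (hex text such as '0x1003\\n'). Returns the interfaces with IFF_PROMISC set."""
    return sorted(name for name, raw in flags_by_iface.items()
                  if int(raw, 16) & IFF_PROMISC)


def live_flags():
    """Read the real flag word of every interface on this Linux host."""
    flags = {}
    for name in os.listdir("/sys/class/net"):
        with open(f"/sys/class/net/{name}/flags") as f:
            flags[name] = f.read()
    return flags


if __name__ == "__main__":
    print("listener changes:", diff_listeners(BASELINE, CURRENT))
    # Constructed flag words: eth0 with IFF_PROMISC set, lo without.
    print("promiscuous:", promiscuous_interfaces({"eth0": "0x1103\n", "lo": "0x9\n"}))
```

A real agent would snapshot /proc/net/tcp and /proc/net/tcp6 (and the UDP equivalents) on a schedule and alert on the diff, which is exactly the after-the-fact model the text describes: the bind to :4444 has already happened by the time it is seen.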

https://security.berkeley.edu/intrusion-detection-guideline
