7.3. Host-Based IDS
Until now we have focused on intrusion detection systems that run on a dedicated server and monitor all passing network traffic. These devices control traffic within an entire collision domain. Host-based IDS products are designed to protect only a single system.
Host-based IDS functions similarly to a virus scanner. The software runs as a background process on the system you want to protect as it attempts to detect suspicious activity. Suspicious activity can include an attempt to pass unknown commands though an HTTP request or even modification to the file system. When suspicious activity is detected, the IDS can then attempt to terminate the attacking session and send an alert to the system administrator.