Host Based vs Network Based IDS


What is Host-based Intrusion Detection System?

  • Host-based intrusion detection systems are aimed at collecting information about activity on a particular single system, or host.
  • Monitors “who accessed what,” i.e. helping to identify malicious or improper activities.
  • The term “host” refers to an individual computer, thus a separate sensor would be needed for every machine.
  • These host-based agents, which are sometimes referred to as sensors, would typically be installed on a machine that is deemed to be susceptible to possible attacks.
  • Sensors work by collecting data about events taking place on the system being monitored. This data is recorded by operating system mechanisms called audit trails.
  • An example of a HIDS is OSSEC.

Advantages of Host Based Intrusion Detection System

  • Versatile: ability to operate in environments that are encrypted, as well as over a switched network topology.
  • Scalability: host-based systems are necessarily dispersed throughout a system.
  • Reduced deployment costs: can distribute the load associated with monitoring across available hosts on large networks

Disadvantages of Host Based Intrusion Detection System

  • To gather finer levels of detail, sensors accumulate large amounts of data that take up significant storage. 
  • Cannot monitor network traffic; limited to host monitoring only.
  • Since audit trails are used as the source of information, they can be very costly
  • Cross-platform issues: Sensors are host-based, so they have to be compatible with the platform they are running over

What is Network-based Intrusion Detection System?

  • These systems collect information from the network itself, rather than from each separate host.
  • Network sensors come equipped with “attack signatures” that are rules on what will constitute an attack, and most network-based systems allow advanced users to define their own signatures.
  • The sensor compares signatures to the traffic that it captures by inspecting the contents and header information of each packet, also known as packet sniffing. This is how the sensor identifies hostile traffic.
  • Intrusion detection systems are configured and signatures are carefully written to minimize the instances of false-positives.
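
The signature comparison described above, as an added example that is not part of the original page: each rule pairs header conditions with a content pattern, and the sensor alerts only when both match. The rule ids, addresses and packets are constructed, and `xor_mask` is a hypothetical stand-in for encryption that makes the payload opaque to the sensor.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    sid: int          # constructed rule id
    msg: str
    proto: str        # header condition
    dst_port: int     # header condition
    content: bytes    # payload condition

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: int
    payload: bytes

# Constructed rules (hypothetical, not taken from a real rule set).
SIGNATURES = [
    Signature(1001, "directory traversal in HTTP request", "tcp", 80, b"../.."),
    Signature(1002, "root login attempt over telnet", "tcp", 23, b"root"),
]

def match(pkt, signatures=SIGNATURES):
    """Return the sids of all signatures whose header AND content conditions hold."""
    hits = []
    for sig in signatures:
        header_ok = pkt.proto == sig.proto and pkt.dst_port == sig.dst_port
        if header_ok and sig.content.lower() in pkt.payload.lower():
            hits.append(sig.sid)
    return hits

def xor_mask(data, key=0x5A):
    """Stand-in for encryption (not real cryptography): hides payload bytes."""
    return bytes(b ^ key for b in data)

# Constructed sample traffic (documentation address ranges).
GET = b"GET /../../etc/passwd HTTP/1.1\r\n"
PACKETS = [
    Packet("tcp", "192.0.2.10", "198.51.100.5", 80, GET),            # content + header match
    Packet("tcp", "192.0.2.11", "198.51.100.5", 80, b"GET /docs/root.html HTTP/1.1\r\n"),
    Packet("tcp", "192.0.2.12", "198.51.100.6", 23, b"login: root\r\n"),
    Packet("tcp", "192.0.2.10", "198.51.100.5", 80, xor_mask(GET)),  # same request, opaque
]

def scan(packets=PACKETS):
    # One list of matching sids per packet, in capture order.
    return [match(p) for p in packets]
```

The second packet contains the bytes `root` but raises no alert because the header condition (port 23) narrows rule 1002, which is how a carefully written signature avoids a false positive; the fourth packet carries the same request as the first but goes undetected once the payload is masked.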

Advantages of Network based Intrusion Detection System

  • Low performance cost: the monitors only read each packet as it comes across their network segment.
  • Low financial cost, since it requires little storage space.
  • Extremely portable: focuses on capturing network packets, regardless of the destination operating system type.

Disadvantages of Network based Intrusion Detection System

  • Signatures are written based on data collected from known and previous attacks, so they “will always be a step behind the latest underground exploits.”
  • NIDS requires regular updates to its signature database.
  • Scalability: network monitors must inspect every packet that is passed through the segment, but cannot monitor high-speed (today in gigabits) networks.
  • Encryption: the agent cannot scan what is inside an encrypted packet.
  • Switched networks: the network switch acts to isolate network connections between hosts so that a host can only see the traffic that is addressed to it.
  • Communication media: network monitors are unable to see traffic travelling over dial-up phone lines.


The latest arguments suggest that the best solution is one that will incorporate both methods. A system that integrates both host- and network-based characteristics seems intuitively the most logical approach.

Lab: OSSEC installation and working step by step