Describe host-based intrusion detection.

What will be an ideal response?

---

In host-based intrusion detection, every computer (host) on the network is responsible for examining its network traffic and recognizing the signatures of different types of intrusions. These may be denial of service attacks, buffer overflow attacks, and malicious code such as worms and scripts. These problems may be discovered and prevented through the use of a software firewall and an anti-virus application. It may, however, be necessary to verify the integrity of a system, as firewalls and anti-virus programs are not perfect. Sometimes the malicious code gets through because it is new and the signatures for its detection are not yet distributed. One way to help detect that a system is not compromised is to examine critical system files for changes. This may be done by creating a secure hash of a set of files and periodically rehashing the files to look for any changes.

Host-based intrusion detection may be expensive to implement due to having to purchase firewall, anti-virus, or other protective software for every system on the network. It is also a decentralized approach, since the intrusion detection is being performed on individual systems. This may require a significant amount of time for IT personnel to maintain the systems and respond to individual problems.