Host-based Intrusion Detection System (HIDS)

Quickly detect malicious activity with unmatched details about your critical systems

For getting detailed information about what’s happening on your critical systems, nothing beats Host Intrusion Detection Systems (HIDS). With AlienVault Unified Security Management (USM), the host IDS picks up where the network IDS leaves off, monitoring individual hosts and analyzing data such as operating system log files, changes to system files and software, and network connections made by the host.

With host intrusion detection, you gain granular visibility into the systems and services you’re running so you can easily detect:

  • System compromises
  • Privilege escalations
  • Unwanted applications
  • Modification of critical configuration files (e.g. registry settings,/etc/password)
  • Malware
  • Rootkits
  • Rogue processes
  • Critical services that have been stopped
  • User access to systems and applications

How It Works

The HIDS agent in AlienVault USM™ looks for suspicious or malicious activity on individual hosts. It analyzes operating system log files, looking for changes to system files and software, as well as network connections made by the host.

The host intrusion detection system (HIDS) component in AlienVault USM is simple to set up:

  1. Add an agent in the AlienVault USM interface.
  2. Deploy the HIDS agent to the target system, either automatically from AlienVault USM, or by manually downloading and installing it.
  3. Change the configuration file on the agent to specify the files, folders, and registry keys that you would like monitored.
  4. Verify HIDS operations by looking at the HIDS events.


AlienVault HIDS runs on most major operating systems, allowing you to deploy one tool across your heterogeneous environment. HIDS Agent Supported OS Options:

  • GNU/Linux (all distributions, including RHEL, Ubuntu, Slackware, Debian, etc)
  • Windows 7, 2003, Vista, 2008, 2012
  • VMWare ESX 3.0,3.5 (including CIS checks)
  • FreeBSD (all current versions)
  • OpenBSD (all current versions)
  • NetBSD (all current versions)
  • Solaris 2.7, 2.8, 2.9 and 10
  • AIX 5.2 and 5.3
  • Mac OS X 10.x
  • HP-UX 11

AlienVault Unified Security Management™

HIDS Plus Other Essential Security Tools for Rapid Threat Detection and Response

With USM™, the host intrusion detection system comes integrated out-of-the box with a host of additional security tools. AlienVault USM delivers a complete view into the security of your environment by combining SIEM with automated asset discovery, vulnerability data, visibility to netflow data, network IDS, host IDS and visibility to known malicious hosts.

Detect File Changes

When an attacker or malware changes the attributes of a file, like in a CryptoLocker or ransomware type attack, the HIDS agent within AlienVault can quickly detect the change and alert you. With AlienVault’s built in threat signatures and correlation directives, you can then intelligently respond to attacks in little time.

Client/Server-Based Architecture for Added Security and Stability

USM’s host intrusion detection technology protects the data collected by the HIDS agents by utilizing a client/server architecture. Because an attack could compromise the HIDS agent at the same time it compromises the OS, it's essential to store the forensic and security data centrally, away from the host. This safeguard prevents the data from being altered or obfuscated to avoid detection.

Tuned Event Correlation

With the core data sources already built-in, our 2000+ event correlation rules are already "fine tuned" and optimized, right out of the box.

Close the Compliance Gap

If you’re still trying to meet PCI DSS requirements for log inspection and monitoring (section 10) or File Integrity Monitoring (section 10 and 11), AlienVault HIDS is for you. You can deploy lightweight HIDS agents on your critical systems, and the USM server will correlate suspicious and malicious activity and combine that analysis from the other built-in security controls.

Full Threat Context

All you need to know about an incident is captured in each alarm, including asset information (such as OS, software, and identity), vulnerability data, visibility to netflow data, raw log data, and more.

Packet Capture

Any packet that triggers an IDS signature is automatically captured and displayed with the IDS event. Session monitoring and packet capture can then be invoked for more extensive forensic investigation.

Detect the Latest Threats with Weekly Threat Intelligence Updates

Researching threats and maintaining your SIEM software, IDS, and vulnerability assessment tools for the latest threat detection isn’t trivial. Let us do the heavy lifting for you.

AlienVault Labs threat research team fuels your USM platform with the latest threat intelligence, so you can focus on detecting and responding to the most critical issues in your network.

AlienVault Labs threat research team spends countless hours mapping out the different types of attacks, the latest threats, suspicious behavior, vulnerabilities, and exploits they uncover across the entire threat landscape. They leverage the power of OTX, the world’s largest crowd-sourced repository of threat data to provide global insight into attack trends and bad actors.

AlienVault Labs delivers eight coordinated rulesets:

  • Network IDS signatures
  • Host-based IDS signatures
  • Asset discovery signatures
  • Vulnerability assessment signatures
  • Correlation rules
  • Reporting modules
  • Dynamic incident response templates
  • Newly supported data source plug‐ins