Host-based Intrusion Detection System (HIDS)

Quickly detect malicious activity with unmatched details about your critical systems

See how AnchorPoint’s Integrated Threat Response (ITR) makes host intrusion detection easy.

Simplify Host IDS Deployment and Accelerate Threat Detection

For detailed information about what’s happening on your critical systems, nothing beats Host Intrusion Detection Systems (HIDS).

With AnchorPoint’s ITR, the host IDS picks up where the network IDS leaves off, monitoring individual hosts and analyzing data such as operating system log files, changes to system files and software, and network connections made by the host.

With host intrusion detection, you gain granular visibility into the systems and services you’re running so you can easily detect:

  • System compromises
  • Privilege escalations
  • Unwanted applications
  • Modification of critical configuration files (e.g. registry settings, /etc/passwd)
  • Malware
  • Rootkits
  • Rogue processes
  • Critical services that have been stopped
  • User access to systems and applications

How It Works

The HIDS agent deployed as part of AnchorPoint’s ITR service looks for suspicious or malicious activity on individual hosts. It analyzes operating system log files and looks for changes to system files and software, as well as network connections made by the host.

The host intrusion detection system (HIDS) component in ITR is simple to set up:

  1. We add an agent in the AnchorPoint ITR console.
  2. We deploy the HIDS agent to the target system, either automatically from the ITR console, or by manually downloading and installing it.
  3. We change the configuration file on the agent to specify the files, folders, and registry keys that you would like monitored.
  4. We verify HIDS operations by looking at the HIDS events.


The AnchorPoint HIDS runs on most major operating systems, allowing you to deploy one tool across your heterogeneous environment. Supported OS include:

  • AIX 5.3 and 6.1
  • FreeBSD (all versions)
  • HP-UX 10, 11, 11i
  • GNU/Linux (all distributions, including RHEL, Ubuntu, Slackware, Debian, etc.)
  • Mac OS X 10
  • NetBSD (all versions)
  • OpenBSD (all versions)
  • Solaris 2.7, 2.8, 2.9 and 10
  • VMware ESX 3.0, 3.5 (including CIS checks)

AnchorPoint Integrated Threat Response

HIDS Plus Other Essential Security Tools for Rapid Threat Detection and Response

With ITR, the host intrusion detection system comes integrated out of the box with a host of additional security tools. AnchorPoint’s ITR service delivers a complete view into the security of your environment by combining SIEM with automated asset discovery, vulnerability data, visibility to netflow data, network IDS, host IDS and visibility to known malicious hosts.

Detect File Changes

When an attacker or malware changes the attributes of a file, as in a CryptoLocker or other ransomware-type attack, the HIDS agent within the AnchorPoint ITR deployment can quickly detect the change and our Security Operations Center (SOC) can alert you. With ITR’s built-in threat signatures and correlation directives, our SOC analysts can then respond to attacks quickly and intelligently.

Client/Server-Based Architecture for Added Security and Stability

ITR’s host intrusion detection technology protects the data collected by the HIDS agents by utilizing a client/server architecture. Because an attack could compromise the HIDS agent at the same time it compromises the OS, it’s essential to store the forensic and security data centrally, away from the host. This safeguard prevents the data from being altered or obfuscated to avoid detection.

Tuned Event Correlation

With the core data sources already built in, our 2000+ event correlation rules are fine-tuned and optimized at the time of deployment.

Close the Compliance Gap

If you’re still trying to meet PCI DSS requirements for log inspection and monitoring (section 10) or File Integrity Monitoring (sections 10 and 11), AnchorPoint HIDS is for you. You can deploy lightweight HIDS agents on your critical systems, and our Security Operations Center (SOC) will correlate suspicious and malicious activity and combine that analysis with data from the other included security controls.

Full Threat Context

All you need to know about an incident is captured in each alarm, including asset information (such as OS, software, and identity), vulnerability data, visibility to netflow data, raw log data, and more.

Packet Capture

Any packet that triggers an IDS signature is automatically captured and displayed with the IDS event. Session monitoring and packet capture can then be invoked for more extensive forensic investigation.