1. Host-Based Intrusion Detection Systems
    1. Intrusion Detection System (IDS):
      1. A software application that monitors a network or systems for malicious activity or policy violations.
      2. Host-based Intrusion Detection Systems (HIDS):
        1. Software installed directly on a host OS that monitors that host, typically by watching for changes in file integrity.
        2. Examples of HIDS applications:
          1. Trend Micro OSSEC: https://ossec.github.io/index.html
          2. Verisys: https://www.ionx.co.uk/products/verisys
          3. Tripwire: https://www.tripwire.com/products/tripwire-file-integrity-monitoring/
      3. Two types of monitoring can be performed by an IDS:
        1. Statistical Anomaly (Heuristic) Monitoring:
          1. A baseline of normal traffic is established, and sampled traffic is compared against it.
          2. Traffic that falls outside the baseline parameters triggers a notification.
        2. Signature-Based Monitoring:
          1. Traffic is matched against known patterns of malicious traffic or code, called signatures.
          2. These signatures are stored in a database that must be updated regularly, so a signature-based IDS cannot recognise an attack it has no signature for.
      4. Four outcomes of traffic classification are possible. These terms apply to any detection system, not only an IDS:
        1. True Positive:
          1. An attack is correctly identified as malicious and filtered (discarded).
        2. True Negative:
          1. Non-threatening traffic is correctly identified as legitimate and permitted.
        3. False Positive:
          1. Non-threatening traffic is incorrectly identified as malicious and filtered (discarded).
        4. False Negative:
          1. An attack is incorrectly identified as legitimate and permitted (the most dangerous outcome, because nothing alerts).
    2. Malicious activities and violations are typically reported either to an administrator or collected centrally using a Security Information and Event Management (SIEM) system.
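The two HIDS ideas in section 1 (a file-integrity baseline, and the four classification outcomes) are easier to see together. The following Python program is an added example, not code from the page or from OSSEC, Verisys or Tripwire: it hashes a constructed directory tree to build a baseline, applies a mix of benign and unwanted changes, reports what changed, and tallies true/false positives/negatives against constructed ground-truth labels. Every path, file body and label is made up for the demonstration; the `exclude_prefixes` option is an assumption of this example, showing the trade-off that excluding a noisy directory removes a false positive but can turn a true positive into a false negative.

```python
"""Toy host-based IDS: a file-integrity baseline plus a TP/TN/FP/FN tally.

Added example; not code from the page or from any product it names. Every
path, file body and ground-truth label below is constructed for the demo.
"""
import hashlib
import os
import tempfile
from collections import Counter


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each file under root (path relative to root, '/'-separated) to its hash."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare(baseline: dict, root: str, exclude_prefixes: tuple = ()) -> dict:
    """Re-hash the tree and report added / modified / deleted paths.

    exclude_prefixes (assumed option) suppresses alerts for paths under those
    prefixes, e.g. a log directory that is expected to change constantly.
    """
    current = build_baseline(root)

    def keep(p: str) -> bool:
        return not p.startswith(exclude_prefixes)  # empty tuple -> keep all

    added = [p for p in current if p not in baseline and keep(p)]
    deleted = [p for p in baseline if p not in current and keep(p)]
    modified = [p for p in baseline
                if p in current and current[p] != baseline[p] and keep(p)]
    return {"added": sorted(added), "modified": sorted(modified), "deleted": sorted(deleted)}


def classify_outcomes(alerts: set, truth: dict) -> Counter:
    """Tally the four outcomes: alerts is the set of paths the monitor flagged;
    truth maps each path of interest to True (unwanted change) or False (benign)."""
    tally = Counter()
    for path, malicious in truth.items():
        flagged = path in alerts
        if flagged and malicious:
            tally["true_positive"] += 1
        elif not flagged and not malicious:
            tally["true_negative"] += 1
        elif flagged and not malicious:
            tally["false_positive"] += 1
        else:
            tally["false_negative"] += 1
    return tally


def run_scenario(exclude_prefixes: tuple = ()) -> dict:
    """Build a constructed tree, baseline it, apply labelled changes, and return
    the change report together with the outcome tally."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, body: str) -> None:
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(body)

        # Constructed "known good" state.
        write("bin/ls", "original binary")
        write("etc/hosts", "127.0.0.1 localhost\n")
        write("etc/passwd", "root:x:0:0:root:/root:/bin/sh\n")
        write("var/log/app.log", "service started\n")
        baseline = build_baseline(root)

        # Constructed changes, each with a ground-truth label below.
        write("bin/ls", "replaced binary")                               # unwanted
        write("etc/passwd", "root:x:0:0:root:/root:/bin/sh\nextra:x:1001:1001::/:/bin/sh\n")  # unwanted
        write("var/log/app.log", "service started\nrequest handled\n")    # benign growth
        write("var/log/dropped.bin", "unexpected file")                  # unwanted, hidden among logs
        truth = {
            "bin/ls": True, "etc/passwd": True, "var/log/dropped.bin": True,
            "etc/hosts": False, "var/log/app.log": False,
        }
        report = compare(baseline, root, exclude_prefixes)
        alerts = set(report["added"]) | set(report["modified"]) | set(report["deleted"])
        return {"report": report, "outcomes": classify_outcomes(alerts, truth)}


if __name__ == "__main__":
    print("no exclusions:", run_scenario())
    print("excluding var/log/:", run_scenario(("var/log/",)))
```

Without exclusions the monitor flags every change, so the routine log append shows up as a false positive alongside three true positives; excluding `var/log/` removes that false positive but also hides the file dropped into the log directory, which becomes a false negative. Tuning which paths a HIDS watches is exactly this trade-off.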
2. Host-Based Intrusion Prevention Systems
    1. Software designed not only to detect incidents and attacks, but also to attempt to prevent them from doing any real damage to the computer or to the network.
    2. Providers:
      1. McAfee
      2. Symantec
    3. There are also freely downloadable implementations for Linux that prevent malicious code from executing, such as Security-Enhanced Linux (SELinux). SELinux is a set of kernel modifications originally developed by the National Security Agency (NSA) and later released to the open source community.