The scenario describes a host-level monitoring agent installed on a single workstation that records local system events such as file access, configuration changes, and unauthorized process execution. These are classic indicators of Host-Based Intrusion Detection System (HIDS) functionality. A HIDS runs on an endpoint (server or workstation) and monitors activity on that host, including operating system logs, file integrity, registry/config changes, system calls, application logs, and process behavior. Because it has direct visibility into what is happening locally, it can detect suspicious activity that may not be obvious from network traffic alone.
The clue that “attackers often attempt to disable or evade this type of monitoring to avoid being detected at the host level” also aligns strongly with HIDS. Adversaries commonly try to stop endpoint agents, tamper with logs, or evade detection by using living-off-the-land techniques, precisely because host-based sensors can catch actions like privilege escalation attempts, persistence mechanisms, malicious process launches, or unauthorized modifications to critical files and configurations.
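The sketch below is an added example, not part of the original explanation: it applies the three host-level checks named in the scenario (file integrity, process execution, agent availability) to a constructed event stream. The event format, paths, allowlist and five-minute silence threshold are assumptions; the silence check is meant to run on a central collector, since a stopped agent cannot report its own absence.

```python
import hashlib
from datetime import datetime, timedelta

# Constructed baseline: SHA-256 of monitored files, recorded while the host was trusted.
BASELINE = {"/etc/ssh/sshd_config": hashlib.sha256(b"PermitRootLogin no\n").hexdigest()}
ALLOWED_PROCESSES = {"/usr/sbin/sshd", "/usr/bin/python3"}  # constructed allowlist
MAX_SILENCE = timedelta(minutes=5)  # assumed tolerance between agent reports

# Constructed agent events: (timestamp, kind, subject, file content if any)
EVENTS = [
    ("2024-05-01T09:00:00", "heartbeat", "agent", b""),
    ("2024-05-01T09:01:10", "file_state", "/etc/ssh/sshd_config", b"PermitRootLogin no\n"),
    ("2024-05-01T09:02:30", "process_start", "/tmp/updater", b""),
    ("2024-05-01T09:03:00", "file_state", "/etc/ssh/sshd_config", b"PermitRootLogin yes\n"),
    ("2024-05-01T09:04:00", "heartbeat", "agent", b""),
    ("2024-05-01T09:20:00", "heartbeat", "agent", b""),
]

def analyze(events, baseline=BASELINE, allowed=ALLOWED_PROCESSES, max_silence=MAX_SILENCE):
    """Return (alert_type, detail) tuples for the events reported by one host agent."""
    alerts = []
    last_seen = None
    for ts, kind, subject, data in events:
        now = datetime.fromisoformat(ts)
        # Every event proves the agent was alive; a long gap suggests it was
        # stopped or blinded, which is the evasion the scenario mentions.
        if last_seen is not None and now - last_seen > max_silence:
            alerts.append(("AGENT_SILENT", f"{last_seen.isoformat()} -> {ts}"))
        last_seen = now
        if kind == "file_state" and subject in baseline:
            # File integrity: compare the current hash with the trusted baseline.
            if hashlib.sha256(data).hexdigest() != baseline[subject]:
                alerts.append(("FILE_CHANGED", subject))
        elif kind == "process_start" and subject not in allowed:
            # Process execution: anything outside the allowlist is flagged.
            alerts.append(("UNAPPROVED_PROCESS", subject))
    return alerts

if __name__ == "__main__":
    for alert in analyze(EVENTS):
        print(alert)
```

None of these three signals is visible to a network firewall or network IDS, which is the distinction the answer choices turn on.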
Why the other options are not the best match:
A Network-Based Firewall (A) is a perimeter or network control that filters traffic based on rules (IPs, ports, protocols). It does not typically record detailed local file/process/configuration events on a single workstation.
A Host-Based Firewall (B) resides on the endpoint but primarily controls inbound/outbound network connections at that host. While it can log connection attempts, it is not chiefly designed to track file access, configuration integrity, or process execution.
A Network-Based IDS (C) analyzes traffic on the network segment (via taps/SPAN) to identify suspicious patterns. It does not require installing an agent on a single workstation and lacks direct visibility into local file and process events.
Therefore, the security system Olivia is demonstrating is D. Host-Based Intrusion Detection System.