Which deployment refers to monitoring a single host for suspicious activity?

Prepare for the Certified Ethical Hacker Version 11 Exam. Study with comprehensive questions and explanations. Equip yourself with the skills needed for success!

Multiple Choice

Which deployment refers to monitoring a single host for suspicious activity?

Explanation:
Monitoring a single host for suspicious activity means watching everything happening on that specific machine—its system calls, file changes, logins, and process behavior—directly on the host. That’s the role of a Host-Based IDS: it’s installed on the target machine and analyzes local events to detect intrusions or policy violations. This differs from a Network-Based IDS, which looks at traffic flowing across the network rather than focusing on one machine. The other terms describe how detection is performed (signature-based looks for known patterns, anomaly-based looks for deviations from a baseline) and can be features of either host- or network-based systems, but the deployment that corresponds to monitoring a single host is the host-based approach.

