Home » Network Security Tutorial

Intrusion Detection System and Intrusion Prevention System

By IncludeHelp Last updated : July 28, 2024

What is an Intrusion Detection System (IDS)?

An Intrusion Detection System (IDS) is a network security device used to monitor network traffic for any malicious activity and possible threats. It analyses and compares the traffic against known attack patterns (signatures) or unusual behavior (anomalies). In case of detection of a threat, the IDS warns the network administrator but does not take any direct action to prevent the threat.

Types of IDS

1. Network-Based IDS (NIDS): This type of IDS is used to monitor traffic to and from all devices, and hence deployed at strategic points within the network. For example, a NIDS placed at the network perimeter can detect external threats trying to breach the network.
2. Host-Based IDS (HIDS): This type of IDS monitors the incoming and outgoing traffic and is deployed on individual devices (hosts). For example, when there is an unauthorized access attempt by an attacker, a HIDS device can easily detect it.

How does IDS Detect Threats?

1. Signature-Based Method: This method detects attacks by searching for specific patterns in network traffic, like the number of bytes or sequences of 1s and 0s. It also looks for known malicious code sequences, called signatures. While it works well for known threats, it has difficulty identifying new malware without existing signatures.
2. Anomaly-Based Method: By this method, unknown malware is easily detected using machine learning algorithms. Any deviation from normal behaviour is said to be suspicious. It is more flexible than signature-based methods as it can recognize patterns after getting trained .

What is an Intrusion Prevention System (IPS)?

An Intrusion Prevention System (IPS) is a device which not only detects possible threats but also takes immediate action against them. It is integrated with the network traffic to easily monitor and control the flow of data.

Types of IPS

1. Network-Based IPS (NIPS): Positioned at the network edge to monitor and protect the entire network. For example, a NIPS can block a Distributed Denial of Service (DDoS) attack before it reaches internal systems.
2. Host-Based IPS (HIPS): Installed on individual devices to protect them from threats. For instance, a HIPS on a database server can block SQL injection attempts.

IPS Techniques

1. Signature-Based Detection: Similar to IDS, it uses known threat signatures to detect and block malicious traffic.
2. Anomaly-Based Detection: Identifies unusual behavior and takes action to prevent potential threats.
3. Stateful Protocol Analysis: Ensures protocol compliance and blocks deviations that could indicate an attack.

How does IPS detect threats?

The IDS devices can detect threats by three methods:

1. Signature-Based Detection: The incoming network traffic is compared against a database of known threat signatures. For example, a known malware signature is easily detected in the traffic.
2. Anomaly-Based Detection: Anomaly-basedIDS examines network traffic and compares it to a predefined baseline. The baseline will determine what is usual for that network and which protocols are utilised. It may, however, cause a false alert if the baselines are not appropriately adjusted.
3. Stateful Protocol Analysis: Monitors the state of network protocols to ensure they conform to expected behaviour. For instance, it can detect protocol violations that might indicate an ongoing attack.

Benefits of IDS and IPS

1. Enhanced Security: Undoubtedly, both IPS and IDS devices offer an additional layer of security against known and unknown threats by regularly monitoring the traffic.
2. Real-Time Threat Detection and Prevention: With the help of IDS, potential threats can be minimised by alerting administrators, while IPS actively blocks them, hence reducing the risk of data breaches.
3. Compliance: The sensitive data is easily secured as many regulatory standards are only implemented with IDS and IPS.
4. Cost-Effective: Businesses can get rid of high costs related to security breaches and data loss by using IDS and IPS.
5. Increased Network Visibility: Both systems identify and resolve security threats by providing valuable insights into network activity.

Examples of IDS and IPS in Action

1. E-commerce Website: Both these systems can be useful for e-commerce websites to fight against DDoS attacks. An IDS identifies the attack by detecting malware traffic, while the IPS immediately blocks this traffic. In this way, the users can easily navigate to the website.
2. Corporate Network: A malware threat can be easily identified in an employee’s system with the help of HIDS. Then, the IPS prevents the spread of malware by blocking the unusual incoming traffic.