What is an intrusion detection system / intrusion prevention system (IDS/IPS) that uses patterns of known malicious activity, similar to how antivirus applications work? (Answer: a signature-based IDS/IPS; signature-based detection is described below.)

An intrusion prevention system (IPS), sometimes referred to as an intrusion detection and prevention system (IDPS), is a network security technology that continuously monitors network traffic for suspicious activity and takes steps to prevent it. Largely automated, an IPS filters out known malicious traffic before it reaches other security devices or controls, reducing the manual effort of security teams and the load on downstream security products.

An IPS is also useful for blocking attempts to exploit known vulnerabilities. When a vulnerability is disclosed, there is typically a window between disclosure and the application of a patch during which threat actors can exploit it. An IPS with a signature for that vulnerability can block exploit attempts during that window, although it is a compensating control, not a substitute for patching.

IPS appliances were originally built and released as stand-alone devices in the mid-2000s. The functionality has since been integrated into unified threat management (UTM) products for small and medium-sized companies and into next-generation firewalls at the enterprise level. Current IPS products also draw on cloud-delivered services, such as threat intelligence and signature updates, to keep pace with new threats.

How Intrusion Prevention Works

Unlike its predecessor, the intrusion detection system (IDS), a passive system that inspects a copy of the traffic and reports on threats, the IPS is placed inline, directly in the flow of network traffic between source and destination. Usually sitting right behind the firewall, it actively analyzes and takes automated actions on all traffic flows that enter the network. These actions can include:

  • Sending an alarm to the administrator (as an IDS would)
  • Dropping the malicious packets
  • Blocking traffic from the source address
  • Resetting the connection
  • Reconfiguring the firewall to block the source or pattern in future

As an inline component, the IPS must process traffic at line rate to avoid degrading network performance, and it must decide quickly because exploits complete in near-real time. It must also decide accurately: a false positive (a legitimate packet misread as a threat) on an inline device blocks legitimate traffic, so false-positive rates matter more for an IPS than for a passive IDS. Because the device sits in the traffic path, its behavior on failure (fail-open, passing traffic uninspected, or fail-closed, stopping traffic) is also a deployment decision. Several techniques are used to find exploits and protect the network from unauthorized access. These include:

  • Signature-based detection matches traffic against a dictionary of uniquely identifiable patterns (signatures) derived from known exploits. As an exploit is discovered, its signature is recorded in a continuously growing dictionary. Signature detection for IPS breaks down into two types:
    • Exploit-facing signatures identify individual exploits by triggering on the unique patterns of a particular exploit attempt. The IPS identifies a specific exploit by matching an exploit-facing signature in the traffic stream. They are precise but miss variants that change those bytes.
    • Vulnerability-facing signatures are broader: they describe the condition that triggers the underlying vulnerability rather than one exploit's bytes. They protect against variants of an exploit that have not been observed in the wild, at the cost of a higher false-positive risk.
  • Anomaly-based detection compares observed traffic (sampled or complete) against a baseline of normal behavior established during a training period. When traffic falls outside the baseline parameters, the IPS takes action. Detection quality depends on the baseline: one recorded while an attacker was already active will treat that activity as normal.
  • Policy-based detection requires administrators to encode the organization's security policy and network design as rules (for example, which protocols may reach which segments). Any activity that breaks a defined rule triggers an alert to the administrators and, on an IPS, a block.
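The three techniques above, as an added example that is not code from the original article or from any vendor's product. A small detection engine runs exploit-facing and vulnerability-facing signatures, an anomaly baseline and a port policy over one interval of constructed traffic. Every packet, signature, threshold and policy here is constructed, and the "over-long Host header" vulnerability is hypothetical, chosen only to show why a vulnerability-facing rule catches a variant that the exploit-facing rule misses.

```python
"""Toy IDS/IPS detection engine: signature-, anomaly- and policy-based checks.

Added example, not the article's code. Traffic, signatures, thresholds and the
policy are constructed; the Host-header "overflow" is a hypothetical bug.
"""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Optional

@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes

@dataclass
class Alert:
    kind: str      # "exploit-sig" | "vuln-sig" | "anomaly" | "policy"
    src: str
    detail: str

# --- Signature-based -------------------------------------------------------
# Exploit-facing: the exact request bytes of one (hypothetical) exploit kit.
EXPLOIT_SIGNATURES = {
    "hypothetical-kit-request": b"GET /cgi-bin/vuln.cgi?cmd=;id",
}
# Vulnerability-facing: the condition the (hypothetical) vulnerable parser
# mishandles, a Host header longer than its 256-byte buffer. This also catches
# variants that do not reuse the kit's exact bytes.
MAX_HOST_HEADER = 256

def host_header(payload: bytes) -> Optional[bytes]:
    """Return the Host header value of an HTTP request, or None."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            return line[5:].strip()
    return None

def signature_check(pkt: Packet) -> list[Alert]:
    alerts = []
    for name, pattern in EXPLOIT_SIGNATURES.items():
        if pattern in pkt.payload:
            alerts.append(Alert("exploit-sig", pkt.src, name))
    host = host_header(pkt.payload)
    if host is not None and len(host) > MAX_HOST_HEADER:
        alerts.append(Alert("vuln-sig", pkt.src,
                            f"Host header {len(host)} bytes > {MAX_HOST_HEADER}"))
    return alerts

# --- Anomaly-based ---------------------------------------------------------
def build_baseline(history: list[int]) -> tuple[float, float]:
    """Mean and std-dev of per-source packets per interval from a clean
    training window (constructed here; in practice recorded from production)."""
    return mean(history), pstdev(history)

def anomaly_check(per_src: Counter, baseline: tuple[float, float],
                  sigmas: float = 3.0) -> list[Alert]:
    mu, sd = baseline
    # Floor the std-dev so a very flat baseline is not a hair trigger.
    threshold = mu + sigmas * max(sd, 1.0)
    return [Alert("anomaly", src, f"{n} pkts/interval > {threshold:.1f}")
            for src, n in per_src.items() if n > threshold]

# --- Policy-based ----------------------------------------------------------
ALLOWED_PORTS = {80, 443}   # constructed policy: only web traffic into this segment

def policy_check(pkt: Packet) -> list[Alert]:
    if pkt.dst_port not in ALLOWED_PORTS:
        return [Alert("policy", pkt.src, f"dst port {pkt.dst_port} not permitted")]
    return []

def inspect(packets: list[Packet], baseline: tuple[float, float]) -> list[Alert]:
    """Run all three techniques over one interval's worth of packets."""
    alerts: list[Alert] = []
    per_src: Counter = Counter()
    for p in packets:
        per_src[p.src] += 1
        alerts += signature_check(p) + policy_check(p)
    alerts += anomaly_check(per_src, baseline)
    return alerts

def alert_summary(alerts: list[Alert]) -> dict[str, int]:
    return dict(Counter(a.kind for a in alerts))

# Constructed training window: per-source packets per interval when clean.
BASELINE = build_baseline([10, 12, 9, 11, 10, 13, 11, 10])

def sample_traffic() -> list[Packet]:
    """Constructed interval: a clean request, the kit's exact request, a variant
    that only trips the vulnerability-facing rule, a policy violation, a flood."""
    normal = Packet("10.0.0.5", 443, b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n")
    kit = Packet("203.0.113.7", 80, b"GET /cgi-bin/vuln.cgi?cmd=;id HTTP/1.1\r\nHost: x\r\n\r\n")
    variant = Packet("203.0.113.9", 80, b"GET / HTTP/1.1\r\nHost: " + b"A" * 300 + b"\r\n\r\n")
    telnet = Packet("10.0.0.8", 23, b"login: ")
    flood = [Packet("198.51.100.1", 443, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n")] * 60
    return [normal, kit, variant, telnet] + flood

if __name__ == "__main__":
    for a in inspect(sample_traffic(), BASELINE):
        print(f"[{a.kind}] {a.src}: {a.detail}")
```

Running it yields one alert of each kind: the kit request trips the exploit-facing signature, the 300-byte Host header trips only the vulnerability-facing rule, the telnet packet breaks the port policy, and the flooding source exceeds the baseline mean plus three standard deviations. Note what the anomaly check does not do: it learns nothing about the sources that sent one packet each, so the kit request from 203.0.113.7 is caught only because a signature exists for it.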

Types of Intrusion Prevention Systems

There are several types of IPS solutions, which can be deployed for different purposes. These include:

  • Network intrusion prevention system (NIPS), which is installed only at strategic points to monitor all network traffic and proactively scan for threats.
  • Host intrusion prevention system (HIPS), which is installed on an endpoint and looks at inbound and outbound traffic from that machine only. Often combined with NIPS, an HIPS serves as a last line of defense for threats.
  • Network behavior analysis (NBA) examines traffic patterns such as flow volumes and destinations, rather than individual packet contents, to spot unusual flows that may indicate new malware or an exploit no signature yet covers.
  • Wireless intrusion prevention system (WIPS) monitors Wi-Fi networks for rogue access points and unauthorized clients and can contain them, for example by forcing them off the network.

Deep Learning for Evasive Threat Detection

To counter evasive threats, some IPS products add inline machine-learning classifiers (often marketed as deep learning) that can flag malicious traffic without a matching signature. Such models are trained on large volumes of labelled traffic and classify flows in milliseconds. They can catch never-before-seen malicious traffic, but their false-positive rate depends on the training data and on how far production traffic differs from it, so the classifier's verdicts should be run in alert-only mode and measured before they are allowed to block.

This additional layer of protection helps an IPS guard sensitive information and stop sophisticated attacks that could otherwise disrupt an organization.

To learn more about how IPS solutions work within a security infrastructure, check out this paper: Palo Alto Networks Approach to Intrusion Prevention.

Network administrators need to employ tools to protect their network and prevent malicious actors from gaining access. Intrusion detection systems (IDS) and intrusion prevention systems (IPS) are categories of tools commonly used for this purpose. It’s important to know the difference between them, which are best for certain types of organizations, and how to maximize their effectiveness.

In this article, we’ll go over the differences between the two systems to help you decide which is best for your organization.

Basic overview: IDS vs. IPS

An intrusion detection system is primarily an alerting system: it tells an organization that anomalous or malicious activity has been detected. An intrusion prevention system takes detection a step further and blocks the offending traffic, either before access is gained or to prevent further movement within the network.

What is an IDS? Five types and their functions

An IDS monitors and detects behavior across a network and should be considered a diagnostic solution. The system, if it detects something problematic, will alert the security team so they can investigate.

The five types of IDS leverage two types of detections:

  • Signature-based detection: Signature-based IDS solutions alert administrators based on pre-existing signatures that refer to a type of attack or malicious behavior. This allows for accurate and automated alerting because the system references an existing signature database.

Signature-based systems typically look for indicators of compromise such as known-bad file hashes, traffic to known malicious domains, malicious byte sequences, and even email subject lines used in known phishing campaigns.

  • Anomaly-based detection: Anomaly-based IDS solutions monitor for suspicious patterns of behavior rather than known indicators. This lets them detect new kinds of threats, which a signature-based system cannot do until a signature exists, but they generate more false positives and need a tuning period to learn what is normal.

Anomaly-based detection is often looking for behavior that differs from an established baseline. For example, if you have set normal working hours for employees, an anomaly-based IDS may flag a login occurring over the weekend. The system may also alert you based on the amount of traffic connecting to your network, or new devices being added without the right authorization.

IDS types vary based on where they’re monitoring threats and how they’re detecting them.

1. Network intrusion detection systems (NIDS)

A network intrusion detection system will monitor traffic through various sensors — placed either via hardware or software — on the network itself. The system will then monitor all traffic going through devices across the multiple sensor points.

2. Host intrusion detection systems (HIDS)

A HIDS runs directly on a device and monitors that host's activity (network traffic to and from it, and typically also logs, processes and file changes), giving administrators more control and flexibility. This can become burdensome as an organization grows: if it relies on HIDS alone, every new device must be enrolled, which is time-consuming and leaves room for gaps.

3. Protocol-based intrusion detection systems (PIDS)

A protocol-based IDS is placed at the front end of a server and monitors the protocol stream between the server and the devices that connect to it, for example the HTTPS traffic between a web server and its users' browsers.

4. Application protocol-based intrusion detection systems (APIDS)

An APIDS is similar to a protocol-based system but monitors an application-specific protocol, for example the SQL traffic between a web application and its database servers. Watching specific application protocols helps network administrators segment and classify their monitoring.

5. Hybrid intrusion detection systems

Hybrid IDS solutions provide a combination of the above types of intrusion detection. Some vendors' offerings cross multiple categories of IDS to cover multiple systems in one interface.

What is an IPS? Four types and how they work

An IPS has the same functionality as IDS systems in terms of detection but also contains response capabilities. An IPS solution has more agency and takes action when a potential attack, malicious behavior, or an unauthorized user is detected.

The specific functions of an IPS depend on the type of solution, but in general, having an IPS in place is helpful to automate actions and contain threats without the need for an administrator.

1. Network-based intrusion prevention system (NIPS)

A NIPS monitors and protects an entire network from anomalous or suspicious behavior. This is a broad-based system that can be integrated with additional monitoring tools to help provide a comprehensive view of an organization’s network.

2. Wireless intrusion prevention system (WIPS)

WIPS are also quite common, often monitoring any wireless networks owned by an organization. This type is similar to a NIPS but is localized to wireless networks for a more targeted detection and response.

3. Host-based intrusion prevention system (HIPS)

HIPS are deployed on key devices or hosts that an organization needs to secure. The system monitors traffic to and from the host, and usually the host's own activity, to detect and block malicious behavior.

4. Network behavioral analysis (NBA)

Rather than inspecting individual packets against signatures as a NIPS does, an NBA solution looks for anomalous patterns in the traffic of the network itself, which makes it useful for detecting incidents such as DDoS attacks, policy violations, and malware whose traffic patterns stand out.

IDS vs. IPS: Similarities and differences

An IDS and an IPS are quite similar, particularly because of their similar detection process. However, their differences will dictate whether an organization opts for one over the other.

IDS and IPS similarities

Across the two solutions, you can expect a similar level of:

  • Monitoring: Both systems monitor networks, traffic, and activity across devices and servers, varying only in how targeted or broad their coverage is.
  • Alerting: Both solutions alert you when a potential threat is discovered; an IPS additionally reports the action it took.
  • Learning: With anomaly-based detection, either system builds a baseline of normal behavior and can be tuned over time to reduce false positives.
  • Logging: Both systems keep a record of what was monitored and what action was taken, so you can review performance and investigate incidents.

IDS and IPS differences

Depending on how resourced your security team is, the differences between the systems can be very important:

  • Response: This is the most important difference between the two systems. An IDS will stop at the detection phase, leaving you and your department free to decide what action to take. An IPS, depending on the settings and policy, will take action to try and contain the threat or prevent unauthorized users from embedding themselves further into your network.
  • Protection: Because of the differences listed above, an IPS does offer more protection because it acts automatically, leaving little time for an attacker to continue compromising an organization.
  • Impact: As a side effect of that automation, false positives have consequences. An IPS may block traffic to or from a host or reset its connections as a precaution, even if the threat did not require such action or the alert was a false positive. On an inline device, a false positive is an outage for the affected traffic.
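The response difference described above, as an added example that is not code from the original article or any vendor. The same deliberately over-broad rule is run once as a passive IDS (alert only) and once as an inline IPS (drop the packet and block the source for a period). The rule, the addresses and the timeline are constructed; the help-desk ticket that mentions "passwd" is included on purpose to show what a false positive costs in each mode.

```python
"""One detector, two enforcement modes: IDS (alert only) vs IPS (alert + block).

Added example, not the article's code. Rule, traffic and addresses are
constructed; the over-broad rule is intentional so a false positive occurs.
"""
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Event:
    t: float        # seconds since start of the constructed timeline
    src: str
    payload: str

@dataclass
class Verdict:
    event: Event
    alerted: bool
    passed: bool
    reason: str

def rule_matches(e: Event) -> bool:
    """Deliberately over-broad: any payload mentioning "passwd". Catches the
    traversal probe below but also a legitimate help-desk ticket."""
    return "passwd" in e.payload.lower()

class Sensor:
    def __init__(self, mode: str, block_seconds: float = 60.0):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.mode = mode
        self.block_seconds = block_seconds
        self.blocked_until: dict[str, float] = {}   # src -> expiry time (IPS only)
        self.log: list[Verdict] = []

    def _is_blocked(self, e: Event) -> bool:
        expiry = self.blocked_until.get(e.src)
        if expiry is None:
            return False
        if e.t >= expiry:
            del self.blocked_until[e.src]   # block expired; the source may talk again
            return False
        return True

    def process(self, e: Event) -> Verdict:
        if self.mode == "ips" and self._is_blocked(e):
            # Everything from a blocked source is dropped, clean or not.
            v = Verdict(e, alerted=False, passed=False, reason="source blocked")
        elif rule_matches(e):
            if self.mode == "ips":
                # Inline: drop this packet and block the source for a while.
                self.blocked_until[e.src] = e.t + self.block_seconds
                v = Verdict(e, alerted=True, passed=False,
                            reason="rule match: dropped, source blocked")
            else:
                # Passive: record the alert; the traffic still reaches its destination.
                v = Verdict(e, alerted=True, passed=True, reason="rule match: alert only")
        else:
            v = Verdict(e, alerted=False, passed=True, reason="clean")
        self.log.append(v)
        return v

def replay(mode: str, events: list[Event]) -> list[Verdict]:
    s = Sensor(mode)
    return [s.process(e) for e in events]

def sample_events() -> list[Event]:
    """Constructed timeline: an attacker's probe and follow-up, then a legitimate
    user whose ticket text trips the same rule, then that user after block expiry."""
    return [
        Event(0.0, "203.0.113.7", "GET /../../etc/passwd HTTP/1.1"),       # probe: true positive
        Event(1.0, "203.0.113.7", "GET /index.html HTTP/1.1"),            # attacker follow-up
        Event(2.0, "10.0.0.21", "POST /ticket body=user forgot passwd"),   # legit: false positive
        Event(3.0, "10.0.0.21", "GET /dashboard HTTP/1.1"),               # legit follow-up
        Event(70.0, "10.0.0.21", "GET /dashboard HTTP/1.1"),              # after block expiry
    ]

def summarize(verdicts: list[Verdict]) -> dict[str, int]:
    return {
        "alerts": sum(v.alerted for v in verdicts),
        "passed": sum(v.passed for v in verdicts),
        "dropped": sum(not v.passed for v in verdicts),
    }

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        print(mode, summarize(replay(mode, sample_events())))
```

Both modes raise the same two alerts. In IDS mode all five events reach their destination, including the attacker's probe, and an analyst decides what to do. In IPS mode the probe and the attacker's follow-up are dropped, which is the protection the article describes, but the help-desk user's ticket and their next request are dropped too, and they are only let back in once the source block expires at 60 seconds. That collateral is the "Impact" item above, and it is why rules are normally run in alert-only mode and their false-positive rate measured before blocking is enabled.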

Why both IDS and IPS solutions are critical for cybersecurity

Organizations shouldn’t necessarily consider choosing one solution over another; both are extremely helpful and many vendors offer an intrusion detection and prevention system, or IDPS, as a solution that provides the benefits of both systems.

Detection and response capabilities have proven to be crucial for organizations to not only know when an attack has reached their perimeter but also to act accordingly. By employing effective detection and response solutions, companies are catching bad actors and reducing dwell time, minimizing the impact these actors can have.

Security leaders should understand their organization's needs and know which data requires monitoring before choosing an IDS and/or IPS solution. They should also take stock of their own security department to determine whether they want an automated solution, have the staff to react manually, or prefer a hybrid approach.

We recommend leveraging both systems or a combination IDPS for effective protection. As organizations grow and scale, additional IDS/IPS solutions may be brought on to account for additional servers, networks, or devices.

For a deeper look at network security and how you can enhance it, Varonis Edge has solutions to explore.