Intrusion prevention system

From Wikipedia, the free encyclopedia
  (Redirected from Intrusion Prevention System)
Jump to: navigation, search

Intrusion prevention systems (IPS), also known as intrusion detection and prevention systems (IDPS), are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, attempt to block/stop it, and report it.[1]

Intrusion prevention systems are considered extensions of intrusion detection systems because they both monitor network traffic and/or system activities for malicious activity. The main differences are, unlike intrusion detection systems, intrusion prevention systems are placed in-line and are able to actively prevent/block intrusions that are detected.[2][3] More specifically, IPS can take such actions as sending an alarm, dropping the malicious packets, resetting the connection and/or blocking the traffic from the offending IP address.[4] An IPS can also correct Cyclic Redundancy Check (CRC) errors, unfragment packet streams, prevent TCP sequencing issues, and clean up unwanted transport and network layer options.[2][5]


Intrusion prevention systems can be classified into four different types:[1][6]

  1. Network-based intrusion prevention system (NIPS): monitors the entire network for suspicious traffic by analyzing protocol activity.
  2. Wireless intrusion prevention systems (WIPS): monitor a wireless network for suspicious traffic by analyzing wireless networking protocols.
  3. Network behavior analysis (NBA): examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware and policy violations.
  4. Host-based intrusion prevention system (HIPS): an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host.

Detection methods[edit]

The majority of intrusion prevention systems utilize one of three detection methods: signature-based, statistical anomaly-based, and stateful protocol analysis.[3][3][7]

  1. Signature-Based Detection: Signature based IDS monitors packets in the Network and compares with pre-configured and pre-determined attack patterns known as signatures.
  2. Statistical anomaly-based detection: A statistical anomaly-based IDS determines the normal network activity like what sort of bandwidth is generally used, what protocols are used, what ports and devices generally connect to each other- and alert the administrator or user when traffic is detected which is anomalous (not normal).
  3. Stateful Protocol Analysis Detection: This method identifies deviations of protocol states by comparing observed events with “predetermined profiles of generally accepted definitions of benign activity.”[3]

See also[edit]


  1. ^ a b "NIST – Guide to Intrusion Detection and Prevention Systems (IDPS)". February 2007. Retrieved 2010-06-25. 
  2. ^ a b Robert C. Newman (19 February 2009). Computer Security: Protecting Digital Resources. Jones & Bartlett Learning. pp. 273–. ISBN 978-0-7637-5994-0. Retrieved 25 June 2010. 
  3. ^ a b c d Michael E. Whitman; Herbert J. Mattord (2009). Principles of Information Security. Cengage Learning EMEA. pp. 289–. ISBN 978-1-4239-0177-8. Retrieved 25 June 2010. 
  4. ^ Tim Boyles (2010). CCNA Security Study Guide: Exam 640-553. John Wiley and Sons. pp. 249–. ISBN 978-0-470-52767-2. Retrieved 29 June 2010. 
  5. ^ Harold F. Tipton; Micki Krause (2007). Information Security Management Handbook. CRC Press. pp. 1000–. ISBN 978-1-4200-1358-0. Retrieved 29 June 2010. 
  6. ^ John R. Vacca (2010). Managing Information Security. Syngress. pp. 137–. ISBN 978-1-59749-533-2. Retrieved 29 June 2010. 
  7. ^ Engin Kirda; Somesh Jha; Davide Balzarotti (2009). Recent Advances in Intrusion Detection: 12th International Symposium, RAID 2009, Saint-Malo, France, September 23–25, 2009, Proceedings. Springer. pp. 162–. ISBN 978-3-642-04341-3. Retrieved 29 June 2010. 

External links[edit]