5Star CyberSecurity
Intrusion Detection and Prevention Systems

Intrusion Detection and Prevention Systems

Intrusion Detection and Prevention System

An Intrusion Detection and Prevention System (IDPS) monitors network traffic for indications of an attack, alerting administrators to possible attacks. IDPS solutions monitor traffic for patterns that match with known attacks. Traditionally, they used signature-based or statistical anomaly detection methods, but IDPS increasingly leverages machine learning technologies to process vast amounts of data and identify threats that signature and anomaly detection would miss.
IDPS solutions are usually deployed behind an organization’s firewall to identify threats that pass through the network’s first line of defense. Typically, an intrusion detection and prevention system accomplishes this by using a device or software to gather, log, detect, and prevent suspicious activity.

Type of Intrusion Detection and Prevention System

When determining which type of intrusion detection and prevention system your organization should use, you’ll need to consider factors like the characteristics of the network environment, the goals and objectives for using an IDPS, and current organization security policies. Ultimately, there are two types of IDS/IPS: network-based and host-based. A network-based IDPS runs on network segments, including wireless or any other network that is selected. A host-based IDPS, on the other hand, runs on servers. The four common types of IDPS, as defined by NIST, include the following:

Network-Based IDPS:

This type of IDPS monitors network traffic for specific network segments and devices. It analyzes the network and application protocol activity to identify suspicious and abnormal activity.

Wireless IDPS:

This IDPS is a sub-type of network-based IDPS. It monitors wireless network traffic and analyzes it to identify suspicious activity involving networking protocols.

Network Behavior Analysis (NBA) System:

This IDPS is a sub-type of network-based IDPS. It is used to examine network traffic in order to identify threats that generate unusual traffic flows (i.e. malware, DDoS attacks, and policy violations).

Host-Based IDPS:

This IDPS is used to monitor the characteristics of a single host and the events occurring within that host for suspicious activity.

Type of Detection Should Your IDPS Use

Signature-based:

The signature-based IDS is used to match the signatures of known attacks that have already been stored in your database to detect attacks on your network.

Anomaly-based:

The anomaly-based IDS method identifies abnormal behavior in your organization’s network.

Protocol-based:

The protocol-based IDS method monitors and analyzes protocols used by the computing system.