Intrusion detection is the process of monitoring the events occurring in a network and analyzing them for signs of possible incidents, violations, or imminent threats to security policies. These security measures are available as intrusion detection systems (IDS) and intrusion prevention systems (IPS). As a result, IDS and IPS are both parts of the network infrastructure. IDS and IPS constantly monitor the network, identifying possible incidents and logging information about them, stopping the incidents, and reporting them to security administrators.

Many IDS/IPS vendors have integrated newer IPS systems with firewalls to create a Unified Threat Management (UTM) technology that combines the functionality of those two similar systems into a single unit.




What Does IDS Do? 

IDS systems compare the current network activity to a known threat database to detect several kinds of behaviors like security policy violations, malware, and port scanners. IDS solutions come in two variations:

  • Network Intrusion Detection System (NIDS): This type of IDS monitors network traffic for threats through sensors, which are placed throughout the network.
  • Host Intrusion Detection System (HIDS): This type of IDS monitors traffic on the device or system where it is installed.

IDS systems do not operate on their own. They require a human or application to monitor scan results and then take action.




What Does IPS Do? 

An IPS, like a firewall, sits between the outside world and the internal network. An IPS is a software platform that analyzes network traffic content to detect and respond to exploits. An IPS proactively denies network traffic based on a security profile if a packet represents a known security threat. This ensures the traffic doesn’t reach the network.

IPS accepts and rejects network packets based on a specified rule set. The process is simple: if packets are suspicious and go against the specified rule set, the IPS rejects them. IPS systems also require a database that is consistently updated with new threat profiles, because the IPS uses signature-based detection, as well as anomaly detection, to identify network threats.

Several varieties of intrusion detection systems are available. We review four of the most common below:

  • Network-based IPS (NIPS)
  • Network behavior analysis (NBA)
  • Wireless IPS (WIPS)
  • Host-based IPS (HIPS)



Network-based IPS (NIPS) 

This type of IPS detects and prevents malicious activity by analyzing protocol packets throughout the entire network. NIPS gathers information from a host console and the network to identify permitted hosts, applications, and operating systems commonly used throughout the network.

NIPS can prevent attacks in a variety of ways, such as ending a TCP connection to prevent an attack, limiting bandwidth usage, or even rejecting suspicious network activity. NIPS has some disadvantages:

  • NIPS does not analyze encrypted network traffic.
  • NIPS does not handle high traffic loads.



Network Behavior Analysis (NBA) 

NBA sensors and programs examine network traffic to identify security threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware and policy violations. NBA detection primarily involves the following two methods:

  • Anomaly-based detection looks for deviations from what is known as “normal” behavior in system or network activity. Anomaly-based detection requires a training period in which a profile for what is considered normal behavior is constructed over a period of time. There are two problems here. First, malicious behavior might be logged as normal while a profile is being generated. Second, anomaly-based detection produces many false positives due to benign activity that wasn’t recognized during the initial training period.
  • Stateful protocol analysis detection also looks for deviations from normal network or system behavior. This protocol analysis is designed to differentiate between benign and suspicious activity in authenticated and unauthenticated states.

An NBA system should be used as an extension of NIPS or IDS/IPS in order to provide layered protection.
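The two anomaly-detection problems described above, shown on constructed data (an added example, not taken from any product): a mean and standard-deviation threshold stands in for the learned profile, and the host, traffic counts and the multiplier `k` are assumptions chosen for illustration.

```python
import statistics

# Constructed sample data: outbound connections per minute for one host.
CLEAN_TRAINING = [40, 42, 38, 41, 39, 43, 40, 37, 41, 39]
# Same training window, but a scanner was already active on the host.
POISONED_TRAINING = [40, 42, 400, 41, 39, 410, 40, 395, 41, 39]

# Constructed observations made after the training period has ended.
OBSERVATIONS = {
    "normal minute": 41,
    "nightly backup (benign, never seen in training)": 120,
    "scan burst": 400,
}

def build_profile(samples):
    """Learn 'normal' as the mean and standard deviation of the training window."""
    return statistics.mean(samples), statistics.pstdev(samples)

def is_anomalous(profile, observed, k=3.0):
    """Flag values more than k standard deviations away from the learned mean."""
    mean, std = profile
    return abs(observed - mean) > k * max(std, 1.0)

def evaluate(training, observations=OBSERVATIONS):
    """Return {label: flagged?} for each observation under the given training data."""
    profile = build_profile(training)
    return {label: is_anomalous(profile, value) for label, value in observations.items()}

if __name__ == "__main__":
    for name, training in (("clean", CLEAN_TRAINING), ("poisoned", POISONED_TRAINING)):
        print(f"profile trained on {name} data:")
        for label, flagged in evaluate(training).items():
            print(f"  {label:50s} {'ALERT' if flagged else 'ok'}")
```

With the clean profile the benign backup is flagged alongside the scan (a false positive); with the poisoned profile the scan burst falls inside "normal" and nothing is flagged.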



Wireless IPS (WIPS) 

WIPS collects information on devices connected to the network, and is very effective at detecting and preventing a variety of malicious events, including rogue access points, DoS attacks, unauthorized access, ad hoc networks, spoofing, and man-in-the-middle attacks.


Host-based IPS (HIPS) 

HIPS analyzes activity within a single host to detect and prevent malicious activity. HIPS serves three main purposes:

  1. Preventing attacks that leverage encryption.
  2. Preventing access to sensitive information located on the host (this is preventing any potential damage caused by rootkits or Trojan horses).
  3. Preventing the host machine from processing malicious activity on a network.



The Differences Between IDS and IPS 

An IDS platform can analyze network traffic and recognize malicious attack patterns, but it can’t block the packets from entering the network, while an IPS is a diagnostic and incident response tool that can prevent that traffic from interacting with the network. An IDS requires a human or another system to look at the results and determine what actions to take, while an IPS can decide what to do according to the rules that have been defined for it.

In other words, IPS combines the analysis functionality of an IDS with the ability to intervene and prevent the delivery of malicious packets.
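The IDS/IPS difference and the rule-set matching described earlier, as an added example that is not code from any IDS or IPS product: the same signature engine runs once out-of-band (alert only) and once inline (drop on match). The `Packet` and `Rule` types, the signature ids, the patterns and the traffic are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes

@dataclass
class Rule:
    sid: int                  # hypothetical signature id
    dst_port: Optional[int]   # None means the rule applies to any port
    pattern: re.Pattern

# Constructed rule set and traffic (documentation address ranges).
RULES = [
    Rule(1001, 80, re.compile(rb"\.\./\.\./")),        # path traversal sequence in an HTTP request
    Rule(1002, None, re.compile(rb"TEST-SIGNATURE")),  # made-up test marker
]
PACKETS = [
    Packet("198.51.100.7", 80, b"GET /index.html HTTP/1.1"),
    Packet("203.0.113.5", 80, b"GET /../../etc/passwd HTTP/1.1"),
    Packet("203.0.113.9", 25, b"DATA TEST-SIGNATURE"),
    # Same payload on another port: rule 1001 is bound to port 80, so it is missed.
    Packet("203.0.113.5", 8080, b"GET /../../etc/passwd HTTP/1.1"),
]

def inspect(packet, rules):
    """Return the rules whose port constraint and payload pattern both match."""
    return [r for r in rules
            if r.dst_port in (None, packet.dst_port) and r.pattern.search(packet.payload)]

def process(packets, rules, mode):
    """mode 'ids': alert only, everything is delivered. mode 'ips': matching packets are dropped."""
    delivered, alerts = [], []
    for packet in packets:
        hits = inspect(packet, rules)
        alerts.extend((rule.sid, packet.src) for rule in hits)
        if hits and mode == "ips":
            continue  # inline device: the packet never reaches the internal network
        delivered.append(packet)
    return delivered, alerts

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        delivered, alerts = process(PACKETS, RULES, mode)
        print(mode, "delivered:", len(delivered), "alerts:", alerts)
```

Both modes raise the same two alerts; only the IPS run keeps the matching packets out, and the port-8080 packet passes in both because no rule covers it.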