
Contents

Introduction
Intrusion Detection and Prevention Principles
Common Detection Methodologies
  Signature-Based Detection
  Stateful Protocol Analysis
  Anomaly-Based Detection
IDPS Technology Types
IDPS Detection Technologies
IDS vs. IPS: Differences & Similarities
  Differences
  Similarities
IDPS examples
IDPS advantages
Conclusion
Introduction
An Intrusion Detection and Prevention System (IDPS) is a security technology that
monitors networks, systems and applications for signs of malicious activity or policy
violations. Its goals are to detect possible incidents, alert security personnel and,
where it is deployed inline, stop the activity before it does damage. IDPSs are usually
classified by what they monitor (network-based, wireless and host-based) and by how
they detect (signature-based detection, anomaly-based detection and stateful protocol
analysis). Once a threat is detected, an IDPS can log the event, raise an alert and, in
prevention mode, drop the offending traffic, reset the connection or quarantine the
affected host. No IDPS catches everything, so it is best treated as one layer in a
defence-in-depth strategy alongside firewalls, endpoint protection and log monitoring,
rather than as a stand-alone control. Used that way, it helps organizations detect and
respond to incidents before they cause significant damage to critical assets.
Intrusion Detection and Prevention Principles
The principles of intrusion detection and prevention involve the following:
• Monitoring: an IDPS continuously observes network traffic, system logs and user
activity for signs of a security breach.
• Detection: it applies one or more techniques, such as signature-based detection,
anomaly-based detection and stateful protocol analysis, to identify potential security
threats.
• Prevention: when deployed inline, it takes action to stop an incident in progress,
such as dropping the offending packets, resetting the connection or quarantining an
infected host.
• Response: it alerts security personnel and records enough detail (source,
destination, matched rule, captured packets) for them to investigate and contain the
incident quickly and limit further damage.
• Adaptation: its signatures and profiles must be updated and tuned as threats and
attack methods evolve, or its effectiveness degrades over time.
• Integration: it should feed other security tools, such as a SIEM, firewalls and
endpoint protection, so that alerts can be correlated and acted upon.
• Compliance: its logging and alerting help organizations demonstrate the monitoring
that industry and regulatory standards require for systems handling sensitive data.
By following these principles, IDPSs can help organizations protect their critical
assets and maintain a strong security posture against a wide range of threats.

Common Detection Methodologies


IDPS technologies use several methodologies to detect incidents. Most products combine
more than one, either separately or in an integrated engine, because each has blind
spots: signatures miss attacks they have never seen, anomaly profiles raise false
positives on legitimate but unusual activity, and protocol analysis cannot judge
behaviour that is well-formed but malicious. Combining them gives broader and more
accurate detection.

Signature-Based Detection
A signature is a pattern that corresponds to a known threat. Signature-based
detection compares signatures against observed events to identify possible
incidents. Examples of signatures are as follows:
• A telnet attempt with a username of “root”, which is a violation of an
organization’s security policy.
• An e-mail with a subject of “Free pictures!” and an attachment filename of
“freepics.exe”, which are characteristics of a known form of malware.
Signature-based detection is very effective against known threats and produces few
false positives, but it is largely ineffective against previously unknown attacks and
against known attacks that have been modified to evade the signature. Because each
event is matched in isolation, a simple signature engine also has little understanding
of state: it cannot recognise that a request is suspicious only because of what
preceded it in the same session.
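The following is an added example, not code from the page or from any IDPS product. It encodes the two signatures described above as exact-match field patterns, runs them over a handful of constructed events, and shows the limitation just stated: renaming the attachment or switching from telnet to SSH defeats the signature. The event fields, signature IDs and sample events are assumptions made for this illustration.

```python
"""Signature-based detection over constructed events (added example, not from
the page or any IDPS product). The event fields and signature format are
assumptions made for this illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Event = Dict[str, str]


@dataclass
class Signature:
    sid: int                 # signature id, in the style of Snort/Suricata rule sids
    msg: str                 # alert message
    match: Dict[str, str]    # every field must equal the event's field (case-insensitive)


# Signatures modelled on the two examples in the text (constructed).
SIGNATURES: List[Signature] = [
    Signature(1000001, "POLICY telnet login attempt as root",
              {"proto": "telnet", "username": "root"}),
    Signature(1000002, "MALWARE known freepics mailer",
              {"proto": "smtp", "subject": "Free pictures!",
               "attachment": "freepics.exe"}),
]


def matches(sig: Signature, event: Event) -> bool:
    """A signature fires only when every field it names is present in the
    event and equal to the expected value; one differing byte is a miss."""
    return all(event.get(k, "").lower() == v.lower()
               for k, v in sig.match.items())


def scan(events: List[Event],
         signatures: List[Signature] = SIGNATURES) -> List[Tuple[int, int, str]]:
    """Return (event index, sid, msg) for every signature hit.
    Events are judged one at a time: there is no session state here."""
    alerts = []
    for idx, event in enumerate(events):
        for sig in signatures:
            if matches(sig, event):
                alerts.append((idx, sig.sid, sig.msg))
    return alerts


# Constructed sample events; these are not captured traffic.
SAMPLE_EVENTS: List[Event] = [
    {"proto": "telnet", "src": "10.0.0.5", "username": "root"},
    {"proto": "telnet", "src": "10.0.0.6", "username": "alice"},
    {"proto": "smtp", "src": "203.0.113.9", "subject": "Free pictures!",
     "attachment": "freepics.exe"},
    # Same malware with the attachment renamed: the signature no longer matches.
    {"proto": "smtp", "src": "203.0.113.9", "subject": "Free pictures!",
     "attachment": "freepics2.exe"},
    # Root login over SSH: a policy violation too, but no signature covers it.
    {"proto": "ssh", "src": "10.0.0.7", "username": "root"},
]


if __name__ == "__main__":
    for idx, sid, msg in scan(SAMPLE_EVENTS):
        print(f"event {idx}: [1:{sid}] {msg}")
```

Only events 0 and 2 produce alerts; events 3 and 4 pass silently, which is the evasion problem that motivates the anomaly-based and protocol-aware methods described next.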

Stateful Protocol Analysis
Stateful protocol analysis identifies deviations by comparing predetermined profiles
of generally accepted definitions of benign protocol activity, for each protocol state,
with observed events. Unlike anomaly-based detection, which builds profiles specific
to a particular host or network, stateful protocol analysis relies on vendor-developed
universal profiles that specify how a given protocol should and should not be used.
The term "stateful" refers to the IDPS's ability to understand and track the state of
network, transport and application protocols that have a notion of state: for example,
knowing that on an FTP control channel a PASS command is only meaningful after a USER
command, or that a command argument hundreds of bytes long is not something a
legitimate client sends, even though the command itself is valid.
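As an added example (not from the page, and not any vendor's profile), the state machine below encodes a constructed, generic profile of benign command sequencing on a simplified FTP control channel and walks three constructed sessions through it. It flags commands sent in the wrong state, commands sent after QUIT, and well-sequenced commands with implausibly long arguments; the allowed-command table and the MAX_ARG_LEN limit are assumptions.

```python
"""Stateful protocol analysis of a simplified FTP control channel (added
example, not from the page). The allowed-command table is a constructed,
generic profile of benign FTP sequencing, not any vendor's profile, and
MAX_ARG_LEN is an assumed limit."""
from typing import Dict, List, Set, Tuple

# Commands a well-behaved client may send in each connection state.
ALLOWED: Dict[str, Set[str]] = {
    "CONNECTED": {"USER", "QUIT"},
    "NEED_PASS": {"PASS", "QUIT"},
    "LOGGED_IN": {"PWD", "CWD", "TYPE", "PASV", "PORT", "LIST", "RETR",
                  "STOR", "QUIT"},
    "CLOSED": set(),          # nothing is legitimate after QUIT
}

# State reached when a command is accepted in the current state.
TRANSITIONS: Dict[Tuple[str, str], str] = {
    ("CONNECTED", "USER"): "NEED_PASS",
    ("NEED_PASS", "PASS"): "LOGGED_IN",
}

MAX_ARG_LEN = 64   # assumed: real clients never send usernames or paths this long


def analyze_session(commands: List[str]) -> List[str]:
    """Walk one client's command stream through the protocol state machine and
    return a description of every deviation from the benign profile."""
    state = "CONNECTED"
    findings: List[str] = []
    for n, line in enumerate(commands, 1):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb not in ALLOWED[state]:
            findings.append(f"line {n}: {verb} not permitted in state {state}")
            continue                      # a rejected command does not change state
        if len(arg) > MAX_ARG_LEN:
            # Correct sequencing but an unreasonable argument: the classic
            # buffer-overflow tell, caught here without a per-command signature.
            findings.append(f"line {n}: {verb} argument is {len(arg)} bytes, "
                            f"limit {MAX_ARG_LEN}")
        state = "CLOSED" if verb == "QUIT" else TRANSITIONS.get((state, verb), state)
    return findings


# Constructed sessions, not captured traffic.
BENIGN_SESSION = ["USER alice", "PASS s3cret", "PWD", "CWD /pub", "LIST", "QUIT"]
ATTACK_SESSION = [
    "PASS guessme",             # password before any username
    "USER " + "A" * 300,        # oversized username
    "PASS x",
    "STOR shell.php",           # legitimate in LOGGED_IN, so not flagged here
]
POST_QUIT_SESSION = ["STOR evil.bin", "QUIT", "USER bob"]


if __name__ == "__main__":
    for name, session in [("benign", BENIGN_SESSION), ("attack", ATTACK_SESSION),
                          ("post-quit", POST_QUIT_SESSION)]:
        print(name, analyze_session(session) or "no deviations")
```

Note what the analyzer does not catch: "STOR shell.php" after a successful login is protocol-legitimate, so a web shell upload by a valid user is invisible to protocol analysis alone and needs a signature or a host-based control.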

Anomaly-Based Detection
Anomaly-based detection identifies significant deviations by comparing definitions of
what activity is considered normal with observed events. In an IDPS that uses
anomaly-based detection, a profile represents the normal behaviour of entities such
as users, hosts, network connections or applications. Profiles are built by tracking
the characteristics of typical activity over a training period. For example, a network
profile might show that during typical business hours, Web traffic accounts for an
average of 13% of network bandwidth at the Internet border.
The IDPS then compares the characteristics of current activity against the profile's
thresholds, for instance recognising when Web activity consumes far more bandwidth
than expected and notifying an administrator of the anomaly. Many behavioural
attributes can be profiled, such as the number of e-mails sent by a user, the number
of failed login attempts for a host, or a host's processor utilization over a given
period. The method's strength is that it can detect previously unknown threats; its
weaknesses are false positives from legitimate but unusual activity, and the risk that
malicious activity present during the training period is learned as normal.
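To make the profile-and-compare cycle concrete, here is an added example (not from the page) that learns a mean and standard deviation for several metrics from a constructed attack-free training window, then scores a later observation with a z-score threshold. The metric names, training values, observed values and the three-sigma threshold are all assumptions; the 13% Web-bandwidth figure from the text is used as the centre of one of the constructed profiles.

```python
"""Anomaly-based detection from a learned statistical profile (added example,
not from the page). Metric names, training values and the 3-sigma threshold
are constructed assumptions for this illustration."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Tuple


@dataclass
class Profile:
    mean: float
    stdev: float
    samples: int


def build_profiles(training: Dict[str, Iterable[float]],
                   floor: float = 1e-9) -> Dict[str, Profile]:
    """Learn a per-metric mean and standard deviation from a training period.
    The training window is assumed to be attack-free: anything malicious that
    was present while the profile was built is learned as 'normal'."""
    profiles: Dict[str, Profile] = {}
    for metric, values in training.items():
        vals = list(values)
        # Floor the deviation so a perfectly constant metric does not divide by zero.
        profiles[metric] = Profile(mean(vals), max(pstdev(vals), floor), len(vals))
    return profiles


def score(profiles: Dict[str, Profile], observation: Dict[str, float],
          k: float = 3.0) -> List[Tuple[str, float, float]]:
    """Return (metric, observed value, z-score) for each metric lying more than
    k standard deviations from its profile. A metric never seen in training is
    reported with an infinite score: brand-new behaviour is itself an anomaly."""
    anomalies = []
    for metric, observed in observation.items():
        p = profiles.get(metric)
        if p is None:
            anomalies.append((metric, observed, float("inf")))
            continue
        z = (observed - p.mean) / p.stdev
        if abs(z) > k:
            anomalies.append((metric, observed, round(z, 2)))
    return anomalies


# Constructed training data: ten business-hour samples per metric.
TRAINING = {
    "web_pct_of_border_bandwidth": [12, 13, 14, 13, 12, 13, 14, 13, 12, 14],
    "failed_logins_per_host_hour": [0, 1, 0, 2, 1, 0, 1, 0, 1, 0],
    "emails_sent_per_user_hour":   [3, 5, 4, 6, 5, 4, 3, 5, 4, 6],
}
# Constructed observations for one later hour.
NORMAL_HOUR = {"web_pct_of_border_bandwidth": 14.5,
               "failed_logins_per_host_hour": 2,
               "emails_sent_per_user_hour": 6}
SUSPICIOUS_HOUR = {"web_pct_of_border_bandwidth": 31,      # bulk upload over HTTP?
                   "failed_logins_per_host_hour": 47,      # password guessing?
                   "emails_sent_per_user_hour": 400,       # compromised mailbox?
                   "dns_txt_queries_per_host_hour": 900}   # never profiled at all


if __name__ == "__main__":
    profiles = build_profiles(TRAINING)
    for m, p in profiles.items():
        print(f"{m}: mean={p.mean:.2f} stdev={p.stdev:.2f} (n={p.samples})")
    print("normal hour    :", score(profiles, NORMAL_HOUR))
    print("suspicious hour:", score(profiles, SUSPICIOUS_HOUR))
```

The threshold k is the tuning knob that trades false positives for false negatives; a practitioner would also rebuild the profile periodically and keep separate profiles for business hours and off-hours, since one mean for both would hide nighttime anomalies behind daytime variance.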
IDPS Technology Types
IDPS technologies come in several flavors. They are classified into three classes
based on the kind of events they monitor and the ways in which they are deployed:
1. Network-based, which monitors network traffic for particular network segments
or devices and analyzes network and application protocol activity to identify
suspicious activity. It can recognize a wide range of events of interest. It is most
commonly deployed at network boundaries, such as near border firewalls or routers,
virtual private network (VPN) servers, remote access servers and wireless networks.
2. Wireless, which monitors wireless network traffic and analyzes wireless
networking protocols to identify suspicious activity involving those protocols. It
cannot identify suspicious activity in the application or higher-layer network
protocols (e.g., TCP, UDP) that the wireless traffic is carrying. It is most commonly
used to monitor an organization's own wireless network, but it can also detect
unauthorized (rogue) wireless networks.
3. Host-based, which looks for suspicious behaviour by monitoring the characteristics
of a particular host and the events occurring within it. A host-based IDPS may
monitor network traffic (for that host only), system logs, running processes,
application activity, file access and modification, and system and application
configuration changes. Host-based IDPSs are typically installed on critical hosts such
as publicly accessible servers and servers holding sensitive data.
Some types of IDPS are more mature than others because they have been in use longer.
Network-based IDPS and various forms of host-based IDPS have been commercially
available for well over a decade; wireless IDPS is a more recent addition.

IDPS Detection Technologies
Several detection technologies are used in IDPS products, alone or in combination.
Note that the list below mixes two different axes: how a product detects (items 1 to
3, 6 and 7) and where it is deployed (items 4 and 5). Most commercial products
combine several of them.
1. Signature-based detection: uses a database of known attack signatures. The IDPS
compares observed traffic or events against the database and alerts when a match is
found. It is precise for known threats but blind to new ones.
2. Anomaly-based detection: uses statistical or machine-learning models of normal
network traffic and user activity. The IDPS learns a baseline during a training period
and alerts when activity deviates significantly from it, at the cost of false positives
on legitimate but unusual behaviour.
3. Heuristic-based detection: uses rules and algorithms that encode generalized
attack patterns rather than exact signatures, so that variants of a known technique
can be recognised. The IDPS alerts when observed behaviour matches such a pattern.
4. Network-based IDPS: monitors network traffic in real time, either passively from
a mirrored copy of the traffic or inline, where it can block suspicious traffic.
5. Host-based IDPS: is installed on individual systems and monitors system logs,
process activity, file integrity and user activity to detect compromise of that host.
6. Behavior-based IDPS: models the behaviour of users, processes and files, and
alerts on actions such as unusual file access or changes to system settings that may
indicate a breach. On a host this is the anomaly-based approach applied to endpoint
activity.
7. Reputation-based IDPS: uses threat intelligence feeds to identify known malicious
IP addresses, domains and URLs and block traffic to or from them. Its value depends
on feed freshness, and blocking on IP reputation alone can cause collateral damage
when the address belongs to shared hosting or a content delivery network.
By using a combination of these technologies, organizations can implement an
effective IDPS solution that detects and prevents a wide range of security threats.

IDS vs. IPS: Differences & Similarities


Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are two
related but distinct technologies used to protect computer networks from security
threats. Here are some of the key differences and similarities between IDS and IPS:

Differences
1. Functionality: an IDS is a passive monitoring system that detects potential
threats and alerts security personnel. An IPS is an active system that not only
detects threats but also takes action to stop them.
2. Response: an IDS alerts security personnel, and it is up to them (or an
orchestration tool consuming the alerts) to respond. An IPS can act automatically,
dropping packets, resetting connections or blocking the source, without waiting for
a human.
3. Placement: an IDS receives a copy of the traffic, typically from a switch
SPAN/mirror port or a network TAP, and can therefore be placed wherever visibility
is wanted, at the perimeter or inside the network. An IPS must sit inline in the
forwarding path of the traffic it is meant to block, which in practice usually means
the perimeter or internal segmentation points.
4. Traffic handling: because an IDS only observes a copy, a detector fault or an
overloaded sensor costs visibility (dropped copies) but never affects production
traffic. An IPS adds latency to every packet it inspects and becomes a single point
of failure: a sensor that cannot keep up must either pass traffic uninspected
(fail-open) or block it (fail-closed), and a false positive in an IPS is an outage
rather than a spurious alert. This is why IPS deployments are sized more
conservatively and tuned more carefully than IDS deployments.
Similarities
1. Purpose: Both IDS and IPS are designed to protect computer networks from
security threats.
2. Detection: Both IDS and IPS use similar detection methods, such as
signature-based detection, anomaly-based detection, and behavior-based
detection.
3. Prevention: although an IDS does not block anything itself, its alerts drive
prevention indirectly, for instance when an analyst or an automated playbook blocks
a source at the firewall after an alert. An IPS prevents directly by acting on the
traffic in its path.
4. Management: both IDS and IPS require skilled security personnel to manage and
maintain them, and both need ongoing tuning of rules and profiles to keep false
positives manageable.

In summary, while IDS and IPS share similar detection technologies, they differ in
terms of their functionality, response, placement, and traffic handling. IDS is a
passive monitoring system that alerts security personnel to potential threats, while
IPS is an active prevention system that can take action to block threats
automatically.
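The placement and traffic-handling differences above are easiest to see by running one detector in both modes. The following is an added example, not from the page or any product: the same toy signature engine is fed constructed packets first as a passive IDS (everything is forwarded, the engine only alerts) and then as an inline IPS, where matches are dropped and an engine fault has to be resolved as either fail-open or fail-closed. The signature, the sample packets and the use of a decode error to model an engine fault are assumptions.

```python
"""Passive IDS versus inline IPS on the same traffic (added example, not from
the page or any product). The toy signature, the sample packets and the use
of a decode error to stand in for an engine fault are constructed assumptions."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


@dataclass
class Verdict:
    forwarded: List[Packet] = field(default_factory=list)
    dropped: List[Packet] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)


def detect(pkt: Packet) -> bool:
    """Toy signature: shell metacharacters in an HTTP request line.
    A payload that is not valid UTF-8 raises UnicodeDecodeError, which this
    example uses to model a detection-engine fault on malformed input."""
    text = pkt.payload.decode("utf-8")
    return "GET /" in text and (";id" in text or "|cat " in text)


def run_passive_ids(packets: List[Packet]) -> Verdict:
    """IDS fed from a SPAN/TAP copy: every packet reaches its destination no
    matter what the engine decides, or whether it works at all."""
    v = Verdict()
    for p in packets:
        v.forwarded.append(p)
        try:
            if detect(p):
                v.alerts.append(f"ALERT {p.src}->{p.dst}")
        except UnicodeDecodeError:
            v.alerts.append(f"ENGINE-ERROR {p.src}->{p.dst}")
    return v


def run_inline_ips(packets: List[Packet], fail_open: bool) -> Verdict:
    """IPS in the forwarding path: matches are dropped. When the engine faults,
    fail_open=True forwards the packet uninspected (availability over
    security); fail_open=False drops it (security over availability)."""
    v = Verdict()
    for p in packets:
        try:
            hit = detect(p)
        except UnicodeDecodeError:
            v.alerts.append(f"ENGINE-ERROR {p.src}->{p.dst}")
            (v.forwarded if fail_open else v.dropped).append(p)
            continue
        if hit:
            v.alerts.append(f"DROP {p.src}->{p.dst}")
            v.dropped.append(p)
        else:
            v.forwarded.append(p)
    return v


# Constructed sample traffic (RFC 5737 documentation addresses), not a capture.
SAMPLE_TRAFFIC = [
    Packet("198.51.100.7", "10.0.0.10", b"GET /index.html HTTP/1.1\r\n"),
    Packet("198.51.100.7", "10.0.0.10",
           b"GET /cgi-bin/ping?host=127.0.0.1;id HTTP/1.1\r\n"),
    Packet("198.51.100.8", "10.0.0.10", b"\xff\xfe not utf-8"),   # trips the engine
    Packet("198.51.100.9", "10.0.0.10", b"GET /about HTTP/1.1\r\n"),
]


if __name__ == "__main__":
    for label, verdict in [("passive IDS", run_passive_ids(SAMPLE_TRAFFIC)),
                           ("inline IPS, fail-open", run_inline_ips(SAMPLE_TRAFFIC, True)),
                           ("inline IPS, fail-closed", run_inline_ips(SAMPLE_TRAFFIC, False))]:
        print(f"{label}: forwarded={len(verdict.forwarded)} "
              f"dropped={len(verdict.dropped)} alerts={verdict.alerts}")
```

In passive mode the malformed packet costs nothing but an error log line; inline, the same packet forces a policy decision, and the fail-closed choice turns an engine bug into a denial of service for that client. Real sensors expose this as a bypass/fail-open setting and as hardware bypass on inline network interfaces.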
IDPS examples
Some common examples of Intrusion Detection and Prevention Systems (IDPS)
include:
• Snort - Open source network IDS/IPS. Detection is primarily signature (rule) based,
with preprocessors that perform stateful protocol analysis such as TCP stream
reassembly and HTTP normalization. It can run passively to generate alerts and log
packets, or inline to drop traffic.
• Suricata - Open source network IDS/IPS that uses a Snort-compatible rule language
and adds multi-threading, rich protocol logging (EVE JSON), file extraction and TLS
inspection based on certificates and handshake fingerprints. It does not decrypt
HTTPS; inspecting encrypted payloads requires a separate TLS-terminating proxy in
front of the sensor.
• Zeek (formerly Bro) - Open source network security monitoring framework that parses
traffic into detailed protocol logs (connections, DNS, HTTP, TLS, files) and runs
scripts that raise notices on suspicious activity. It is better described as an
analysis platform than a signature IDS, though it includes a signature framework, and
its logs are commonly paired with Snort or Suricata alerts during investigation.
• OSSEC - Open source host-based IDS that performs log analysis, file integrity
monitoring and rootkit detection across many hosts from a central manager, with an
active-response feature that can block an offending address. Detection is rule-based
(decoders and rules applied to logs) plus baseline comparison for files.
• Tripwire - File integrity monitoring tool, available commercially and as Open
Source Tripwire, that detects unauthorized file system changes by hashing files and
comparing them against a cryptographically signed baseline. This is baseline
comparison rather than statistical anomaly detection, and it is only as trustworthy
as the protection of the baseline itself.
• FireEye - Commercial network and endpoint IDPS that uses signature-based,
anomaly-based, and behavioral analytics detection methods to detect zero-
day, advanced persistent threats, and other elusive cyber attacks.
• Palo Alto Networks - Commercial network IDPS (included in their next-gen
firewalls) that uses a combination of signatures, anomalies, machine
learning, and sandboxing to detect advanced threats, malware, exploits, and
command and control activity.
• Cisco - Commercial network IDPS (included in Cisco Firepower next-gen
firewalls and sold as a separate IPS appliance) that uses signatures,
anomalies, behavioral detection, and machine learning to detect
sophisticated threats.
• McAfee - Commercial network and endpoint IDPS that provides signature-
based, anomaly-based, and machine learning detection techniques to identify
malware, exploits, command and control, and insider threats.
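The file-integrity technique that the host-based IDPS section describes and that OSSEC and Tripwire implement is short enough to show end to end. The following is an added example, not code from the page or from either tool: it hashes every regular file under a root into a baseline, re-scans later, and classifies the differences as added, removed or modified. The directory tree and the tampering scenario are constructed in a temporary directory for the demonstration.

```python
"""Host-based file integrity monitoring: hash baseline versus current state
(added example, not from the page, OSSEC or Tripwire). The file tree and the
tampering scenario in demo() are constructed for this illustration."""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map every regular file under root (path relative to root, '/'-separated)
    to its SHA-256 digest. Symlinks are skipped so an attacker cannot satisfy
    the check by pointing a link at an unmodified copy."""
    baseline: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences the way Tripwire/OSSEC-style FIM reports them."""
    old, new = set(baseline), set(current)
    return {
        "added":    sorted(new - old),
        "removed":  sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def _write(path: str, text: str) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a baseline of a small fake system tree, tamper
    with it the way an intruder might, then re-scan and diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "etc", "ssh", "sshd_config"), "PermitRootLogin no\n")
        _write(os.path.join(root, "bin", "ls"), "original ls binary\n")
        _write(os.path.join(root, "sbin", "auditctl"), "original auditctl binary\n")
        baseline = build_baseline(root)

        # Tampering: trojanised binary, weakened config, persistence via cron,
        # and removal of the audit tool.
        _write(os.path.join(root, "bin", "ls"), "trojaned ls binary\n")
        _write(os.path.join(root, "etc", "ssh", "sshd_config"), "PermitRootLogin yes\n")
        _write(os.path.join(root, "etc", "cron.d", "backdoor"), "* * * * * root /tmp/.x\n")
        os.remove(os.path.join(root, "sbin", "auditctl"))

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s}: {paths}")
```

Two operational points follow from the code: the baseline must be stored and verified off the monitored host (or signed, as Tripwire does), because an intruder with root can otherwise rewrite it to match the tampered files; and legitimate change (patching) shows up exactly like tampering, so FIM only works when the baseline is refreshed as part of change management.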
IDPS advantages
Here are some advantages of using an IDPS:
1. Real-time threat detection: IDPSs can detect and respond to security threats
in real-time, which can help prevent or minimize the impact of an attack.
2. Comprehensive protection: IDPSs can detect a wide range of security
threats, including known and unknown threats, providing a
comprehensive security solution for organizations.
3. Increased situational awareness: IDPSs can provide organizations with
increased situational awareness of their network security posture, allowing
them to identify potential vulnerabilities and take appropriate action.
4. Reduced false positives: combining complementary detection methods and tuning
rules and profiles to the environment reduces false positives and improves accuracy.
An untuned IDPS, by contrast, is notoriously noisy, so this advantage is earned
through configuration rather than delivered by the product out of the box.
5. Automated response: Some IDPSs can automatically respond to security
threats, which can help prevent attacks from succeeding without the need for
human intervention.
6. Customizable: IDPSs can be customized to meet the specific needs of an
organization, including the types of threats they are most concerned about,
and the level of protection required.
7. Compliance: IDPSs can help organizations comply with industry
and regulatory standards, such as HIPAA and PCI DSS, by providing a layer
of security against cyber attacks.
Overall, IDPSs are an essential component of any effective cybersecurity strategy.
Conclusion
Intrusion Detection and Prevention Systems (IDPS) are essential tools for protecting
computer networks from security threats. IDPSs use various detection methodologies,
including signature-based detection, anomaly-based detection, stateful protocol
analysis and reputation-based detection, to identify potential threats and prevent
them from causing harm. Each method has blind spots, so combining them provides
broader and more accurate coverage than any one alone.
IDPSs provide organizations with real-time threat detection, increased situational
awareness, and the ability to respond to security incidents in a timely and effective
manner. They can help organizations comply with industry and regulatory
standards, and reduce the risk of data breaches, financial losses, and reputational
damage.
While IDPSs are an essential component of any effective cybersecurity strategy, it
is important to note that no single security solution is foolproof. Organizations
should use a layered approach to security, including IDPSs, firewalls, antivirus
software, and other security tools, to provide the best possible protection against
security threats.
Overall, IDPSs are a critical tool for organizations looking to protect their critical
assets from a wide range of security threats. By implementing an effective IDPS
solution, organizations can improve their overall security posture and reduce the
risk of cyber attacks.