
What is an Intrusion Prevention System?

An intrusion prevention system (IPS) is a network security control that detects
identified threats and stops them. An IPS continuously monitors network traffic,
looking for possible malicious activity and capturing information about it. It
reports these events to system administrators and takes preventive action, such as
dropping the offending traffic, closing the connection or updating firewall rules to
prevent a repeat of the attack. An IPS can also be used to enforce corporate
security policy, deterring employees and network guests from violating the rules
that policy contains.

With so many access points on a typical business network, you need a way to
monitor for signs of potential violations, incidents and imminent threats. Today's
network threats are increasingly sophisticated and can get past even robust
security controls.

IPS and IDS - What is the Difference?

When looking into IPS solutions, you may also come across intrusion detection
systems (IDS). Before we look into how intrusion prevention systems work, let's take
a look at the difference between IPS and IDS.

The main difference between IPS and IDS is the action they take when a potential
incident has been detected.

• Intrusion prevention systems control access to an IT network and protect it
from abuse and attack. They sit inline in the traffic path, so they can monitor
intrusion data and take action to stop an attack while it is developing.
• Intrusion detection systems are not designed to block attacks. They monitor
the network, typically out of band from a tap or mirror port, and send alerts to
system administrators if a potential threat is detected.

How Do Intrusion Prevention Systems Work?

Intrusion prevention systems work by inspecting all network traffic that passes
through them. An IPS is designed to prevent a number of different threats, including:

• Denial of Service (DoS) attacks
• Distributed Denial of Service (DDoS) attacks
• Various types of exploits
• Worms
• Viruses

The IPS performs real-time deep packet inspection of every packet that crosses it.
If malicious or suspicious packets are detected, the IPS can carry out one or more
of the following actions:

• Terminate the TCP session that is being exploited and block the offending
source IP address or user account from accessing applications, target hosts or
other network resources.
• Reprogram or reconfigure the firewall to prevent a similar attack in the
future.
• Remove or replace malicious content that remains on the network following
an attack, for example by repackaging payloads, stripping header information
or removing infected attachments from file or email servers.

Types of Prevention
An intrusion prevention system is typically configured to use several approaches
together to protect the network from unauthorised access. These include:

• Signature-Based - The signature-based approach uses predefined signatures
of well-known network threats. When an attack is initiated that matches one of
these signatures or patterns, the system takes the configured action. It cannot
see an attack for which no signature exists yet.
• Anomaly-Based - The anomaly-based approach first learns what normal
network behaviour looks like, then watches for abnormal or unexpected
behaviour. If an anomaly is detected, the system can block access to the target
host immediately. This catches attacks with no known signature but also
produces the most false positives, and on an inline device a false positive drops
legitimate traffic, so anomaly rules are usually tuned in alert-only mode before
they are allowed to block.
• Policy-Based - This approach requires administrators to configure rules
according to organisational security policy and the network infrastructure.
When an activity occurs that violates a rule, an alert is triggered and sent to the
system administrators.

Intrusion Detection System (IDS)

An Intrusion Detection System (IDS) monitors network traffic for suspicious
activity and issues alerts when such activity is discovered. It is a software
application or appliance that scans a network or a system for harmful activity or
policy violations. Any malicious activity or violation is normally reported to an
administrator or collected centrally by a security information and event
management (SIEM) system. A SIEM integrates outputs from multiple sources and
applies alarm filtering to separate malicious activity from false alarms.
Although intrusion detection systems monitor networks for potentially malicious
activity, they are also prone to false alarms. Organisations therefore need to tune
their IDS products when they first install them, which means teaching the IDS what
normal traffic on the network looks like so that it can be distinguished from
malicious activity.
An IDS likewise inspects packets inbound to the system for malicious activity and
sends warning notifications as soon as it finds any.
Classification of Intrusion Detection System:
IDS are commonly classified into five types:
1. Network Intrusion Detection System (NIDS):
Network intrusion detection systems (NIDS) are set up at a planned point
within the network to examine traffic from all devices on the network. A NIDS
observes the traffic passing on the entire subnet and matches it against a
collection of known attacks. Once an attack is identified or abnormal
behaviour is observed, an alert can be sent to the administrator. An example
of NIDS placement is the subnet where the firewalls are located, so the NIDS
can see whether someone is trying to attack the firewall itself.
2. Host Intrusion Detection System (HIDS):
Host intrusion detection systems (HIDS) run on individual hosts or devices on
the network. A HIDS monitors only the incoming and outgoing packets of that
device and alerts the administrator if suspicious or malicious activity is
detected. It also takes a snapshot of existing system files and compares it
with the previous snapshot. If critical system files were edited or deleted, an
alert is sent to the administrator to investigate. HIDS are typically deployed
on mission-critical machines whose configuration is not expected to change.
3. Protocol-based Intrusion Detection System (PIDS):
A protocol-based intrusion detection system (PIDS) is a system or agent that
resides at the front end of a server, monitoring and interpreting the protocol
between a user or device and the server. It typically protects a web server by
watching the HTTPS stream and validating the HTTP protocol carried inside it.
Because HTTPS is encrypted on the wire, the PIDS has to sit where TLS is
terminated, between the decryption point and the web application layer, so
that it sees the HTTP traffic in the clear before the server processes it.
4. Application Protocol-based Intrusion Detection System (APIDS):
An application protocol-based intrusion detection system (APIDS) is a system
or agent that generally resides within a group of servers. It identifies
intrusions by monitoring and interpreting the communication on
application-specific protocols. For example, it would monitor the SQL protocol
used by the middleware as it transacts with the database behind the web
server.
5. Hybrid Intrusion Detection System:
A hybrid intrusion detection system combines two or more of the above
approaches. In a hybrid system, host agent or system data is combined with
network information to develop a complete view of the network. A hybrid
system is generally more effective than any single approach on its own.
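The file-integrity check described under HIDS above, as an added example that is not code from the page or from any particular product: it hashes a baseline snapshot of a directory tree, takes a second snapshot after tampering, and reports what was added, removed or modified. The monitored directory, its files and the tampering are all constructed in a temporary directory so that it runs offline; the file names are illustrative.

```python
"""File-integrity check of the kind a host IDS performs: hash a baseline
snapshot of a directory tree, take a later snapshot, and report what changed.

Added example, not code from the page. The monitored tree, its files and the
tampering are constructed in a temporary directory so the script runs offline.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file under root (relative, '/'-separated) to (size, mode, sha256)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            st = os.stat(path)
            snap[rel] = (st.st_size, st.st_mode & 0o777, digest.hexdigest())
    return snap


def compare(baseline, current):
    """Return the paths added, removed and modified since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def run_demo():
    with tempfile.TemporaryDirectory() as root:
        # Constructed "system" files standing in for a real host.
        _write(root, "bin/ls", b"ELF original ls")
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "etc/motd", b"Welcome\n")
        baseline = snapshot(root)  # in practice stored off-host or signed

        # Constructed tampering: a same-size replacement of a binary (size
        # alone would miss it), a deleted file and a dropped script.
        _write(root, "bin/ls", b"ELF backdoor ls")
        os.remove(os.path.join(root, "etc", "motd"))
        _write(root, "tmp/.x", b"#!/bin/sh\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind:9}", ", ".join(paths) or "-")
```

Comparing the SHA-256 rather than only size or timestamp is what catches the same-size replacement of bin/ls. The baseline itself is the weak point: if it is kept on the monitored host, an attacker who can replace binaries can also rewrite the baseline, so real deployments store or sign it elsewhere.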
Detection Method of IDS:
1. Signature-based Method:
A signature-based IDS detects attacks on the basis of specific patterns in
traffic, such as byte sequences, strings or known malicious instruction
sequences used by malware. The patterns the IDS looks for are known as
signatures.
A signature-based IDS can easily detect attacks whose pattern (signature)
already exists in its database, but it is quite difficult for it to detect new
attacks, because their signature is not yet known.
2. Anomaly-based Method:
Anomaly-based IDS was introduced to detect unknown attacks, since new
malware is developed rapidly. An anomaly-based IDS uses statistics or machine
learning to build a model of trusted activity; anything observed is compared
with that model and declared suspicious if it does not fit. The machine
learning approach generalises better than a signature-based IDS because the
model can be trained for the specific applications and hardware configuration
in use, at the cost of a higher false-positive rate while the model is being tuned.
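The three approaches listed under Types of Prevention earlier, and the signature and anomaly methods described in this section, combined in one small inline inspector as an added example (not code from the page): signature rules are matched against payload bytes, an anomaly threshold is learned from a clean baseline window of packets per source, and policy rules only alert. The packet records, signatures, policy rules and baseline are all constructed here; the addresses and patterns are illustrative.

```python
"""Toy inline inspector combining signature, anomaly and policy checks.

Added example, not code from the page. The packet records, signatures,
policy rules and the clean-traffic baseline are all constructed here so
that it runs offline; addresses and patterns are illustrative.
"""
import re
import statistics
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dport: int
    payload: bytes = b""


# Signature-based: byte patterns of known attacks, matched against the payload.
SIGNATURES = [
    ("path-traversal", re.compile(rb"\.\./\.\./|/etc/passwd")),
    ("sqli-union", re.compile(rb"(?i)union\s+select")),
    ("nop-sled", re.compile(rb"\x90{16,}")),
]

# Policy-based: organisational rules; a violation is alerted, not blocked.
GUEST_PREFIX = "10.9."
POLICIES = [
    ("telnet from guest VLAN", lambda p: p.src.startswith(GUEST_PREFIX) and p.dport == 23),
    ("SMB from guest VLAN", lambda p: p.src.startswith(GUEST_PREFIX) and p.dport == 445),
]


class Inspector:
    def __init__(self, baseline_counts, k=3.0):
        # Anomaly-based: learn how many packets a normal source sends in one
        # observation window, then flag any source more than k standard
        # deviations above the mean. pstdev() can be 0 for a flat baseline.
        spread = statistics.pstdev(baseline_counts) or 1.0
        self.threshold = statistics.mean(baseline_counts) + k * spread
        self.blocked = set()

    def inspect(self, packets):
        """Return (src, action, reason) for each packet of one window."""
        verdicts = []
        seen = Counter()
        for p in packets:
            if p.src in self.blocked:
                verdicts.append((p.src, "drop", "source already blocked"))
                continue
            seen[p.src] += 1
            sig = next((name for name, rx in SIGNATURES if rx.search(p.payload)), None)
            if sig:
                self.blocked.add(p.src)
                verdicts.append((p.src, "block", "signature:" + sig))
                continue
            if seen[p.src] > self.threshold:
                # No signature matched, but the rate is far outside the
                # baseline: the anomaly rule catches the unknown flood.
                self.blocked.add(p.src)
                verdicts.append((p.src, "block", "anomaly:rate"))
                continue
            policy = next((name for name, pred in POLICIES if pred(p)), None)
            if policy:
                verdicts.append((p.src, "alert", "policy:" + policy))
                continue
            verdicts.append((p.src, "allow", ""))
        return verdicts


def run_demo():
    # Constructed clean window: packets per source observed while training.
    ips = Inspector(baseline_counts=[3, 4, 5, 4, 3, 6, 4, 5])
    traffic = [Packet("10.1.1.5", 80, b"GET /index.html HTTP/1.1")]
    traffic += [Packet("203.0.113.7", 80, b"GET /../../etc/passwd HTTP/1.1"),
                Packet("203.0.113.7", 80, b"GET /index.html HTTP/1.1")]
    # Ten requests from one source with no known-bad pattern in them.
    traffic += [Packet("198.51.100.9", 80, b"GET /search?q=%d HTTP/1.1" % i) for i in range(10)]
    traffic += [Packet("10.9.0.4", 23, b"")]
    verdicts = ips.inspect(traffic)
    return {"actions": dict(Counter(v[1] for v in verdicts)),
            "blocked": sorted(ips.blocked),
            "verdicts": verdicts}


if __name__ == "__main__":
    for src, action, reason in run_demo()["verdicts"]:
        print(f"{src:14} {action:6} {reason}")
```

The flood from 198.51.100.9 carries no known-bad pattern, so the signature rules let every packet through; the anomaly rule catches it once the source's count passes the learned threshold of roughly seven packets per window. Lowering k moves that threshold down and is exactly the false-positive trade-off discussed above.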
Comparison of IDS with Firewalls:
IDS and firewalls both relate to network security, but an IDS differs from a
firewall in that a firewall looks outward for intrusions in order to stop them from
happening. Firewalls restrict access between networks to prevent intrusion, and if
an attack originates inside the network the firewall does not signal it. An IDS
describes a suspected intrusion once it has happened and then signals an alarm.

----------------------------------------------------------------------------------------------------------------

Today's computer users and organisations constantly face numerous, diverse and
highly sophisticated malware, which has led cybersecurity researchers to conclude
that signature-based solutions can no longer work by themselves.

Viruses, worms and trojans damage systems and communication channels, steal
private information and keep users under surveillance. Not only are there numerous
new malware files every day, some of them can also modify their configuration and
signature as they spread.

Solutions such as Network Intrusion Detection Systems (NIDS), which examine internet
and internal network traffic, are available, but they are limited by the widespread
use of encryption on the Web. They also cannot protect against threats that spread
from removable storage media.

A system that can stop attacks at the host level is a more practical solution,
because it can watch the applications running on a particular machine and halt any
unwanted activity. This is where methods like the Host Intrusion Prevention System
(HIPS) come in.

What Is Host Intrusion Prevention System (HIPS)?

HIPS is an abbreviation for Host-based Intrusion Prevention System, an Intrusion
Prevention System (IPS) used to protect critical computer systems holding important
information against intrusions, infections and other Internet malware.

A HIPS watches a single host for suspicious activity by examining the events
happening within that host. In other words, a Host Intrusion Prevention System
(HIPS) seeks to stop malware by monitoring how code behaves.

This helps to keep your system secure without having to wait for a specific threat
to be added to a detection update. If a threat actor or virus tries to change the
operating system, the host intrusion prevention system blocks the activity and
notifies the user or administrator so they can take proper action.

Some of the changes that a HIPS treats as significant are taking control of other
programs, attempting to change important registry keys, terminating other
programs, and installing devices or drivers.

Besides sending notifications to the device user when it detects malicious
activity, a HIPS can also log the activity for later investigation, reset the
connection, and stop future traffic from the suspicious IP address.

A Host Intrusion Prevention System (HIPS) helps defend against:

• Theft of private information;
• Suspicious applications, by stopping their harmful actions;
• Known threats, by preventing them from being launched;
• The newest threats, before antivirus databases are updated, reducing the
probability that an infection takes hold and spreads.

Different types of devices, such as servers, workstations and desktop computers,
can have a host intrusion prevention system installed.

As studies have shown that unprotected systems can be compromised within
minutes, the benefit of intrusion prevention is that there is no need to wait for a
security administrator to respond before protective steps are taken to maintain
host integrity.

Usually, a host intrusion prevention system is both signature- and anomaly-based.

An anomaly-based HIPS tries to differentiate normal from atypical behaviour, unlike
signature-based systems, which can only protect against known bad signatures.
Host Intrusion Prevention System (HIPS) Operation Mode
A host intrusion prevention system uses a database of monitored system objects to
discover intrusions, examining system calls, application logs and file-system changes.

The system also verifies that sensitive regions of memory have not been altered. A
program that oversteps its permissions is blocked from performing the unauthorised
action.
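The behavioural checks described in the two passages above (control of other programs, changes to important registry keys, killing other programs, loading drivers, judged from system-call-level events), as an added example rather than code from the page or from any HIPS product. It evaluates a constructed stream of process events against host rules, blocks a disallowed action, quarantines the offending process so its later actions are denied too, and logs everything that was not plainly allowed. The image paths, registry keys, the trusted set and the event source are assumptions; a real HIPS receives such events from a kernel driver, not from a list.

```python
"""Behaviour-based host IPS check over a constructed stream of process actions.

Added example, not code from the page. Process images, registry keys and the
trusted set are illustrative; a real HIPS gets these events from a kernel
driver or tracing facility, not from a list.
"""
from dataclasses import dataclass


@dataclass
class Event:
    pid: int
    image: str     # path of the process performing the action
    signed: bool   # code-signing status as reported by the host
    action: str    # reg_write | open_process | terminate | load_driver | file_write
    target: str


# Signed images permitted to perform otherwise sensitive actions (assumed set).
TRUSTED_IMAGES = {
    r"C:\Windows\System32\svchost.exe",
    r"C:\Program Files\Vendor\setup.exe",
}
RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)
PROTECTED = {"lsass.exe", "MsMpEng.exe", "sysmon.exe"}


def evaluate(ev):
    """Decide one event: returns ('block' | 'alert' | 'allow', reason)."""
    trusted = ev.signed and ev.image in TRUSTED_IMAGES
    if ev.action == "reg_write" and ev.target.startswith(RUN_KEYS):
        return ("allow" if trusted else "block", "Run key write (persistence)")
    if ev.action == "open_process" and ev.target in PROTECTED:
        return ("allow" if trusted else "block", "protected process access")
    if ev.action == "terminate" and ev.target in PROTECTED:
        return ("allow" if trusted else "block", "security process termination")
    if ev.action == "load_driver":
        return ("allow" if ev.signed else "block", "driver load")
    if ev.action == "reg_write" and not ev.signed:
        return ("alert", "registry change by unsigned binary")
    return ("allow", "")


class Hips:
    def __init__(self):
        self.quarantined = set()  # pids whose further actions are all denied
        self.log = []

    def handle(self, ev):
        if ev.pid in self.quarantined:
            decision, reason = "block", "process quarantined"
        else:
            decision, reason = evaluate(ev)
            if decision == "block":
                self.quarantined.add(ev.pid)
        if decision != "allow":
            self.log.append((ev.pid, ev.image, ev.action, ev.target, decision, reason))
        return decision


def run_demo():
    hips = Hips()
    events = [  # constructed event stream
        # Unknown unsigned download tries to persist, then to reach lsass.
        Event(4242, r"C:\Users\a\Downloads\invoice.pdf.exe", False, "reg_write", RUN_KEYS[1] + r"\upd"),
        Event(4242, r"C:\Users\a\Downloads\invoice.pdf.exe", False, "open_process", "lsass.exe"),
        # A trusted service performing the same kind of registry write.
        Event(800, r"C:\Windows\System32\svchost.exe", True, "reg_write", RUN_KEYS[0] + r"\svc"),
        # Signed but untrusted tool kills the antivirus engine.
        Event(5150, r"C:\Tools\updater.exe", True, "terminate", "MsMpEng.exe"),
        # Ordinary application activity and an unsigned dropper.
        Event(6000, r"C:\Program Files\Office\word.exe", True, "file_write", r"C:\Users\a\doc.docx"),
        Event(7000, r"C:\Temp\dropper.exe", False, "reg_write", r"HKCU\Software\Foo\Bar"),
        Event(7000, r"C:\Temp\dropper.exe", False, "load_driver", r"C:\Temp\rk.sys"),
    ]
    decisions = [hips.handle(ev) for ev in events]
    return {"decisions": decisions, "quarantined": sorted(hips.quarantined), "log": hips.log}


if __name__ == "__main__":
    for entry in run_demo()["log"]:
        print(*entry)
```

Nothing here consults a malware signature: the unsigned download is stopped purely because of what it tries to do, which is the point of the passage about catching threats before antivirus databases are updated. The same rules explain the false-positive risk mentioned later, since any legitimate installer not in the trusted set is blocked in exactly the same way.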

A HIPS has many advantages, the most important being that business and home users
gain stronger protection from hidden malicious attacks.

Another advantage of using a HIPS is that it reduces the need to manage numerous
separate security applications, such as antivirus, anti-spyware, firewalls and patch
management, to secure computers.

Now that we have covered the benefits, let's take a quick look at the disadvantages
of HIPS. The main drawbacks are incorrect user decisions, when the user is asked to
allow or deny an action, and false positives, both of which can block legitimate
software.

Host Intrusion Prevention Systems (HIPS) can be an extremely important component of
layered protection when combined with at least one detection-based security
solution. Users and organisations can certainly benefit from HIPS, but it is essential
to understand how to use it successfully.
