IDS & IPS: What is the Difference & Which Is Best For You?


IDS and IPS can detect attack signatures with the main difference being their response to the attack. However, it’s important to note that both IDS and IPS can implement the same monitoring and detection methods.

The main difference between intrusion detection systems (IDS) and intrusion prevention systems (IPS) is that IDSs are monitoring systems and IPSs are control systems. An IDS won’t alter network traffic, while an IPS prevents packets from being delivered based on the contents of the packet, similar to how a firewall blocks traffic by IP address.

IDS are used to monitor networks and send alerts when suspicious activity on a system or network is detected. An IPS reacts to cyberattacks in real-time to prevent them from reaching targeted systems and networks.

What is a Network Intrusion?

A network intrusion is any unauthorized activity on a computer network. Detecting an intrusion depends on having a clear understanding of network activity and common security threats. A properly designed and deployed network intrusion detection system and network intrusion prevention system can help block intruders who aim to steal sensitive data, cause data breaches, and install malware.

Networks and endpoints can be vulnerable to intrusions from threat actors who can be located anywhere in the world and look to exploit your attack surface.  

Common network vulnerabilities include:

  • Malware. Malware, or malicious software, is any program or file that is harmful to a computer user. Types of malware include computer viruses, worms, Trojan horses, spyware, adware and ransomware.
  • Outdated or unpatched software and hardware. Outdated or unpatched software and hardware can have known vulnerabilities like those listed in CVE. A vulnerability is a weakness that can be exploited by a cyber attack to gain unauthorized access to or perform unauthorized actions on a computer system. Wormable vulnerabilities like the one that led to the WannaCry ransomware are particularly high risk.
  • Social engineering attacks. Social engineering is an attack vector that exploits human psychology and susceptibility to manipulate victims into divulging confidential information and sensitive data or performing an action that breaks usual security standards. Common examples of social engineering include phishing, spear phishing, and whaling attacks.
  • Data storage devices. Portable storage devices like USB and external hard drives can introduce malware into your network. 

What is an Intrusion Detection System (IDS)?

An intrusion detection system (IDS) is a device or software application that monitors a network or system for malicious activity and policy violations. Any malicious traffic or violation is typically reported to an administrator or collected centrally using a security information and event management (SIEM) system. 

How does an IDS work?

There are three common detection variants that IDS employ to monitor intrusions: 

  • Anomaly-based detection. An intrusion detection system for detecting both network and computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. This type of security system was developed to detect unknown attacks, in part due to the rapid development of malware.

The basic approach is to use machine learning to create a model of trustworthy activity and compare new behavior to the model. Since these models can be trained according to specific application and hardware configurations, they have better generalized properties when compared to traditional signature-based IDS. However, they also suffer from more false positives.  

  • Signature-based detection. Detects attacks by looking for specific patterns, such as byte sequences in network traffic or known malicious instruction sequences used by malware. This terminology originates from antivirus software, which refers to these patterns as signatures.

While signature-based IDS can easily detect known cyberattacks, they struggle to detect new attacks where no pattern is available. 

  • Reputation-based detection. Recognizes potential cyber threats according to reputation scores, such as the score assigned to the source of the traffic, rather than the content of the traffic itself.
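To make the three variants concrete, here is a small added example (written for this article, not code from any IDS product) that runs signature, anomaly and reputation checks over constructed flow records. The signatures, reputation feed and training traffic are all made up for the example; the anomaly baseline is simply mean and standard deviation of flow size.

```python
import statistics
from dataclasses import dataclass

@dataclass
class Flow:
    src: str        # source address (constructed sample values)
    nbytes: int     # bytes carried by the flow
    payload: bytes  # leading payload bytes

# Signature-based: byte sequences treated as known-malicious (constructed, not real rules).
SIGNATURES = {
    "example-scanner-ua": b"User-Agent: example-scanner",
    "example-sqli-probe": b"' OR 1=1",
}
# Reputation-based: per-source scores as a hypothetical feed would supply them (100 = known bad).
REPUTATION = {"203.0.113.9": 95}
REPUTATION_THRESHOLD = 80

def build_baseline(training_flows):
    """Anomaly-based: model 'normal' as the mean and std dev of flow size."""
    sizes = [f.nbytes for f in training_flows]
    return statistics.mean(sizes), statistics.pstdev(sizes)

def classify(flow, baseline, k=3.0):
    """Apply all three variants; return a list of (method, detail) alerts."""
    alerts = []
    for name, pattern in SIGNATURES.items():
        if pattern in flow.payload:
            alerts.append(("signature", name))
            break
    mean, sd = baseline
    if sd > 0 and (flow.nbytes - mean) / sd > k:  # more than k sigma above normal
        alerts.append(("anomaly", f"{flow.nbytes} bytes"))
    if REPUTATION.get(flow.src, 0) >= REPUTATION_THRESHOLD:
        alerts.append(("reputation", flow.src))
    return alerts

# Constructed training traffic: ordinary requests of similar size.
TRAINING = [Flow("198.51.100.1", n, b"GET /") for n in
            (1200, 1100, 1300, 1250, 1150, 1400, 1000, 1350, 1200, 1250)]
BASELINE = build_baseline(TRAINING)

if __name__ == "__main__":
    for f in (Flow("198.51.100.5", 1250, b"GET /index.html"),        # benign
              Flow("198.51.100.6", 1300, b"GET /login?u=' OR 1=1"),  # known pattern
              Flow("198.51.100.8", 50000, b"POST /upload"),          # far above baseline
              Flow("203.0.113.9", 1200, b"SSH-2.0"),                 # poor reputation
              Flow("198.51.100.7", 1200, b"GET /novel-exploit")):    # no signature: missed
        print(f.src, classify(f, BASELINE))
```

Note the two weaknesses the text describes: the last sample is missed because no signature exists for it, while a legitimately large transfer (say 8000 bytes) is flagged by the anomaly check as a false positive.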

Types of IDS

IDS solutions come in a range of different types and varying capabilities. Common types of intrusion detection systems (IDS) include:

  • Network intrusion detection system (NIDS). Deployed at strategic points within an organization’s network to monitor incoming and outgoing traffic. This IDS approach monitors and detects malicious and suspicious traffic coming to and going from all devices connected to the network.
  • Host intrusion detection system (HIDS). Installed on individual devices that are connected to the internet and to an organization’s internal network. It can detect packets originating from inside the business as well as other malicious traffic, and it can also discover malicious activity originating on the host itself.
  • Signature-based intrusion detection system (SIDS). Monitors all packets on an organization’s network and compares them with attack signatures on a database of known threats. 
  • Anomaly-based intrusion detection system (AIDS). Monitors traffic on a network and compares it with a predefined baseline that is considered “normal.” It detects anomalous activity and behavior across the network, including bandwidth, devices, ports, and protocols. An AIDS solution uses machine-learning techniques to build a baseline of normal behavior and establish a corresponding security policy.
  • Perimeter intrusion detection system (PIDS). Detects intrusion attempts taking place on the perimeter of organizations’ critical infrastructures.
  • Virtual machine-based intrusion detection system (VMIDS). Detects intrusions by monitoring virtual machines. It enables organizations to monitor traffic across all the devices and systems that their devices are connected to.
  • Stack-based intrusion detection system (SBIDS). Integrated into the host’s Transmission Control Protocol/Internet Protocol (TCP/IP) stack, the communications protocol suite used on private networks. This approach enables the IDS to watch packets as they move through the organization’s network and pull malicious packets before applications or the operating system can process them.

What is an Intrusion Prevention System (IPS)?

An intrusion prevention system (IPS) or intrusion detection and prevention system (IDPS) is a network security application that focuses on identifying possible malicious activity, logging information, reporting attempts, and attempting to prevent them. IPS systems often sit directly behind the firewall. 

In addition, IPS solutions can be used to identify problems with security strategies, document existing threats, and deter individuals from violating security policies. To stop attacks, an IPS may change the security environment, for example by reconfiguring a firewall, or by changing the attack’s content. 

Many consider intrusion prevention systems as extensions of intrusion detection systems as they both monitor network traffic and/or system activities for malicious activity. 

How IPS works

Intrusion prevention systems (IPS) work by scanning all network traffic via one or more of the following detection methods: 

  1. Signature-based detection. Signature-based IPS monitors packets in a network and compares them with pre-configured and pre-determined attack patterns known as signatures.
  2. Statistical anomaly-based detection. An IPS which is anomaly-based monitors network traffic and compares it against an established baseline. This baseline is used to identify what is “normal” in a network, e.g. how much bandwidth is used and what protocols are used. While this type of anomaly detection is good for identifying new threats, it can also generate false positives when legitimate uses for bandwidth exceed a baseline or when baselines are poorly configured. 
  3. Stateful protocol analysis detection. This method identifies deviations in protocol states by comparing observed events with pre-determined profiles of generally accepted definitions of benign activity.

An IPS performs real-time inspection on every packet that travels across the network; if a packet is deemed suspicious, the IPS will perform one of the following actions:

  • Terminate the TCP session that has been exploited
  • Block the offending IP address or user account from accessing any application, host, or network resource
  • Reprogram or reconfigure the firewall to prevent a similar attack from occurring at a later date
  • Remove or replace malicious content that remains after an attack by repackaging the payload, removing header information, or destroying infected files

When deployed correctly, this allows an IPS to prevent severe damage being caused by malicious or unwanted packets and a range of other cyber threats including:

  • Distributed denial of service (DDoS)
  • Exploits
  • Computer worms
  • Viruses
  • Brute force attacks

Types of IPS

Intrusion prevention systems are generally classified into four types:

Network-based intrusion prevention system (NIPS)

NIPSs detect and prevent malicious or suspicious activity by analyzing packets throughout the network. Once installed, NIPS gather information from the host and network to identify permitted hosts, applications, and operating systems on the network. They also log information about normal traffic to identify changes from the baseline. They can prevent attacks by resetting a TCP connection, limiting bandwidth usage, or rejecting packets.

While useful, they typically can’t analyze encrypted network traffic, handle high traffic loads, or handle direct attacks against them. 

Wireless intrusion prevention system (WIPS)

WIPSs monitor the radio spectrum for the presence of unauthorized access points and automatically take countermeasures to remove them. These systems are typically implemented as an overlay to an existing Wireless LAN infrastructure, although they may be deployed standalone to enforce no-wireless policies within an organization. Some advanced wireless infrastructure has integrated WIPS capabilities.

A good WIPS can prevent the following types of threats:

  • rogue access points,
  • misconfigured access points, 
  • man-in-the-middle attacks,
  • MAC spoofing,
  • honeypot access points, and
  • denial of service attacks.

Network behavior analysis (NBA)

This type of intrusion prevention system relies on anomaly-based detection and looks for deviations from what is considered normal behavior in a system or network. This means it requires a training period to profile what is considered normal. Once the training period is over, inconsistencies are flagged as malicious. While this is good for detecting new threats, issues can arise if the network was compromised during the training period, as malicious behavior may then be considered normal.

Additionally, these security tools can produce false positives.  

Host-based intrusion prevention system (HIPS)

This is a system or program employed to protect critical computer systems. HIPSs analyze activity on a single host to detect and prevent malicious activity, primarily through analyzing code behavior. They are often praised for being able to prevent attacks that use encryption. HIPS can also be used to prevent sensitive information like personally identifiable information (PII) or protected health information (PHI) from being extracted from the host.

Since HIPS live on a single machine, they are best used alongside network-based IDS and IPS.

IDS & IPS: Differences & Similarities 

Should you choose an IDS or an IPS? Let’s examine how they’re alike and what sets them apart. 

Both systems can:

  • Monitor. After setup, these programs can look over traffic within the parameters you specify, and they will work until you turn them off.
  • Alert. Both programs will send a notification to those you specify when a problem has been spotted.
  • Learn. Both can use machine learning to understand patterns and emerging threats.
  • Log. Both will keep records of attacks and responses, so you can adjust your protections accordingly. 

IDS & IPS differ due to:

  • Response. An IDS is passive, while an IPS is an active control system. You must take action after an IDS alerts you, as your system is still under attack.
  • Protection. Arguably, an IDS offers less help when you’re under threat. You must figure out what to do, when to do it, and how to clean up the mess. An IPS does all of this for you.
  • False positives. If an IDS gives you an alert about something that isn’t troublesome at all, you’re the only one inconvenienced. If an IPS shuts down traffic, many people could be impacted. 
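The IPS actions listed earlier (terminating the session, blocking the offending source) and the three differences above can be seen side by side in this added example (written for this article, not code from any product). The same signature check runs once in passive IDS mode and once in inline IPS mode over constructed traffic that includes one genuine probe and one benign request that merely quotes the pattern, so the IPS false positive cuts off a legitimate user while the IDS only raises an alert.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str        # source address (constructed sample values)
    payload: bytes

@dataclass
class Engine:
    mode: str                                   # "ids" (passive) or "ips" (inline)
    signatures: tuple = (b"' OR 1=1",)          # constructed example signature
    alerts: list = field(default_factory=list)  # what both modes report
    blocked: set = field(default_factory=set)   # sources an IPS has cut off
    forwarded: int = 0                          # packets that reached the target

    def suspicious(self, pkt):
        return any(s in pkt.payload for s in self.signatures)

    def process(self, pkt):
        """Handle one packet; return the action taken."""
        if self.mode == "ips" and pkt.src in self.blocked:
            return "drop"            # earlier block on this source still applies
        if not self.suspicious(pkt):
            self.forwarded += 1
            return "forward"
        self.alerts.append(pkt.src)  # both modes alert and log the detection
        if self.mode == "ids":
            self.forwarded += 1      # IDS is passive: the packet still flows
            return "alert"
        self.blocked.add(pkt.src)    # IPS: terminate the session, block the source
        return "reset+block"

def run(mode, packets):
    """Feed packets through a fresh engine; return (actions, engine)."""
    engine = Engine(mode)
    return [engine.process(p) for p in packets], engine

# Constructed traffic: one real probe, and one benign wiki edit whose text
# happens to contain the signature (a false positive for this rule).
TRAFFIC = [
    Packet("198.51.100.10", b"GET /"),
    Packet("203.0.113.7", b"GET /?q=' OR 1=1--"),
    Packet("203.0.113.7", b"GET /next"),
    Packet("198.51.100.11", b"POST /wiki text=' OR 1=1 is a classic test string"),
    Packet("198.51.100.11", b"GET /wiki/page2"),
]
if __name__ == "__main__":
    for mode in ("ids", "ips"):
        actions, eng = run(mode, TRAFFIC)
        print(mode, actions, "forwarded:", eng.forwarded, "blocked:", sorted(eng.blocked))
```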

Intrusion detection systems (IDS) and intrusion prevention systems (IPS) constantly watch your network, identifying possible incidents, logging information about them, stopping them (in the case of an IPS), and reporting them to security administrators. In addition, some networks use IDS & IPS to identify problems with security policies and deter individuals from violating them.

IDS & IPS have become a necessary addition to the security infrastructure of most organizations. This is because they can stop attackers while they are gathering information about your network.
