
An intrusion prevention system is a device or technology used to prevent threats to a network. A system is made vulnerable by feeding it malicious inputs that target an application or a service; attackers use such inputs to disrupt the service, application, or machine and to take control of it.

Result of the attack

Once an attack has taken place, the attacker either disables the application or machine, which results in a denial-of-service state, or gains all the permissions and rights available on the compromised application or machine. An intrusion detection system (IDS) helps to identify policy violations, malicious activity, and unlawful activity on the internet; a network intrusion prevention system detects and prevents such unwanted activity.

Two common groups

The two common classifications of intrusion detection and prevention systems are the network intrusion detection system (NIDS) and the host-based intrusion detection system (HIDS). Together they make up most of the detection and prevention systems in use today. One example of a HIDS is a system that monitors important files in an operating system; a NIDS, in contrast, analyses incoming traffic on the network.

IDS are also grouped by the approach they take: signature-based detection, which recognises known bad patterns such as those that make up malware, and anomaly-based detection, which flags deviations from the normal pattern of good traffic. Anomaly-based detection relies on machine learning. Many IDS respond immediately when they detect an intrusion; systems with this capability are termed intrusion prevention systems.
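As an added illustration of the two approaches (not code from the original article), the following Python sketch runs signature-based and anomaly-based detection over constructed sample records and shows the IDS/IPS difference in how each responds. The records, the signatures and the deviation threshold are assumptions made for the example.

```python
import re
import statistics

# Constructed sample request records (not from the page): (source IP, requested
# path, bytes transferred). The baseline is known-good traffic; the new batch
# contains one request matching a known bad pattern and one with abnormal volume.
BASELINE_RECORDS = [
    ("10.0.0.5", "/index.html", 1200),
    ("10.0.0.5", "/about.html", 1100),
    ("10.0.0.6", "/index.html", 1300),
    ("10.0.0.7", "/login", 900),
    ("10.0.0.6", "/contact", 1000),
]
NEW_RECORDS = [
    ("10.0.0.7", "/index.html", 850),
    ("10.0.0.8", "/../../etc/passwd", 800),   # matches a known bad pattern
    ("10.0.0.9", "/download", 950000),        # far outside the normal volume
]

# Signature-based detection: known bad patterns expressed as regexes (assumed).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE),
}

def signature_alerts(records):
    """Return (src, signature_name) for each record matching a known pattern."""
    return [(src, name) for src, path, _ in records
            for name, rx in SIGNATURES.items() if rx.search(path)]

def build_baseline(records):
    """Summarise normal traffic as (median, median absolute deviation) of bytes."""
    sizes = [b for _, _, b in records]
    median = statistics.median(sizes)
    mad = statistics.median(abs(b - median) for b in sizes) or 1.0
    return median, mad

def anomaly_alerts(records, baseline, threshold=3.0):
    """Return (src, bytes) for records deviating from the baseline by more than
    `threshold` MADs; no knowledge of any specific attack is needed."""
    median, mad = baseline
    return [(src, b) for src, _, b in records if abs(b - median) / mad > threshold]

def respond(records, baseline, mode="ids"):
    """IDS mode only reports alerts; IPS mode also returns the sources to block."""
    alerts = signature_alerts(records) + anomaly_alerts(records, baseline)
    blocked = sorted({src for src, _ in alerts}) if mode == "ips" else []
    return alerts, blocked

if __name__ == "__main__":
    print(respond(NEW_RECORDS, build_baseline(BASELINE_RECORDS), mode="ips"))
```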

Reporting bad activity

When illegal activity is detected, it is logged centrally or reported to an administrator through a security information and event management (SIEM) system. Many sources feed their output into the SIEM, so there is a need to know which of the reported threats are real; SIEM systems use alarm filtering techniques for this purpose.

An intrusion prevention system (IPS) distributes sensor images within the network to monitor many VLANs and subnets; this also works in VMware and other virtual environments. Some sensors are not configured to act as an IPS but function well as an IDS. In most cases they can detect both network and host intrusions.

Comparison with a firewall

Compared with a firewall, these systems differ in where they look: a firewall looks outward at the possibility of intrusion, while an IDS looks inward. A firewall limits access between networks to prevent intrusions, but it does not indicate when an attack occurs from within the network; an IDS watches for attacks that originate from within the system.

Method of analysis

Historically, this work has been done by analysing network communication patterns with mathematical analysis methods and artificial intelligence. The patterns derived from this analysis are termed signatures; when a system detects the signature of an attack, it informs the operators.

We have seen that IDS are identified by where the attack takes place, as NIDS or HIDS. There are also other types of intrusion prevention systems, such as network-based and wireless-based systems.