IDS / IPS

Intrusion Detection System (IDS)

An Intrusion Detection System's main function is to monitor and analyze network traffic for potentially dangerous activity such as malware delivery, security-policy violations and unwanted port scanning. Activity of this kind indicates that an attacker is using a known technique to break into the network or to steal data from it. The IDS compares current network activity, including inbound and outbound packets, against a database of known threat patterns and raises an alert when it finds a match.

Intrusion Prevention System (IPS)

An IPS's main function is to stop the threats that an IDS detects from reaching the internal network. It sits in the same part of the network as a firewall, inline on the traffic path. It performs several tasks to keep threats from the outside world out, such as filtering network packets and blocking traffic from an offending IP address. Packets that the detection engine classifies as malicious or as a security threat are dropped or rejected, and the IPS can also send packet rejection commands (a reset or a block rule) to firewalls and servers.

Intrusion Detection System vs Intrusion Prevention System

IDS                                                     | IPS
--------------------------------------------------------|-------------------------------------------------------------------------
IDS is a detection and monitoring tool.                 | IPS is a control system.
It does not take action on its own.                     | It accepts or drops each packet based on the security policy.
It requires a human or another system to act on results.| It requires its threat database to be updated regularly with new threat data.
A false positive only raises an alert.                  | A false positive blocks legitimate traffic and can break important functions.

Similarity: both read network packets and compare their content against a database of known threats.

Types of Intrusion Detection System:

1) Network-Based Intrusion Detection System (NIDS)

A Network Intrusion Detection System is deployed at strategic points in the network, typically where traffic is most exposed to attack, such as just inside the perimeter or in front of a sensitive subnet.

A NIDS monitors and analyzes a large volume of traffic, so it has to be tuned carefully; without tuning it can miss a low-volume attack in the noise, and it cannot inspect the payload of encrypted traffic at all unless that traffic is decrypted for it. It analyzes the traffic passing across the whole subnet it is attached to and matches that traffic against its database of known attacks.

2) Host-Based Intrusion Detection System (HIDS)

A Host Intrusion Detection System runs on an individual host or device, on the main network or on any of its subnets. A HIDS has some advantages over a NIDS: it sees activity from the host's own point of view, including traffic after it has been decrypted on the host, so it also works as a second layer of defence that can catch malicious activity the NIDS failed to detect.

A simple HIDS technique is to take a snapshot of the existing system files and compare it against the previous snapshot. If critical system files have been modified or deleted, an alert is sent directly to the administrator to investigate.
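The file-integrity check described above, as an added example that is not part of the original article or of any particular HIDS product. It hashes every regular file under a directory into a baseline, repeats the snapshot later, and reports what was modified, deleted or added. The directory tree, its contents and the "tampering" are all constructed in a temporary directory; the paths are illustrative, not real system files.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative path: sha256 hex digest} for every regular file under root.

    This is the 'snapshot of existing system files' a HIDS keeps as its baseline.
    """
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            baseline[path.relative_to(root).as_posix()] = digest
    return baseline


def compare(baseline, current):
    """Diff two snapshots; every entry returned is something an admin should look at."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    deleted = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "deleted": deleted, "added": added}


def demo():
    """Constructed scenario in a temporary directory (not real system files):
    take a baseline, tamper with the tree, re-snapshot, and report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF original binary")
        baseline = snapshot(root)

        # Simulated tampering: a second uid-0 account appended to passwd,
        # a trojaned binary, a deleted config file and a dropped persistence file.
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/:/bin/sh\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned binary")
        (root / "etc" / "hosts").unlink()
        (root / "cron.d_persist").write_text("* * * * * root /tmp/x\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

One caveat a practitioner will want: an attacker who gains root on the host can rewrite the baseline as easily as the files, so a real HIDS stores the baseline (or a signed copy of it) off the host or in a write-once location, and compares against that.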

Types of Intrusion Prevention System

  • Wireless intrusion prevention system (WIPS)

WIPS monitors all wireless networks for suspicious traffic by analyzing wireless networking protocols.

  • Network behaviour analysis (NBA)

NBA monitors network traffic to identify threats that generate unusual traffic flows, such as Distributed Denial of Service (DDoS) attacks, policy violations and certain forms of malware.

  • Network-based intrusion prevention system (NIPS)

A NIPS analyzes protocol activity to monitor the entire network for suspicious traffic.

  • Host-based intrusion prevention system (HIPS)

A HIPS is a software package installed on a single host that analyzes the events occurring within that host for suspicious activity.

Methodologies:

  1. Signature-Based:- Every known threat has a distinctive pattern (its signature) by which it can be recognized, such as a byte sequence in a payload or a specific request string. These signatures are stored in a database and matched against future traffic. The term comes from anti-virus technology, which calls such detected patterns signatures. Signature-based detection easily finds known attacks, but it cannot detect a new attack for which no pattern exists in the current database.
  2. Anomaly-Based:- The anomaly methodology was developed for unknown or new attacks. A model of trustworthy (normal) behaviour is first built, by statistics or machine learning, and new behaviour is then compared against that model; anything that deviates beyond a threshold is flagged. The model has to be trained on the specific system and its normal workload. It generates more false positives than signature-based detection.
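The two methodologies side by side, as an added example that is not from the original article and not the logic of any real IDS engine. The signature engine is three hand-written regexes over HTTP request lines; the anomaly engine learns the normal per-source request rate from a training window and flags any source that exceeds mean + k standard deviations. All traffic, IP addresses and rules are constructed for the example. It is written so that each engine catches something the other misses, and so that the anomaly engine produces the false positive the text warns about.

```python
import re
import statistics
from collections import Counter

# Constructed signature rules: regexes over the HTTP request line, the same
# idea as an IDS content match but kept deliberately small.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-union":     re.compile(r"union\s+select", re.I),
    "xss-script-tag": re.compile(r"<script", re.I),
}


def signature_scan(events):
    """Return (source, rule name) for every event matching a known signature."""
    hits = []
    for _ts, src, request in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                hits.append((src, name))
    return hits


def bucket_counts(events, window):
    """Requests per (source, time window) bucket; timestamps are integer seconds."""
    counts = Counter()
    for ts, src, _request in events:
        counts[(src, ts // window)] += 1
    return counts


def train_baseline(events, window=10):
    """Learn 'normal' from benign traffic: mean and std-dev of per-bucket request counts."""
    counts = list(bucket_counts(events, window).values())
    return statistics.mean(counts), statistics.pstdev(counts)


def anomaly_scan(events, baseline, window=10, k=3.0):
    """Flag any source whose count in some window exceeds mean + k*stddev of the baseline."""
    mean, sd = baseline
    threshold = mean + k * sd
    flagged = {src for (src, _b), n in bucket_counts(events, window).items() if n > threshold}
    return sorted(flagged)


def constructed_training():
    """Benign traffic (constructed): three internal clients polling a page at steady rates."""
    events = []
    for src, period in (("10.0.0.5", 5), ("10.0.0.6", 4), ("10.0.0.7", 7)):
        for t in range(0, 120, period):
            events.append((t, src, "GET /index.html HTTP/1.1"))
    return events


def constructed_test():
    """Traffic to scan (constructed):
    - 10.0.0.5 loads a page with five assets at once (a benign burst);
    - 203.0.113.9 fuzzes 30 URLs in one window with payloads no signature knows;
    - 198.51.100.4 sends a single classic path-traversal request."""
    events = [(200 + i, "10.0.0.5", "GET /index.html HTTP/1.1") for i in range(5)]
    events += [(210, "203.0.113.9", f"GET /api/item?id={i}%27 HTTP/1.1") for i in range(30)]
    events.append((220, "198.51.100.4", "GET /static/../../etc/passwd HTTP/1.1"))
    return events


def run_demo():
    baseline = train_baseline(constructed_training())
    test = constructed_test()
    return {"signature": signature_scan(test), "anomaly": anomaly_scan(test, baseline)}


if __name__ == "__main__":
    print(run_demo())
```

Read the output against the text: the signature engine catches only the traversal request and is blind to the fuzzer's novel payloads; the anomaly engine catches the fuzzer on rate alone but also flags the legitimate client's five-asset page load, which is exactly the extra false positive that anomaly detection costs. Raising k trades that false positive for missed slow attacks, which is why the model has to be tuned to the system's real workload.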

Can IDS and IPS work together?

Yes, IDS and IPS can work together; the combination is known as an IDPS (Intrusion Detection and Prevention System). Many modern vendors go further and combine IDPS functions with a firewall in what is sold as a Next-Generation Firewall (NGFW).

How are IDS and IPS different from Firewall?

A firewall does filter traffic, blocking or allowing by address, port and service, but whatever it allows passes through without further inspection. A firewall therefore has no way of judging whether an allowed connection is carrying an attack; it makes a yes/no decision on packet headers and has no notion of a false positive. This is where IDS and IPS come in.

A firewall decides from its rules whether to pass or block traffic; an IDS or IPS first sees the traffic, analyzes its content, and then alerts (IDS) or blocks it (IPS) if the analysis warrants.

Written By: Nikhil Mehra

Reviewed By: Sayan Chatterjee
