Intrusion Prevention System (IPS). The Intrusion Prevention Systems (IPS) are the network security appliances that maintains the systems and networks activities for malicious acts. It is also called as Intrusion Detection and Prevention Systems (IDPS).
The core functions of intrusion prevention systems are to log information about malicious activities, identify and try to stop or block these activities and report them. These systems are taken as the extension of intrusion detection system since they both maintain the system and network activities for malicious acts.
The main difference between intrusion detection and prevention systems are that intrusion prevention systems are held in line, and unlike intrusion detection system they possess the ability to actively block or prevent intrusions which are thereby detected. More importantly, IPS can take such activities like dropping of malicious packages, sending an alarm, resting the connection, blocking the traffic from the malicious IP address.
The IPS are also able to dis-fragmentation packet streams, Cyclic Redundancy Check (CRC) errors, stop TCP sequencing problems and wash the unwanted network layer and transport choices.
The IPS can be categorized into following categories: Network-based intrusion prevention system (NIPS) which controls the whole network for suspicious traffic by learning about the protocol activity ; Wireless intrusion prevention systems (WIPS) that maintains a wireless network for malicious traffic by analyzing wireless networking protocols; Network behavior analysis (NBA) that checks network traffic to detect threats that produce unusual traffic flows like some malware and policy violations and distributed denial of service (DDoS) attacks; Host-based intrusion prevention system (HIPS) which is an pre-installed software package that controls a single host for malicious activity by analyzing events occurring within that host.
Most of the IPS systems nowadays use three detection techniques. These are: Signature-Based Detection- that controls packets in the Network and it compares with pre-determined and pre-configured attack patterns known as signatures; Statistical anomaly-based detection that maintains the regular network activity such as what protocols are used, what sort of bandwidth is generally used, what devices and ports are usually connected to each other and alerts the user or administrator when traffic is detected which is not normal; and Stateful Protocol Analysis Detection that detects deviation of protocols with the help of comparisons of the events observed.
