With the increase in attacks on computer systems, information security is of grave concern to many users. As security breaches scale upwards with each passing moment, vulnerability assessment tools also become more available. An intrusion occurs when an attacker tries to invade information with the aim of compromising its confidentiality, availability, or integrity. An intrusion detection system (IDS) is a technology that monitors network activities and analyzes them for possible malicious incidents, imminent security threats, or policy violations. An intrusion prevention system (IPS), on the other hand, has the capabilities of the IDS and is also able to terminate possible incidents. An intrusion detection and prevention system (IDPS) prepares for such intrusions and deals with the attacks whenever they arise. It achieves this prevention by monitoring and analyzing information collected from different systems. In order to understand the operations of the IDPS, their features and components are distinguished using description and classification systems.
The classification of the IDPS plays a significant role in the comparison of its features and components. IDPS can be classified into several classes based on various parameters. These categories include the methods employed by the IDPS to detect intrusions; their functionality, such as passive systems (IDS) and reactive systems (IPS); and the types of events which they monitor. The fourth category is the Network Behavior Analysis IDPS.
There are three different types of IDPS classified on the basis of detection methodology. The first is the signature-based IDPS, which identifies events by comparing the observed events against known malicious intrusions. It is instrumental in identifying known threats as opposed to unknown ones. Furthermore, it cannot detect attacks that consist of multiple events. Secondly, there is anomaly-based detection, which detects unknown attacks (Anderson, 2001). It is effective in detecting new attacks. However, it requires more processing capacity and is likely to generate false positives. Stateful protocol analysis is the last type of IDPS in this category (Whitman, 2012). It uses protocol analyzers that natively decode application network protocols such as HTTP. It detects deviations in protocol state by comparing the observed events against predetermined profiles of generally accepted definitions of benign protocol activity.
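The following Python module is an added example, not code from the essay or from any product it cites. It gives a toy version of each of the three detection methodologies just described, run over constructed HTTP events: a signature matcher that only finds what its signature list already describes, an anomaly detector that flags a departure from a learned per-host request-rate baseline (and, as the paragraph warns, also flags a legitimate but busy backup host as a false positive), and a stateful protocol analyzer that tracks each connection's request/response state against a profile of benign HTTP. All addresses, signatures, baseline figures, the `k = 3` threshold and the allowed-method profile are assumptions chosen for illustration.

```python
"""Toy implementations of the three IDPS detection methodologies: signature-based,
anomaly-based and stateful protocol analysis. Added example, not code from the
essay; all events, signatures, baselines and thresholds are constructed."""
import re
import statistics

# --- Constructed sample events: one observed HTTP request each -----------------
EVENTS = [
    {"src": "10.0.0.5", "method": "GET", "path": "/index.html"},
    {"src": "10.0.0.5", "method": "GET", "path": "/login"},
    {"src": "10.0.0.9", "method": "GET", "path": "/cgi-bin/view?file=../../etc/passwd"},
    {"src": "10.0.0.7", "method": "GET", "path": "/download?id=42"},
]

# 1. Signature-based: compare observed events against descriptions of known attacks.
SIGNATURES = {
    "dir-traversal": re.compile(r"\.\./"),
    "sensitive-file": re.compile(r"/etc/passwd"),
}

def signature_detect(events):
    """Return (event_index, signature_name) for each event matching a known
    signature. Anything without a signature, and any attack spread over several
    events, is invisible to this method."""
    hits = []
    for i, ev in enumerate(events):
        for name, pattern in SIGNATURES.items():
            if pattern.search(ev["path"]):
                hits.append((i, name))
    return hits

# 2. Anomaly-based: learn a baseline of normal behaviour, flag what departs from it.
BASELINE_RPM = [20, 22, 19, 21, 20, 23, 18, 21]  # constructed per-host requests/minute, training window
OBSERVED_RPM = {"10.0.0.5": 21, "10.0.0.9": 140, "backup-host": 95}  # constructed current window

def anomaly_threshold(baseline, k=3):
    """Mean plus k population standard deviations of the training-window rates."""
    return statistics.mean(baseline) + k * statistics.pstdev(baseline)

def anomaly_detect(observed, baseline, k=3):
    """Hosts whose rate exceeds the threshold. No prior knowledge of 10.0.0.9's
    activity is needed, but the legitimate 'backup-host' is flagged too: the
    false positive the methodology is prone to."""
    thr = anomaly_threshold(baseline, k)
    return sorted(host for host, rate in observed.items() if rate > thr)

# 3. Stateful protocol analysis: decode the protocol, track per-connection state,
#    and compare it with a profile of benign HTTP behaviour.
BENIGN_HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}
# Constructed message stream: (connection_id, direction, request method or status code)
STREAM = [
    ("c1", "request", "GET"),
    ("c1", "response", "200"),
    ("c2", "response", "200"),   # a response with no request on this connection
    ("c3", "request", "BREW"),   # a method outside the benign profile
]

def stateful_protocol_detect(stream):
    """Track each connection (idle / awaiting_response) and report deviations from
    the expected request-then-response sequence. HTTP pipelining is deliberately
    not modelled, so a second request before a response is also reported."""
    state = {}
    alerts = []
    for conn, direction, token in stream:
        current = state.get(conn, "idle")
        if direction == "request":
            if token not in BENIGN_HTTP_METHODS:
                alerts.append((conn, f"unknown method {token}"))
            if current == "awaiting_response":
                alerts.append((conn, "request before previous response"))
            state[conn] = "awaiting_response"
        else:
            if current != "awaiting_response":
                alerts.append((conn, "response without request"))
            state[conn] = "idle"
    return alerts

if __name__ == "__main__":
    print("signature hits:", signature_detect(EVENTS))
    print("anomaly threshold:", anomaly_threshold(BASELINE_RPM),
          "flagged:", anomaly_detect(OBSERVED_RPM, BASELINE_RPM))
    print("protocol deviations:", stateful_protocol_detect(STREAM))
```

Running the module shows the trade-off the paragraph describes: the signature matcher reports only the traversal request it has a rule for, the anomaly detector reports both the abusive host and the innocent backup host, and the protocol analyzer reports the orphan response and the unknown method without needing a signature for either.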
The classification of IDPS also extends to types such as network-based, host-based, wireless, and Network Behavior Analysis (NBA). The network-based IDPS monitors suspicious traffic across the whole network through analysis of protocol activity. According to Bace (2000), these IDPS are deployed inline and may allow some threats, such as network service worms, to pass through. Host-based IDPS, on the other hand, monitor threats on a particular host by analyzing the characteristic activities within that host. This form of IDPS finds use on critical hosts that carry sensitive information, such as publicly accessible servers. Wireless intrusion prevention systems analyze wireless network protocols in order to monitor the wireless network for any suspicious activity. The NBA examines network traffic in order to identify malicious traffic that is likely to produce unusual traffic flows, as well as denial of service and some forms of malware. They are useful in monitoring the internal networks of organizations.
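As an added example of the NBA approach (not code from the essay or any product), the Python module below works on flow records rather than individual packets or events. It aggregates one observation window into per-source fan-out (distinct peers contacted on a service port) and per-destination fan-in (distinct sources hitting one service), and reports the two flow shapes the paragraph associates with NBA: a host spraying connections across many internal peers, as a network service worm would, and many hosts converging on one server, as in a denial of service. The addresses, flow records and the two baseline limits are constructed assumptions.

```python
"""Network Behavior Analysis over flow records. Added example, not from the essay;
flow records, addresses and baseline limits are constructed for illustration."""
from collections import defaultdict

# Constructed flow records for one observation window: (src, dst, dst_port, bytes)
FLOWS = [
    ("10.1.0.4", "10.1.0.20", 80, 5200),
    ("10.1.0.4", "10.1.0.21", 80, 4100),
    ("10.1.0.5", "10.1.0.20", 80, 3900),
    ("10.1.0.5", "10.1.0.53", 53, 120),
]
# One host touching 30 distinct internal peers on a single service port ...
FLOWS += [("10.1.0.66", f"10.1.0.{100 + i}", 445, 128) for i in range(30)]
# ... and 25 hosts all converging on one web server in the same window.
FLOWS += [(f"10.1.0.{150 + i}", "10.1.0.20", 80, 60) for i in range(25)]

# Constructed baselines learned from "normal" windows: peer counts beyond these
# are unusual for this internal network.
FAN_OUT_LIMIT = 10
FAN_IN_LIMIT = 20

def fan_out(flows):
    """Number of distinct destinations contacted by each (src, dst_port)."""
    peers = defaultdict(set)
    for src, dst, port, _ in flows:
        peers[(src, port)].add(dst)
    return {key: len(v) for key, v in peers.items()}

def fan_in(flows):
    """Number of distinct sources contacting each (dst, dst_port)."""
    peers = defaultdict(set)
    for src, dst, port, _ in flows:
        peers[(dst, port)].add(src)
    return {key: len(v) for key, v in peers.items()}

def nba_detect(flows, out_limit=FAN_OUT_LIMIT, in_limit=FAN_IN_LIMIT):
    """Report (kind, host, port, count) for flow shapes that exceed the baseline."""
    findings = []
    for (src, port), n in fan_out(flows).items():
        if n > out_limit:
            findings.append(("scan-like fan-out", src, port, n))
    for (dst, port), n in fan_in(flows).items():
        if n > in_limit:
            findings.append(("dos-like fan-in", dst, port, n))
    return sorted(findings)

if __name__ == "__main__":
    for finding in nba_detect(FLOWS):
        print(*finding)
```

Because the analysis keys on the shape of the traffic rather than on payload content, it needs neither a signature for the worm nor decoding of the application protocol, which is why NBA is placed in the classification beside, not inside, the network-based IDPS.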
In conclusion, IDPS are security software that monitor the activities of a system for threats. Because both monitor network traffic for malicious activities, the IDPS is considered an extension of the IDS. The IDPS identifies and logs information about the threat, reports it, and tries to stop it. Through classification by the methods employed to detect intrusions, the functionality, and the types of events they monitor, the features and components of IDS have been determined.