An intrusion prevention system (IPS) is a security solution for detecting and stopping potentially dangerous activity on a computer network or an individual device. Unlike an intrusion detection system (IDS), upon identifying suspicious activity — such as an attempt to penetrate a network through a vulnerability — an IPS not only notifies the information security team but can also block the activity.
IPS functions can be performed either by specialized software or by a dedicated device. They can also be built into other solutions, for example a next-generation firewall (NGFW).
An IPS is also sometimes referred to as an intrusion detection and prevention system (IDPS).
IPS scope
Intrusion prevention systems are classified as network security solutions. They can monitor:
- Traffic between a local network and the internet, as well as traffic within the local network
- Data packets sent to and from a specific host (such as a workstation or server)
- Devices that connect to a Wi-Fi network
Depending on the location and type of filtered traffic, intrusion prevention systems can be divided into network IPS (NIPS), host IPS (HIPS), network behavior analysis (NBA) systems, and wireless IPS (WIPS).
Detecting potentially dangerous activity
Intrusion prevention systems detect unwanted activity in one of three ways:
- Signature-based detection. The IPS compares network activity with known attack signatures. If there is a match, the system takes the appropriate protective measures.
- Abnormal behavior (anomaly-based) detection. The IPS compares network activity with the normal behavior of the monitored object. If it detects a deviation from that baseline, it takes the needed measures.
- Policy-based detection. The IPS monitors compliance with the company's security policies. If it detects a policy violation, it takes the necessary action — such as alerting a system administrator.
Countering malicious activity
The protection measures that an IPS can take on its own upon detecting a network attack depend on both the nature and the severity of the threat. They include:
- Blocking the IP address of the attack source
- Filtering out incoming packets that carry potentially harmful data
- Terminating the connection
- Making changes to the firewall security rules
- Restricting network or device access for applications that use an unreliable data-transfer protocol
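The three detection methods and the response measures above, reduced to a minimal inline IPS engine. This is an added illustration, not code from the original entry or from any vendor product: the `Packet` record, the signature set, the allowed protocol/port policy, the addresses and the packet stream are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
@dataclass
class Packet:
    src: str
    dst_port: int
    proto: str
    payload: bytes

SIGNATURES = {"SIG-TEST-0001": b"EVIL-BEACON"}  # constructed; a real IPS loads a vendor feed
ALLOWED = {"tcp": {22, 443}, "udp": {53}}       # constructed policy: permitted proto/port pairs
class MiniIPS:
    def __init__(self, baseline_pps, alert_factor=5):
        self.threshold = baseline_pps * alert_factor  # packets per window that count as abnormal
        self.counts = defaultdict(int)   # packets seen per source in the current window
        self.blocked = set()             # sources whose traffic is now refused
        self.alerts = []                 # (reason, source) pairs handed to the security team

    def inspect(self, pkt):
        """Return the action taken for one packet: 'block-ip', 'drop' or 'pass'."""
        if pkt.src in self.blocked:
            return "block-ip"
        # 1. Signature-based: payload contains a known attack pattern -> block the source.
        for name, sig in SIGNATURES.items():
            if sig in pkt.payload:
                self.blocked.add(pkt.src)
                self.alerts.append((name, pkt.src))
                return "block-ip"
        # 2. Policy-based: protocol/port pair is not permitted -> drop the packet and alert.
        if pkt.dst_port not in ALLOWED.get(pkt.proto, set()):
            self.alerts.append(("policy", pkt.src))
            return "drop"
        # 3. Anomaly-based: rate far above the source's baseline -> block the source.
        self.counts[pkt.src] += 1
        if self.counts[pkt.src] > self.threshold:
            self.blocked.add(pkt.src)
            self.alerts.append(("anomaly", pkt.src))
            return "block-ip"
        return "pass"

def run_sample():
    ips = MiniIPS(baseline_pps=10)  # constructed baseline: 10 packets per window per source
    stream = [
        Packet("203.0.113.7", 443, "tcp", b"POST /c2 EVIL-BEACON"),  # signature hit
        Packet("203.0.113.7", 443, "tcp", b"GET / HTTP/1.1"),        # source already blocked
        Packet("198.51.100.2", 23, "tcp", b"login"),                 # telnet: policy violation
        Packet("192.0.2.10", 443, "tcp", b"GET / HTTP/1.1"),         # normal traffic
    ]
    stream += [Packet("192.0.2.99", 443, "tcp", b"GET / HTTP/1.1")] * 51  # flood from one host
    return [ips.inspect(p) for p in stream], ips
```

A production IPS would reset `counts` per time window and learn the baseline rather than take it as a constant; the fixed threshold here only shows how a deviation from normal behavior turns into a block decision.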