An IDPS (intrusion detection and prevention system) monitors network traffic for signs of a possible attack. If potentially dangerous activity is detected, measures are taken to stop the attack, typically by dropping packets, blocking network traffic, or resetting connections. An IDPS also usually alerts security administrators to the possible malicious activity.
Today's IDPS solutions generally use two different techniques to identify when an attack may be occurring. Signature-based detection looks for signs of known exploits: if activity is found that matches a previously identified attack, steps are taken to block it. This type of detection is similar to conventional antivirus technology, since only attacks that have already been identified and described can be stopped. The downside is that it cannot identify or prevent new types of attacks that have not been seen before.
The second technique for identifying attacks is detection based on statistical anomalies. An IDPS using this technique compares current network activity against a baseline of what is normal for that environment. If a discrepancy is found, the system can raise a warning or take other preventive measures. The value of this approach is that it can detect zero-day attacks. The disadvantage, however, is that it can produce false alarms. Some newer technologies use artificial intelligence and machine learning algorithms to establish the baseline of normal activity and reduce the number of false positives. Many solutions combine signature-based detection and anomaly-based detection to get the benefit of both techniques.
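To make the two detection techniques concrete, the following Python script is an added example, not code from the original article or from any particular IDPS product. It runs a handful of constructed connection records (IPs, ports and request snippets invented for the illustration) through a signature matcher and a simple statistical baseline. The signature rules, the z-score threshold of 3 and the training window are all assumptions chosen to keep the demonstration small; a real product would use far richer signatures and baselines. The sample is built so that one record is caught only by a signature, one burst is caught only by the anomaly check, and one legitimate host shows the false-alarm problem the text describes.

```python
"""Signature-based vs anomaly-based detection over constructed sample events.

Added example for illustration; not part of any real IDPS.
"""
import re
import statistics
from collections import Counter

# Each record is (source_ip, destination_port, request_snippet).
# All addresses and payloads are constructed for this example.

# Training window: activity an administrator has reviewed and considers normal.
TRAINING_EVENTS = (
    [("10.0.0.1", 443, "GET /")] * 5
    + [("10.0.0.2", 443, "GET /")] * 6
    + [("10.0.0.3", 80, "GET /")] * 5
    + [("10.0.0.4", 443, "GET /")] * 4
)

# Live window to be inspected.
LIVE_EVENTS = (
    [("10.0.0.1", 443, "GET /index.html")] * 5
    # One request carrying a known SQL-injection probe string (signature hit).
    + [("10.0.0.2", 443, "GET /login?user=a' UNION SELECT 1--")]
    + [("10.0.0.2", 443, "GET /")] * 4
    # Unknown host opening far more connections than any baseline host:
    # no signature matches, only the anomaly check notices it.
    + [("192.0.2.9", 443, "GET /")] * 20
    # Legitimate backup server that simply talks a lot: the anomaly check
    # flags it too, which is the false-positive problem of this approach.
    + [("10.0.0.50", 443, "GET /backup/status")] * 12
)

# Assumed signature set: patterns tied to previously identified attacks.
SIGNATURES = {
    "sql-injection-probe": re.compile(r"(?i)union\s+select"),
    "path-traversal": re.compile(r"\.\./\.\./"),
}


def signature_alerts(events):
    """Return (source_ip, signature_name) for every record matching a known pattern."""
    alerts = []
    for src, _port, payload in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                alerts.append((src, name))
    return alerts


def build_baseline(events):
    """Summarise connections-per-source in the training window as (mean, stdev)."""
    per_source = list(Counter(src for src, _, _ in events).values())
    return statistics.mean(per_source), statistics.pstdev(per_source)


def anomaly_alerts(events, baseline, threshold=3.0):
    """Return (source_ip, count, z_score) for sources far above the baseline."""
    mean, std = baseline
    alerts = []
    for src, n in Counter(src for src, _, _ in events).items():
        if std > 0:
            z = (n - mean) / std
        else:
            z = 0.0 if n == mean else float("inf")
        if z > threshold:
            alerts.append((src, n, round(z, 2)))
    return alerts


BASELINE = build_baseline(TRAINING_EVENTS)


def detect(events, baseline=BASELINE):
    """Combine both techniques, as many products do."""
    return {
        "signature": signature_alerts(events),
        "anomaly": anomaly_alerts(events, baseline),
    }


if __name__ == "__main__":
    result = detect(LIVE_EVENTS)
    print("baseline (mean, stdev):", BASELINE)
    for kind, alerts in result.items():
        for alert in alerts:
            print(f"{kind:9s} {alert}")
```

Note what each technique misses: the signature matcher says nothing about 192.0.2.9 because no known pattern is involved, and the anomaly check says nothing about the single injection probe because one extra request does not move the count. The backup host shows why the baseline must be tuned (or learned, as the text says newer products do) before anomaly alerts are acted on automatically.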
Many solutions also contain honeypot functions. A honeypot looks like valuable company data or apps, but its real purpose is to catch potential attackers and prevent them from reaching their true goals.
IDPS solutions can be network-based or host-based. Most companies install a network-based intrusion prevention system (NIPS) behind the firewall. A host-based intrusion prevention system (HIPS) resides on an endpoint, e.g. a PC, and looks for malicious traffic at the host level. A third category, the wireless intrusion prevention system (WIPS), looks for unauthorized access to Wi-Fi networks.
A NIPS is similar to a firewall, but there are some differences. A firewall inspects all incoming traffic and blocks anything that does not meet the rules under which traffic may be forwarded, while a NIPS inspects traffic that is already inside the network and blocks only traffic that meets specific criteria. One of the best metaphors for the difference is to compare them with different kinds of security staff. A firewall is like the security guard at the door of a facility: the guard checks each visitor's credentials and only lets guests in if they are on the list or can show they have business there. A NIPS is more like the roving security guard walking through the building: this guard watches what the guests are doing and only throws them out if they do something suspicious.