Ready to Start Your Career?

Intrusion Detection System Vs. Intrusion Prevention System

mohan1994 's profile image

By: mohan1994

December 29, 2018

Intrusion Detection System (IDS) is a computer security system that monitors network traffics for malicious activities and alert the network administrator when malicious activities detected. IDS performs a passive monitoring and implement in passive/promiscuous mode. IDS can detect the malicious activities but cannot prevent it. IDS have these capabilities include:

  • Monitoring about malicious activities
  • Auditing about malicious activities
  • Forensics about malicious activities
  • Reporting about malicious activities

Figure 1: Intrusion Detection System

  1. Attacker sends a malicious traffic via internet to the target host.
  2. Data packets will reach to both network and IDS.
  3. In IDS, packet will be inspected by sensor.
  4. Store the log report on management console.

Intrusion Prevention System (IPS) is a computer security mechanism that inspect a network traffics for malicious activities (security threats or policy violations) and take actions for detected activities. IPS have capabilities include:

  • Identify any malicious activity on the network.
  • Send an alarm to the network administrator when malicious activity detected on the network system.
  • Drop the malicious packets.
  • Block the traffics from the source address that malicious packets arrived.
  • Record the activities on management console.
  • Reset the connection.

IPS performs an active monitoring and implement in inline mode. IPS can be divided into two types. Host-based IPS and network based IPS.

Figure 2: Intrusion Prevention System

  1. Attacker sends a malicious traffic via internet to the target host.
  2. Data packet will reach to IPS and will be inspected by sensor.
  3. Store the log report on management console and record actions.
  4. Send the malicious packet to the bit bucket and drop it.

Step 3 and 4 will happen at the same time.




Implement in passive/promiscuous mode


Implement in inline mode

Performs passive monitoring

Performs active monitoring

Can detect malicious traffics and alert about it in details

Can block malicious traffics and drop them into the bit bucket

No impact on the network performance and even if sensor failure or overload occurs

Some impact on the network performance, slow down the traffics on network and sensor failures stops the traffics flow (single point of failure)

Cannot stop malicious traffics from reaching the destination

Can stop any type of malicious traffics from reaching the destination



There are two types of IPS.

Host-based IPS: The popular technology nowadays because users need basic knowledge about the network. Each host device has an IPS. Inspect and protect Operating System (OS) and its process that specific to the host. The encrypted traffics can be inspected. Need to specify rules for each device. The main disadvantage is IPS doesn’t have a view of the overall network.

Figure 3: Host-based IPS


Network-based IPS: Only one IPS has been implemented to the whole network. Users need to have an advance knowledge about the network. The sensors placed at designated network points. Only plain text traffic can be inspected. Need to specify the rules to overall network. The main advantage is can view the attacks on the overall network because network-based IPS has the overall view of the network. The disadvantages are network bottleneck and single point of failure.

Figure 4: Network-based IPS


Signature: A signature is set of rules that an IDS/IPS used to represent malicious behavior. When IDS/IPS scanning the network traffics, they use signatures to detect known malicious behaviors and take actions against them before reaching the destination. If a new malicious behavior identified which is not contained in current signatures, new signature must be initiated and upload it to the IDS/IPS. The initiated file has been called as “signature file”.

Signatures have three distinct attributes:

Signature type: Atomic signature and Stateful signature

  • Atomic: examine a single packet or activity. If an alarm triggered, perform a single signature action. Do not require IDS/IPS to maintain state information.
  • Stateful: examine multiple packets or activities. Perform multiple signature actions. An IDS/IPS need to maintain state information. The length of time that a signature maintain state information is called “event horizon”.

Signature trigger: Pattern-based, Anomaly-based, Policy-based and Honeypot-based

  • Pattern-based detection: search for a specific known signatures. Triggers an action if a match is detected.
  • Anomaly-based detection: first, specify the normal behaviors of the network. This can be done by monitoring network activities, specific applications. Triggers an action if unknown activity occurs beyond the normal behaviors.
  • Policy-based detection: instead of defining patterns, define behaviors for malicious activities based on past experience.
  • Honeypot-based detection: uses a dummy server to attract attackers and distract from the real network. Able to analyze incoming attacks and malicious traffic patterns to find new types of malicious traffic.

Figure 5: Signature alarm types

Signature action: when a signature detects an activity or series of activities, signature triggers one or more actions.

  • Generating an alert.
  • Reporting the activity.
  • Dropping or preventing the activity.
  • Blocking the future activities.
  • Resetting TCP connection.
Schedule Demo