What Is Intrusion Detection and Prevention System? Definition, Examples, Techniques, and Best Practices

essidsolutions

An intrusion detection and prevention system (IDPS) is defined as a system that monitors a network and scans it for possible threats to alert the administrator and prevent potential attacks. This article explains an intrusion detection and prevention system and its techniques in detail and lists the best practices for 2022.

What Is an Intrusion Detection and Prevention System?

An intrusion detection and prevention system (IDPS) monitors a network for possible threats to alert the administrator, thereby preventing potential attacks.

How IDPS Functions

Today’s businesses rely on technology for everything, from hosting applications on servers to communication. As technology evolves, the attack surface that cybercriminals have access to also widens. Research published by Check Point in 2021 reported 50% more attacks per week on corporate networks in 2021 as compared to 2020. As such, organizations of all industry verticals and sizes are ramping up their security posture, aiming to protect every layer of their digital infrastructure from cyber attacks.

A firewall is a go-to solution to prevent unwanted and suspicious traffic from flowing into a system. It is tempting to think that firewalls are 100% foolproof and no malicious traffic can seep into the network. Cybercriminals, however, are constantly evolving their techniques to bypass all security measures. This is where an intrusion detection and prevention system comes to the rescue. While a firewall regulates what gets in, the IDPS regulates what flows through the system. It often sits right behind firewalls, working in tandem.

An intrusion detection and prevention system is like the baggage and security check at airports. A ticket or a boarding pass is required to enter an airport, and once inside, passengers are not allowed to board their flights until the necessary security checks have been made. Similarly, an intrusion detection system (IDS) only monitors for, and alerts on, malicious traffic or policy violations. It is the predecessor of the intrusion prevention system (IPS), also known as an intrusion detection and prevention system. Besides monitoring and alerting, the IPS also works to prevent possible incidents with automated courses of action.


Basic functions of an IDPS

An intrusion detection and prevention system offers the following features:


  • Guards technology infrastructure and sensitive data: No system can exist in a silo, particularly in the current era of data-driven businesses. Data is constantly flowing through the network, so the easiest way to attack or gain access to a system is to hide within the actual data. The IDS part of the system is reactive, alerting security teams to such possible incidents. The IPS part of the system is proactive, allowing security teams to mitigate these attacks, which may otherwise cause financial and reputational damage.
  • Reviews existing user and security policies: Every security-driven organization has its own set of user policies and access-related policies for its applications and systems. These policies considerably reduce the attack surface by providing access to critical resources to only a few trusted user groups and systems. Continuous monitoring by intrusion detection and prevention systems ensures that administrators spot any holes in these policy frameworks right away. It also allows admins to tweak policies to test for maximum security and efficiency. 
  • Gathers information about network resources: An IDS-IPS also gives the security team a bird’s-eye view of the traffic flowing through its networks. This helps them keep track of network resources, allowing them to modify a system in case of traffic overload or under-usage of servers.
  • Helps meet compliance regulations: All businesses, no matter the industry vertical, are being increasingly regulated to ensure consumer data privacy and security. In most cases, the first step toward fulfilling these mandates is to deploy an intrusion detection and prevention system.

An IDPS works by scanning processes for harmful patterns, comparing system files, and monitoring user behavior and system patterns. IPS uses web application firewalls and traffic filtering solutions to achieve incident prevention.


Types of IDPS

Organizations can consider implementing four types of intrusion detection and prevention systems based on the kind of deployment they’re looking for.

IDPS Types

  • Network-based intrusion prevention system (NIPS): Network-based intrusion prevention systems monitor entire networks or network segments for malicious traffic. This is usually done by analyzing protocol activity. If the protocol activity matches against a database of known attacks, the corresponding information isn’t allowed to get through. NIPS are usually deployed at network boundaries, behind firewalls, routers, and remote access servers.
  • Wireless intrusion prevention system (WIPS): Wireless intrusion prevention systems monitor wireless networks by analyzing wireless-networking-specific protocols. While WIPS are valuable within the range of an organization’s wireless network, these systems don’t analyze higher-layer network protocols such as transmission control protocol (TCP). Wireless intrusion prevention systems are deployed within the wireless network and in areas that are susceptible to unauthorized wireless networking.
  • Network behavior analysis (NBA) system: While NIPS analyze deviations in protocol activity, network behavior analysis systems identify threats by checking for unusual traffic patterns. Such patterns are generally a result of policy violations, malware-generated attacks, or distributed denial of service (DDoS) attacks. NBA systems are deployed in an organization’s internal networks and at points where traffic flows between internal and external networks. 
  • Host-based intrusion prevention system (HIPS): Host-based intrusion prevention systems differ from the rest in that they’re deployed on a single host. These hosts are critical servers with important data or publicly accessible servers that can become gateways to internal systems. The HIPS monitors the traffic flowing in and out of that particular host by monitoring running processes, network activity, system logs, application activity, and configuration changes.

The type of IDP system required by an organization depends on its existing infrastructure and how it plans to scale up in the future. The techniques used by intrusion detection and prevention solutions are also an important consideration.

Let’s summarize the types of intrusion detection and prevention systems.

IDPS Type | Deployed In | Types of Activity Detected
Network-based | Network boundaries, behind firewalls, routers, and remote access servers | Network, transport, and application TCP/IP layer activity
Wireless | Within the wireless network | Wireless protocol activity, unauthorized WLAN use
NBA | Internal networks and at points where traffic flows between internal and external networks | Network, transport, and application TCP/IP layer activity with protocol-level anomalies
Host-based | Individual hosts: critical servers or publicly accessible servers | Host application and operating system (OS) activity; network, transport, and application TCP/IP layer activity


Intrusion Detection and Prevention System Techniques with Examples

IDP systems have two levels of broad functionalities — detection and prevention. At each level, most solutions offer some basic approaches. 

Detection-level functionalities of IDPS

1. Threshold monitoring

The first step of threshold monitoring consists of setting accepted levels associated with each user, application, and system behavior. Examples of metrics that are used during threshold monitoring include the number of failed login attempts, the number of downloads from a particular source, or even something slightly more complicated such as the accepted time of access to a specific resource. 

The monitoring system alerts admins and sometimes triggers automated responses when a threshold is crossed. 

Relying on threshold monitoring alone, rather than full intrusion detection, comes with its own set of problems. More often than not, the complex infrastructure underlying an organization’s operations and offerings cannot be reduced to a few metrics. These threshold values also tend to vary as the company’s customer base and services grow. A very stringent implementation of threshold monitoring, in these cases, can cause a lot of false positives. A false positive, in the context of IDP solutions, is when benign activity is identified as suspicious.
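As an added illustration (not code from the original article), the Python detector below applies a failed-login threshold over a sliding time window to constructed log lines; a second, stricter tuning of the same detector produces the false positives the paragraph above warns about. The log format, user names and IP addresses are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log (not real data): timestamp, user, source IP, result.
# 198.51.100.7 fails six times against six accounts in eight seconds;
# alice later fails five times spread over 70 minutes (slow, benign mistakes).
SAMPLE_LOG = """\
2024-03-01T08:00:01 alice 10.0.0.5 FAIL
2024-03-01T08:00:04 alice 10.0.0.5 FAIL
2024-03-01T08:00:09 alice 10.0.0.5 OK
2024-03-01T09:10:00 bob 198.51.100.7 FAIL
2024-03-01T09:10:02 bob 198.51.100.7 FAIL
2024-03-01T09:10:03 carol 198.51.100.7 FAIL
2024-03-01T09:10:05 dave 198.51.100.7 FAIL
2024-03-01T09:10:06 erin 198.51.100.7 FAIL
2024-03-01T09:10:08 frank 198.51.100.7 FAIL
2024-03-01T11:00:00 alice 10.0.0.5 FAIL
2024-03-01T11:30:00 alice 10.0.0.5 FAIL
2024-03-01T11:45:00 alice 10.0.0.5 FAIL
2024-03-01T11:59:00 alice 10.0.0.5 FAIL
2024-03-01T12:10:00 alice 10.0.0.5 FAIL
"""

def parse(log_text):
    """Yield (timestamp, user, source, result) tuples from the log text."""
    for line in log_text.splitlines():
        ts, user, src, result = line.split()
        yield datetime.fromisoformat(ts), user, src, result

def threshold_alerts(log_text, max_failures=5, window_seconds=60):
    """Raise an alert each time a source IP exceeds max_failures failed logins
    inside a sliding window. Returns (ISO timestamp, source, failures in window)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # source IP -> timestamps of failures still in the window
    alerts = []
    for ts, _user, src, result in parse(log_text):
        if result != "FAIL":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) > max_failures:
            alerts.append((ts.isoformat(), src, len(q)))
    return alerts

if __name__ == "__main__":
    # A one-minute window catches the burst from 198.51.100.7 and nothing else.
    print(threshold_alerts(SAMPLE_LOG))
    # A much stricter tuning also flags alice's slow, benign failures: false positives.
    print(threshold_alerts(SAMPLE_LOG, max_failures=3, window_seconds=7200))
```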

2. Profiling

Intrusion detection and prevention systems offer two types of profiling: user profiling and resource profiling. 

User profiling involves monitoring whether a user with a particular role, or in a particular user group, generates only the traffic that role allows. For example, only a DevOps user can have access to the cloud server hosting applications. A programmer can only access data in a sandbox server environment. Short-term user profile monitoring allows administrators to view recent work patterns, while long-term profiling provides an extended view of resource usage. This comes in handy when creating a baseline for normal behavior and when defining a user role itself.

Resource profiling measures how each system, host, and application consumes and generates data. An application with a suddenly increased workload might indicate malicious behavior.

Executable profiling tells administrators what kind of programs are usually installed and run by individual users, applications, and systems. For example, a host can be running an application that accesses only certain files. Any other file access or a rogue database request indicates foul play. This kind of profiling makes it easy to trace malware, ransomware, or Trojans downloaded by mistake.

Sometimes, profiling may make it difficult to interpret overall network traffic and the bumps that come along with it. The sweet spot for profiling lies between profiles that are too broad, which let bad actors through, and those that are too narrow, which hinder productivity.

Prevention-level functionalities of IDPS

1. Stopping the attack

Otherwise known as ‘banishment vigilance’, intrusion prevention systems prevent incidents before they occur. This is done by blocking users or traffic originating from a particular IP address. It also involves terminating or resetting a network connection. For example, when a particular user is scanning data too frequently, it makes sense to revoke access until these requests have been investigated.

2. Security environment changes

This involves changing security configurations to prevent attacks. An example is the IPS reconfiguring the firewall settings to block a particular IP address.

3. Attack content modification

Malicious content can be introduced into a system in various forms. One way of making this content more benign is to remove the offending segments. A basic example is removing suspicious-looking attachments from emails. A more intricate example is normalizing incoming payloads into a common, predefined form, such as by removing unnecessary header information.

Techniques of IDPS

1. Signature-based detection

A signature is a specific pattern in the payload. This specific pattern can be anything from the sequence of 1s and 0s to the number of bytes. Most malware and cyberattacks come with their own identifiable signature. Another example of a signature is something as simple as the name of the attachment in a malicious email. 

With signature-based detection, the IDP system maintains a database of known malware signatures. Each time new malware is encountered, this database is updated. The detection system works by checking the traffic payload against this database and alerting when there’s a match.

Signature-based detection obviously cannot work if the malware isn’t previously known. It does not check for the payload’s nature and cannot give administrators information such as the preceding request to a malicious response.
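An added example, not from the original article, of how a small signature database is matched against payloads and attachment names. The signatures, byte patterns and events are all constructed for illustration; the slightly modified variant demonstrates the blind spot described above.

```python
import re

# Constructed signature database (illustrative, not a vendor feed). Each signature has a
# name and one condition: a byte sequence at a fixed offset (offset None = anywhere in
# the payload), or a regular expression over an email attachment's file name.
SIGNATURES = [
    {"name": "demo-dropper-v1", "bytes": bytes.fromhex("4d5a900003000000"), "offset": 0},
    {"name": "demo-beacon", "bytes": b"GET /beacon?id=", "offset": None},
    {"name": "invoice-lure", "attachment": re.compile(r"^invoice[^/\\]*\.(exe|scr)$", re.I)},
]

def match_signatures(payload, attachment=None, signatures=SIGNATURES):
    """Return the names of every signature the payload or attachment name matches."""
    hits = []
    for sig in signatures:
        if "bytes" in sig:
            pat, off = sig["bytes"], sig["offset"]
            matched = pat in payload if off is None else payload.startswith(pat, off)
            if matched:
                hits.append(sig["name"])
        elif "attachment" in sig and attachment and sig["attachment"].match(attachment):
            hits.append(sig["name"])
    return hits

# Constructed events (not captured traffic): (description, payload, attachment name or None).
EVENTS = [
    ("known dropper", bytes.fromhex("4d5a900003000000") + b"\x04\x00", None),
    ("dropper variant, one byte changed", bytes.fromhex("4d5a900003000100") + b"\x04\x00", None),
    ("beacon in an HTTP request", b"GET /beacon?id=42 HTTP/1.1\r\nHost: example.test\r\n\r\n", None),
    ("mail with lure attachment", b"Please see the attached invoice.", "Invoice_2024.exe"),
    ("benign mail", b"Agenda for Monday attached.", "agenda.pdf"),
]

def scan(events, signatures=SIGNATURES):
    """Map each event to its signature hits. An empty list means the traffic passed; the
    variant shows how an unknown or modified payload escapes signature-only detection."""
    return {desc: match_signatures(payload, att, signatures) for desc, payload, att in events}

if __name__ == "__main__":
    for desc, hits in scan(EVENTS).items():
        print(f"{desc}: {hits or 'no match'}")
```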

2. Anomaly-based detection

Anomaly detection builds on threshold monitoring and profiling. The ‘normal’ behavior of all users, hosts, systems, and applications is configured. Any deviation from this norm is considered an anomaly and alerted on. For example, if an email ID generates hundreds of emails within a few hours, the chances of that email account being hacked are high.

Anomaly detection is better than signature-based detection when considering new attacks that aren’t in the signature database. Creating these baseline profiles takes a lot of time (also known as the ‘training period’). Even then, the rates of false positives may be high, especially in dynamic environments.
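The following added Python example (not from the article) builds per-account baseline profiles during a training period and flags deviations from them, which also illustrates the profiling section above. The training data, the mean-plus-three-standard-deviations rule and the absolute floor are assumptions; the newsletter account shows the false positive that a bursty baseline produces.

```python
from statistics import mean, pstdev

# Constructed training data (not real): outbound mails per hour for each account over
# a 12-hour training period. The newsletter account sends one bulk batch per day.
TRAINING = {
    "alice": [3, 2, 4, 3, 5, 2, 3, 4, 3, 2, 4, 3],
    "newsletter": [0, 0, 0, 0, 0, 0, 0, 0, 300, 0, 0, 0],
}

def build_profiles(training):
    """Training period: learn each account's normal hourly send rate as (mean, stddev)."""
    return {acct: (mean(counts), pstdev(counts)) for acct, counts in training.items()}

def anomaly_threshold(profile, k=3.0, floor=20):
    """Deviation tolerated before alerting: mean + k standard deviations, but never
    below an absolute floor, so a quiet account does not alert on a few extra mails."""
    mu, sigma = profile
    return max(floor, mu + k * sigma)

def detect(profiles, observations, k=3.0, floor=20):
    """observations: {account: mails sent in the hour under review}.
    Returns {account: (observed, threshold, is_anomalous)}."""
    results = {}
    for acct, observed in observations.items():
        threshold = anomaly_threshold(profiles[acct], k, floor)
        results[acct] = (observed, round(threshold, 1), observed > threshold)
    return results

if __name__ == "__main__":
    profiles = build_profiles(TRAINING)
    # alice at 250 mails/hour is the "hacked mailbox" case. The newsletter's regular
    # 300-mail batch also trips the alert because its baseline is too bursty: a false positive.
    print(detect(profiles, {"alice": 250, "newsletter": 300}))
    print(detect(profiles, {"alice": 4}))
```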

3. Stateful protocol analysis

Anomaly detection uses host- or network-specific profiles to determine suspicious activity. Stateful protocol analysis goes one step further and uses the predefined standards of each protocol state to check for deviations.

For example, file transfer protocol (FTP) only allows logins when unauthenticated. Once a session is authenticated, users can view, create, or modify files based on their permissions. This information is part of the FTP protocol definition. The intrusion detection system analyzes if these norms are met. This kind of stateful protocol analysis makes it easy to keep track of the authenticator in each session and subsequent activity associated with this request. 

Stateful protocol analysis relies heavily on vendor-driven protocol definitions. The granular nature means that it is also resource-intensive, taking up precious bandwidth while tracking simultaneous sessions. Each of these techniques either ensures the prevention of incoming attacks or helps administrators spot security vulnerabilities in their systems. Most IDP solutions offer a combination of more than one approach.
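An added example, not from the article, of stateful protocol analysis over a constructed FTP control-channel transcript: each session's login state and authenticator are tracked, and commands that the protocol definition (RFC 959) does not permit in the current state are reported. The subset of authenticated-only commands and the transcript are assumptions.

```python
from dataclasses import dataclass, field

# Commands that RFC 959 only permits after a successful login (assumption: a short subset).
AUTH_REQUIRED = {"RETR", "STOR", "LIST", "NLST", "DELE", "CWD", "MKD", "RMD"}

@dataclass
class Session:
    state: str = "UNAUTH"                            # UNAUTH -> NEED_PASS -> AUTHENTICATED
    user: str = ""                                   # the authenticator named in USER
    violations: list = field(default_factory=list)   # (command, reason)

def analyze(transcript):
    """Track each FTP control session's login state and report commands the protocol
    definition does not allow in that state. Returns {session id: Session}."""
    sessions = {}
    for sid, direction, line in transcript:
        s = sessions.setdefault(sid, Session())
        if direction == "C":                          # client command
            cmd, _, arg = line.partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                if s.state == "AUTHENTICATED":        # logins are only valid when unauthenticated
                    s.violations.append((cmd, "USER issued in state AUTHENTICATED"))
                s.user, s.state = arg, "NEED_PASS"
            elif cmd == "PASS":
                if s.state != "NEED_PASS":
                    s.violations.append((cmd, f"PASS issued in state {s.state}"))
            elif cmd in AUTH_REQUIRED and s.state != "AUTHENTICATED":
                s.violations.append((cmd, f"{cmd} issued in state {s.state}"))
        else:                                         # server reply; the 3-digit code drives the state
            code = line[:3]
            if code == "230" and s.state == "NEED_PASS":
                s.state = "AUTHENTICATED"
            elif code == "530":                       # "not logged in" or login failed
                s.state = "UNAUTH"
    return sessions

# Constructed control-channel transcript (not captured traffic): (session, direction, line).
TRANSCRIPT = [
    ("s1", "S", "220 Service ready"),
    ("s1", "C", "USER alice"),
    ("s1", "S", "331 User name okay, need password"),
    ("s1", "C", "PASS correct-horse"),
    ("s1", "S", "230 User logged in"),
    ("s1", "C", "RETR report.pdf"),                   # allowed: session is authenticated
    ("s1", "S", "150 Opening data connection"),
    ("s1", "C", "USER bob"),                          # deviation: new login inside an authenticated session
    ("s2", "S", "220 Service ready"),
    ("s2", "C", "RETR secrets.txt"),                  # deviation: data command before any login
    ("s2", "S", "530 Not logged in"),
    ("s2", "C", "USER mallory"),
    ("s2", "S", "331 User name okay, need password"),
    ("s2", "C", "PASS guess"),
    ("s2", "S", "530 Login incorrect"),
    ("s2", "C", "STOR upload.bin"),                   # deviation: login failed, still unauthenticated
]

if __name__ == "__main__":
    for sid, s in analyze(TRANSCRIPT).items():
        print(sid, s.state, s.user, s.violations)
```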


Top 10 Best Practices of Intrusion Detection and Prevention System for 2022

To get the most out of an intrusion detection and prevention system, here are some best practices that organizations should follow:

IDPS Best Practices

1. Establish a baseline

The premise of an intrusion prevention system is normal behavior vs. unusual activity. So, what constitutes ‘normal’ needs to be discussed, documented, and configured. Establishing a baseline improves accuracy and usability. It can make or break the efficiency of the system. The baseline includes acceptable thresholds, profiles, report settings, and alert settings. 

2. Define IDP requirements with all stakeholders

As with any other new system, the first step toward implementing an IDP system is to figure out the requirements, and ultimately, the final goals of the system. 

  • Is the intrusion prevention system a cornerstone of the security setup, or are there a host of other tools such as SIEM and content filtering that can take up some of these responsibilities? 
  • Is the primary objective of the system to comply with industry regulations? 
  • Which segments of networks and which hosts must be covered by the system? 

These are some of the questions that must be answered before designing the IDP solution.

3. Integrate multiple IDP techniques

Each IDP technique has its benefits and drawbacks. Relying on just one to secure network traffic isn’t enough. A truly effective intrusion detection and prevention system uses a mix of these techniques. Based on the requirement, an organization may need a combination of network-based and host-based deployments. Each of these may further need to use a combination of signature, anomaly, and protocol-based detection techniques.

This may require multiple IDPS solutions to be integrated. In such a scenario, the integration model also needs to be decided upon. Some IDP solutions directly feed information into other solutions, while others feed information into a central software such as a security information and event management (SIEM) solution. 

4. Design process to deal with false positives

No matter how much analysis goes into tuning the system, there is always room for false positives in a system like IDP. The solution must be configured so that false positives do not bring operations to a halt. 

The most effective mechanism is to alert the administrator of suspicious activity and wait for them to take appropriate action. This may end up becoming tedious for the admins. Prevention systems can be configured to switch to a different network or server until the problem is manually addressed.

5. Ensure optimal resource consumption

The intrusion detection and prevention system is an in-line security component. All resources consumed by the system reduce resource availability for the other operations-related components. 

While designing or choosing an IDP system, organizations must check for the maximum volume of traffic, number of packets monitored per second, number of events per second, or the number of hosts that can be profiled. Remember, the more complex the solution, the more bandwidth it will require.

The IDP solution can be deployed in the same network while using a virtual management network with a virtual LAN. It can also be deployed on a separate network with additional management networks, servers, interfaces, and consoles. The trade-off between cost, efficiency, and resource consumption is a critical decision that must be taken before implementing the system.

6. Run simulations regularly to fine-tune

Testing an intrusion detection and prevention system is difficult given its nature. This is why some third-party vendors offer a learning or simulation mode that allows admins to turn on the software’s detection and prevention layers. This allows them to change and fine-tune their existing settings and profiles. Regular fine-tuning drastically reduces false-positive rates.

7. Ensure up-to-date information

Signature detection relies on an updated and evolving database of known malware. Stateful protocol analysis relies on up-to-date standards from the corresponding vendor. Protocols are regularly revised and re-implemented by vendors. The protocol models and databases must be updated to reflect these changes. Patch management is also crucial in this context.

8. Create backups

Finely tuned IDP systems are painstaking to achieve. This is why configuration settings must be backed up periodically. Settings and profiles also need to be backed up before applying updates to the system or making significant infrastructure changes. 

9. Design a reliable and available system 

Designing an intrusion prevention system isn’t just about deciding where to place the components. It is also about identifying which network segments are critical and creating a fail-proof IDP implementation there. For example, multiple sensors can be used to monitor the same activity, or even multiple management servers with backed-up configurations can be used. 

Usability, redundancy, and load balancing need to be considered. Since the IDPS usually resides within the network, critical components of the system may go down along with the network. This is where deployment options need to be considered.

10. Secure all IDP components

Cybercriminals often attack IDPS components themselves since they house configurations and known vulnerabilities. The security of these components must be part of the overall security agenda. All components must be up to date, with a patch management system running. IDP system users and administrators need separate accounts. Network and access restrictions must be placed on each component, and vulnerability assessments need to be scheduled. 


Takeaway

MarketsandMarkets’ 2021 global forecast says that the global IDPS market size is projected to grow from $4.7 billion in 2019 to $7.1 billion by 2024, at a CAGR of 8.3%. This high market growth comes as no surprise since an IDPS is the first step toward a fully secure digital infrastructure. 

It is important to consider the cost of acquisition, maintenance, and personnel while deciding on an intrusion detection and prevention system. Costs may seem steep, especially if the organization is building a security system from scratch. However, as detailed above, the benefits of a robust IDP system enormously outweigh these costs.  

Did this article help you understand intrusion detection and prevention systems in detail? Tell us on LinkedIn, Twitter, or Facebook. We’d love to hear from you!
