Intrusion prevention system
Intrusion prevention systems (IPS), also known as intrusion detection and prevention systems (IDPS), are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, attempt to block/stop it, and report it.
Intrusion prevention systems are considered extensions of intrusion detection systems because they both monitor network traffic and/or system activities for malicious activity. The main difference is that, unlike intrusion detection systems, intrusion prevention systems are placed in-line and are supposed to be able to actively prevent/block intrusions that are detected. An IPS can take such actions as sending an alarm, dropping detected malicious packets, resetting a connection and/or blocking traffic from the offending IP address. An IPS also can correct Cyclic Redundancy Check (CRC) errors, defragment packet streams, mitigate TCP sequencing issues, and clean up unwanted transport and network layer options. An ideal IPS would accomplish all of these functions. However, software-based IPS themselves often are the victims of malware that edits the IPS signature file so that the malware itself can move through the IPS.
Classifications
Intrusion prevention systems can be classified into four different types:
1. Network-based intrusion prevention system (NIPS): monitors the entire network for suspicious traffic by analyzing protocol activity.
2. Wireless intrusion prevention system (WIPS): monitors a wireless network for suspicious traffic by analyzing wireless networking protocols.
3. Network behavior analysis (NBA): examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware and policy violations.
4. Host-based intrusion prevention system (HIPS): an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host.
Detection methods
The majority of intrusion prevention systems utilize one of three detection methods: signature-based, statistical anomaly-based and stateful protocol analysis.
1. Signature-based detection: a signature-based IDS monitors packets in the network and compares them with pre-configured and pre-determined attack patterns known as signatures.
2. Statistical anomaly-based detection: a statistical anomaly-based IDS determines the normal network activity – like what sort of bandwidth is generally used, what protocols are used, what ports and devices generally connect to each other – and alerts the administrator or user when traffic is detected which is anomalous (not normal).
3. Stateful protocol analysis detection: this method identifies deviations of protocol states by comparing observed events with “predetermined profiles of generally accepted definitions of benign activity.”
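To make the three detection methods concrete, here is a small added example (written for this post, not taken from Wikipedia or from any real IPS product) that runs each method over a handful of constructed packets. The signatures, the baseline byte counts, the IP addresses and the simplified TCP state machine (which only watches the client side of the handshake) are all assumptions chosen for illustration; the actions "drop" and "reset" mirror the in-line responses described above.

```python
"""Toy IPS: signature, statistical-anomaly and stateful-protocol checks over constructed packets."""
import re
import statistics
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str      # TCP flags as letters: "S" = SYN, "A" = ACK, "PA" = PSH+ACK
    payload: bytes


# 1. Signature-based detection: pre-determined patterns compared against payloads.
#    (Illustrative signatures, not from any real rule set.)
SIGNATURES = {
    "sqli-tautology": re.compile(rb"'\s*or\s*1\s*=\s*1", re.IGNORECASE),
    "path-traversal": re.compile(rb"(\.\./){2,}"),
}


def signature_match(payload: bytes) -> list:
    """Return the names of every signature found in the payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]


# 2. Statistical anomaly-based detection: how far is the observed rate from the
#    learned baseline, in standard deviations (z-score)?
def anomaly_score(baseline_bytes_per_sec, observed_bytes_per_sec) -> float:
    mean = statistics.mean(baseline_bytes_per_sec)
    sd = statistics.stdev(baseline_bytes_per_sec) or 1e-9   # avoid division by zero
    return (observed_bytes_per_sec - mean) / sd


def rate_is_anomalous(baseline_bytes_per_sec, observed_bytes_per_sec, threshold=3.0) -> bool:
    return abs(anomaly_score(baseline_bytes_per_sec, observed_bytes_per_sec)) > threshold


# 3. Stateful protocol analysis: a benign TCP client sends data only after its
#    handshake completed. Data on a flow we never saw complete is a deviation.
class TcpStateTracker:
    def __init__(self):
        self.state = {}   # (src, dst, dport) -> "SYN_SENT" | "ESTABLISHED"

    def observe(self, pkt: Packet):
        key = (pkt.src, pkt.dst, pkt.dport)
        st = self.state.get(key)
        if pkt.flags == "S":                     # client SYN opens the flow
            self.state[key] = "SYN_SENT"
            return None
        if pkt.flags == "A" and st == "SYN_SENT":  # final ACK of the handshake
            self.state[key] = "ESTABLISHED"
            return None
        if pkt.payload and st != "ESTABLISHED":
            return "data-before-handshake"
        return None


def run_ips(packets):
    """Return (packet index, reason, action) for every packet that trips a check."""
    tracker = TcpStateTracker()
    verdicts = []
    for i, pkt in enumerate(packets):
        for sig in signature_match(pkt.payload):
            verdicts.append((i, f"signature:{sig}", "drop"))
        deviation = tracker.observe(pkt)
        if deviation:
            verdicts.append((i, f"state:{deviation}", "reset"))
    return verdicts


# Constructed sample traffic (assumed addresses; not a real capture).
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.80", 80, "S", b""),
    Packet("10.0.0.5", "10.0.0.80", 80, "A", b""),
    Packet("10.0.0.5", "10.0.0.80", 80, "PA", b"GET /item?id=1 HTTP/1.1\r\n"),
    Packet("10.0.0.5", "10.0.0.80", 80, "PA", b"GET /item?id=1' OR 1=1-- HTTP/1.1\r\n"),
    Packet("10.0.0.9", "10.0.0.80", 80, "PA", b"GET /../../../etc/passwd HTTP/1.1\r\n"),
]
BASELINE_BPS = [100, 110, 90, 105, 95]   # assumed "normal" bytes/sec learned earlier

if __name__ == "__main__":
    for verdict in run_ips(SAMPLE):
        print(verdict)
    print("rate anomaly:", rate_is_anomalous(BASELINE_BPS, 5000))
```

Packets 0 to 2 pass all three checks; packet 3 is dropped by the SQL-tautology signature; packet 4 both matches the traversal signature and sends data on a flow whose handshake was never observed, so the stateful check asks for a reset. The z-score threshold of 3 is the usual starting point for anomaly detection, but as the Wikipedia text notes, the baseline must be learned from traffic the operator trusts as normal.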
From: https://en.wikipedia.org/wiki/Intrusion_prevention_system