An intrusion prevention system (IPS) is a new generation of intrusion detection system (IDS) that makes up for the weaknesses of IDS in two respects: it is proactive, and it reduces false positives and false negatives. An IPS can identify an intrusion, correlate events, assess their impact and direction, and analyse them appropriately, then pass the resulting information and commands to firewalls, switches and other network devices to mitigate the risk of the event.
The key technical components of an IPS are combined global and local host access control, the IDS itself, global and local security policies, risk management software, and consoles that support global access and manage the IPS. As with IDS, an IPS must also keep false positives and false negatives low, so it typically uses more advanced intrusion detection techniques such as heuristic scanning, content inspection, and state and behaviour analysis, combined with conventional techniques such as signature-based detection and anomaly detection.
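The paragraph above says an IPS keeps false positives and false negatives low by combining signature-based detection with anomaly detection. The following Python sketch, added here as an illustration and not code from the original article, shows one way that combination changes the inline decision: a single weak signal (a medium-confidence signature, or a rate anomaly on its own) only raises an alert, while a high-confidence signature, or a signature hit that coincides with a rate anomaly, blocks. The signature patterns, the rate threshold and the flow records are all constructed sample data.

```python
"""Toy inline IPS decision engine (added example, not code from the article).

Each flow in a window is checked against signature rules and a per-source
rate anomaly. One weak signal only alerts; a high-confidence signature, or a
signature hit that coincides with a rate anomaly, blocks. Rules, threshold
and the flow records are constructed sample data."""
from collections import Counter
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes


# Illustrative signature rules: (name, compiled pattern, confidence).
SIGNATURES = [
    ("sqli-union-select", re.compile(rb"union\s+select", re.I), "high"),
    ("path-traversal", re.compile(rb"\.\./\.\./"), "medium"),
]

# A source that sends more flows than this in one window is rate-anomalous.
RATE_THRESHOLD = 5


def match_signatures(flow):
    """Return (name, confidence) for every signature found in the payload."""
    return [(name, conf) for name, rx, conf in SIGNATURES if rx.search(flow.payload)]


def decide(flows):
    """Return one (index, action, reasons) tuple per flow in the window.

    action is "allow", "alert" (log only) or "block" (drop inline)."""
    per_src = Counter(f.src for f in flows)
    decisions = []
    for i, f in enumerate(flows):
        hits = match_signatures(f)
        reasons = [f"sig:{name}" for name, _ in hits]
        anomalous = per_src[f.src] > RATE_THRESHOLD
        if anomalous:
            reasons.append(f"rate:{per_src[f.src]}")
        high_confidence = any(conf == "high" for _, conf in hits)
        if high_confidence or (hits and anomalous):
            action = "block"      # two agreeing signals, or one strong one
        elif hits or anomalous:
            action = "alert"      # single weak signal: log, do not block
        else:
            action = "allow"
        decisions.append((i, action, reasons))
    return decisions


def summarize(flows):
    """Count actions over a window, e.g. {"allow": 1, "block": 6, "alert": 2}."""
    return dict(Counter(action for _, action, _ in decide(flows)))


# Constructed sample window: one benign client, one SQLi probe, one lone
# traversal probe, and a noisy client that combines traversal with high rate.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.1.10", 80, b"GET /index.html HTTP/1.1"),
    Flow("10.0.0.7", "10.0.1.10", 80, b"GET /?id=1 UNION SELECT 1,2 HTTP/1.1"),
    Flow("10.0.0.9", "10.0.1.10", 80, b"GET /../../etc/passwd HTTP/1.1"),
] + [
    Flow("10.0.0.11", "10.0.1.10", 80, b"GET /../../etc/hosts HTTP/1.1")
    for _ in range(5)
] + [
    Flow("10.0.0.11", "10.0.1.10", 80, b"GET /robots.txt HTTP/1.1"),
]

if __name__ == "__main__":
    for idx, action, reasons in decide(SAMPLE_FLOWS):
        print(f"{idx:2d} {SAMPLE_FLOWS[idx].src:10s} {action:5s} {reasons}")
    print(summarize(SAMPLE_FLOWS))
```

The point of the two-tier decision is the one the paragraph makes: a lone medium-confidence signature from 10.0.0.9 is logged but not dropped, whereas the same signature from a source that is also rate-anomalous (10.0.0.11) is blocked. A real IPS would of course use far richer signals, but the structure of the verdict is the same.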
As with intrusion detection systems (IDS), IPS systems are divided into two types: host-based and network-based.
Host-based IPS
A host-based IPS relies on agents installed directly on the protected system. The agent is tightly coupled to the operating system kernel and services so that it can monitor and intercept system calls to the kernel or API, preventing attacks and recording them. It can also monitor the data flow and the specifics of particular applications, such as the file locations and registry entries of a web server, so that the application is protected against common attacks for which no signature yet exists.
Network-based IPS
A network-based IPS combines the capabilities of a standard IDS with those of a firewall; this hybrid of IPS and firewall is also called an embedded IDS or gateway IDS (GIDS). A network-based IPS device can only block malicious traffic that passes through the device itself. To make effective use of IPS devices, traffic must therefore be forced to flow through the device. More specifically, the protected traffic must be data sent to or from networked computer systems in which:
the designated network domain requires a high level of security and protection, and/or
internal outbreaks are very likely in this network area.
The placement of the device should effectively divide the network into the smallest protection zones while providing the widest effective coverage.

IPS: Intrusion Protection (blocking) system