Yogesh Chauhan's Blog

What is IPS(Intrusion Prevention System), How Does It Work and What are the Detection Types?

in Miscellaneous on February 5, 2020

Intrusion Prevention System (IPS)

An Intrusion Prevention System (IPS) is a network security/threat prevention technology that examines network traffic flows to detect and prevent vulnerability exploits. Intrusion prevention systems continuously monitor your network, looking for possible malicious incidents and capturing information about them. 

The IPS reports these events to system administrators and takes preventative action, such as closing access points and configuring firewalls to prevent future attacks. 

IPS solutions can also be used to identify issues with corporate security policies, deterring employees and network guests from violating the rules these policies contain.

IPS is similar to a firewall, but it has deep packet inspection capabilities

It’s like Firewall + something 

In scenario devices are IPS equipped 

So, firewalls with IPS capability for e.g., Cisco Firepower + NGIPS

Intrusion prevention systems expand on the capabilities of intrusion detection systems (IDS), which serve the fundamental purpose of monitoring network and system traffic. 

What makes intrusion prevention systems more advanced than intrusion detection systems is that IPS are located in-line (directly in the path in which the source and destination communicate) and have the capability to prevent or block the malicious activity that is occurring.

IPS and IDS – What is the Difference?

When looking into IPS solutions, you may also come across intrusion detection systems (IDS). Before we look into how intrusion prevention systems work, let's take a look at the difference between IPS and IDS.

The main difference between IPS and IDS is the action they take when a potential incident has been detected.

Intrusion prevention systems control the access to an IT network and protect it from abuse and attack. These systems are designed to monitor intrusion data and take the necessary action to prevent an attack from developing.

Intrusion detection systems are not designed to block attacks and will simply monitor the network and send alerts to systems administrators if a potential threat is detected.

So, what happens when we place IPS?

Vulnerability exploits usually come in the form of malicious inputs to a target application or service that attackers use to interrupt and gain control of an application or machine. 

Following a successful exploit, the attacker can disable the target application (resulting in a denial-of-service state) or can potentially access to all the rights and permissions available to the compromised application.

As mentioned earlier, unlike its predecessor the Intrusion Detection System (IDS)—which is a passive system that scans traffic and reports back on threats—the IPS is placed inline (in the direct communication path between source and destination), actively analyzing and taking automated actions on all traffic flows that enter the network.

Specifically, these actions include:

=> Sending an alarm to the administrator (as would be seen in an IDS)

=> Dropping the malicious packets

=> Blocking traffic from the source address

=> Resetting the connection

How Do Intrusion Prevention Systems Work?

An IPS can be either implemented as a hardware device or software. Ideally (or theoretically) and IPS is based on a simple principle that dirty traffic goes in and clean traffic comes out.

Intrusion prevention systems work by scanning all network traffic. There are a number of different threats that an IPS is designed to prevent, including:

Denial of Service (DoS) attack

Distributed Denial of Service (DDoS) attack

Various types of exploits



Address matching

HTTP string and substring matching

Generic pattern matching

TCP connection analysis

Packet anomaly detection

Traffic anomaly detection

TCP/UDP port matching

The IPS performs real-time packet inspection, deeply inspecting every packet that travels across the network.

If any malicious or suspicious packets are detected, the IPS will carry out one of the following actions:

Terminate the TCP session that has been exploited and block the offending source IP address or user account from accessing any application, target hosts or other network resources unethically.

Reprogram or reconfigure the firewall to prevent a similar attack occurring in the future.

Remove or replace any malicious content that remains on the network following an attack. This is done by repackaging payloads, removing header information and removing any infected attachments from file or email servers.

Detection Types in IPS

The IPS has a number of detection methods for finding exploits, but signature-based detection and statistical anomaly-based detection are the two dominant mechanisms.

1. Signature-based detection

Signature-based detection is based on a dictionary of uniquely identifiable patterns (or signatures) in the code of each exploit. As an exploit is discovered, its signature is recorded and stored in a continuously growing dictionary of signatures. Signature detection for IPS breaks down into two types:

Exploit-facing signatures identify individual exploits by triggering on the unique patterns of a particular exploit attempt.

The IPS can identify specific exploits by finding a match with an exploit-facing signature in the traffic stream.

Vulnerability-facing signatures are broader signatures that target the underlying vulnerability in the system that is being targeted. These signatures allow networks to be protected from variants of an exploit that may not have been directly observed in the wild, but also raise the risk of false positives.

2. Statistical anomaly detection

Statistical anomaly detection takes samples of network traffic at random and compares them to a pre-calculated baseline performance level.

When the sample of network traffic activity is outside the parameters of baseline performance, the IPS takes action to handle the situation.

IPS was originally built and released as a standalone device in the mid-2000s. This, however, was in the advent of today’s implementations, which are now commonly integrated into Unified Threat Management (UTM) solutions (for small and medium size companies) and next-generation firewalls (at the enterprise level).

3. Stateful protocol analysis detection

Stateful protocol analysis detection: This method identifies protocol deviations by comparing observed events with pre-determined activity profiles of normal activity.

Most Read

#1 Solution to the error “Visual Studio Code can’t be opened because Apple cannot check it for malicious software” #2 How to add Read More Read Less Button using JavaScript? #3 How to check if radio button is checked or not using JavaScript? #4 Solution to “TypeError: ‘x’ is not iterable” in Angular 9 #5 PHP Login System using PDO Part 1: Create User Registration Page #6 How to uninstall Cocoapods from the Mac OS?

Recently Posted

#Apr 8 JSON.stringify() in JavaScript #Apr 7 Middleware in NextJS #Jan 17 4 advanced ways to search Colleague #Jan 16 Colleague UI Basics: The Search Area #Jan 16 Colleague UI Basics: The Context Area #Jan 16 Colleague UI Basics: Accessing the user interface
You might also like these
Five common features of Angular template syntax (with examples)AngularWhy do we need HAVING Clause in SQL?SQL/MySQLAn Introduction to wp-config file in WordPressWordPressHow SCSS (Sass) finds a module without a file extension?SCSSHow to add a Bar Chart in Angular App?AngularHow to center an image horizontally and vertically?CSS