An intrusion prevention system is a network security
device that monitors network and/or system activities for malicious or
unwanted behavior and can react, in real-time, to block or prevent
those activities. Network-based IPS, for example, will operate in-line
to monitor all network traffic for malicious code or attacks. When an
attack is detected, it can drop the offending packets while still
allowing all other traffic to pass. Intrusion prevention technology is considered by some to be an extension of intrusion detection
(IDS) technology. The term "Intrusion Prevention System" was coined by
Andrew Plato, who was a technical writer and consultant for NetworkICE.
Intrusion prevention systems (IPS) evolved in the late 1990s to
resolve ambiguities in passive network monitoring by placing detection
systems in-line. Early IPS were IDS that were able to implement
prevention commands to firewalls and access control changes to routers.
This technique fell short operationally because it created a race condition
between the IDS and the exploit as it passed through the control
mechanism. Inline IPS can be seen as an improvement upon firewall
technologies (Snort inline is integrated into one): an IPS can make access
control decisions based on application content, rather than on IP address or ports as traditional firewalls
had done. However, in order to improve performance and accuracy of
classification mapping, most IPS use destination port in their
signature format. As IPS systems were originally a literal extension of
intrusion detection systems, they continue to be related.
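The two points above, that an in-line IPS drops the offending packets while passing everything else, and that a passive IDS pushing rules to a firewall races the exploit it detected, are easiest to see side by side. The following is an added toy model, not code from the article or from any IPS product; the packet and signature structures, the rule set and the traffic are all constructed for the demonstration, and the signature carries a destination-port qualifier in the way the article says most IPS signature formats do.

```python
"""Toy model: in-line IPS versus passive IDS that pushes blocks to a firewall."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str        # source address
    dport: int      # destination port
    payload: bytes  # application-layer bytes


@dataclass(frozen=True)
class Signature:
    name: str
    dport: int      # port qualifier, as in most IPS signature formats
    content: bytes  # byte pattern that must appear in the payload


# Constructed demo signature; "EXPLOIT-MARKER" is a placeholder, not a real attack pattern.
SIGNATURES: List[Signature] = [Signature("demo-web-exploit", 80, b"EXPLOIT-MARKER")]


def match_signature(pkt: Packet, sigs: List[Signature] = SIGNATURES) -> Optional[Signature]:
    """Return the first signature whose port and content both match, else None."""
    for sig in sigs:
        if pkt.dport == sig.dport and sig.content in pkt.payload:
            return sig
    return None


def run_inline_ips(traffic: List[Packet], sigs: List[Signature] = SIGNATURES) -> Tuple[List[Packet], List[Packet]]:
    """In-line: every packet is inspected before it is forwarded; matches are dropped."""
    delivered: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in traffic:
        (dropped if match_signature(pkt, sigs) else delivered).append(pkt)
    return delivered, dropped


def run_passive_ids_with_firewall(traffic: List[Packet], sigs: List[Signature] = SIGNATURES) -> Tuple[List[Packet], List[Packet]]:
    """Passive IDS on a tap: the firewall forwards with the rules it has *now*;
    the IDS inspects a copy and only then pushes a block for the source,
    so the packet that triggered the alert has already been forwarded."""
    blocked_sources: Set[str] = set()
    delivered: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in traffic:
        # 1. firewall decision with the rules currently installed
        if pkt.src in blocked_sources:
            dropped.append(pkt)
            continue
        delivered.append(pkt)
        # 2. IDS examines its copy and reacts after the fact
        if match_signature(pkt, sigs):
            blocked_sources.add(pkt.src)
    return delivered, dropped


# Constructed sample traffic (addresses and payloads are made up for the demo).
TRAFFIC: List[Packet] = [
    Packet("10.0.0.5", 80, b"GET /index.html"),
    Packet("10.0.0.9", 80, b"POST /cgi EXPLOIT-MARKER"),          # first hostile packet
    Packet("10.0.0.9", 80, b"POST /cgi EXPLOIT-MARKER stage2"),   # follow-up from same source
    Packet("10.0.0.5", 443, b"EXPLOIT-MARKER"),  # same bytes, other port: port-qualified rule does not fire
]


def compare(traffic: List[Packet] = TRAFFIC) -> Dict[str, object]:
    """Summarise how each architecture handles the same traffic."""
    inline_ok, inline_drop = run_inline_ips(traffic)
    passive_ok, passive_drop = run_passive_ids_with_firewall(traffic)
    return {
        "inline_delivered": len(inline_ok),
        "inline_dropped": len(inline_drop),
        "passive_delivered": len(passive_ok),
        "passive_dropped": len(passive_drop),
        # packets that matched a signature yet still reached the host: the race condition
        "leaked_by_passive": [p.payload for p in passive_ok if match_signature(p)],
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: {v}")
```

Running `compare()` shows the in-line path dropping both hostile packets while the passive IDS lets the first one through and only stops the follow-up. The last packet also illustrates the accuracy trade-off the article mentions: because the rule is qualified by destination port, identical bytes on port 443 are not matched, which is exactly why port-qualified signatures are cheaper but can miss traffic on non-standard ports.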
Intrusion prevention systems may also serve secondarily at the host
level to deny potentially malicious activity. There are advantages and
disadvantages to host-based IPS compared with network-based IPS. In
many cases, the technologies are thought to be complementary.
An intrusion prevention system must also be a very good intrusion
detection system to keep the rate of false positives low. Some IPS
systems can also prevent yet-to-be-discovered attacks, such as those
caused by a buffer overflow.
A host-based IPS (HIPS) is one where the
intrusion-prevention application is resident on that specific IP
address, usually on a single computer. HIPS complements traditional
fingerprint-based and heuristic antivirus detection methods, since it
does not need continuous updates to stay ahead of new malware. As
ill-intended code needs to modify the system or other software residing
on the machine to achieve its evil aims, a truly comprehensive HIPS
system will notice some of the resulting changes and prevent the action
by default or notify the user for permission.
Extensive use of system resources can be a drawback of existing HIPS
systems, which integrate firewall, system-level action control and sandboxing
into a coordinated detection net, on top of a traditional AV product.
This extensive protection scheme may be warranted for a laptop computer
frequently operating in untrusted environments (e.g. on cafe or airport
Wi-Fi networks), but the heavy defenses may take their toll on battery
life and noticeably impair the generic responsiveness of the computer
as the HIPS protective component and the traditional AV product check
each file on a PC to see if it is malware against a huge blacklist.
Alternatively, if HIPS is combined with an AV product utilising whitelisting
technology, then there is far less use of system resources, as many
applications on the PC are trusted (whitelisted). HIPS as an
application then becomes a real alternative to traditional antivirus products.
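The HIPS behaviour described above (noticing an attempt to alter the system and denying it by default or asking the user) and the resource argument for whitelisting (trusted applications skip the blacklist check altogether) can both be modelled with a small policy engine. The following is an added example written for this article, not the code of any HIPS or antivirus product; the event structure, the protected paths, the "trusted" and "known-bad" hashes and the sample events are all constructed, and a real HIPS would mediate these events in the kernel rather than in a Python function.

```python
"""Toy HIPS decision engine: default-deny for unknown code altering the system,
with an optional user prompt and an application whitelist that short-circuits scanning."""
import hashlib
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    process: str       # path of the acting executable
    process_hash: str  # SHA-256 hex of its image
    action: str        # e.g. "write", "create_process"
    target: str        # path affected


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed: locations whose modification counts as altering the system.
PROTECTED_PREFIXES: Tuple[str, ...] = ("/boot/", "/etc/ld.so", "/usr/lib/", "/usr/bin/")

# Constructed stand-ins for a vendor's trusted-application catalogue (whitelist)
# and for a signature blacklist. The bytes are placeholders, not real images.
TRUSTED_IMAGES: Set[str] = {sha256_hex(b"constructed-bytes-of-trusted-updater")}
KNOWN_BAD: Set[str] = {sha256_hex(b"constructed-bytes-of-known-malware")}
UNKNOWN_TOOL = sha256_hex(b"constructed-bytes-of-unknown-tool")


class HostIPS:
    def __init__(self, prompt: Optional[Callable[[Event], bool]] = None, use_whitelist: bool = True):
        self.prompt = prompt                # None means "deny by default, never ask"
        self.use_whitelist = use_whitelist
        self.blacklist_lookups = 0          # proxy for the scanning cost the article describes
        self.log: List[str] = []

    def _touches_protected(self, target: str) -> bool:
        return target.startswith(PROTECTED_PREFIXES)

    def decide(self, ev: Event) -> str:
        """Return "allow", "deny" or "allow-by-user" for one mediated event."""
        if self.use_whitelist and ev.process_hash in TRUSTED_IMAGES:
            self.log.append(f"allow (trusted image) {ev.process} {ev.action} {ev.target}")
            return "allow"                  # no blacklist scan for whitelisted applications
        self.blacklist_lookups += 1         # every other event pays for a blacklist lookup
        if ev.process_hash in KNOWN_BAD:
            self.log.append(f"deny (known bad) {ev.process}")
            return "deny"
        if self._touches_protected(ev.target):
            if self.prompt is not None and self.prompt(ev):
                self.log.append(f"allow (user approved) {ev.process} {ev.action} {ev.target}")
                return "allow-by-user"
            self.log.append(f"deny (default) {ev.process} {ev.action} {ev.target}")
            return "deny"                   # unknown code altering the system: deny by default
        self.log.append(f"allow {ev.process} {ev.action} {ev.target}")
        return "allow"


# Constructed sample events.
EVENTS: List[Event] = [
    Event("/opt/vendor/updater", next(iter(TRUSTED_IMAGES)), "write", "/usr/lib/libfoo.so"),
    Event("/tmp/unknown-tool", UNKNOWN_TOOL, "write", "/etc/ld.so.preload"),
    Event("/tmp/dropper", next(iter(KNOWN_BAD)), "write", "/home/user/x"),
    Event("/tmp/unknown-tool", UNKNOWN_TOOL, "write", "/home/user/notes.txt"),
]


def run_demo(use_whitelist: bool = True,
             prompt: Optional[Callable[[Event], bool]] = None) -> Tuple[List[str], int]:
    """Feed the sample events through one HostIPS configuration."""
    hips = HostIPS(prompt=prompt, use_whitelist=use_whitelist)
    decisions = [hips.decide(ev) for ev in EVENTS]
    return decisions, hips.blacklist_lookups


if __name__ == "__main__":
    print("whitelist on, no prompt:   ", run_demo())
    print("whitelist off, no prompt:  ", run_demo(use_whitelist=False))
    print("whitelist on, user says yes:", run_demo(prompt=lambda ev: True))
```

With the whitelist enabled the trusted updater's write to `/usr/lib/` is allowed without a blacklist lookup, the unknown tool's write to `/etc/ld.so.preload` is denied by default (or allowed only when the prompt callback returns true), and the known-bad image is denied outright. Disabling the whitelist makes the same updater pay for a lookup and then fall into the default-deny branch, which is the combination of extra resource use and user friction the article attributes to blacklist-only HIPS.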