The increased rate of intrusive activity on organizations' networks and the growing sophistication of cyberattacks make it hard to detect and prevent intrusions accurately. This calls for advanced network security devices, such as intrusion detection and intrusion prevention systems, that detect and block malicious traffic before it reaches critical information systems at the network and host levels. Intrusion detection systems (IDS) are devices or software applications that monitor network traffic for indicators of malicious activity, such as cyber-attacks, malware, or policy violations, and alert security administrators (Karatas et al., 2018). Intrusion prevention systems (IPS), on the other hand, are network security tools, whether hardware or software, that continuously monitor the network for malicious activity, detect identified threats, and prevent them by blocking or dropping the malicious traffic before it reaches critical systems. Two types of IDS/IPS exist: network-based and host-based (Cyntia Vargas & Vogel-Heuser, 2018).

Signature-Based and Heuristic IDS/IPS Solutions

IDS and IPS technology serve as a mandatory line of defense in protecting critical network infrastructure from cyber intrusions. Two primary methods are used to implement IDS and IPS technologies: signature-based IDS/IPS, and heuristic or behavioral-based techniques, also known as anomaly-based IDS/IPS (Khraisat et al., 2019). Signature-based intrusion detection/prevention, also called definition-based or knowledge-based detection, uses a database of known vulnerabilities or known attack patterns to identify a threat or malicious traffic (Sawant, 2018). When observed traffic matches an existing signature in the vulnerability database, the IDS/IPS takes the appropriate action: alerting an administrator (IDS), or alerting and dropping the connection (IPS). However, the increased prevalence of zero-day attacks has made signature-based techniques less effective, because no prior signature exists for a zero-day vulnerability (Khraisat et al., 2019).

The heuristic, behavioral-based or anomaly-based intrusion detection system (AID) is preferred for detecting zero-day attacks. With this technique, a standard model of network behavior is created using machine learning and statistical methods. This model represents a baseline of the network's behavior under normal operating conditions. Any significant deviation between the observed network behavior and the baseline is treated as an anomaly, and an alert is generated indicating a potential attack or intrusion. Although anomaly-based detection safeguards against unknown attacks, it is prone to false positives and false negatives (Sawant, 2018).
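As an added illustration of the statistical baseline approach described above (example code written for this page, not from any cited work or product), the block below builds a "normal" model from a constructed training window of per-minute connection counts, flags observations that deviate by more than three standard deviations, and scores the alerts against constructed ground truth to show both a false positive (a legitimate backup burst) and a false negative (low-and-slow activity that stays inside the baseline).

```python
import statistics

# Constructed per-minute connection counts from a known-good training window
# (assumed baseline data, not measurements from any real network).
BASELINE_WINDOW = [48, 52, 50, 47, 55, 49, 51, 53, 46, 50, 52, 48]

# Constructed observations: (minute, connection count, whether an attack really occurred).
OBSERVED = [
    ("09:00", 51, False),   # ordinary traffic
    ("09:01", 49, False),
    ("09:02", 400, True),   # flood-style burst: a true positive
    ("09:03", 180, False),  # legitimate scheduled backup job: a false positive
    ("09:04", 53, True),    # low-and-slow malicious activity: a false negative
]

def build_baseline(samples):
    """Model 'normal' as the mean and standard deviation of the training window."""
    return statistics.mean(samples), statistics.pstdev(samples)

def is_anomalous(count, baseline, threshold=3.0):
    """True when the observation lies more than `threshold` standard deviations from the mean."""
    mean, sd = baseline
    return sd > 0 and abs(count - mean) / sd > threshold

def detect(observations, baseline, threshold=3.0):
    """Return the minutes the detector would raise an alert for."""
    return [minute for minute, count, _ in observations
            if is_anomalous(count, baseline, threshold)]

def evaluate(observations, baseline, threshold=3.0):
    """Compare alerts with ground truth: counts of true positives, false positives, false negatives."""
    tp = fp = fn = 0
    for _, count, attack in observations:
        flagged = is_anomalous(count, baseline, threshold)
        if flagged and attack:
            tp += 1
        elif flagged and not attack:
            fp += 1
        elif attack and not flagged:
            fn += 1
    return {"tp": tp, "fp": fp, "fn": fn}

if __name__ == "__main__":
    base = build_baseline(BASELINE_WINDOW)
    print("baseline mean=%.1f sd=%.1f" % base)
    print("alerts:", detect(OBSERVED, base))
    print("outcome:", evaluate(OBSERVED, base))
```

The detector sees only the deviation, not its cause, so the backup job and the flood look identical to it, while the 53-connection minute is indistinguishable from normal; tuning the threshold only trades one error type for the other.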

Which is Best, IDS or IPS?

Within an enterprise, implementing an Intrusion Prevention System (IPS) provides more protection than an Intrusion Detection System (IDS). While an IDS is excellent at raising alerts, the incident still has to be resolved manually by an administrator. With an IPS, the incident is identified and blocked in real time while an alert is still sent to security administrators. However, an IPS can adversely affect business operations if it is not configured correctly, because legitimate connections may be dropped (Cai et al., 2019). When implementing the IPS, I would prefer an anomaly-based detection technique, given the never-ending zero-day vulnerabilities that pop up every day.
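The following added example (written for this page; the rules and traffic are constructed and are not real Snort rules or captured packets) illustrates both the signature-matching method described earlier and the IDS/IPS distinction in this section: the same signature database is run in IDS mode, which forwards everything and only alerts, and in IPS mode, which drops matching packets. One legitimate forum request happens to contain the phrase a signature looks for, so in IPS mode it is dropped, which is exactly the misconfiguration risk noted above.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    payload: bytes

# Hypothetical signature database: (signature id, destination port or None for any, content pattern).
SIGNATURES = [
    ("SIG-1001", 80, re.compile(rb"(?i)union\s+select")),   # SQL injection attempt
    ("SIG-1002", 80, re.compile(rb"\.\./\.\./")),            # directory traversal
    ("SIG-1003", None, re.compile(rb"\x90{16,}")),          # long NOP sled in any payload
]

# Constructed traffic sample.
TRAFFIC = [
    Packet("10.0.0.5", 80, b"GET /index.html HTTP/1.1"),
    Packet("10.0.0.9", 80, b"GET /item?id=1 UNION SELECT user,pw FROM t"),
    Packet("10.0.0.9", 80, b"GET /../../etc/passwd"),
    Packet("10.0.0.7", 443, b"\x90" * 32 + b"\xcc"),
    Packet("10.0.0.11", 80, b"POST /api/v2/upload HTTP/1.1"),   # no known signature: passes either way
    Packet("10.0.0.12", 80, b"GET /forum?q=how does UNION SELECT work"),  # legitimate, but matches SIG-1001
]

def match_signatures(pkt):
    """Return the ids of every signature whose port filter and content pattern match the packet."""
    return [sid for sid, port, pat in SIGNATURES
            if (port is None or port == pkt.dst_port) and pat.search(pkt.payload)]

def process(packets, mode="ids"):
    """Run packets through the engine.

    IDS mode forwards every packet and only records alerts; IPS mode also drops
    any packet that matched a signature. Returns (forwarded packets, alerts).
    """
    forwarded, alerts = [], []
    for pkt in packets:
        hits = match_signatures(pkt)
        if hits:
            alerts.append((pkt.src, hits))
            if mode == "ips":
                continue            # dropped before it reaches the protected host
        forwarded.append(pkt)
    return forwarded, alerts

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        fwd, alerts = process(TRAFFIC, mode)
        print(f"{mode}: forwarded {len(fwd)} of {len(TRAFFIC)}, alerts={alerts}")
```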

Placing IDS on the Network

Given that two types of Intrusion Detection System exist, network-based and host-based, they are placed at different positions within the network. A network-based IDS (NIDS) is placed behind the firewall so that it monitors and analyzes incoming and outgoing traffic with maximum efficiency; any malicious packet that bypasses the firewall is detected at this level. Examples of NIDS include Snort, IBM security systems, and Cisco IOS. For a host-based intrusion detection system (HIDS), an agent program is installed on the host, and all signature rules relevant to that particular host are assigned to the agent. The HIDS monitors traffic to and from the host and alerts administrators about anomalies. Examples of HIDS include Trend Micro Deep Security Manager, Tripwire, and Wazuh.

References

Cai, C., Shue, M., & Zhong, W. (2019). Configuration of intrusion prevention systems based on a legal user: the case for using intrusion prevention systems instead of intrusion detection systems. Information Technology and Management, 20(2), 55-71. https://doi.org/10.1007/s10799-018-0291-6

Cyntia Vargas, M., & Vogel-Heuser, B. (2018). Towards Industrial Intrusion Prevention Systems: A Concept and Implementation for Reactive Protection. Applied Sciences, 8(12). https://doi.org/10.3390/app8122460

Karatas, G., Demir, O., & Sahingoz, O. K. (2018, December 3-4). Deep Learning in Intrusion Detection Systems. 2018 International Congress on Big Data, Deep Learning and Fighting Cyber Terrorism (IBIGDELFT).

Khraisat, A., Gondal, I., Vamplew, P., & Kamruzzaman, J. (2019). Survey of intrusion detection systems: techniques, datasets and challenges. Cybersecurity, 2(1). https://doi.org/10.1186/s42400-019-0038-7

Sawant, A. (2018, August 16-18). A Comparative Study of Different Intrusion Prevention Systems. 2018 Fourth International Conference on Computing Communication Control and Automation (ICCUBEA).