📘 Intrusion Detection and Prevention Systems (IDS/IPS) — Exam Notes (Network Security)
🔐 1. Definition
🔹 Intrusion Detection System (IDS)
An IDS is a security system that monitors network or system activities to detect suspicious or malicious behavior and generates alerts.
🔹 Intrusion Prevention System (IPS)
An IPS not only detects threats but also takes action to block or prevent attacks automatically.
👉 Simple idea:
- IDS = Detects & alerts
- IPS = Detects + blocks
🎯 2. Objectives of IDS/IPS
- Detect unauthorized access
- Identify network attacks
- Protect systems from threats
- Reduce damage and response time
- Support security monitoring and analysis
🧱 3. Types of IDS/IPS
🔸 Based on Deployment
1. Network-Based (NIDS/NIPS)
- Monitors entire network traffic
- Installed at key network points
✔ Covers multiple devices
2. Host-Based (HIDS/HIPS)
- Installed on individual systems
- Monitors system logs, files, processes
✔ Detects internal attacks
🔸 Based on Detection Method
1. Signature-Based Detection
- Uses known attack patterns (signatures)
✔ Fast and accurate for known attacks
❌ Cannot detect new attacks
2. Anomaly-Based Detection
- Detects unusual behavior compared to normal patterns
✔ Can detect new attacks
❌ May produce false alarms
3. Hybrid Detection
✔ More effective
🔍 4. How IDS/IPS Works
-
Monitor traffic or system activity
-
Compare with rules/signatures
-
Detect suspicious activity
-
Take action:
- IDS → Alert
- IPS → Block attack
⚠️ 5. Common Attacks Detected
- DoS/DDoS attacks
- Malware activity
- Port scanning
- Brute force attacks
- Unauthorized access
🛡️ 6. IDS vs IPS (Comparison)
| Feature |
IDS |
IPS |
| Function |
Detection |
Detection + Prevention |
| Action |
Alert only |
Blocks attack |
| Placement |
Passive |
Inline (active) |
| Impact |
No delay |
May affect performance |
🔑 7. Benefits of IDS/IPS
- Real-time monitoring
- Early detection of threats
- Automatic attack prevention (IPS)
- Improves network security
❌ 8. Limitations
- False positives (wrong alerts)
- Cannot detect all new attacks
- Requires regular updates
- High cost (advanced systems)
🧠 9. Best Practices
- Regularly update signatures
- Combine IDS and IPS with firewalls
- Monitor alerts continuously
- Tune system to reduce false positives
📊 10. Important Concept
🔸 Detection Rule Concept
If Activity ≠ Normal Behavior → Possible Intrusion
🖼️ 11. Diagram Descriptions
📌 IDS Placement
- Network → IDS (monitoring) → No blocking
📌 IPS Placement
- Network → IPS → Blocks malicious traffic
📌 Detection Flow
- Traffic → Analysis → Detection → Alert/Block
🧾 12. Real-Life Examples
- 🏢 Companies use IDS to monitor network traffic
- 🛡️ IPS blocks suspicious login attempts
- 🌐 Websites protected from DDoS attacks
- 💻 HIDS monitors file changes on servers
📝 Likely Exam Questions
- Define IDS and IPS.
- Differentiate between IDS and IPS.
- Explain types of IDS/IPS.
- Describe signature-based vs anomaly-based detection.
- How does an IDS/IPS work?
- What are advantages and limitations of IDS/IPS?
- Explain NIDS vs HIDS.
- What attacks can IDS detect?
- What is false positive?
- Write short notes on:
- IPS
- Anomaly detection
- Hybrid systems
📌 Quick Summary / Conclusion
- IDS detects threats; IPS detects and prevents them.
- Types include network-based and host-based systems.
- Detection methods include signature and anomaly-based.
- IDS/IPS provide real-time monitoring and protection.
- Best security is achieved by combining IDS/IPS with other tools.
👉 In short:
IDS and IPS are essential tools for identifying and stopping network attacks, improving overall system security.