
Intrusion Prevention in 2024: How does it work? & 3 Methods

Written by Cem Dilmegani

Cem is the principal analyst at AIMultiple since 2017. AIMultiple informs hundreds of thousands of businesses (as per Similarweb) including 60% of Fortune 500 every month.

Cem's work has been cited by leading global publications including Business Insider, Forbes, Washington Post, global firms like Deloitte, HPE, NGOs like World Economic Forum and supranational organizations like European Commission. You can see more reputable companies and media that referenced AIMultiple.


The number of outbreak alerts issued in 2023 increased by 35% over 2022, indicating a surge in cyber threats across multiple sectors. [1]

Intrusion prevention tools help network security teams autonomously detect and prevent potential threats including malicious activity or policy violations.

This article covers intrusion prevention systems, their working principle, types, and techniques to enable organizations to stay informed and proactive while protecting their networks.

What is an intrusion prevention system (IPS)?

An intrusion prevention system (IPS) detects potential threats (e.g. unauthorized third parties) and risks in network traffic. It responds by alerting the network security team, terminating insecure connections, deactivating dangerous device connections, or activating additional security devices.

IPS technologies originated from intrusion detection systems (IDSs), which detect and report threats. An IPS performs the same threat detection tasks as an IDS but also includes automated threat prevention capabilities, which is why such systems are often known as "intrusion detection and prevention systems" (IDPS).

How does an intrusion prevention system (IPS) work?

An intrusion prevention system works by inspecting network traffic to distinguish malicious activity from known attack patterns. The IPS engine inspects traffic and continuously compares it with its internal signature database to detect actual attack attempts. If a packet is determined to be malicious, the IPS can drop it and then block all further traffic from the attacker's IP address. Legitimate traffic continues to flow without any visible change in service.

When intrusion activity is detected, the IPS can handle it automatically according to the configured defense action, which may include raising an alarm, dropping the packets, blocking traffic from the originating address, or resetting the connection.

As illustrated in the graphic below, the IPS detects intrusion patterns using signature-based and security policy-based technologies.

Figure 1: Working process of IPS

Source: Huawei [2]

  1. Security policy matching: The IPS process begins when traffic matches a security policy that corresponds to the permit action.
  2. Packet reassembly: The device reassembles IP fragments and transmission control protocol (TCP) flows so that application-layer data is complete before inspection. In this way, the device can detect threats that would otherwise evade IPS detection in the following steps.
  3. Application-layer protocol identification and parsing: Using the packet data, the device determines the application-layer protocol and conducts in-depth parsing to extract packet attributes. Compared to the traditional method of identifying protocols, which relies solely on IP addresses, application protocol identification significantly enhances the detection rate of attacks at the application layer. In addition, during this phase, the device can detect protocol abnormalities and remove data packets that do not follow the protocol requirements.
  4. Signature matching: The device compares the parsed packet features to the signatures in the IPS signature database. Signatures describe the traits of intrusive activities. If a match is identified, the device responds accordingly.
  5. Response: When a packet matches a signature, the IPS profile decides whether to respond and how to handle it (alert or block). An IPS profile consists of two components: a signature filter and an exception signature.
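The five stages above, written out as an added illustration that is not part of the article or of any vendor's product. The traffic, signature patterns and profile are constructed for this example; `Segment`, `Profile` and `inspect_flow` are names chosen here, not from a real IPS.

```python
# Added illustration of the five IPS stages above; traffic, signatures and profile are constructed.
import re
from dataclasses import dataclass, field

@dataclass
class Segment:
    dport: int; seq: int; payload: bytes

# Stage 2: reassemble out-of-order TCP segments so a signature split across segments cannot evade.
def reassemble(segments):
    return b"".join(s.payload for s in sorted(segments, key=lambda s: s.seq))

# Stage 3: identify the application protocol from the data itself, not from the port.
def identify_protocol(stream):
    head = stream.split(b"\r\n", 1)[0]
    return "http" if re.match(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]$", head) else "unknown"

def parse_http(stream):
    request_line, _, rest = stream.partition(b"\r\n")
    method, target, _ = request_line.split(b" ", 2)
    headers, _, body = rest.partition(b"\r\n\r\n")
    return {"method": method, "target": target, "headers": headers, "body": body}

# Stage 4: signature database, each entry (id, protocol, parsed field, pattern).
SIGNATURES = [
    (1001, "http", "target", rb"(\.\./){2,}"),              # path traversal
    (1002, "http", "target", rb"('|%27)\s*(or|OR)\s+1=1"),   # SQL injection probe
    (1003, "http", "headers", rb"User-Agent:\s*sqlmap"),     # known scanner
]
def match_signatures(proto, fields):
    return [sid for sid, p, f, rx in SIGNATURES if p == proto and re.search(rx, fields[f])]

# Stage 5: an IPS profile = signature filter (which ids act, and how) + exception signatures.
@dataclass
class Profile:
    filter_action: dict                              # id -> "alert" | "block"
    exceptions: dict = field(default_factory=dict)   # id -> action overriding the filter

    def decide(self, matched):
        actions = [self.exceptions.get(s, self.filter_action.get(s, "alert")) for s in matched]
        return "block" if "block" in actions else ("alert" if actions else "permit")

def inspect_flow(segments, profile, permitted=lambda s: s.dport in (80, 8080)):
    if not permitted(segments[0]):      # Stage 1: only policy-permitted traffic enters the IPS
        return "policy-deny", []
    stream = reassemble(segments)
    if identify_protocol(stream) != "http":
        return "permit", []             # this example only carries an HTTP parser
    matched = match_signatures("http", parse_http(stream))
    return profile.decide(matched), matched
```

Feeding the two segments of one request in the wrong order shows why reassembly precedes matching: the traversal pattern only exists in the reassembled stream.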

Why is intrusion prevention important?

During 2022, the global number of malware infections reached 5.5 billion, a 2% rise over the previous year. [3] Intrusions are increasingly centered on multifaceted penetration, which creates risks for organizations.

An intrusion prevention system is important because it serves as a configurable defense technology for infrastructure security with the capacity to stop multifaceted attacks. Intrusion prevention systems can also run automated processes that do not require IT staff involvement, resulting in lower costs and greater operational flexibility.

Organizations that leverage an IPS can prevent the following infiltration actions:

  • Injection attacks conducted to gain database modification rights on the server.
  • Exploitation of system software vulnerabilities.
  • Large-scale DDoS attacks.
  • Malicious code on external websites that company employees routinely access.
  • Phishing emails sent to employees to deceive them into clicking on fake website links.


Intrusion prevention system methods

IPS can protect against intrusion actions, which are often detected using the following methods:

1. Signature-based detection — Compares network traffic to signatures of known threats. A signature describes the features of intrusion activity. If the data transmitted matches the signature, it is considered suspicious traffic for the intrusion activity. However, this technology can only detect intrusions with existing signatures, not new ones.

2. Anomaly-based detection —  Takes random samples of network activity and compares them with a baseline of normal behavior to determine whether they constitute intrusion activity.

Because anomaly-based intrusion prevention systems respond to any unusual activity, they can frequently prevent new intrusions that would otherwise evade signature-based detection. They may even identify zero-day attacks, which are assaults that exploit vulnerabilities in software before the developer is aware of them or has had time to resolve them.

However, anomaly-based IPSs are more likely to produce false positives. Even benign activity, such as an authorized user accessing a sensitive server for the first time, can trigger an anomaly-based intrusion prevention system. As a result, authorized users may be locked out of the system.

3. Policy-based detection — Relies on security policies established by the security team. When a policy-based IPS identifies an action that breaches a security policy, it blocks that action.

For example, a SOC may establish access control policies that specify which people and devices have access to a host. If a hacker attempts to connect to the host, a policy-based IPS blocks them.
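An added example, not from the article, that puts the anomaly-based and policy-based methods side by side on constructed flow records. It also reproduces the false-positive case mentioned above: an authorized user reaching a server for the first time is flagged by the anomaly check even though no policy is broken. `BASELINE_FLOWS`, `HOST_ACL` and the function names are assumptions made for this example.

```python
# Added example (not from the article): anomaly-based and policy-based checks over
# constructed flow records, including the first-time-access false positive noted above.
from collections import defaultdict

# Constructed learning-window flows: (user, source host, destination host, bytes sent).
BASELINE_FLOWS = [
    ("alice", "ws-01", "fileserver", 2_000), ("alice", "ws-01", "fileserver", 3_500),
    ("alice", "ws-01", "mail", 500), ("bob", "ws-02", "mail", 800),
    ("bob", "ws-02", "fileserver", 1_200), ("bob", "ws-02", "fileserver", 900),
]

def build_baseline(flows):
    """Learn, per user, the destinations seen and the peak bytes sent in one flow."""
    seen, peak = defaultdict(set), defaultdict(int)
    for user, _src, dst, nbytes in flows:
        seen[user].add(dst)
        peak[user] = max(peak[user], nbytes)
    return seen, peak

def anomaly_check(flow, baseline, volume_factor=10):
    """Anomaly-based: flag a destination never seen for this user, or a volume far above the peak."""
    seen, peak = baseline
    user, _src, dst, nbytes = flow
    reasons = []
    if dst not in seen[user]:
        reasons.append("new-destination")
    if nbytes > volume_factor * peak[user]:
        reasons.append("volume-spike")
    return reasons

# Policy-based: an explicit access-control policy written by the security team (constructed).
HOST_ACL = {"db-prod": {"users": {"dba"}, "hosts": {"jump-01"}}}

def policy_check(flow, acl=HOST_ACL):
    """Permit unless the destination has a rule that the user/source pair fails."""
    user, src, dst, _ = flow
    rule = acl.get(dst)
    if rule is None:
        return "permit"
    return "permit" if user in rule["users"] and src in rule["hosts"] else "block"

def evaluate(flow, baseline):
    """Policy violations are blocked outright; anomalies only alert, since they may be benign."""
    if policy_check(flow) == "block":
        return "block", ["policy-violation"]
    reasons = anomaly_check(flow, baseline)
    return ("alert", reasons) if reasons else ("permit", [])
```

Note that the legitimate `dba` connection is flagged on both anomaly counts simply because no baseline exists for that user yet, which is exactly why the example only alerts on anomalies rather than blocking.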

4 Intrusion prevention system (IPS) threat prevention practices

When an IPS identifies a threat, it records the incident, sends it to the security operations center (SOC), and automatically responds to the threat using approaches such as:

  1. Preventing risky traffic: An IPS can terminate a user's session, block a specific IP address, or even prevent all connections from reaching a target. Some IPSs can reroute traffic to fool attackers into thinking they have succeeded when, in reality, the SOC is monitoring them.


  2. Filtering risky content: An IPS may allow communication to continue while filtering out risky content, such as discarding malicious data from a stream or removing malicious files from a message.
  3. Activating other security systems: An intrusion prevention system (IPS) may trigger other security appliances to act, such as adjusting firewall rules to stop a threat or modifying router configurations to stop attackers from reaching their objectives.


  4. Maintaining cybersecurity policies: Some intrusion prevention systems (IPS) can stop attackers and unauthorized individuals from violating enterprise security policies. For example, if a user attempts to share sensitive information from a database where this is not permitted, the IPS will deny it.

4 Types of intrusion prevention systems (IPS)

IPS solutions might be software installed on devices, dedicated hardware appliances connected to a network, or cloud-based services. Because IPSs need to detect malicious behavior in real time, they are always placed "inline" on the network, which means that traffic travels through the IPS before reaching its intended destination.

IPSs are classified according to where they are in the network and the type of activities they analyze. Several companies utilize a variety of IPSs in their networks. Some of them are listed below.

  1. Network-based intrusion prevention systems (NIPS)

A network-based intrusion prevention system (NIPS) analyzes inbound and outbound traffic to networked devices, evaluating specific packets to detect suspicious activities. NIPS monitors are positioned strategically throughout the network. They frequently reside behind firewalls at the network perimeter to prevent malicious traffic from passing through. NIPSs can also be deployed within a system to track traffic to and from vital assets such as data centers. 

  2. Wireless Intrusion Prevention Systems (WIPS)

A wireless intrusion prevention system (WIPS) analyzes wireless network protocols to detect suspicious activities, such as unauthorized devices connecting to the company's wireless network. If a WIPS identifies an unknown device on a wireless network, it may terminate the connection. A WIPS may additionally identify malfunctioning or insecure devices on a Wi-Fi network and prevent insider attacks, in which an attacker secretly monitors user conversations.

  3. Network Behavior Analysis (NBA)

Network Behavior Analysis (NBA) technologies track network traffic flows. NBAs, like other IPSs, may inspect packets; however, several NBAs are more concerned with the higher-level aspects of communication sessions, such as origin and destination IP addresses, routes used, and packet counts.

NBAs employ anomaly-based detection methods that alert on and deny any transactions that depart from typical patterns, such as a DDoS attack or a malware-infected device communicating with an unknown control server.

  4. Host-based intrusion prevention systems (HIPS)

A host-based intrusion prevention system (HIPS) is configured on a single endpoint, such as a laptop or server, and it exclusively analyzes traffic traveling from that device. HIPS are commonly used in conjunction with NIPS to provide additional security to critical assets. HIPS can also prevent malicious processes on a vulnerable network node, such as ransomware transmitting from an infected machine. 

Table: Comparison of various kinds of IPS technologies

  • Network-based (NIPS)
    Types of malicious activity detected: network, transport, and application TCP/IP layer activity
    Scope: multiple network subnets and groups of hosts
    Strengths: analyzing a wide range of application protocols
  • Wireless (WIPS)
    Types of malicious activity detected: wireless protocol activity, WLAN
    Scope: multiple WLANs and groups of wireless clients
    Strengths: the only IDPS type that can monitor wireless protocol activity
  • Network Behavior Analysis (NBA)
    Types of malicious activity detected: network, transport, and application TCP/IP layer activity
    Scope: multiple network subnets and groups of hosts
    Strengths: identifying reconnaissance scanning and DoS attacks, and reconstructing major malware infections
  • Host-based (HIPS)
    Types of malicious activity detected: host application and operating system (OS) activity; network, transport, and application TCP/IP layer activity
    Scope: individual host
    Strengths: analyzing activity carried in end-to-end encrypted communications

Source: GeeksforGeeks [4]

The difference between IPS and IDS

The IDS device does not respond to intrusion behaviors. Rather, it is a risk-management-oriented security mechanism. 

IPS and IDS differ primarily in the following ways:

Deployment mode: 

  • IDS is typically deployed in off-path (out-of-band) mode, in which it does not forward data flows. All traffic must be mirrored to the IDS port.
  • IPS is usually installed in in-path (inline) mode on the network. Data flows must pass through the IPS before they are forwarded.

Function: 

  • IDS is a detecting device. It cannot prevent attacks and can only trigger alerts. To protect against incidents, the IDS must interact with the firewall. The firewall’s security protocols block threats. 
  • IPS can identify and process incidents without relying on other network devices.

Response speed:

  • IDS detects incidents by analyzing data flows. During the detection, network devices route data flows and the IDS performs a post-event analysis via alarm notification or firewall interaction, which causes slower response times compared to IPS.
  • An IPS, on the other hand, is intended to take action and stop whatever it considers to be a threat to the protected system, enabling faster responses. 

Further reading

AIMultiple can assist your organization in finding the right vendor for intrusion detection and prevention software and cybersecurity needs. Feel free to reach out to us:



Throughout his career, Cem served as a tech consultant, tech buyer and tech entrepreneur. He advised enterprises on their technology decisions at McKinsey & Company and Altman Solon for more than a decade. He also published a McKinsey report on digitalization.

He led technology strategy and procurement of a telco while reporting to the CEO. He has also led commercial growth of deep tech company Hypatos that reached a 7 digit annual recurring revenue and a 9 digit valuation from 0 within 2 years. Cem's work in Hypatos was covered by leading technology publications like TechCrunch and Business Insider.

Cem regularly speaks at international technology conferences. He graduated from Bogazici University as a computer engineer and holds an MBA from Columbia Business School.
