An Intrusion Prevention System (IPS) is a technology that can automatically detect and control security attacks, both known and unknown. The focus of this system is threat prevention, whereas the related Intrusion Detection System (IDS) technology focuses on detecting threats.
Let's take a look at how an IPS prevents intrusions and the most common ways an IPS can work.
How IPS works
Intrusion prevention systems may use advanced AI algorithms that run on large volumes of data collected at different nodes of the network and technology layers. These algorithms may rely on additional support strategies — standalone Intrusion Detection Systems (IDS), simple firewalls and anti-virus systems — that provide additional security controls.
An IPS algorithm itself operates only at the application layer and interacts with the network layer controls to deliver an active defense capability to your network.
One of the leading challenges in the domain of cybersecurity pertains to unknown attacks referred to as zero-day exploits or 0-day exploits. These cyberattacks target new vulnerabilities that have not been discovered by the vendor.
Because the vulnerability is not yet discovered, a security patch does not exist. Users will continue operating the vulnerable system until the vendor issues and deploys the security patch.
Types of Intrusion Prevention Systems
The following types of IPS systems may be used to address unknown timeline-based cyberattacks:
Behavior-based IPS
This class of behavior-based Intrusion Prevention Systems analyzes the behavior of technology systems and the nature of traffic requests in order to uncover such timeline-based attacks.
The IPS is not equipped with controls against specific network requests; instead, it identifies the class of activities that is known to resemble a cyberattack. The IPS solution is trained with some form of supervised learning, in which ground-truth labels may be available for some class of metrics that corresponds to a network intrusion.
Signature-based IPS
Here, to determine a security infringement, algorithms evaluate the text and binary string patterns in network requests. The IPS may use a pattern-matching language such as regular expressions (regex) to compare network communications with signatures, or identifiers, of a possible intrusion.
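As an added illustration (not code from the original article or from Splunk), the following Python sketch shows the signature-matching approach described above: a small set of constructed regex signatures is run over normalized request text, and the most severe match decides the action. The signatures, the normalize and inspect helpers, and the sample requests are all constructed for this example.

```python
from __future__ import annotations
import re
from urllib.parse import unquote

# Constructed example signatures (not taken from any real IPS ruleset).
# Each entry: (signature name, compiled regex, action on match).
SIGNATURES = [
    ("path-traversal", re.compile(r"(?:\.\./){2,}"), "block"),
    ("sqli-tautology", re.compile(r"(?i)'\s*or\s+'\d+'\s*=\s*'\d+"), "block"),
    ("scanner-user-agent", re.compile(r"(?i)user-agent:\s*(?:nikto|sqlmap)"), "alert"),
]
SEVERITY = {"allow": 0, "alert": 1, "block": 2}

def normalize(request: str) -> str:
    """Percent-decode twice (catches double encoding) and collapse whitespace,
    so the signatures inspect the same text the application would act on."""
    decoded = unquote(unquote(request))
    return " ".join(decoded.split())

def inspect(request: str) -> tuple[str, str | None]:
    """Run every signature over the normalized request and return
    (action, matching signature name); the most severe match wins."""
    text = normalize(request)
    action, hit = "allow", None
    for name, pattern, sig_action in SIGNATURES:
        if pattern.search(text) and SEVERITY[sig_action] > SEVERITY[action]:
            action, hit = sig_action, name
    return action, hit

# Constructed sample request lines (headers folded onto one line for brevity).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1 User-Agent: Mozilla/5.0",
    "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1",
    "POST /login user=admin'%20OR%20'1'='1 HTTP/1.1",
    "GET / HTTP/1.1 User-Agent: Nikto/2.1.6",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        action, hit = inspect(req)
        print(f"{action:5s} {hit or '-':20s} {req}")
```

Without the normalize step the percent-encoded requests would slip past every signature, which is why real signature engines decode and canonicalize traffic before matching.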
The IPS may also use an obfuscation technique, which hides the inner workings of a network from cybercriminals who may be able to access system firmware with a zero-day exploit. This may be achieved with simple operations such as changing variable names and syntax while preserving the system workflows and network algorithms.
While the IPS does not prevent the timeline-based attack itself, obfuscation may render the exploit ineffective.
Anomaly-based IPS
These technologies are highly data-driven. The IPS algorithms model the behavior of the network system and watch for activities that deviate from the expected system behavior.
The challenge for such a mechanism is to ensure that the AI models are adequately trained to generalize true system behavior as the user base grows or new third-party services are integrated. The IPS algorithm adapts its model of network behavior to accurately reflect these changes. This is important both to reduce false positives, which compromise system performance by triggering unnecessary security controls, and to reduce false negatives, which inadvertently overlook anomalous system behavior.
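An added example, not from the original article or from Splunk, of how such a data-driven model can learn a baseline, adapt to organic growth and still flag deviations: a Welford running mean/variance of a per-host request rate with z-score alerting. The AdaptiveBaseline class, the flag_anomalies function and the traffic series are constructed for this illustration.

```python
from __future__ import annotations
import math

class AdaptiveBaseline:
    """Welford running mean/variance of one metric (e.g. requests per minute
    from a host) with z-score alerting. Samples judged anomalous are not folded
    into the baseline, so a burst of attack traffic cannot teach the model that
    the burst is normal; everything else is absorbed, so slow legitimate growth
    shifts the baseline instead of raising alerts."""

    def __init__(self, threshold: float = 4.0, warmup: int = 10, min_stdev: float = 1.0):
        self.n, self.mean, self.m2 = 0, 0.0, 0.0
        self.threshold, self.warmup, self.min_stdev = threshold, warmup, min_stdev

    def stdev(self) -> float:
        sd = math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0
        return max(sd, self.min_stdev)   # floor avoids dividing by ~0 on flat data

    def zscore(self, x: float) -> float:
        return abs(x - self.mean) / self.stdev()

    def observe(self, x: float) -> bool:
        """Return True if x deviates from the learned baseline, else absorb it."""
        if self.n >= self.warmup and self.zscore(x) > self.threshold:
            return True
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)
        return False

def flag_anomalies(series: list[float], threshold: float = 4.0, warmup: int = 10) -> list[int]:
    """Indices of samples the baseline flags; all other samples update the model."""
    model = AdaptiveBaseline(threshold, warmup)
    return [i for i, x in enumerate(series) if model.observe(x)]

# Constructed request-rate series (requests/minute): ten warm-up samples of
# normal traffic, one flood, then steady organic growth as the user base grows.
NORMAL = [98, 102, 100, 97, 103, 101, 99, 104, 96, 100]
FLOOD = [900]
GROWTH = list(range(104, 121, 2))   # 104, 106, ..., 120

if __name__ == "__main__":
    series = NORMAL + FLOOD + GROWTH
    print("flagged indices:", flag_anomalies(series))                            # [10]
    print("too-tight threshold:", flag_anomalies(NORMAL + [110], threshold=1.0))  # [10]
```

The threshold is the false-positive/false-negative dial the paragraph describes: at 1.0 a modest rise to 110 req/min is flagged as an attack, while at 4.0 the same growth is absorbed and only the flood is reported.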
Platform-based IPS
A platform-based intrusion prevention system interacts with the Intrusion Detection System and identifies the incident location. These locations may be on either:
- The host side: Host-based IPS (HIPS)
- The network side: Network-based IPS (NIPS)
The NIPS solution analyzes network traffic to identify the impacted network segment. It may be installed at the edge of the network firewall, and it evaluates:
- Packet header information
- Communication protocols
- Data flow
- Network statistics
It is aimed at protecting devices inside the network and typically relies on anomaly-detection or rule-matching mechanisms.
The HIPS solution is installed on the hosts and analyzes the system calls, I/O operations and access requests. It is designed to protect the hardware operating the corresponding application layer where the IPS is deployed. Common techniques used for HIPS include:
- Signature-based detection
- Anomaly-based detection
- Behavior-based detection
Both NIPS and HIPS solutions address timeline-based as well as platform-based attack categories, but their security controls and monitoring are limited to the network segment and the host, respectively.
Wireless IPS (WIPS)
These technologies monitor the radio spectrum for unauthorized intrusions and trigger automated control actions to prevent the intrusion.
A WIPS typically operates in Local Area Network (LAN) segments as an overlay to existing policy- and rule-based intrusion detection systems. It consists of sensor devices and an application-layer solution that runs the IPS algorithms against the sensors' measurements of wireless packet transfers.
Policy-based access controls in modern IPSs
An important value proposition of intelligent IPS systems is the ability to enforce evolving policy-based security controls. Unlike traditional firewall and antivirus systems, which enforce security controls against well-defined thresholds, modern IPS systems offer the flexibility to enforce consistent policies across geographically disparate servers and data centers, applications and remote users.
The main idea is to automate threat intelligence, which requires the ability of AI models to learn from data and determine the possibility of an unknown or zero-day exploit taking place.
This posting does not necessarily represent Splunk's position, strategies or opinion.