Question

How do intrusion detection systems differ from intrusion prevention systems? Give an example from either a network or a host point of view

Answer 1

Intrusion detection systems and intrusion prevention systems are two tools used to detect and deal with cyber-attacks.

Intrusion detection system (IDS) analyzes network traffic for patterns of possible malicious acts and violations of security protocols. It contains of database of known dangerous network patterns and compares the inbound traffic with the database.

Intrusion prevention system (IPS) analyzes network traffic to detect as well as respond to the possible dangerous network traffic. When the system detects an anomaly, it follows up with an automated response such as blocking of the traffic source address, dropping of the malicious packets and sending alerts to the user.

So, the main difference between IDS and IPS is that IDS only monitors the network traffic and alerts of potential threats whereas the IPS has the ability to automatically respond to the detcted threats as well and prevent damage to the system.

From network point of view, it can be understood by the following example. If a potentially harmful network packet  is sent to the host, the IDS will run through its database and check if incoming traffic is malicious and if detected, it will alert the user and won't take any further action. Whereas, in IPS, when a network packet arrives, IPS looks through its list of rules to check for some reason to block the packet. If no reason is found, then the packet is allowed to pass through whereas if a reason is detected, the network packet is not sent further and blocked.