A network-based intrusion prevention system (IPS) is a program that performs packet sniffing and analyzes network traffic to identify and stop suspicious activity. Network-based IPS products are typically deployed inline, which means that the software acts like a network firewall. It receives packets, analyzes them, decides whether they should be permitted, and allows acceptable packets to pass through. The network-based IPS architecture allows some attacks to be detected on networks before they reach their intended targets. Most network-based IPS products use a combination of attack signatures and analysis of network and application protocols, which means that they compare network activity for frequently attacked applications (e.g., e-mail servers, Web servers) to expected behavior to identify potentially malicious activity.
Network-based IPS products are used to detect many types of malicious activity besides malware, and typically can detect only a few instances of malware by default, such as recent major worms. However, some IPS products are highly customizable, allowing administrators to create and deploy attack signatures for many major new malware threats in a matter of minutes. Although there are risks in doing this, such as a poorly written signature triggering false positives that block benign activity inadvertently, a custom signature can block a new malware threat hours before antivirus signatures become available. Network-based IPS products can be effective at stopping specific known threats, such as network service worms, and e-mail-borne worms and viruses with easily recognizable characteristics (e.g., subject, attachment filename). However, network-based IPS products are generally not capable of stopping malicious mobile code or Trojan horses. Network-based IPS products might be able to detect and stop some unknown threats through application protocol analysis.
DDoS attack mitigation software
A specialized form of network-based IPS, known as DDoS attack mitigation software, attempts to stop attacks by identifying unusual network traffic flows. Although these products are primarily intended to stop DDoS attacks against an organization, they can also be used to identify worm activity and other forms of malware, as well as use of attacker tools such as backdoors and e-mail generators. DDoS attack mitigation software typically works by monitoring normal network traffic patterns, including which hosts communicate with each other using which protocols, and the typical and peak volumes of activity, to establish baselines. The software then monitors network activity to identify significant deviations from the baselines. If malware causes a particularly high volume of network traffic or uses network or application protocols that are not typically seen, DDoS attack mitigation software should be able to detect and block the activity.
Another way of limiting some malware incidents is by configuring network devices to limit the maximum amount of bandwidth that can be used by particular hosts or services. Also, some types of network monitoring software can detect and report significant deviations from expected network activity, although this software typically cannot specifically label the activity as malware-related or block it.
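The baseline-and-deviation approach described above, as an added illustration that is not part of the original page: a few constructed per-host flow records build a baseline of which protocols each host uses and its peak packet volume per window, and a later window is checked against it. Hosts, protocols, counts and the 3x volume threshold are all made up for the example.

```python
from collections import defaultdict

# Constructed flow records: (source host, protocol, packets) for one-minute
# windows of "normal" traffic used to establish the baseline.
NORMAL_WINDOWS = [
    [("10.0.0.5", "tcp/443", 120), ("10.0.0.5", "udp/53", 15), ("10.0.0.7", "tcp/25", 40)],
    [("10.0.0.5", "tcp/443", 140), ("10.0.0.5", "udp/53", 12), ("10.0.0.7", "tcp/25", 55)],
    [("10.0.0.5", "tcp/443", 100), ("10.0.0.5", "udp/53", 18), ("10.0.0.7", "tcp/25", 45)],
]

# Constructed window in which one host suddenly talks a protocol it never
# used before and at a volume far above its peak (worm-like behaviour).
SUSPICIOUS_WINDOW = [
    ("10.0.0.5", "tcp/443", 130), ("10.0.0.5", "tcp/445", 5000), ("10.0.0.7", "tcp/25", 50),
]

def build_baseline(windows):
    """Per host: the set of protocols seen and the peak packets per window."""
    protocols = defaultdict(set)
    peak = defaultdict(int)
    for window in windows:
        totals = defaultdict(int)
        for host, proto, pkts in window:
            protocols[host].add(proto)
            totals[host] += pkts
        for host, total in totals.items():
            peak[host] = max(peak[host], total)
    return {"protocols": dict(protocols), "peak": dict(peak)}

def detect_deviations(baseline, window, volume_factor=3.0):
    """Return (host, reason) pairs for significant deviations from the baseline."""
    totals = defaultdict(int)
    seen = defaultdict(set)
    for host, proto, pkts in window:
        totals[host] += pkts
        seen[host].add(proto)
    findings = []
    for host in sorted(totals):
        known = baseline["protocols"].get(host)
        if known is None:
            findings.append((host, "host not in baseline"))
            continue
        for proto in sorted(seen[host] - known):
            findings.append((host, f"unexpected protocol {proto}"))
        limit = baseline["peak"][host] * volume_factor
        if totals[host] > limit:
            findings.append((host, f"volume {totals[host]} exceeds {limit:.0f}"))
    return findings

if __name__ == "__main__":
    for finding in detect_deviations(build_baseline(NORMAL_WINDOWS), SUSPICIOUS_WINDOW):
        print(*finding)
```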
Host-based intrusion prevention
Host-based IPS products are similar in principle and purpose to network-based IPSs, except that a host-based IPS product monitors the characteristics of a single host and the events occurring within that host. Examples of activity that might be monitored by host-based IPSs include network traffic, system logs, running processes, file access and modification, and system and application configuration changes. Host-based IPS products often use a combination of attack signatures and knowledge of expected or typical behavior to identify known and unknown attacks on systems. For example, host-based IPS products that monitor attempted changes to files can be effective at detecting viruses attempting to infect files and Trojan horses attempting to replace files, as well as the use of attacker tools, such as rootkits, that often are delivered by malware. If a host-based IPS product monitors the host's network traffic, it offers detection capabilities similar to a network-based IPS's.
Like antivirus software and spyware detection and removal utilities, network-based and host-based IPS products cause false positives and false negatives. IPS software typically offers tuning capabilities, which can improve accuracy; however, the effectiveness of tuning varies widely among products and environments. Because a false positive could cause benign activity to be stopped, organizations should consider the implications of this and consider configuring the IPSs to block activity only for signatures or anomalous condition definitions that are very unlikely to trigger false positives. Most IPS products allow blocking capabilities to be enabled or disabled for each signature or anomalous condition definition. Some organizations disable all blocking capabilities by default and enable them only when facing a major new threat, such as a worm.
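An added example, not from the original page, covering the signature matching described in the network-based IPS passage and the per-signature blocking discussed above: each signature carries its own block flag, a packet that matches a blocking signature is dropped while a match on an alert-only signature is passed and merely reported, and a helper re-enables blocking for a chosen set of signatures only. The signature patterns, ports and packet contents are constructed for the example.

```python
import re
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes          # regex applied to the packet payload
    dst_port: Optional[int] # None means any destination port
    block: bool             # False means alert only

# Constructed signatures. Blocking is on only for the very specific pattern;
# the broad heuristic is alert-only because it could hit benign traffic.
SIGNATURES = [
    Signature("example-smb-worm", rb"\x00\x00\x00\x85\xffSMB", 445, block=True),
    Signature("generic-long-uri", rb"GET /[^ ]{512,} HTTP", 80, block=False),
]

def inspect(packet, signatures=SIGNATURES):
    """Inline decision for one packet: ('pass' | 'block', matched signature names)."""
    matches = [s for s in signatures
               if (s.dst_port is None or s.dst_port == packet["dst_port"])
               and re.search(s.pattern, packet["payload"])]
    verdict = "block" if any(s.block for s in matches) else "pass"
    return verdict, [s.name for s in matches]

def with_blocking(signatures, enabled):
    """Copy of the signature set with blocking enabled only for the named signatures."""
    return [replace(s, block=(s.name in enabled)) for s in signatures]

if __name__ == "__main__":
    # Default policy used by some organisations: everything alerts, nothing blocks.
    alert_only = with_blocking(SIGNATURES, set())
    pkt = {"dst_port": 445, "payload": b"\x00\x00\x00\x85\xffSMBr\x00"}
    print(inspect(pkt), inspect(pkt, alert_only))
```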
For malware prevention, host-based IPS software might be able to improve an organization's ability to detect and stop unknown threats. If an organization can tune host-based IPS software to a high degree of detection accuracy, it can be helpful for stopping unknown threats that cannot be recognized by antivirus software and other technical controls. IPS software can be particularly helpful in identifying threats that use network services that are not monitored by antivirus software, such as Domain Name System (DNS).
For malware threats that generate a high volume of traffic, such as network service worms, network-based IPS products deployed along the network perimeter can significantly reduce the load that the malware places on the organization's networks. Using a combination of antivirus software and IPS software not only can improve the overall malware incident prevention rate, but also can be helpful in splitting the load of malware handling between two sets of technical controls. During a major incident, antivirus software alone can become overloaded due to the number of malware events; sharing the work among multiple types of controls can reduce slowdowns caused by malware processing.