This guide provides a comprehensive overview of intrusion detection and prevention system (IDPS) technology for security professionals evaluating or deploying these solutions.
What is an IDPS?
An IDPS monitors network and/or system activity for signs of malicious activity or policy violations, logs what it observes, and reports to a central management console. An intrusion detection system (IDS) only detects and alerts; an intrusion prevention system (IPS) can additionally attempt to stop a detected incident, for example by dropping the offending packets, resetting the connection, or blocking the source. IDPS technologies fall into four classes, distinguished by what they monitor: network-based (traffic on one or more network segments), wireless (802.11 traffic and the wireless protocols themselves), network behavior analysis (flow records and traffic statistics, used to spot unusual flows such as DDoS or scanning), and host-based (the events occurring within a single host).
Detection Methodologies
Signature-based detection compares observed events against a database of patterns that correspond to known attacks. It is effective and precise against known threats but cannot detect an attack for which no signature exists, and it is easily evaded by variants of a known attack (encoding changes, fragmentation, different whitespace) unless the sensor normalizes the traffic before matching. Anomaly-based detection builds a baseline of normal behavior over a training period and alerts on statistically significant deviations from it; this can catch previously unknown attacks, but it produces more false positives than signature matching, and a baseline captured while an attack is in progress will treat that attack as normal. Stateful protocol analysis compares observed protocol activity against vendor-supplied profiles of legitimate protocol use and tracks the state of each session, so it can flag a command that is valid in isolation but not in the current protocol state (for example, an authenticated-only request before authentication has occurred); it is the most resource-intensive of the three and cannot detect attacks that stay within legitimate protocol behavior. Most products combine these methodologies.
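As an added illustration (example code written for this guide, not part of any product described here), the following script runs all three methodologies over a small constructed set of HTTP request events. The signature list, the rate-anomaly threshold, and the "POST /login before /account" protocol profile are assumptions chosen for the example; the events are constructed, not captured.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample events (not captured traffic): (minute, source_ip, method, target).
EVENTS = [
    (0, "10.0.0.5", "GET", "/index.html"),
    (0, "10.0.0.6", "GET", "/about"),
    (1, "10.0.0.5", "GET", "/login"),
    (1, "10.0.0.5", "GET", "/products?id=1"),
    (1, "10.0.0.7", "GET", "/index.html"),
    (2, "10.0.0.6", "POST", "/login"),          # 10.0.0.6 authenticates
    (2, "10.0.0.5", "GET", "/products?id=2"),
    (3, "10.0.0.6", "GET", "/account"),         # allowed: logged in at minute 2
    (3, "10.0.0.7", "GET", "/account/settings"),  # never logged in
    (3, "10.0.0.7", "GET", "/products?id=1' OR '1'='1"),  # known SQLi pattern
] + [(4, "10.0.0.9", "GET", f"/page{i}") for i in range(8)] + [
    (4, "10.0.0.9", "GET", "/static/../../etc/passwd"),  # burst + traversal
    (5, "10.0.0.6", "TRACE", "/"),              # method outside the profile
]

# --- Signature-based: hypothetical patterns matched against the request target.
# A real sensor URL-decodes and normalizes before matching; this toy matches the
# raw string, so an encoded variant such as %27 would slip past it.
SIGNATURES = [
    ("sqli-tautology", re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE)),
    ("path-traversal", re.compile(r"\.\./")),
]


def signature_alerts(events):
    alerts = []
    for minute, src, _method, target in events:
        for name, pattern in SIGNATURES:
            if pattern.search(target):
                alerts.append((minute, src, name))
    return alerts


# --- Anomaly-based: baseline = requests per source per minute during the first
# BASELINE_MINUTES, alert when a later count exceeds mean + k * stdev.
BASELINE_MINUTES = 3


def anomaly_alerts(events, baseline_minutes=BASELINE_MINUTES, k=3.0):
    counts = defaultdict(int)
    for minute, src, _method, _target in events:
        counts[(minute, src)] += 1
    # Caveat: anything happening during the training window, including an
    # attack, becomes part of "normal" and raises the threshold.
    baseline = [c for (m, _), c in counts.items() if m < baseline_minutes]
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    alerts = []
    for (m, src), c in sorted(counts.items()):
        if m >= baseline_minutes and c > threshold:
            alerts.append((m, src, "request-rate-anomaly", c))
    return alerts


# --- Stateful protocol analysis: an assumed profile of legitimate use. Only the
# listed methods are acceptable, and a source must have POSTed /login before
# any request under /account. A single GET /account is a valid HTTP request;
# only the per-source state makes it suspicious.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
LOGIN_TARGET = "/login"
PROTECTED_PREFIX = "/account"


def protocol_state_alerts(events):
    authenticated = set()  # per-source session state
    alerts = []
    for minute, src, method, target in events:
        if method not in ALLOWED_METHODS:
            alerts.append((minute, src, "disallowed-method", method))
            continue
        if method == "POST" and target == LOGIN_TARGET:
            authenticated.add(src)
        elif target.startswith(PROTECTED_PREFIX) and src not in authenticated:
            alerts.append((minute, src, "request-before-login", target))
    return alerts


def run_all(events):
    return {
        "signature": signature_alerts(events),
        "anomaly": anomaly_alerts(events),
        "protocol": protocol_state_alerts(events),
    }


if __name__ == "__main__":
    for method, alerts in run_all(EVENTS).items():
        print(method)
        for alert in alerts:
            print("  ", alert)
```

Note that each methodology catches something the others miss: the SQL injection and traversal strings match signatures but are single requests that raise no rate alarm; the burst from 10.0.0.9 contains mostly innocuous targets and is only visible statistically; the pre-login /account request and the TRACE method are protocol-profile violations that neither a signature nor a rate baseline would flag.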
Selection Criteria
- Detection accuracy (both detection rate and false positive rate), measured on traffic representative of your own environment rather than only on vendor-supplied test sets
- Performance and scalability
- Ease of management and tuning
- Signature update frequency and quality
- Integration capabilities with existing security infrastructure
- Total cost of ownership