Difference Between IDS and IPS


IDS (Intrusion Detection System) are systems that detect activities that are inappropriate, incorrect or anomalous in a network and report them. Furthermore, IDS can be used to detect whether a network or a server is experiencing an unauthorized intrusion. IPS (Intrusion Prevention System) is a system that actively disconnects connections or drops packets, if they contain unauthorized data. IPS can be seen as an extension of IDS.


IDS monitor the network and detect inappropriate, incorrect or anomalous activities. There are two main types of IDS. First one is the Network intrusion detection system (NIDS). These systems examine the traffic in the network and monitor multiple hosts for identifying intrusions. Sensors are used to capture the traffic in the network and each packet is analyzed to identify malicious content. The second type is the Host-based intrusion detection system (HIDS). HIDS are deployed in host machines or a server. They analyze data that are local to the machine such as system log files, audit trails and file system changes to identify unusual behavior. HIDS compare the normal profile of the host with the observed activities to identify potential anomalies. In most places, IDS installed devices are placed in between the boarder router and the firewall or outside the boarder router. In some cases IDS installed devices are placed outside the firewall and boarder router with the intension of seeing the full breadth of attempted attacks. Performance is a key issue with IDS systems since they are used with high bandwidth network devices. Even with high performance components and updated software, IDS tend to drop packets since they cannot handle the large throughput.


IPS is a system that actively takes steps to prevent an intrusion or an attack when it identifies one. IPS are divided in to four categories. First one is the Network-based Intrusion Prevention (NIPS), which monitors the entire network for suspicious activity. The second type is the Network Behavior Analysis (NBA) systems that examine the traffic flow to detect unusual traffic flows which could be results of attack such as distributed denial of service (DDoS). The third kind is the Wireless Intrusion Prevention Systems (WIPS), which analyzes wireless networks for suspicious traffic. The fourth type is the Host-based Intrusion Prevention Systems (HIPS), where a software package is installed to monitor activities of a single host. As mentioned earlier, IPS takes active steps such as dropping packets that contain malicious data, resetting or blocking traffic coming from an offending IP address.

What is the difference between IPS and IDS?

An IDS is a system that monitors the network and detects inappropriate, incorrect or anomalous activities, while an IPS is a system that detects intrusion or an attack and takes active steps to prevent them. Main deference between the two is unlike IDS, IPS actively takes steps to prevent or block intrusions that are detected. These preventing steps include activities like dropping malicious packets and resetting or blocking traffic coming from malicious IP addresses. IPS can be seen as an extension of IDS, which has the additional capabilities to prevent intrusions while detecting them.