The Difference Between IDS and IPS

The main goal of Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) is to add protection and security over your network. They monitor packets of data that enters the system and analyze these packets to know what solution can be applied according to the capacity of each tools.


What are the differences between IDS and IPS?


IDS – as stated, it is a tool to detect intrusion of packets and determine which of the packets can be threat or not. It is only to detect not to block. It is a combined tool of hardware and software security system that deals with internal and external attacks and monitors network activity in real-time.


There are two types of IDS:


Host-Based Intrusion Detection System (HIDS)
  • This is a Host-based Sensor that needs software application as agents installed on workstations. HIDS are the ones who monitored these agents. The agents monitor activities and logs files of a certain operating system where the agents are installed
  • Uses logs of activities and determines whether an attack actually occurred. They give more accurate detection of an attack.
  • If there is any untoward change of activity and starts the job right away after installation the monitoring of activities is used . They can monitor attack based on the changes of activities of the internal system
  • Sensors are installed at the host only thus it doesn’t need any additional hardware
  • The cost is lower
Network-Based Intrusion Detection System
  • They are Network-based Sensor (Ethernet or WIFI), which are places in segment points or boundaries and monitors data packets that go through and from the system
  • This system does not affect existing system and independent so it’s much easier to deploy
  • They can detect attacks that travels the network by the packets’ content at real-time
  • They use real-time monitoring so attackers can no longer hide, make changes or remove the evidence that’s why evidence of an attack is retained. These are very useful in forensic study.
  • The system can also detect at real-time and can have a quick response over an attack because they are deployed in the network
  • Even the failed attacks can also be detected


IPS – this tool can make action and does not need administrators’ decision to make actions to prevent any packet of data that the IPS tool detects as a threat. IPS are also placed to actively analyse and take actions automatically to all packets that enter the network.

They can:

  • Send an alarm
  • Drop malicious packets
  • Can block packets from the source address
  • Reset connection
  • Does not require human intervention to take an action


Two Detection Methods of IPS


Signature –Based detection (or Misuse Detection). This method uses significant identifiable patterns each kind of attacks. The signature can be Exploit-facing signature where they monitor packets by finding a match from their stored file of exploit attacks. There is also Vulnerability-facing signature where they recognize an attack as to which part of the system is vulnerable to this kind of attack.

Statistical Anomaly Detection. They use samples of network traffic at random and compares them with each other. They use bandwidth, protocols used, ports, and devices that connect each other.