IDPSs typically record information related to observed events, notify security administrators of important observed events, and produce reports.  Many IDPSs can also respond to a detected threat by attempting to prevent it from succeeding.  They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g., reconfiguring a firewall), or changing the attack’s content.

This publication describes the characteristics of IDPS technologies and provides recommendations for designing, implementing, configuring, securing, monitoring, and maintaining them.  The types of IDPS technologies are differentiated primarily by the types of events that they monitor and the ways in which they are deployed.  This publication discusses the following four types of IDPS technologies:

Network-Based

Which monitors network traffic for particular network segments or devices and analyzes the network and application protocol activity to identify suspicious activity

Wireless

Which monitors wireless network traffic and analyzes it to identify suspicious activity involving the wireless networking protocols themselves

Network Behavior Analysis (NBA)

Which examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware, and policy violations (e.g., a client system providing network services to other systems)

Host-Based

Which monitors the characteristics of a single host and the events occurring within that host for suspicious activity. Implementing the following recommendations should facilitate more efficient and effective intrusion detection and prevention system use for Federal departments and agencies.

Source: “NIST SP 800-94, “Guide to Intrusion Detection and Prevention System”