Guide to Intrusion Detection Prevention System

Guide to Intrusion Detection Prevention System

Guide to Intrusion Detection Prevention System

  • IDPS security guidance

Executive Summary

Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices.  Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents.  Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.  In addition, organizations use IDPSs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring ndividuals from violating security policies.  IDPSs have become a necessary addition to the security infrastructure of nearly every organization.

IDPSs typically record information related to observed events, notify security administrators of important observed events, and produce reports.  Many IDPSs can also respond to a detected threat by attempting to prevent it from succeeding.  They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g., reconfiguring a firewall), or changing the attack’s content.

This publication describes the characteristics of IDPS technologies and provides recommendations for designing, implementing, configuring, securing, monitoring, and maintaining them.  The types of IDPS technologies are differentiated primarily by the types of events that they monitor and the ways in which they are deployed.  This publication discusses the following four types of IDPS technologies:


Which monitors network traffic for particular network segments or devices and analyzes the network and application protocol activity to identify suspicious activity


Which monitors wireless network traffic and analyzes it to identify suspicious activity involving the wireless networking protocols themselves

Network Behavior Analysis (NBA)

Which examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware, and policy violations (e.g., a client system providing network services to other systems)


Which monitors the characteristics of a single host and the events occurring within that host for suspicious activity. Implementing the following recommendations should facilitate more efficient and effective intrusion detection and prevention system use for Federal departments and agencies.

Source: “NIST SP 800-94, “Guide to Intrusion Detection and Prevention System”


Leave Reply

Your email address will not be published. Required fields are marked *