Learning Objectives
- Differentiate IDS from IPS architectures
- Compare signature-based, anomaly-based, and behavior-based detection
- Recognize evasion techniques
- Understand deployment considerations
Watching vs Stopping
An Intrusion Detection System (IDS) monitors network traffic and alerts when suspicious activity is detected. It operates out-of-band — traffic passes through the network as usual, and the IDS quietly observes a copy of it. An Intrusion Prevention System (IPS) operates inline. Traffic flows through the IPS, and it can drop or block malicious packets in real time.
The difference is placement and action. An IDS generates alerts; an IPS actively stops threats.
Detection Methods
Detection methods fall into three categories. Signature-based detection matches traffic against known attack patterns (like antivirus signatures). Anomaly-based detection establishes a baseline of normal behavior and alerts on deviations. Behavior-based detection analyzes the intent of file and process actions, similar to modern endpoint protection.
Signature-based detection is extremely accurate for known attacks but cannot detect zero-day exploits. Anomaly-based detection can find novel attacks but generates more false positives. Modern deployments use all three in layers.
Match each detection method to its characteristics.
Hints
- The first three describe how attacks are identified.
- The fourth describes the deployment architecture.
- False positive rate is a key trade-off between methods.
Evasion Techniques
Attackers use several techniques to evade detection. Fragmentation splits malicious payload across multiple packets so no single packet looks suspicious. Encryption hides the payload entirely. TTL manipulation tricks the IDS into reassembling packets differently than the destination host.
Modern IPS systems handle common evasions — they reassemble fragmented flows, decrypt SSL where permitted, and maintain IP state to detect TTL mismatches.
What should the IPS administrator do to detect the attack?
Deployment Considerations
An IPS inline introduces latency and is a single point of failure — if the IPS fails, traffic stops. Bypass taps or fail-open hardware can mitigate this. An IDS introduces no latency but cannot block attacks in real time. Most enterprises deploy IPS at the perimeter (internet edge) and IDS on internal network segments for monitoring.
Proper tuning is critical. Too-sensitive signatures cause alert fatigue and false positives that desensitize the security team. Regular signature updates and baseline retraining are essential maintenance tasks.
Key Takeaways
- IDS monitors passively; IPS blocks traffic inline
- Signature detection is accurate for known attacks but misses zero-days
- Anomaly detection finds novel threats but generates more false positives
- Evasion techniques include fragmentation, encryption, and TTL manipulation
- IPS must reassemble fragmented flows to detect split attacks
- IDS is better for internal monitoring; IPS is essential at the perimeter