An intrusion detection system (IDS) detects unwanted manipulations of computer systems. The manipulations may be, for example, attacks over the Internet by malicious hackers, or by script kiddies using automated tools.
The IDS detects malicious network traffic and computer usage that typically cannot be detected by a conventional firewall. More specifically, a firewall restricts traffic between networks according to rules on addresses, ports and protocols in order to stop intrusions from happening, but it does not examine the content of the traffic it permits; whereas the IDS evaluates traffic and activity, including activity that originates from within the protected network, and signals an alarm when it identifies a suspected intrusion, even one that has already taken place. For example, the IDS can detect network attacks against vulnerable services, data-driven attacks on applications, host-based attacks such as unauthorized logins and access to sensitive files, as well as viruses, trojan horses, and worms.
To detect such attacks, the IDS is composed of several components, including sensors that generate security events. In a network-based IDS, the sensors are located at choke points in the network to be monitored, or at the network border. A sensor captures the network traffic passing its monitoring point and analyzes the content of individual packets for malicious traffic. In older systems, the IDS was a purely passive system: the sensor detects a potential security breach, logs the information and signals an alert on a console, but takes no action on the traffic itself. That is, the sensors only observed traffic as it passed by them, typically from a copy of the traffic supplied by a network tap or a switch mirror port.
In a reactive system, also known as an intrusion prevention system (IPS), the IPS responds to the suspicious activity by resetting the connection, by blocking the traffic in-line, or by reprogramming the firewall to block network traffic from the suspected malicious source. This can happen automatically or at the command of an operator. Thus, in an IPS, once suspicious activity is detected, the connection may be terminated.
More specifically, the IPS is a computer security device that exercises access control to protect computers from exploitation. The IPS resolves the ambiguities of passive network monitoring by placing the detection system in-line, so that every packet must pass through it before reaching its destination. The IPS makes access control decisions based on application content, rather than on IP addresses or ports as a traditional firewall does. The IPS may also serve secondarily at the host level to deny potentially malicious activity. Thus, in contrast to the IDS, the IPS is designed to sit in-line with traffic flows and prevent attacks in real time. However, precisely because it is in-line, the IPS has the potential to cause network outages: a false positive blocks legitimate traffic, and a failure of the device itself may interrupt all traffic passing through it.
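The following is an added example, not code from the original document: a toy content-inspection sensor that illustrates the distinction drawn above between a passive IDS (a signature match produces an alert, while the traffic, of which the sensor only sees a copy, is never on the forwarding path) and an inline IPS (the same match becomes a block verdict and the offending source is blocklisted, as a reprogrammed firewall would do). The signatures, packets, addresses and the names Sensor, Verdict and process are all constructed for illustration; real rule sets are far larger and more specific.

```python
# Added example, not code from the original document: a toy content-inspection
# sensor showing the difference between a passive IDS (alert only) and an
# inline IPS (block, plus a source blocklist standing in for a reprogrammed
# firewall). Signatures, packets and addresses are constructed for illustration.
import re
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set, Tuple


class Verdict(Enum):
    FORWARD = "forward"   # nothing matched; traffic passes untouched
    ALERT = "alert"       # passive sensor: log and alarm; the packet has already passed
    BLOCK = "block"       # inline sensor: drop the packet and blocklist the source


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Signature:
    sid: int
    name: str
    dport: Optional[int]        # restrict to a service port, or None for any port
    pattern: re.Pattern         # content pattern applied to the raw payload


# Hypothetical signatures for a web service on port 80.
SIGNATURES = [
    Signature(1001, "directory traversal in HTTP request", 80, re.compile(rb"\.\./")),
    Signature(1002, "Windows command shell referenced in HTTP request", 80,
              re.compile(rb"(?i)cmd\.exe")),
]


@dataclass
class Sensor:
    inline: bool                                   # False = passive IDS, True = inline IPS
    alerts: List[Tuple[int, str, str]] = field(default_factory=list)
    blocked_sources: Set[str] = field(default_factory=set)

    def inspect(self, pkt: Packet) -> Verdict:
        # Once the IPS has "reprogrammed the firewall", the source stays blocked.
        if pkt.src in self.blocked_sources:
            return Verdict.BLOCK
        for sig in SIGNATURES:
            if sig.dport is not None and sig.dport != pkt.dport:
                continue
            if sig.pattern.search(pkt.payload):
                self.alerts.append((sig.sid, pkt.src, pkt.dst))
                if self.inline:
                    self.blocked_sources.add(pkt.src)
                    return Verdict.BLOCK
                return Verdict.ALERT
        return Verdict.FORWARD


def process(sensor: Sensor, packets: List[Packet]) -> List[Verdict]:
    """Run every packet through the sensor and collect one verdict per packet."""
    return [sensor.inspect(p) for p in packets]


# Constructed sample traffic (documentation address ranges, no real hosts).
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "192.0.2.10", 80,
           b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # Attack: path traversal against the web server.
    Packet("198.51.100.7", "192.0.2.10", 80,
           b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # A later, harmless request from the same attacking address.
    Packet("198.51.100.7", "192.0.2.10", 80,
           b"GET /about.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # Legitimate request that happens to match signature 1002 (a false positive).
    Packet("10.0.0.8", "192.0.2.10", 80,
           b"GET /kb/why-is-cmd.exe-slow HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]


if __name__ == "__main__":
    for mode in (False, True):
        sensor = Sensor(inline=mode)
        verdicts = process(sensor, SAMPLE_PACKETS)
        print("IPS" if mode else "IDS", [v.value for v in verdicts])
```

Run in passive mode, the sensor raises two alerts (signatures 1001 and 1002) and every packet reaches the server, including the attack. Run in inline mode, the traversal attempt is dropped and the attacker's later request is dropped with it; but the fourth packet, a legitimate request tripping signature 1002, is dropped as well and its source is blocklisted, which is exactly the outage risk of in-line placement described above. Whether a failed or overloaded inline device passes traffic (fail open) or drops it (fail closed) is the other half of that trade-off and is a deployment decision, not something a rule set can fix.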
Accordingly, there exists a need in the art to overcome the deficiencies and limitations described hereinabove.