
Page 306

Intrusion Detection Systems and Intrusion Prevention Systems

An Intrusion Detection System (IDS) is a detective device designed to detect malicious (including policy-violating) actions. An Intrusion Prevention System (IPS) is a preventive device designed to prevent malicious actions. There are two basic types of IDSs and IPSs: network-based and host-based.

Note: Most of the following examples reference IDSs, for simplicity. The examples also apply to IPSs; the difference is the attacks are detected by an IDS and prevented by an IPS.

IDS and IPS Event Types

There are four types of IDS events: true positive, true negative, false positive, and false negative. We will use two streams of traffic to illustrate these events: an attempted exploit of 2021’s infamous Log4Shell [7] vulnerability in Apache’s widely used Log4j2 logging platform, and a user surfing the Web. In each case the sensor watching the traffic is a network-based IDS (NIDS).

  • True Positive: Attempted exploitation of Log4Shell on a trusted network, and NIDS alerts
  • True Negative: User surfs the Web to an allowed site, and NIDS is silent
  • False Positive: User surfs the Web to an allowed site, and NIDS alerts
  • False Negative: Attempted exploitation of Log4Shell on a trusted network, and NIDS is silent

The goal is to have only true positives and true negatives, but most IDSs produce false positives and false negatives as well. False positives waste time and resources, as monitoring staff spend time investigating non-malicious events. A false negative is arguably the worst-case scenario: malicious network traffic is neither prevented nor detected.
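The four event types are simply the four combinations of ground truth (was the traffic actually malicious?) and sensor verdict (did the NIDS alert?). The following Python is an added example, not code from the book; it classifies a constructed set of events mirroring the Log4Shell and web-surfing scenarios above into the four outcomes and derives the rates a monitoring team would track from them (detection rate, false positive rate, alert precision). The event descriptions and the `malicious` / `nids_alerted` flags are constructed sample data, not captured traffic.

```python
"""Classify NIDS outcomes into the four event types and derive simple rates.

Constructed example: the events below are made up to mirror the page's
Log4Shell / web-surfing scenarios; they are not captured traffic.
"""
from dataclasses import dataclass
from collections import Counter


@dataclass(frozen=True)
class TrafficEvent:
    description: str
    malicious: bool      # ground truth: was this really an attack or policy violation?
    nids_alerted: bool   # what the network IDS actually did


OUTCOMES = ("true_positive", "true_negative", "false_positive", "false_negative")


def classify(event: TrafficEvent) -> str:
    """Map one (ground truth, sensor verdict) pair onto one of the four outcomes."""
    if event.malicious and event.nids_alerted:
        return "true_positive"      # attack happened, sensor fired
    if not event.malicious and not event.nids_alerted:
        return "true_negative"      # benign traffic, sensor stayed quiet
    if not event.malicious and event.nids_alerted:
        return "false_positive"     # benign traffic, sensor fired anyway
    return "false_negative"         # attack happened, sensor missed it


# Constructed sample: one event per scenario from the page plus two extra benign/malicious events
SAMPLE_EVENTS = [
    TrafficEvent("Log4Shell exploitation attempt against an internal host", malicious=True, nids_alerted=True),
    TrafficEvent("User browses an allowed news site", malicious=False, nids_alerted=False),
    TrafficEvent("User browses an allowed news site", malicious=False, nids_alerted=True),
    TrafficEvent("Log4Shell exploitation attempt against an internal host", malicious=True, nids_alerted=False),
    TrafficEvent("User downloads a file from an approved vendor portal", malicious=False, nids_alerted=False),
    TrafficEvent("Log4Shell exploitation attempt against a web server", malicious=True, nids_alerted=True),
]


def tally(events) -> dict:
    """Count how many events fall into each of the four outcomes (always all four keys)."""
    counts = Counter(classify(e) for e in events)
    return {name: counts.get(name, 0) for name in OUTCOMES}


def _ratio(num: int, den: int) -> float:
    # No events of that kind: the rate is undefined, reported here as 0.0 rather than raising
    return num / den if den else 0.0


def detection_rates(counts: dict) -> dict:
    """Derive the rates an operations team tracks from the four counts."""
    tp, tn = counts["true_positive"], counts["true_negative"]
    fp, fn = counts["false_positive"], counts["false_negative"]
    return {
        "detection_rate": _ratio(tp, tp + fn),       # share of real attacks that raised an alert
        "false_positive_rate": _ratio(fp, fp + tn),  # share of benign traffic that raised an alert
        "alert_precision": _ratio(tp, tp + fp),      # share of alerts that were worth an analyst's time
    }


def triage_report(events) -> list:
    """Per-event view: which outcome each event is, for reviewing what the sensor missed or over-fired on."""
    return [(classify(e), e.description) for e in events]


if __name__ == "__main__":
    counts = tally(SAMPLE_EVENTS)
    for name in OUTCOMES:
        print(f"{name:15s} {counts[name]}")
    for name, value in detection_rates(counts).items():
        print(f"{name:20s} {value:.2f}")
```

On the sample set this yields two true positives, two true negatives, one false positive and one false negative; the false negative is the entry to chase first, since it is a real Log4Shell attempt the sensor let through, while the false positive is the entry that cost an analyst's time for nothing.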