ABSTRACT

An intrusion prevention system (IPS) is considered an “upgraded” version of an intrusion detection system [69]. Both monitor network traffic and/or system activities for malicious activity; however, unlike an IDS, an intrusion prevention system can actively block the intrusions it detects. Typically, an IPS does so by generating alarms, dropping malicious packets, resetting the connection, and/or blocking traffic from the offending IP addresses. A generic view of an intrusion prevention system is shown in Figure 5.1. The managing system, monitoring component, and detection component are largely the same as those in an IDS, but in place of the IDS reaction component, this system applies prevention procedures. The prevention engine applies a set of procedures based on the behavior pattern of the suspicious traffic, working closely with the managing system. The managing system is responsible for managing the traffic flow and applying the procedures provided by the prevention engine.
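The component pipeline described above (monitoring, detection component, prevention engine, managing system) as a small Python simulation. This is an added example, not code from the chapter; the sample traffic, the one-entry signature set and the alarm-to-drop-to-reset-to-block escalation order are constructed assumptions chosen to exercise the four response types the text lists.

```python
from collections import Counter

# Constructed sample traffic for the example (documentation-range addresses,
# not real captures): (src_ip, dst_port, payload).
SAMPLE_TRAFFIC = [
    ("10.0.0.5", 80, "GET /index.html"),
    ("203.0.113.7", 80, "GET /../../etc/passwd"),
    ("203.0.113.7", 80, "GET /../../etc/shadow"),
    ("10.0.0.5", 443, "ClientHello"),
    ("203.0.113.7", 80, "GET /../../boot.ini"),
    ("203.0.113.7", 80, "GET /../../win.ini"),
    ("203.0.113.7", 80, "GET /index.html"),  # benign, but its source is blocked by now
]

# Detection component: a deliberately tiny, constructed signature set.
SIGNATURES = {"../": "path-traversal"}

def detect(payload):
    """Return the name of the first matching signature, or None for clean traffic."""
    return next((name for pat, name in SIGNATURES.items() if pat in payload), None)

class PreventionEngine:
    """Picks a procedure from a source's pattern of behaviour: the same IP
    escalates alarm -> drop -> reset -> block as it keeps triggering detections."""
    ESCALATION = ("alarm", "drop", "reset", "block")

    def __init__(self):
        self.hits = Counter()
    def decide(self, src_ip):
        self.hits[src_ip] += 1
        return self.ESCALATION[min(self.hits[src_ip], len(self.ESCALATION)) - 1]

class ManagingSystem:
    """Manages the traffic flow and applies the procedures the engine provides."""
    def __init__(self, engine):
        self.engine, self.blocked_ips, self.alarms = engine, set(), []
    def handle(self, src_ip, dst_port, payload):
        """Return the fate of one packet: 'forwarded' or 'denied'."""
        if src_ip in self.blocked_ips:  # an earlier block decision still applies
            return "denied"
        signature = detect(payload)
        if signature is None:
            return "forwarded"
        action = self.engine.decide(src_ip)
        self.alarms.append((src_ip, dst_port, signature, action))
        if action == "block":
            self.blocked_ips.add(src_ip)
        return "forwarded" if action == "alarm" else "denied"  # alarm only: pass but log
```

Running the sample traffic through `ManagingSystem(PreventionEngine())` yields one alarm entry per detection with the actions alarm, drop, reset and block in turn, after which the final, benign request from the blocked source is denied without reaching the detection component.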