IDS and IPS are security appliances, or sometimes software, that can be installed on a network or a server to analyze the traffic flowing through the wire, the air or a network card. An IDS views data flowing through the network interface at wire speed, or over the air at the transmission rate, and searches for key signatures within the payload. These signatures are known, identifiable patterns for most if not all malware studied to date (viruses, worms, Trojans, spyware, etc.) and for suspicious behavior. As a result, an effective IDS requires regular updates to its library of malware signatures in order to identify and handle suspicious traffic.
An IDS detects a known threat's signature and raises an alert. An IPS, on the other hand, takes pre-determined action to stop the attack, either by stopping the traffic flow, ending the IP session, and perhaps quarantining the source of the suspicious traffic. An IPS is therefore more autonomous: it can not only detect threats but also prevent them from materializing or spreading on the network. However, an IDS/IPS is only as accurate as its ability to identify known signatures at wire speed. As a result, attackers have used various methods to disguise suspicious behavior or a threat's signature, for example fragmenting packets so that the signature is spread over several packets and the IDS/IPS cannot complete a signature match. This can result in a false negative: a real attack going undetected. An IDS/IPS can also produce high levels of false positives, flagging non-threatening traffic as a threat. The widespread use of encryption by both IT and attackers has rendered many IDS/IPS systems practically redundant; however, they are still in common use in SME environments.
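The fragmentation problem described above, as an added illustration that is not part of the original text: a toy signature matcher that inspects each packet in isolation misses a signature split across segments (a false negative), while the same matcher run over the reassembled flow catches it. The signature, flow addresses and payloads are all constructed sample data, not real indicators.

```python
# Toy signature IDS: per-packet matching vs. flow reassembly before matching.
# All signatures, addresses and payloads below are constructed sample data.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed signature library (the part an IDS must keep updated).
SIGNATURES: Dict[str, bytes] = {
    "SIG-SAMPLE-001": b"SAMPLE-MALWARE-MARKER",
}


@dataclass(frozen=True)
class Packet:
    flow: Tuple[str, str]  # (src, dst) identifying the session
    seq: int               # byte offset of this segment within the stream
    payload: bytes


def match_signatures(data: bytes) -> List[str]:
    """Return the names of all signatures whose pattern occurs in data."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def per_packet_alerts(packets: List[Packet]) -> List[str]:
    """Naive IDS: match each packet's payload on its own (no state kept)."""
    alerts: List[str] = []
    for p in packets:
        alerts.extend(match_signatures(p.payload))
    return alerts


def reassembled_alerts(packets: List[Packet]) -> List[str]:
    """Stream-aware IDS: group segments by flow, order by seq, match the whole."""
    flows: Dict[Tuple[str, str], List[Packet]] = {}
    for p in packets:
        flows.setdefault(p.flow, []).append(p)
    alerts: List[str] = []
    for segments in flows.values():
        stream = b"".join(s.payload for s in sorted(segments, key=lambda s: s.seq))
        alerts.extend(match_signatures(stream))
    return alerts


# Constructed traffic: one flow whose marker is split across three out-of-order
# segments, so no single packet contains the complete signature.
FLOW = ("10.0.0.5", "10.0.0.9")
SAMPLE_PACKETS = [
    Packet(FLOW, 19, b"WARE-MAR"),
    Packet(FLOW, 0, b"GET /x?q=SAMPLE-MAL"),
    Packet(FLOW, 27, b"KER HTTP/1.1"),
]
```

Running `per_packet_alerts(SAMPLE_PACKETS)` returns no alerts, while `reassembled_alerts(SAMPLE_PACKETS)` reports the signature; the reassembly step is what closes the false negative.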