Intrusion Detection and Prevention Systems

IDS: Intrusion Detection System

• Detects an attack as it occurs

IPS: Intrusion Prevention System

• Attempts to block an attack

HIDS: Host Intrusion Detection System

HIPS: Host Intrusion Prevention System

EDR: Endpoint Detection and Response

• Aggregates data from multiple endpoints to a centralized database; able to perform more sophisticated analysis

Monitoring Methodologies

1. Anomaly monitoring

• Designed to detect statistical anomalies
• Create a baseline over time

2. Signature-based monitoring

• Examine network traffic and behavior and look for well-known patterns
• Requires access to a current database of signatures and a way to compare and match behavior against those signatures

3. Behavioral monitoring

• Tries to overcome the limitations of anomaly-based and signature-based monitoring
• Continuously analyzes the behavior of processes and programs on a system and alerts the user if any abnormal behavior occurs

4. Heuristic monitoring

• Very different approach
• Uses an algorithm to determine if a threat exists