Page 1214 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
An intrusion prevention system (IPS) includes all the capabilities of an
IDS but can also take additional steps to stop or prevent intrusions. If
desired, administrators can disable these extra features of an IPS,
essentially causing it to function as an IDS.
You’ll often see the two terms combined as intrusion detection and
prevention systems (IDPSs). For example, NIST SP 800-94, “Guide to
Intrusion Detection and Prevention Systems,” provides comprehensive
coverage of both intrusion detection and intrusion prevention systems,
but for brevity uses IDPS throughout the document to refer to both. In
this chapter, we are describing methods used by IDSs to detect attacks,
how they can respond to attacks, and the types of IDSs available. We
are then adding information on IPSs where appropriate.
Knowledge- and Behavior-Based Detection
An IDS actively watches for suspicious activity by monitoring network
traffic and inspecting logs. For example, an IDS can have sensors or
agents monitoring key devices such as routers and firewalls in a
network. These devices have logs that can record activity, and the
sensors can forward these log entries to the IDS for analysis. Some
sensors send all the data to the IDS, whereas other sensors inspect the
entries and only send specific log entries based on how administrators
configure the sensors.
The IDS evaluates the data and can detect malicious behavior using
two common methods: knowledge-based detection and behavior-
based detection. In short, knowledge-based detection uses signatures
similar to the signature definitions used by anti-malware software.
Behavior-based detection doesn’t use signatures but instead compares
activity against a baseline of normal performance to detect abnormal
behavior. Many IDSs use a combination of both methods.
Knowledge-Based Detection
The most common method of
detection is knowledge-based detection (also called signature-based
detection or pattern-matching detection). It uses a database of known
attacks developed by the IDS vendor. For example, some automated
tools are available to launch SYN flood attacks, and these tools have
known patterns and characteristics defined in a signature database.
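As an added illustration of the two detection methods described above (this is example code, not from the study guide or from any IDS vendor), the following script runs a knowledge-based check and a behavior-based check over constructed sensor log lines. The signature pattern, the log format, and the addresses are all hypothetical; the point is that the signature catches a known tool at low volume while the baseline comparison catches an unknown source purely by its deviation from normal.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Knowledge-based: a tiny signature database. The single pattern here is a made-up
# fingerprint for illustration, standing in for the thousands a vendor ships.
SIGNATURES = {
    "SYN flood tool fingerprint (hypothetical)": re.compile(r"flags=S\b.*win=0\b.*ttl=255\b"),
}
SYN_RE = re.compile(r"src=(\S+) .*flags=S\b")

def knowledge_based(window):
    """Return (line_index, signature_name) for every log line matching a signature."""
    return [(i, name) for i, line in enumerate(window)
            for name, pat in SIGNATURES.items() if pat.search(line)]

def syn_counts(window):
    """Count SYN packets per source address in one window of sensor log lines."""
    counts = Counter()
    for line in window:
        m = SYN_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def build_baseline(normal_windows):
    """Learn mean and std. dev. of per-source SYN counts from known-good windows."""
    samples = [n for w in normal_windows for n in syn_counts(w).values()]
    return mean(samples), pstdev(samples)

def behavior_based(window, baseline, k=3.0):
    """Flag sources whose SYN count exceeds the baseline mean by more than k std. devs."""
    mu, sigma = baseline
    return sorted(src for src, n in syn_counts(window).items() if n > mu + k * sigma)

def fmt(src, flags, win=65535, ttl=64):
    """Build one constructed sensor log line in a hypothetical key=value format."""
    return f"src={src} dst=10.0.0.9 proto=tcp flags={flags} dport=80 win={win} ttl={ttl}"

# Constructed sensor output: two known-good windows and one window under review.
NORMAL_WINDOWS = [
    [fmt("10.0.0.5", "S"), fmt("10.0.0.6", "S"), fmt("10.0.0.5", "S")],
    [fmt("10.0.0.7", "S"), fmt("10.0.0.6", "S"), fmt("10.0.0.6", "S"), fmt("10.0.0.6", "A")],
]
SUSPECT_WINDOW = (
    [fmt("10.0.0.5", "S")] * 2                    # normal client, within baseline
    + [fmt("203.0.113.7", "S")] * 5               # unknown tool: caught by volume only
    + [fmt("198.51.100.4", "S", win=0, ttl=255)]  # known tool: signature hit, low volume
)

if __name__ == "__main__":
    baseline = build_baseline(NORMAL_WINDOWS)
    print("signature hits:", knowledge_based(SUSPECT_WINDOW))
    print("baseline anomalies:", behavior_based(SUSPECT_WINDOW, baseline))
```

Running both checks on the same window is the combination the text refers to: each method reports a source the other misses.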