Tuesday 8 May 2012

Approaches to Intrusion Prevention


Signature Based :-

Although Cisco uses a blend of detection and prevention technologies, signature-based IPS is the primary tool that Cisco IPS solutions use. Cisco releases signatures that are loaded onto the device; each signature identifies a pattern that a common attack presents. This approach is much less prone to false positives and ensures that the IPS devices stop common threats; it is also called pattern matching. As new types of attacks appear, signatures can be added, tuned, and updated to deal with them.


Anomaly Based :-

This type of intrusion prevention technology is often called profile based. It attempts to discover activity that deviates from what an engineer defines as “normal.” Because it can be so difficult to define what is normal activity for a given network, this approach tends to be prone to a high number of false positives.


The two common types of anomaly-based IPS are statistical and nonstatistical anomaly detection. The statistical approach learns the traffic patterns of the network itself, whereas the nonstatistical approach uses profiles coded by the vendor.


Policy Based :-

With this type of technology, the security policy is “written” into the IPS device. Alarms are triggered if activities are detected that violate the security policy coded by the organization. Notice how this differs from signature based: signature based focuses on stopping common attacks, whereas policy based is concerned with enforcing the organization’s security policy.


Protocol Analysis Based :-

This approach is similar to signature based, but it looks deeper into packets because it can perform a protocol-aware inspection of the packet payload. Whereas most signatures examine rather common settings, protocol analysis based can do much deeper packet inspection and is more flexible at finding some types of attacks.


Reputation Based :-

This combines any of the previous approaches with knowledge of the attacker. Cisco makes extensive use of reputation-based IPS beginning with the IPS Version 7.0 software. A cloud-based database assigns a reputation score to every IP address in the world, ranging from positive ten to negative ten. Hosts that have a history of malicious activity, such as attacking or performing reconnaissance, receive a negative score. When the sensor identifies traffic originating from negatively scored hosts, it can take stronger action against that traffic than it would if relying on a signature alone.
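To make the interplay between the approaches concrete, here is a small added example (not Cisco's code and not part of the original post) that applies a constructed signature set, a constructed organizational policy rule and a constructed reputation table, scored -10 to +10 as described above, to a few constructed events; a signature hit from a negatively scored source is escalated from an alert to a drop, which is the stronger action reputation adds.

```python
import re
from dataclasses import dataclass

# Constructed sample signatures (not Cisco's): name -> pattern matched against the payload.
SIGNATURES = {
    "dir-traversal": re.compile(r"(\.\./){2,}"),
    "sqli-tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
}
# Constructed reputation table: scores run from -10 (worst) to +10; unknown hosts score 0.
REPUTATION = {"203.0.113.7": -8, "198.51.100.20": 3}
# Constructed organizational policy: destination ports that are never permitted.
POLICY_DENIED_PORTS = {23}

@dataclass
class Event:
    src_ip: str
    dst_port: int
    payload: str

def reputation_of(ip):
    """Look up the source reputation, clamped to the -10..+10 range."""
    return max(-10, min(10, REPUTATION.get(ip, 0)))

def evaluate(event):
    """Return (action, reasons): policy violations always drop; a signature hit alone
    alerts, but the same hit from a negatively scored source escalates to a drop."""
    reasons = []
    if event.dst_port in POLICY_DENIED_PORTS:
        reasons.append(f"policy: port {event.dst_port} denied")
    reasons += [f"signature: {n}" for n, p in SIGNATURES.items() if p.search(event.payload)]
    if not reasons:
        return "allow", reasons          # nothing matched; reputation alone is not a verdict
    score = reputation_of(event.src_ip)
    reasons.append(f"reputation: {score}")
    if reasons[0].startswith("policy") or score <= -5:
        return "drop", reasons
    return "alert", reasons

def run_sample():
    """Evaluate a few constructed events and return the actions in order."""
    events = [
        Event("203.0.113.7", 80, "GET /../../../secret.txt HTTP/1.1"),    # bad reputation + signature
        Event("198.51.100.20", 80, "GET /../../../secret.txt HTTP/1.1"),  # good reputation + signature
        Event("192.0.2.9", 23, "login"),                                  # policy violation only
        Event("192.0.2.9", 443, "GET /index.html HTTP/1.1"),              # clean traffic
    ]
    return [evaluate(e)[0] for e in events]
```

Running `run_sample()` yields `["drop", "alert", "drop", "allow"]`: the same signature hit is dropped for the -8 host but only alerted on for the +3 host.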
