Intrusion detection and prevention systems (IDPS) automate the process of monitoring events that occur in a computer system or network, and attempt to identify possible incidents, log information about them, stop them, and report them to security administrators. They are typically used to record information related to observed events, notify security administrators of important observed events, and automatically generate reports with some remediation actions performed manually after human review of the reports. Many IDPSs can also be configured to respond to a detected threat using a variety of techniques, including changing security configurations or blocking the attack.

For pre-infection threat prevention, IDPS blocks exploitation of known application vulnerabilities. Their anti-malware functions block exploitation of data-driven application vulnerabilities. The IDPS enforces protocols and data compliance. Post-infection threat prevention detects and blocks interactions with bot command and control servers. IDPS controls block leakage of sensitive data to destinations outside of the organization.

Figure 1 shows an IDPS located at a network node protecting multiple subnets.

Figure 1 - An example of an IDPS as part of a firewall.

Related Patterns: