Network Intrusion Detection and Prevention

What is Network Intrusion Detection and Prevention?

A Network Intrusion Detection and Prevention System (IDPS) sits at the intersection of intrusion detection and intrusion prevention. It monitors and analyzes network traffic for suspicious or abnormal activity, identifying potential threats through a combination of deep learning and predefined rules.

The response to an identified threat may be as simple as alerting a network administrator. An IDPS might also block traffic from the source address or engage other cybersecurity solutions to mitigate a potential attack, and some IDPS solutions can neutralize an attack outright by removing malicious software or code.

Like most criminals, threat actors work best when they can operate in the shadows, away from the prying eyes of security teams. Allowing them to do so is not an option. It’s your job to shine a light on your attackers and stop them in their tracks.

Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs) together allow you to do precisely that.

Types of Intrusion Detection and Prevention

In addition to network intrusion detection and prevention, there are several additional types of IDPS technology.

Wireless

Wireless IDPS solutions are designed to analyze wireless networks and wireless networking protocols. Though they share the primary purpose of a network-based IDPS, they generally don’t analyze higher-layer network protocols. This is because, unlike a network IDPS (NIDPS), a wireless IDPS (WIDPS) doesn’t see all traffic on a network; instead, it operates by continuously sampling network traffic.

Host-Based

A host-based IDPS is deployed as an agent on a single device, host, or endpoint—typically business-critical or highly sensitive. Characteristics monitored by this type of solution include system logs, running processes, network traffic, file access and modification activity, and configuration changes.

Network Behavior Analysis

While a network-based IDPS specifically inspects traffic at network access points, a network behavior analysis system examines the network, leveraging artificial intelligence to identify and flag abnormal behavior.

Detection Methodologies and Prevention Capabilities

As the name suggests, an IDPS has two sides to its functionality: detection and prevention, or, put another way, how the system identifies threats and how it remediates them. Per the National Institute of Standards and Technology, there are three primary classes of detection methodologies.

1. Signature-based detection matches observed activity or behavior patterns against known threats. These could include known malware characteristics, abnormal system configurations, or apparent violations of an organization’s security policy. The primary shortcoming of signature-based detection is that it’s not capable of understanding or assessing complex communications or of recognizing a previously unknown threat.

2. Anomaly-based detection compares network activity against an established baseline, flagging any deviation as potentially malicious. The only real drawback of anomaly-based detection is that it takes time to train the system and establish a behavioral profile for every entity on the network. An inexperienced operator could also inadvertently include malicious activity in a profile during training, so that the same activity is later treated as normal.

3. Stateful protocol analysis is similar to anomaly-based detection, except that it leverages vendor-developed behavioral profiles that can be applied universally. Although it can be resource-intensive, it often identifies attacks that other methods miss. That said, it’s possible to fool a stateful protocol analysis system by masking malicious activity within acceptable protocol behavior.
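As an added illustration (not code from the original page or from the vendor), the following Python script contrasts the first two methodologies over constructed flow records: a signature rule catches only the pattern it knows, an anomaly baseline learned from a clean training window catches a novel volume spike that no signature covers, and a baseline trained on a window that already contains that spike absorbs it, which is the profile-contamination caveat described above. The flow records, the signature and the 3-sigma threshold are all constructed for this example.

```python
"""Signature-based vs anomaly-based detection over constructed flow records."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (source IP, destination port, bytes sent, payload fragment).
FLOWS = [
    ("10.0.0.5", 443, 1200, "GET /index.html"),
    ("10.0.0.5", 443, 1100, "GET /about.html"),
    ("10.0.0.5", 443, 1300, "GET /news"),
    ("10.0.0.5", 443, 1250, "GET /contact"),
    ("10.0.0.7", 80, 900, "GET /login?user=admin' OR '1'='1"),  # matches the known signature
    ("10.0.0.5", 443, 48000, "POST /upload"),                   # novel: no signature, far above baseline
]

# Signature-based: one constructed pattern for a known attack. Anything else is invisible to it.
SIGNATURES = {"sqli-tautology": "' OR '1'='1"}


def signature_alerts(flows):
    """Return (signature name, flow) for every flow whose payload contains a known pattern."""
    return [(name, f) for f in flows for name, pat in SIGNATURES.items() if pat in f[3]]


def build_baseline(training_flows):
    """Per-source mean and population std-dev of bytes sent, learned from a training window.
    Whatever is in the window, benign or not, becomes 'normal' for that source."""
    per_src = defaultdict(list)
    for src, _port, nbytes, _payload in training_flows:
        per_src[src].append(nbytes)
    return {src: (mean(v), pstdev(v)) for src, v in per_src.items()}


def anomaly_alerts(flows, baseline, k=3.0):
    """Flag flows whose byte count exceeds the source's mean by more than k std-devs.
    Sources absent from the baseline cannot be scored: that is the training cost the text describes."""
    alerts = []
    for f in flows:
        src, _port, nbytes, _payload = f
        if src in baseline:
            mu, sigma = baseline[src]
            if nbytes > mu + k * max(sigma, 1.0):  # floor sigma so a constant profile still has a margin
                alerts.append(("byte-volume", f))
    return alerts


if __name__ == "__main__":
    print("signature:", signature_alerts(FLOWS))
    print("anomaly (clean baseline):", anomaly_alerts(FLOWS, build_baseline(FLOWS[:4])))
    print("anomaly (contaminated baseline):", anomaly_alerts(FLOWS, build_baseline(FLOWS)))
```

Training on the first four flows yields a mean of about 1212 bytes for 10.0.0.5, so the 48000-byte upload is flagged; training on all six flows raises the mean and spread enough that the same upload falls inside the profile and is silently accepted.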

Prevention capabilities can be either passive or active and include:

  • Ending a TCP session
  • Activating an inline firewall
  • Throttling bandwidth usage
  • Altering or removing malicious content
  • Reconfiguring network security devices
  • Activating a third-party script or program

Intrusion Detection System vs. Intrusion Prevention System

An IDS is mainly passive. It scans network traffic and notifies an administrator of potential threats but otherwise cannot act. An IPS represents an evolution of intrusion detection in that it’s capable of automatic response and remediation.

CylanceGATEWAY™ is AI-empowered Zero Trust Network Access (ZTNA). It allows your remote workforce to establish secure network connectivity from any device—managed or unmanaged—to any app in the cloud or on premises, across any network. This cloud-native ZTNA solution provides scalable outbound-only access to any application while hiding critical assets from unauthorized users—minimizing attack surface areas.

The multi-tenant architecture of CylanceGATEWAY is designed for digital transformation and distributed work. Its powerful AI and machine learning improve your security posture and simplify the configuration and management of granular, dynamic security policies and access controls.