From National Institute of Standards and Technology | Aug 7, 2009
Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators. In addition, organizations use IDPSs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSs have become a necessary addition to the security infrastructure of nearly every organization.
IDPSs typically record information related to observed events, notify security administrators of important observed events, and produce reports. Many IDPSs can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g., reconfiguring a firewall), or changing the attack's content.
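The following is an added illustration, not part of the NIST publication or its attachments, of the pipeline the paragraph describes: a detector that applies a signature rule and a threshold rule to log lines, records and reports what it finds, and, when run in prevention mode, also emits a simulated firewall-style block. The log lines, rule names, IP addresses and the threshold of five failed logins are all constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines (not taken from the publication): a burst of
# failed SSH logins from one address, one benign web request and one web
# request whose path contains a directory-traversal sequence.
SAMPLE_LOGS = [
    "2009-08-07T10:00:01 host sshd[201]: Failed password for root from 198.51.100.7 port 4100",
    "2009-08-07T10:00:02 host sshd[201]: Failed password for root from 198.51.100.7 port 4101",
    "2009-08-07T10:00:03 host sshd[201]: Failed password for admin from 198.51.100.7 port 4102",
    "2009-08-07T10:00:04 host sshd[201]: Failed password for admin from 198.51.100.7 port 4103",
    "2009-08-07T10:00:05 host sshd[201]: Failed password for guest from 198.51.100.7 port 4104",
    '2009-08-07T10:00:06 host httpd: 203.0.113.5 "GET /index.html HTTP/1.1" 200',
    '2009-08-07T10:00:07 host httpd: 192.0.2.9 "GET /../../etc/passwd HTTP/1.1" 404',
]


@dataclass(frozen=True)
class Alert:
    rule: str
    source_ip: str
    evidence: str


FAILED_LOGIN = re.compile(r"Failed password for \S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)")
HTTP_REQUEST = re.compile(r'httpd: (?P<ip>\d+\.\d+\.\d+\.\d+) "(?P<req>[^"]*)"')
TRAVERSAL = re.compile(r"\.\./")   # signature rule: traversal sequence in the request line
BRUTE_FORCE_THRESHOLD = 5          # threshold rule: failed logins per source (assumed value)


def detect(lines):
    """Apply the signature and threshold rules to log lines; return the alerts raised."""
    alerts = []
    failures = defaultdict(int)
    for line in lines:
        m = HTTP_REQUEST.search(line)
        if m and TRAVERSAL.search(m.group("req")):
            alerts.append(Alert("web-path-traversal", m.group("ip"), m.group("req")))
            continue
        m = FAILED_LOGIN.search(line)
        if m:
            ip = m.group("ip")
            failures[ip] += 1
            if failures[ip] == BRUTE_FORCE_THRESHOLD:   # fire once per source, at the threshold
                alerts.append(Alert("ssh-brute-force", ip, f"{failures[ip]} failed logins"))
    return alerts


def respond(alerts, prevent):
    """Map alerts to actions.

    Detection mode only records and notifies. Prevention mode additionally
    returns a block action, standing in for the firewall reconfiguration the
    text mentions as one response technique.
    """
    actions = []
    for alert in alerts:
        actions.append(("log", alert.rule, alert.source_ip))
        actions.append(("notify_admin", alert.rule, alert.source_ip))
        if prevent:
            actions.append(("block_ip", alert.source_ip))
    return actions


def run(lines, prevent=False):
    """Run detection, then the chosen response policy; return (alerts, actions)."""
    alerts = detect(lines)
    return alerts, respond(alerts, prevent)


if __name__ == "__main__":
    alerts, actions = run(SAMPLE_LOGS, prevent=True)
    for alert in alerts:
        print("ALERT", alert)
    for action in actions:
        print("ACTION", action)
```

The benign request from 203.0.113.5 never produces an action, and the same detector serves both modes; only `prevent` decides whether the result is a notification or an active block, which is the distinction the text draws between intrusion detection and intrusion prevention.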
This publication describes the characteristics of IDPS technologies and provides recommendations for designing, implementing, configuring, securing, monitoring, and maintaining them. The types of IDPS technologies are differentiated primarily by the types of events that they monitor and the ways in which they are deployed.
The attached Zip file includes:
- Intro Page.doc
- Cover Sheet and Terms.pdf
- Guide to Intrusion Detection and Prevention Systems.pdf