Intrusion Detection Systems/Intrusion Prevention Systems

Intrusion Detection Systems (IDS) monitor the network and determine whether it is currently under attack. This is done by diverting a copy of the traffic to the device for analysis. An IDS does not interrupt the flow of traffic, which allows the end user to access the data from the network immediately on demand, rather than having to wait for the IDS to process it. However, this also means that the attacker can immediately reach the different assets, and an attack may begin in the time between the attack traffic arriving, the IDS creating an alert, and administrators taking the required actions to stop it.

Intrusion Prevention Systems (IPS) run in line with network traffic. As traffic enters the system, it passes through the IPS before passing on to its eventual destination. This allows intrusions to be prevented without external action. Where the traffic is identified as a threat, the packets are dropped.

IDS and IPS both leverage signature-based detection and statistical anomaly detection. Statistical anomaly detection randomly samples network traffic and compares it to a pre-calculated baseline. Anything outside the normal range will initiate an alert or a blocking action.
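The sketch below is an added example, not code from the book: it runs the same baseline comparison in IDS mode (alert only, traffic still delivered) and in IPS mode (flagged traffic dropped in line). The packets-per-second metric, the three-standard-deviation range, the sample data and all function names are assumptions made for illustration.

```python
import random
import statistics

# Constructed sample data: packets per second seen in normal operation.
BASELINE_SAMPLES = [120, 135, 128, 110, 142, 131, 125, 138, 119, 127]

# Constructed traffic windows: (source address, packets per second).
TRAFFIC = [
    ("192.0.2.10", 130),
    ("192.0.2.11", 122),
    ("198.51.100.7", 950),   # far above the normal range
    ("192.0.2.12", 141),
    ("198.51.100.7", 4),     # far below the normal range
]


def build_baseline(samples):
    """Pre-calculate the baseline as (mean, standard deviation)."""
    return statistics.mean(samples), statistics.stdev(samples)


def is_anomalous(rate, baseline, k=3.0):
    """True when the rate lies more than k standard deviations from the mean."""
    mean, stdev = baseline
    return abs(rate - mean) > k * stdev


def inspect(traffic, baseline, mode, sample_rate=1.0, seed=0):
    """Run the windows through an IDS (passive copy) or an IPS (in line).

    Returns (forwarded, alerts). An IDS forwards everything and only alerts;
    an IPS drops the windows it flags, so they never reach the destination.
    """
    if mode not in ("ids", "ips"):
        raise ValueError("mode must be 'ids' or 'ips'")
    rng = random.Random(seed)  # seeded so the random sampling is repeatable
    forwarded, alerts = [], []
    for src, rate in traffic:
        sampled = rng.random() < sample_rate  # unsampled windows are not checked
        flagged = sampled and is_anomalous(rate, baseline)
        if flagged:
            alerts.append((src, rate))
        if mode == "ids" or not flagged:
            forwarded.append((src, rate))
    return forwarded, alerts
```

With `sample_rate` below 1.0, windows that are not sampled pass unchecked in either mode, which is the coverage cost of sampling.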
