Security Architecture · SY0-701 · Task 3.2

Intrusion detection and prevention systems — SY0-701

CompTIA Security+ SY0-701 reference page on intrusion detection and prevention systems — definitions, IDS vs IPS comparison, detection methods, and exam traps.

WHAT IT IS

An intrusion detection system (IDS) is "a security service that monitors and analyzes network or system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner." (NIST SP 800-82r3, adapted from RFC 4949)

An intrusion prevention system (IPS) is software that "has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents." (CNSSI 4009-2015 via NIST SP 800-94)

Both systems are built on the same underlying process: intrusion detection — "the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents." (CNSSI 4009-2015 via NIST SP 800-94)


Mental model

Think of an IDS as a security camera with an alarm: it watches, detects, and alerts — but it does not physically stop anyone. An IPS adds a door lock to the same camera: it watches, detects, and can actively block or modify traffic to stop a possible incident before it reaches its target. The detection engine is the same; what differs is the response capability.


When to use it

The exam frequently asks candidates to distinguish IDS from IPS, and to distinguish detection methods from each other. The two key axes are passive observation vs. active intervention (IDS vs. IPS), and known patterns vs. behavioral baseline (signature-based vs. anomaly-based).

Characteristic                        | IDS                       | IPS
Monitors events                       | Yes                       | Yes
Alerts on possible incidents          | Yes                       | Yes
Can attempt to stop incidents         | No                        | Yes (NIST SP 800-94)
Typical placement                     | Out-of-band / passive tap | Inline / in the traffic path
Risk of disrupting legitimate traffic | Low                       | Higher (inline blocking)
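The table above can be made concrete with a small simulation. The following is an added example, not code from this page or from any IDS/IPS product: one shared detection engine is run by a sensor in IDS mode (passive tap, alert only, traffic always forwarded) and in IPS mode (inline, may drop), plus an IPS in detection-only mode. The packets, the two signature strings and the "Sensor" and "Packet" names are all constructed for the illustration.

```python
"""Added example (not from the CutScore page): the same detection engine
behind an IDS (alert only) and an IPS (can drop), to show that the engine
is identical and only the response capability and placement differ."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Packet:            # constructed, minimal stand-in for a network packet
    src: str
    dst: str
    payload: str

# Constructed signature rules: pattern -> alert name. Both are well-known
# textbook patterns used here only as detection examples.
RULES = {
    "UNION SELECT": "sql-injection-attempt",
    "../../": "path-traversal-attempt",
}

def detect(pkt: Packet) -> Optional[str]:
    """Shared detection engine: returns an alert name or None.
    This function is identical for IDS and IPS; only the response differs."""
    for pattern, name in RULES.items():
        if pattern.lower() in pkt.payload.lower():
            return name
    return None

@dataclass
class Sensor:
    mode: str               # "ids" (out-of-band) or "ips" (inline)
    block: bool = True      # IPS only: False == detection-only / alert mode
    alerts: list = field(default_factory=list)

    def process(self, pkt: Packet) -> bool:
        """Return True if the packet reaches its destination."""
        alert = detect(pkt)
        if alert:
            self.alerts.append((pkt.src, alert))
        if self.mode == "ids":
            return True     # passive tap: sees a copy, never in the path, never drops
        return not (alert and self.block)   # inline: may drop, unless alert-only

# Constructed traffic. The last packet is legitimate forum text that happens to
# match a signature: a false positive that an inline IPS will block.
TRAFFIC = [
    Packet("10.0.0.5", "10.0.1.10", "GET /index.html"),
    Packet("10.0.0.7", "10.0.1.10", "GET /search?q=' UNION SELECT 1,2"),
    Packet("10.0.0.9", "10.0.1.10", "GET /docs/../../config"),
    Packet("10.0.0.11", "10.0.1.10", "POST /forum body=how does UNION SELECT work"),
]

def run(mode: str, block: bool = True) -> dict:
    """Run all constructed traffic through one sensor and summarise the outcome."""
    sensor = Sensor(mode=mode, block=block)
    forwarded = [sensor.process(p) for p in TRAFFIC]
    return {
        "alerts": len(sensor.alerts),
        "forwarded": sum(forwarded),
        "dropped": forwarded.count(False),
    }

if __name__ == "__main__":
    print("IDS           ", run("ids"))               # alerts, nothing dropped
    print("IPS inline    ", run("ips"))               # alerts and drops (incl. the false positive)
    print("IPS alert-only", run("ips", block=False))  # installed as IPS, behaves like an IDS
```

The three runs produce the same alert count because `detect()` never changes; what changes is whether matching traffic is dropped, which is exactly the "can attempt to stop incidents" and "risk of disrupting legitimate traffic" rows of the table. The detection-only run is the case the next section warns about: an IPS is installed, but nothing is blocked.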

Detection method comparison

Detection method | How it works                                                                                                  | Limitation
Signature-based  | Matches traffic against "a recognizable, distinguishing pattern associated with an attack" (NIST SP 800-12r1) | Cannot detect attacks for which no signature exists
Anomaly-based    | Establishes a baseline of normal behavior; flags deviations                                                    | Can produce alerts on unusual but legitimate activity

COMMON MISCONCEPTION

The trap: "IPS always blocks; IDS never does anything."

This framing is too binary. The NIST definition says an IPS "can attempt to stop possible incidents" — it is not guaranteed to block every attack, and it does not always block (many deployments run in detection-only or alert mode even when an IPS is installed). Conversely, some IDS configurations can be tuned to trigger automated responses through integration with other controls — the IDS itself still only detects and alerts.

A second common error is conflating where a system sits with what type it is. Placement (inline vs. out-of-band) is an architectural decision that often correlates with IPS vs. IDS deployment, but the NIST definitions hinge on capability (can it attempt to stop incidents?) — not on physical topology alone.

A third error involves false positives and false negatives. A false positive is "an instance in which a security tool incorrectly classifies benign content as malicious" (NIST SP 800-83r1). A false negative is "an instance in which a security tool intended to detect a particular threat fails to do so" (NIST SP 800-83r1). Candidates sometimes reverse these. In the context of IDS/IPS:

  • Too many false positives → alert fatigue; legitimate traffic may be blocked by an IPS.
  • False negatives → real attacks go undetected regardless of the system type.
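The detection-method comparison and the false positive / false negative definitions above can be exercised together. The following is an added example, not code from this page or from any product: a signature detector and a baseline-driven anomaly detector are run over a handful of constructed, pre-labelled connection records, and each is scored for true/false positives and negatives. The records, the signature strings, the byte-count feature and the 3-standard-deviation threshold are all assumptions made for the illustration; real sensors use far richer features.

```python
"""Added example (not from the CutScore page): signature-based vs anomaly-based
detection over constructed connection records, scored against ground truth so
the false positive and false negative of each method are visible."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Callable, Dict, List

@dataclass
class Event:              # constructed, minimal connection record
    src: str
    port: int
    byte_count: int
    payload: str
    malicious: bool       # ground truth, used only for scoring, never by a detector

# Constructed baseline of normal traffic, used to train the anomaly detector.
BASELINE = [Event("10.0.0.5", 443, b, "GET /app", False)
            for b in (900, 1100, 1000, 950, 1050, 1200, 800)]

# Constructed events to score, with ground-truth labels.
EVENTS = [
    Event("10.0.0.5", 443, 1000, "GET /app", False),                     # ordinary request
    Event("10.0.0.6", 443, 1000, "GET /app?id=1 UNION SELECT", True),    # known attack pattern
    Event("10.0.0.7", 443, 48000, "GET /app?id=<novel-pattern>", True),  # attack with no signature yet
    Event("10.0.0.5", 443, 50000, "PUT /backup/nightly.tar", False),     # legitimate but unusual
]

SIGNATURES = ["UNION SELECT", "../../"]   # constructed known-attack patterns

def signature_detect(e: Event) -> bool:
    """Flags only traffic matching a known pattern: the NIST SP 800-12r1 sense
    of 'signature'. Anything without a signature is, by construction, missed."""
    return any(s.lower() in e.payload.lower() for s in SIGNATURES)

def make_anomaly_detector(baseline: List[Event], k: float = 3.0) -> Callable[[Event], bool]:
    """Learns mean and standard deviation of byte counts from normal traffic
    and flags anything more than k standard deviations above the mean.
    The feature and the threshold k are assumptions for this example."""
    sizes = [e.byte_count for e in baseline]
    mu, sigma = mean(sizes), pstdev(sizes)
    return lambda e: e.byte_count > mu + k * sigma

def score(detector: Callable[[Event], bool], events: List[Event]) -> Dict[str, int]:
    """Confusion counts using the NIST SP 800-83r1 definitions:
    fp = benign classified as malicious, fn = threat the tool failed to detect."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for e in events:
        flagged = detector(e)
        if flagged and e.malicious:
            counts["tp"] += 1
        elif flagged and not e.malicious:
            counts["fp"] += 1      # false positive: alert fatigue, or a blocked backup if inline
        elif not flagged and e.malicious:
            counts["fn"] += 1      # false negative: real attack goes undetected
        else:
            counts["tn"] += 1
    return counts

def compare() -> Dict[str, Dict[str, int]]:
    """Score both methods on the same events."""
    return {
        "signature": score(signature_detect, EVENTS),
        "anomaly": score(make_anomaly_detector(BASELINE), EVENTS),
    }

if __name__ == "__main__":
    for method, counts in compare().items():
        print(f"{method:10s} {counts}")
```

On these records the signature detector has no false positives but misses the novel attack (one false negative), while the anomaly detector catches the novel attack but flags the legitimate backup transfer (one false positive) and misses the known attack whose volume looks normal. That is the "Limitation" column of the table in miniature, and it is why exam scenarios mentioning a "previously unknown" attack point at the signature limitation rather than the anomaly one.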

How it shows up on the exam

The cognitive target for this concept is application — given a scenario, select the appropriate control or identify what a described system is doing.

Candidates often confuse:

  • IDS vs. IPS when a scenario describes a system that "monitors and generates alerts" — that is an IDS by the NIST definition; it does not stop incidents. If the scenario says the system "stopped" or "blocked" traffic, that points to IPS capability.
  • Signature-based vs. anomaly-based detection — a scenario describing detection of a "previously unknown" or "zero-day" attack pattern is signaling the limitation of signature-based detection, since signatures are, by definition, patterns of known attacks.
  • Host-based vs. network-based scope — scenarios set on a single endpoint versus network-wide traffic are distinguishing HIDS/HIPS from NIDS/NIPS. The NIST IDS definition explicitly covers "network or system events," acknowledging both scopes.

Signal phrases to recognize: "monitors and analyzes," "real-time warning," "attempts to access in an unauthorized manner" → IDS. "detect … and also attempt to stop" → IPS. "recognizable, distinguishing pattern" → signature-based.


Related concepts

  • Failure modes — understanding how IDS/IPS deployments handle fail-open vs. fail-closed behavior shapes architectural decisions, especially for inline IPS.
  • Jump server — both jump servers and IDS/IPS are placed at network boundaries to control or monitor access; exam scenarios may involve both in the same architecture.
  • Load balancer — inline IPS and load balancers share an "in the traffic path" placement pattern; distinguishing their purposes is a common architectural reasoning task.

Sources

Every claim on this page traces to the public exam blueprint and official documentation:
