IDS/IPS — Explained with Examples

DodaTech, updated Jun 15, 2026

IDS (Intrusion Detection System) monitors network traffic for threats, while IPS (Intrusion Prevention System) actively blocks detected threats in real time.

IDS stands for Intrusion Detection System. IPS stands for Intrusion Prevention System. Both analyze network traffic for malicious activity, but they respond differently.

IDS vs IPS

Feature        | IDS                                 | IPS
---------------|-------------------------------------|------------------------------------------
Action         | Alerts only                         | Alerts and blocks
Position       | Out-of-band (monitors a copy)       | Inline (traffic passes through)
Network impact | None (passive)                      | Can add latency
Risk           | False positives don't block traffic | False positives block legitimate traffic

Detection Methods

Signature-based — matches traffic against known attack patterns (like antivirus signatures). Effective for known threats but misses zero-day attacks.
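The following is an added example (not code from the original page or from DodaTech) that ties the IDS vs IPS table to signature-based detection: a small engine matches requests against a constructed signature set and, depending on its mode, either only records an alert (IDS, out-of-band) or returns a block decision (IPS, inline). The signature names, regexes and sample requests are all constructed for illustration; the last sample request carries a pattern for which no signature is loaded, which is the "only known threats" limitation the paragraph describes.

```python
import re
from dataclasses import dataclass, field

# Constructed signature set (illustrative, loosely modelled on how rule-based
# sensors pair a rule name with a pattern). Real rule sets are far larger.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE),
    "scanner-user-agent": re.compile(r"^sqlmap/", re.IGNORECASE),
}


@dataclass
class Decision:
    action: str                                   # "allow", "alert" (IDS) or "block" (IPS)
    matched: list = field(default_factory=list)   # names of the signatures that fired


class SignatureEngine:
    """Matches each request against SIGNATURES.

    mode="ids": sensor sits on a copy of the traffic, so it can only alert.
    mode="ips": sensor is inline, so a match also blocks the request.
    """

    def __init__(self, mode="ids"):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.mode = mode
        self.alerts = []          # what an analyst would see in either mode

    def inspect(self, request):
        # Each signature is checked against the request path and the User-Agent.
        matched = [
            name for name, rx in SIGNATURES.items()
            if rx.search(request["path"]) or rx.search(request.get("user_agent", ""))
        ]
        if not matched:
            return Decision("allow")
        self.alerts.append(f"{request['src']} {request['path']} -> {matched}")
        # Same detection either way; only the response differs between IDS and IPS.
        return Decision("block" if self.mode == "ips" else "alert", matched)


def run(mode, requests):
    """Run every request through a fresh engine; returns (engine, decisions)."""
    engine = SignatureEngine(mode)
    return engine, [engine.inspect(r) for r in requests]


# Constructed sample traffic (hypothetical addresses and paths, not real captures)
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "path": "/index.html", "user_agent": "Mozilla/5.0"},
    {"src": "10.0.0.9", "path": "/download?file=../../secret.txt", "user_agent": "sqlmap/1.7"},
    {"src": "10.0.0.7", "path": "/login?user=admin' OR '1'='1", "user_agent": "Mozilla/5.0"},
    # No XSS signature is loaded, so this request is allowed in both modes:
    # signature-based detection only sees the patterns it already has rules for.
    {"src": "10.0.0.8", "path": "/search?q=<script>alert(1)</script>", "user_agent": "Mozilla/5.0"},
]

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        engine, decisions = run(mode, SAMPLE_REQUESTS)
        print(f"--- mode={mode} ---")
        for req, d in zip(SAMPLE_REQUESTS, decisions):
            print(f"{d.action:5} {req['path']} {d.matched}")
```

Running the block in both modes shows the detection results are identical; only the action column changes, which is exactly why a false positive is an annoyance for an IDS but an outage for an IPS. The uncovered XSS request is the case that anomaly-based detection (next section) is meant to complement.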

Anomaly-based — establishes a baseline of normal traffic and flags deviations. Can detect novel attacks but has higher false positive rates.

# Simplified anomaly-based detection
import statistics

class AnomalyDetector:
    def __init__(self):
        self.baseline = {}

    def learn_baseline(self, traffic_data):
        """Establish normal traffic patterns (needs at least two samples)"""
        for metric in ['requests_per_ip', 'bytes_per_second', 'error_rate']:
            values = [t[metric] for t in traffic_data]
            self.baseline[metric] = {
                'mean': statistics.mean(values),
                # A zero spread in the baseline would cause a division by zero
                # in detect(), so fall back to a tiny positive value
                'stdev': statistics.stdev(values) or 1e-9,
            }

    def detect(self, traffic):
        """Flag traffic that deviates significantly from baseline"""
        alerts = []
        for metric, stats in self.baseline.items():
            z_score = abs(traffic[metric] - stats['mean']) / stats['stdev']
            if z_score > 3:  # More than 3 standard deviations
                alerts.append(f"Anomaly detected: {metric} (z-score: {z_score:.2f})")
        return alerts

# Usage with constructed sample data (illustrative values, not real captures)
normal_traffic = [
    {'requests_per_ip': 20, 'bytes_per_second': 5000, 'error_rate': 0.010},
    {'requests_per_ip': 25, 'bytes_per_second': 5200, 'error_rate': 0.020},
    {'requests_per_ip': 18, 'bytes_per_second': 4800, 'error_rate': 0.010},
    {'requests_per_ip': 22, 'bytes_per_second': 5100, 'error_rate': 0.015},
]
# One source suddenly sending ~40x its usual request rate
current_traffic = {'requests_per_ip': 900, 'bytes_per_second': 5050, 'error_rate': 0.012}

detector = AnomalyDetector()
detector.learn_baseline(normal_traffic)
alerts = detector.detect(current_traffic)
for alert in alerts:
    print(alert)   # only requests_per_ip exceeds the 3-sigma threshold here

Real-World Analogy

IDS is like a security camera system. It records everything and alerts security when it detects suspicious activity. But it can’t stop someone from breaking in — it just documents it. IPS is like a security guard who checks IDs at the door. If someone looks suspicious, the guard stops them from entering. The camera is cheaper and less risky (never blocks legitimate visitors), but the guard provides active protection.

Related Terms

WAF, Zero Trust, SIEM, XSS, SQL Injection
