DocumentCode :
1626271
Title :
A comprehensive network intrusion detection and prevention system architecture
Author :
Mirpuryan, M.S. ; Tavizi, T. ; Gharaee, Hossein
Author_Institution :
Dept. of ICT Security, Iran Telecom Res. Center (ITRC), Tehran, Iran
fYear :
2012
Firstpage :
954
Lastpage :
958
Abstract :
In today's computing environments, Network Intrusion Detection and Prevention Systems (NIDPS) are among the fundamental network components that monitor and analyze traffic to find possible attacks. Several works have introduced applicable NIDPS architectures, but none of them covers all current NIDPS requirements. In this paper we present a comprehensive NIDPS architecture comprising the main components and the data flow between them. This architecture consists of all NIDPS components, including the capture and decoding module, preprocessing, detection, response and management. The detection module covers both misuse-based and anomaly-based approaches. Moreover, the anomaly-based detection module includes traffic and protocol anomaly detection as well as learning-based approaches. The proposed architecture is designed to operate in four modes: passive response mode, active response mode, fast prevention mode, and perfect prevention mode. Owing to the fast prevention mode, it is also able to work in high-speed networks. We also designed a complete management module for NIDPS, which provides additional useful functionality in relation to the other modules to help them operate properly.
Keywords :
computer network security; telecommunication traffic; NIDPS architecture; active response mode; anomaly based approach; anomaly based detection module; capture module; decoding module; fast prevention mode; learning based approach; misuse based approach; network intrusion detection; network intrusion prevention system; passive response mode; perfect prevention mode; protocol anomaly detection; traffic anomaly detection; Authentication; Computer architecture; Databases; Decoding; Intrusion detection; Protocols; Active Response; Management; NIDPS; Prevention;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Telecommunications (IST), 2012 Sixth International Symposium on
Conference_Location :
Tehran
Print_ISBN :
978-1-4673-2072-6
Type :
conf
DOI :
10.1109/ISTEL.2012.6483124
Filename :
6483124