**4. Intrusion, detection, and prevention systems**

The main goal of an intrusion detection and prevention system is to prevent situations that are categorized not as normal but as suspicious (caused by the misuse of information), and to detect attacks and maintain security when such situations occur [14–16]. It also includes documentation of existing threats and serves as a control over the security design of the IoT system. An Intrusion Detection System (IDS) provides attack information, advanced diagnosis, system recovery, and various investigations, and allows action to be taken on ongoing events, including stopping the attack, terminating the network connection or user session, blocking access to the attack target, and changing the appropriate security settings.

The IDS [16], upon detection of an intrusion into the IoT system, raises an audible or visual alarm, or sends a warning in the form of an e-mail message or a text message to a smartphone. An improvement of this technology is the Intrusion Prevention System (IPS), which can detect an intrusion and, furthermore, prevent that intrusion from being successful through an appropriate active response.

The components of the IDS include (**Figure 3**) the following:


*Methods for Detection and Prevention of Vulnerabilities in the IoT (Internet of Things) Systems DOI: http://dx.doi.org/10.5772/intechopen.113898*

• Database—the database server is used to store the information received from the agents and the management server. The management server also uses the database server to complete the analysis.

There are two major methods for intrusion detection—a signature-based model and an anomaly-based detection model.

Signature-based detection model—this method works by comparing current events with certain known signatures. Below are some examples of signatures:


This type of IDS/IPS is very effective due to the low complexity of its implementation and detection process. It simply compares the current activity with the stored signatures, looking for a matching pattern in order to detect the attack. In addition, this model produces very specific attack reports compared to the anomaly-based model described below. A disadvantage of the signature-based detection and prevention model is its inability to detect new, unknown attacks, because no signatures exist yet for them.

Anomaly-based detection model—this model detects attacks based on profiles. Profiles describe the pattern of normal behavior in which the system is used. Profiles are derived for specific users, networks, or applications. They are created by monitoring system usage over a period of time, known as the evaluation period (**Figure 4**). This model compares current activities with the profiles in order to detect abnormal activity, which in most cases indicates an attack.

Since system and network usage are not static and always contain some variation over time, the profile must also adjust accordingly over time. Therefore, after creating profiles during the evaluation period, the detection and prevention system changes the profiles over time. Below are examples of profiles:


The advantage of the anomaly-based model is that it can detect even unknown attacks by comparing current abnormal events with events considered normal. Furthermore, this model can also be more efficient than a signature-based model, since the latter has a large number of signatures to compare against. On the other hand, the incidents detected by the anomaly-based model are not very specific and therefore require additional effort on the part of the administrator to determine the root cause of the attack. In addition, this model is subject to the so-called "slow attack". In this type of attack, the attacker first learns the threshold between normal and abnormal activity in the system. The attacker then attacks the system slowly, so that the activity during the attack never reaches the threshold that would result in its detection by the anomaly-based model.

**Figure 4.**

*Attacks registered by an IDS/IPS.*
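The two models side by side, as an added Python example that is not from the chapter: a signature matcher over constructed patterns, and a rate-based anomaly detector whose profile is learned during an evaluation period and then keeps adapting. The `max_drift` cap and the `run_slow_ramp` helper are assumptions added here to show that a gradual ramp stays under an unboundedly adapting threshold, and that bounding how far the profile may drift from the learned baseline lets the detector catch it.

```python
import re
from collections import deque

# Signature-based model: constructed illustrative patterns, not a real rule set.
SIGNATURES = {
    "sql_injection": re.compile(r"(?i)union\s+select|'\s*or\s+1=1"),
    "path_traversal": re.compile(r"\.\./"),
}

def signature_match(event: str):
    """Return the first matching signature name, or None (unknown attack)."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(event):
            return name
    return None

class RateAnomalyDetector:
    """Anomaly-based model on one metric: requests per minute from a host.
    The first `window` samples are the evaluation period and set the baseline;
    the threshold cap `max_drift` x baseline is an assumed slow-attack mitigation."""
    def __init__(self, window=10, factor=3.0, max_drift=2.0):
        self.window, self.factor, self.max_drift = window, factor, max_drift
        self.samples = deque(maxlen=window)
        self.baseline = None

    def observe(self, rate: float) -> bool:
        """Feed one sample; return True when it is flagged as anomalous."""
        if self.baseline is None:  # still in the evaluation period
            self.samples.append(rate)
            if len(self.samples) == self.window:
                self.baseline = sum(self.samples) / self.window
            return False
        profile = sum(self.samples) / len(self.samples)
        threshold = self.factor * min(profile, self.baseline * self.max_drift)
        if rate > threshold:
            return True  # flagged samples never pollute the profile
        self.samples.append(rate)
        return False

def run_slow_ramp(max_drift, start=10.0, step=1.15, rounds=30):
    """Train on a steady rate, then raise it 15% per round; return the first
    round flagged, or None if the ramp stays under the adapting threshold."""
    detector = RateAnomalyDetector(max_drift=max_drift)
    for _ in range(detector.window):
        detector.observe(start)
    rate = start
    for i in range(rounds):
        if detector.observe(rate):
            return i
        rate *= step
    return None
```

With an unbounded profile (`max_drift=float("inf")`) the ramp is never flagged in 30 rounds, while the capped detector flags it at round 13; a sudden jump to five times the baseline is flagged by both.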
